Please enable JavaScript to view the comments powered by Disqus.

COVID-19 RESOURCES AND INFORMATION: See the Atlanta Fed's list of publications, information, and resources for help navigating through these uncertain times. Also listen to our special Pandemic Response webinar series.


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

October 2, 2017

A Record-Breaking Season of Hurricanes and Data Breaches

I lived in the panhandle of Florida in 2005, during a record-breaking hurricane season. Four hurricanes that started in the Atlantic—including Katrina—reached Category 5 status that season. That disastrous hurricane season seemed unsurpassable. Yet hurricane Harvey and Irma set new records (both made first landfall in the United States as Category 4 hurricanes).

As Hurricane Irma made its destructive way across the Caribbean, a different kind of disaster was also setting records. On September 7, Equifax announced a data breach potentially affecting most U.S. adults. Could this year also prove to be a record-breaking year for data breaches? According to the Identity Theft Resource Center (ITRC), there are already 976 on the books. Breaches reached a record high of 1,093 in 2016—a substantial hike of 40 percent over the near-record high of 780 reported in 2015.

Truth be told, we can't be sure these data breach "records" are even accurate. Data breach notification laws vary by state in terms of definitions and standard reporting elements. Even the ITRC questions whether there actually are more breaches or the numbers have risen because more states are requiring public release of information on them.

The ITRC Breach Report is a compilation of breaches confirmed by various media sources and notification lists from state governmental agencies. This list is updated daily and published each Tuesday. The ITRC has been tracking breaches since 2005, but only since 2010 has that tracking included the information that has been exposed. Even so, many notifications made available do not include what damages, or types of records, were at stake.

To that point, we don't understand the extent victims will suffer when, for example, card information is stolen along with Social Security numbers. We have yet to see standard data on how fraud trends morph when a certain type of data breach occurs. Lack of correlation could be a risk to consumers.

With data breaches, as with hurricanes, we can respond better if we know what is at stake. Is it time for states to adopt a uniform set of statutes regarding data breach notifications? What do you think?

Photo of Jessica Washington  By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


Take On Payments Search

Recent Posts