I didn’t catch his name, but a little while ago I heard the “co-founder” of Square say on Bloomberg TV that the Target data breach was no big deal. He said that people didn’t lose any money as a result, either because their account was never actually charged or the bank covered any losses. Ok, but this misses the point. And sure, anyone in the credit card business (and that is how Square makes its money, so reluctance to use credit cards would harm Square rather directly) is going to try to minimize this thing. But it shouldn’t be minimized, it’s a serious problem that requires a serious response.
Let do some simple math to illustrate this. Whenever one of my credit cards has been compromised, either directly or in a data breach, the credit card company cancels and replaces the card. Now this can result in numerous complications. Let me give examples.
We were in Thailand last month when my wife noticed she had voicemail. It was the bank for one of her credit cards reporting that it had been compromised in a data breach. They were cancelling her card and sending a replacement. Great, so now a new credit card would be sitting at home in the U.S. but her credit card was useless on our trip. Fortunately we carry multiple credit cards on our trips in case of just such a situation. Imagine if we’d actually followed conventional advice and taken only a single card?
Want to extend this? If you used a Debit Card at Target at least one bank limited use of those cards until they could issue replacements. Now imagine you are away from home, and away from a branch of your bank, when this happens. Or it’s just a weekend. For extremeness sake let’s say you were out of the country. And you were relying on ATM’s to get local currency for your trip. And now your debit card either doesn’t work or is limited to small withdrawals. Worse, if you use it multiple days your bank will assume it is stolen and block it. How do you get the cash to complete your trip?
Besides the point that just the occurrence of a data breach can cause significant real world repercussions, data breach lead to a huge cost in time, effort, and incidental costs. My wife was on the phone with her bank for about 30 minutes, and that just the initial effort, while the hotel car service (which charged by the hour) waited to take us into town.
Let me broaden this example. First, there are the charges that are in-flight when you cancel a card. You applied for a policy under Obamacare and gave a credit card for the initial payment, a convenience many insurance carriers provided. But that was submitted on paper (even if then faxed or scanned and emailed, because that’s what they also required) and they don’t charge the card until close to the due date. When they do go to charge the card the charge fails because the card has been cancelled. How much time and effort does that take for you to correct? Or in the worst case, what if you miss the due date and end up without insurance. Data breaches have consequences!
Note, the Obamacare scenario is not so far-fetched. We sent our new insurance carrier information before we left the country and returned very close to the deadline. Had a problem occurred, and the insurance carrier only notified us by U.S. Mail (which seems to be the only form of communication they understand), we could have ended up without insurance on January 1st. My highest priority on our return was to collect the paper mail from the post office and find confirmation from the insurance carrier that we were insured.
Keep in mind all the places that have your credit card information for automatic bill pay, or just making life simpler. Another example, you go to use Amazon’s One-Click and it fails because the credit card was cancelled. One-Click just became a thousand clicks as you go through the screens to enter a new credit card. So you go logging in to web site after web site changing your credit card information. In some cases you need to do it by phone. In others, by filling out and mailing paper. In my experience the total time expended on recovering from a credit card breach adds up to between 1/2 and 1 day of effort. And that’s assuming no actual identity theft or serious fraud occurred.
Let me quantify this on a larger scale. Assume a median U.S. income of $50,000/year. Assume 210 work days per year for a daily income of $238. Take the lower end of my time expenditure range and it cost (“time is money”) the average person $119 to deal with the data breach. It also cost them data on their data plan, postage, the cost of phone calls, and perhaps opportunity costs (e.g., the price of the item you were trying to buy on Amazon went up while you struggled with the inability to use your credit card). A more realistic estimate of what the data breach cost the average consumer is on the order of $150 per credit card. In costs that neither Target nor your bank nor anyone else is going to reimburse. And the co-founder of Square says “no big deal”?
If we play this out then 40 million credit/debit cards compromised at Target turns into a non-recoverable cost of $6 Billion to Target’s customers. And the co-founder of Square says “no big deal”?
$6 Billion dollars is a big deal. $150 is a big deal to the average person. And even if you don’t quantify this financially, wasting a half-day of your life every time a business you’ve entrusted financial information to fails to protect it, is a big deal. A VERY BIG DEAL.