Should Credit Card Issuers Reissue Cards in Response to a Data Breach?: Uncertainty and Transparency in Metrics for Data Security Policymaking.

ACM Trans. Internet Techn. (2018)

Abstract
When card data is exposed in a data breach but has not yet been used to attempt fraud, the overall social costs of that breach depend on whether the financial institutions that issued those cards immediately cancel them and issue new cards or instead wait until fraud is attempted. This article empirically investigates the social costs and benefits of those options. We use a parameterized model and Monte Carlo simulation to compare the cost of reissuing cards to the total expected cost of fraud if cards are not reissued. The ranges and distributions in our model are informed by publicly available information, from which we extrapolate estimates of the number of credit card records historically exposed in data breaches, the probability that a card exposed in a breach will be used for fraud, and the associated expected cost of existing-account credit card fraud. We find that automatically reissuing cards may have lower social costs than the costs of waiting until fraud is attempted, although the range of results is considerably broad.
Keywords
Economics of information security, Monte Carlo, data breach, estimation, identity theft