The headline is striking, particularly since it comes from the Federal Reserve Bank of Atlanta.

“Do Consumers REALLY Care About Payments Privacy and Security?” a blog from the Atlanta Fed blares today.

The blog cites a study from idRADAR, a research outfit, that appears to indicate that “consumers are concerned with security, but they also know they are not active in protecting themselves by adopting strong practices to safeguard their online privacy and security.” But are consumers as negligent as the survey implies?

David Lott, the author of the Atlanta Fed blog, called Portals and Rails, makes it clear that he thinks they are. Here’s the crux of the message from the blog:

The survey asked respondents if they had taken any actions after hearing of the Target breach to protect their privacy or to prevent credit/debit card fraudulent activity. A surprising 79 percent admitted they had done nothing. Despite the scope of the Target data breach, only 4 percent of the respondents indicated that they had signed up for the credit and identity monitoring service that retailers who had been affected offered at no charge.

Here’s more data from the study — the graphic is from the Fed:

Lott sums it up like this:

When we compare the results of this study with other consumer attitudinal studies, it becomes clear that the ability to get consumers to actually adopt strong security practices remains a major challenge.

But let’s look a bit deeper into this study. IdRADAR queried 313 people, which yielded a margin of error of 5.7%. More importantly, the average respondent spent less than two minutes on the survey. In other words, this is a quickie online survey of but nine questions. That is not a reason, in and of itself, to question the data, but I thought it was important to understand what we are dealing with here.

The data itself, however, is a bit more confounding. Consider the graphic above. This is exactly what idRADAR asked: “When you heard about the Target Data Breach, did you initiate any personal actions to protect your privacy or to prevent your credit card or debit card from being fraudulently used?” I am not sure this is the fairest question. Might some of those consumers have taken action some time after hearing about the Target data breach? Target, itself, had taken steps to address the breach — isn’t it fair of the average consumer to consider those actions?

IdRADAR did not ask whether consumers thought Target took appropriate steps, although other data from this study implies that consumers defer to the purveyors of financial services for security. “How often do you change your personal email or other online password?” the research firm asked. While about 8% said “never,” 58% answered “when forced or prompted.” IdRADAR appears to frame this as a sign of consumer apathy, but I don’t. Maulauzai Software, the online and mobile banking software company, mentioned in its May 2014 insights report that it had seen an 850% increase in the use of its on/off card switch. To explain, Malauzai’s software has a feature that allows consumers to turn on or off their credit card. Here is how Malauzai described the phenomenon:

From November 2013 through April 2014, there has been a staggering 850% increase in usage of the component of the card management feature where an end-user can turn the debit card on and off. The real explosion of growth has come in March and April of this year, where usage increased by 250% in March 2014 over November 2013 and hit an 850% increase in April 2014 over November 2013. Even though the well-publicized breach happened in late 2013, it looks like it took several months for behavior to catch up when end-users started hitting the on/off feature hard.

This is not a case of consumers “not active in protecting themselves.” When given the security tools, consumers will use them — and in big numbers. The Atlanta Fed concludes that “we will continue to stress the importance of efforts to educate consumers, and we ask that you join us in this effort.” That’s hogwash. What the Atlanta Fed should be advocating is the building of more security tools for consumers. Consumers want to be safe; they just need the tools to do so.