Data Breaches and Risk Management in Emerging Payments: An Economist's View

Advances in technology have enabled companies to collect and share massive amounts of personal data from individuals and companies. While this practice certainly offers important benefits, such as allowing companies to offer credit more efficiently, it also imposes potential costs.

Financial Update Focus features a podcast, originally posted in the most recent edition of the Federal Reserve Bank of Atlanta's Payments Spotlight podcast series, that explores this dilemma from an economist's perspective. The podcast, "Data Breaches and Risk Management in Emerging Payments," features Atlanta Fed research economist and senior policy adviser Will Roberds, who in 2008 coauthored "Data Security, Privacy and Identity Theft: The Economics behind the Policy Debates," a working paper on the topic. (The topic will be explored further in the third-quarter issue of the Atlanta Fed's EconSouth, in print and online.)

More data, more problems
Collecting a greater amount of personal data can increase security by helping companies match credit histories to the correct person or business. At the same time, the data are a gold mine for individuals looking to commit identity theft. This risk can be hard to manage, said Roberds. With so many entities collecting data, it is difficult to coordinate on two important dimensions: how much data are collected and how much effort goes into protecting them. The challenge is particularly acute for emerging payments providers because of their diverse makeup, he explained.

Further, electronic payments data follow what economists refer to as a "weakest link rule," meaning that the system is only as secure as its weakest point of access. So if one participant is not matching the effort of all the others, it puts the entire system at risk.

The carrot or the stick?
So how do you make sure all participants are doing what they should to protect their data? It all comes down to carrots and sticks, says Roberds. Incentives—monetary rewards, for example—can compel participants to keep their data secure. The other option is to impose monetary penalties on participants, or even exclude them from the system, if they fail to maintain their data security standards at an acceptable level.

July 27, 2011