Data Breaches and Risk Management in Emerging Payments
Jennifer Windh: Welcome to the Federal Reserve Bank of Atlanta's Payments Spotlight podcast. Today, we're joined by Will Roberds, research economist and senior policy adviser at the Federal Reserve Bank of Atlanta. Today, Will is speaking to us about data breaches and risk management in emerging payments. Will, thanks for joining us.
Will Roberds: You're welcome.
Windh: In 2008, you authored a paper that claims too much personal data is being collected, and that collecting data can increase the risk of identity theft. Why are companies collecting too much data?
Roberds: Basically, that paper looks at a phenomenon that is known to economists as an externality. An externality is said to occur in an economic environment when uncontracted action of one economic agent, person, or firm—perhaps a governmental body—imposes a cost or a benefit, again uncontracted, on another party. So the idea of that paper that my coauthor, Stacey Schreft, and I were exploring was the idea of an externality and personal data collection.
Collecting personal data provides a benefit in the sense that it allows the credit industry to offer credit to firms and individuals by being able to match people, to match purchasers of goods and services, to a specific credit record. The more personal data that is collected the better the chance that the person who you think is associated with a credit record is actually that person. But then there is what is called, potentially, a negative externality associated with that data collection, and that is as more and more of that data is assembled and it becomes more and more extensive, it becomes a riper target for theft by talented individuals who are able to access that data, use that to construct, if you will, pseudo-identities that allow them to illegitimately purchase goods and services, and thereby impose costs on everyone else who's working within the credit system.
Windh: Well, that sounds pretty bad. Why aren't the private firms managing these risks comprehensively in-house?
Roberds: Well, again, the whole idea of an externality is that it's something that happens because it's uncontracted. If there were just one or two firms in the world, then it might be easy for them and their lawyers to sit down and draw up guidelines for how much personal data they would be collecting and how secure that data would be kept. But because there are so many entities out there in the economy right now collecting this data, it's difficult for them to coordinate on the right level of personal data collection and to make the right decision about how much data and how much security effort should be expended to preserve the privacy of that data.
Windh: Well, we know that a lot of big companies are already dealing with these issues, but where do emerging payment providers fit into all of this?
Roberds: Well, I think that the same issues that show up with traditional payment services show up with emerging payment providers; it's just that it takes a while for externalities to show up. It's hard to set up a network of secure transactions, in part because security in these environments comes to resemble what economists know as a weakest link public good, or a weakest link club good. This has been studied extensively by all kinds of economists. Hal Varian, a very well known economist and chief economist for Google, by the way, has written about this issue extensively.
A club good is a good that can be produced at zero marginal cost—a good whose value is not diminished with each successive use. All kinds of digital goods, goods that can be represented in digital form are, by their very nature, club goods—think about recorded music or video, that kind of thing. It's the same way with security of digital data. Keeping that data secure is a benefit that's provided to essentially everyone who's operating legitimately within a credit system.
Now, the problem is that a lot times the level of security is not related to the total amount of effort or cost that's put forth in protecting and keeping that data secure. Instead, it follows a weakest link, or lowest-point rule, meaning that the data is only as secure as the weakest place within the system that's using it in terms of its security and its ability to be breached by hackers and other malefactors who would like to exploit the credit system. So it can be quite difficult if you've got a diverse set of participants—as often happens in emerging payment systems—to get everyone to agree, "Well, this is the level of data we should collect and this is the amount of security effort, and these are our standards, etc., etc., to keep the data secure." So that weakest link club good problem can contribute a lot to data security problems in emerging payments environments.
Windh: So what incentives could be put in place to make sure all players are providing the right level of security?
Roberds: Well, I think the paper here by Hal Varian is very instructive. It says that while this weakest link club good problem can be addressed by making sure that the benefit-to-cost ratio for every participant in a system is approximately the same. Where you tend to have problems is when some parties see some big benefits to actions that would tend to increase the security of data, and other parties say, "Well, gee, I'm not getting that big a benefit." So, basically, there's two ways to do it: there's the "carrot" way and there's the "stick" way.
There's a way of offering incentives. If there's a way of offering incentives to people who keep their data secure through some kind of monetary reward. Or the other way is the stick way of imposing monetary fines or, ultimately, exclusion from a system from people whose security efforts and whose overall approach to data security are not up to the standard of what the other people in the system want to see.
Windh: That's all very interesting, and I think that we are going to have to deal with that as an industry going forward as we see more and more emerging payments players try and use existing rails. Could you tell me anything about current research you are working on?
Roberds: Right now, I have moved out of the retail, or small-value payments area, and I've been working extensively in the area of large-value payments. Specifically, I've been working at reconstructing a historical large-value payments system that was operative in the 17th and 18th centuries, the Bank of Amsterdam, which was predecessor to the Bank of England, which is predecessor to the Federal Reserve. It's an interesting project to me because it's a system that had a gross-settlement architecture, which is exactly the same architecture that we see in Fedwire today and virtually all large-value payment systems around the world.
Windh: I will definitely be looking for the results of that, and thanks for agreeing to speak with us today.
Roberds: My pleasure.
Windh: Again, we've been speaking today with Will Roberds, research economist at the Federal Reserve Bank of Atlanta. This concludes our Payments Spotlight podcast on data breaches and emerging payments risk management.
You can find more information about the Retail Payments Risk Forum by visiting our website at frbatlanta.org. Thanks for listening and please return for more podcasts. If you have comments or questions, please send us an e-mail at firstname.lastname@example.org.