Data Breaches and Identity Theft

Transcription

1 Data reaches and Identty Theft Wllam Roberds Stacey L. Schreft * Federal Reserve ank of Atlanta The Mutual Fund Research Center, LLC Ths revson: Arl 8, 009 Abstract Ths aer studes the mlcatons of ayment networks collecton of ersonal dentfyng data and data securty on each other s ncdence and costs of dentty theft. To facltate trade, agents jon clubs (networks) that comle and secure data. Too much data collecton and too lttle securty arse n equlbrum wth noncooeratve networks comared to the effcent allocaton. A number of otental remedes are analyzed: (1) reallocatons of data-breach costs, () mandated securty levels, and (3) mandated lmts on the amount of data collected. Keywords: Identty theft, dentty fraud, data breach, fraud, money, search JEL Codes: D83, E4, G8 * Roberds, Research Deartment, Federal Reserve ank of Atlanta, 1000 Peachtree Street, Atlanta, GA , , [email protected]; Schreft, The Mutual Fund Research Center, 7301 College lvd., Ste. 0, Overland Park, KS 6610, , [email protected]. The authors are grateful for artcants comments n resentatons at the Federal Reserve ank of Chcago, the 008 Payments Worksho at the ank of Canada, and the 008 LAEF Conference on Payments and Networks at UC Santa arbara. The vews exressed n ths aer are not necessarly those of the Federal Reserve ank of Atlanta, the Federal Reserve System, or The Mutual Fund Research Center, LLC.

2 1. Introducton Modern nformaton technology enables the collecton and storage of large amounts of ersonal data. Whle these actvtes undoubtedly rovde economc benefts, t has roved mossble to kee data comletely secure aganst crmnal msuse. Survey data suggest that n 006 dentty theves obtaned about $49.3 bllon from U.S. consumer vctms. Add n the tme and out-of-ocket costs ncurred to resolve the crme, and dentty theft cost the U.S. economy $61 bllon n 006 (Schreft 007). Dollar estmates of the cost of dentty theft do not by themselves ndcate that too much dentty theft s occurrng. However, ress accounts of data breaches suggest that ersonal dentfyng data (PID) 1 s collected n excess and s nsuffcently rotected aganst theft, and ths vew s echoed n the legal lterature on dentty theft and data confdentalty. 3 The underlyng message of ths oular wsdom s that tradtonal data management ractces have led to a market falure. In the words of one legal scholar (Swre 003), the credt ndustry has faled to delver effcent confdentalty of ersonal data. Government reorts 4 and ndustry sources 5 gve a dfferent mresson. Losses from dentty theft are small, t s argued, relatve to overall sze of ayments and credt n today s economy. Also, much dentty theft does not result from any comromse of data stored by busness organzatons, but from oortunstc, low-tech methods (e.g., stolen wallets) that can be deterred through ntensve data analyss (Greene 009). If there s a roblem wth dentty theft, accordng to a common vew n the ndustry lterature, t would be best addressed through the comlaton 1 A.k.a. ersonally dentfable nformaton (PII). See e.g., Swartz and Acohdo (007), Caruso (007), and Dow Jones and Comany, Inc. (008a, b). 3 See e.g., LoPuck (001, 003), Solove (003, 004), Swre (003), and Chandler (008). 4 See e.g., Synovate (007) and Unted States Government Accountablty Offce (007). 5 See e.g., Cheney (004), Exeran (006), Krshbaum (006), McGrath and Kjos (006), and Javeln Research (008). 1

3 of more (ncludng bometrc) data on ndvduals, not less. Economsts (economc theorsts n artcular) have remaned relatvely quet on ssues regardng dentty theft and data breaches. 6 Ths aer offers an ntal exloraton of these ssues, usng a model derved from contemorary monetary theory. Monetary theory s a useful startng ont for ths analyss, as t delneates two key market frctons that may be counteracted through the use of PID: (1) dslacement of agents consumton demands over tme, and () a lmted ablty to force agents to reay debts. The beneft of a credt-based ayment system derves from ts ablty to overcome these frctons, and knowledge of agents denttes hels rovde ths beneft credt s mossble wthout knowng who the debtor s. The envronment n ths aer extends the model of dentty theft develoed n Kahn and Roberds (008) to ncororate the ossblty of dentty theft through data breaches. The aer begns by resentng a game-theoretc model of multle ayment card networks. Card networks are modeled as club arrangements for the sharng of nformaton for ntertemoral trade. Each club must decde how much data on ts members to assemble nto a database, and each also must choose how thoroughly to secure ts database. Collectng more PID moses costs on cardnetwork artcants, but as ndustry sources assert, yelds a beneft n terms of deterrng attacks on the network. On the other hand, collectng such data can have negatve sllover effects, because one network s data can be stolen and used to oen an account wth another network. A network can reduce data theft (and therefore suress dentty fraud) by better securng ts database, but t mght be cheaer to suress fraud by ncreasng the amount of PID comled. The aer roceeds to comare the networks data and securty decsons to the decsons that a lanner would mlement. Under mld condtons, ths analyss suorts some facets of the oular wsdom : n equlbrum, too much PID s collected, and the data s nsuffcently se- 6 Some relevant lterature s dscussed n Secton 6 below.

4 cured. Ths outcome s also shown to be consstent wth the facts emhaszed n the ndustry vew : low rates of dentty theft and a revalence of unsohstcated fraud. The model framework s then used to analyze the mact of varous aroaches to regulaton. In summary, the model develoed here allows for exlct calculaton of the effcent levels of data accumulaton and data securty, and for evaluaton of olces meant to attan effcency. More generally, t llustrates how any such calculaton should balance the costs of data msuse aganst the gans afforded by the relaxaton of anonymty.. Insttutonal ackground Ths secton rovdes a bref overvew of the henomenon of dentty theft and ts relatonsh to data securty. Recent surveys are gven n Schreft (007) and Anderson et al. (008). It s constructve to begn by defnng terms. Identty theft can take many forms n ractce. The Federal Trade Commsson (Synovate 007) dvdes dentty theft nto two broad categores: exstng-account fraud and new-account fraud. Exstng-account fraud occurs when a thef steals an exstng ayment card or smlar account nformaton (e.g., a checkng account number) and uses these to urchase goods and servces. Tradtonally, new-account fraud occurs when a thef uses someone else s PID to oen a new account. As wll be clear below, newaccount fraud s the tye of dentty fraud that occurs n the model. 7 There are no comrehensve statstcs on the revalence of dentty theft, or defntve estmates of ts cost. In a wdely cted survey, the Federal Trade Commsson (FTC) estmated that n 006, 3.7 ercent of the U.S. adult oulaton fell vctm to some form of dentty theft, at a cost of roughly $16 bllon (Anderson et al. 008). These fgures are lkely underestmates, 7 The term new-account fraud ncludes an ncreasngly revalent tye of fraud, whch s fcttous or synthetc dentty fraud. In ths tye of fraud, a thef combnes nformaton taken from a varety of sources wth nvented nformaton to create a new, fcttous dentty. y one recent estmate, more than 80 ercent of all new-account dentty theft has occurred usng synthetc denttes (Coggeshall 007). 3

5 however, because they omt certan forms of dentty theft as well as many of ts ndrect costs. Adjustng for some of these effects easly quadrules the dollar losses (Schreft 007). A data breach occurs when an unauthorzed arty s able to access ersonal data that has been collected by an organzaton (e.g., busness or ayment servce rovder). Data breaches can facltate ether exstng-account fraud (as when credt-card nformaton s stolen) or new-account fraud (as when PID s stolen). 8 There s no defntve estmate of how many cases of dentty theft have resulted from data breaches. Certanly, data breaches are numerous and ncreasng: for examle, the nformaton-securty webste Attrton.org lsts 553 reorted data breach ncdents for 008, leadng to the comromse of 83 mllon records of ersonal data, as comared to 11 reorted ncdents and 6 mllon comromsed records n 003. A data breach does not necessarly result n dentty theft, as data may be stolen wthout beng used for fraudulent uroses. Nevertheless, there seems to be wdesread agreement that data breaches romote dentty theft. The Unted States Government Accountablty Offce (007), for examle, examned 4 data breaches between 000 and 005 n whch large amounts of data were comromsed, and was able to conclusvely lnk four of these to subsequent outbreaks of fraud. Also, dentty theft can occur wthout data breaches. In consumer surveys, vctms of dentty theft who know how ther nformaton was stolen commonly attrbute ther loss to lowtech channels such as: lost/stolen wallets (e.g., 33% of cases reorted n Javeln 008), fraud by acquantances (17%), or stolen mal (6%). ut there s also evdence that a sgnfcant roorton of dentty theft can be attrbuted to nadequately secured commercal data: Gordon et al. (007) examne 74 cases of dentty theft rosecuted by the Secret Servce over , and fnd that 50% of these resulted from the comromse of data at a busness. 8 Actually, because many credt-card ssuers wll oen accounts for eole who resent an exstng credt card, a data breach nvolvng the theft of credt-card nformaton also contrbutes to new-account fraud. 4

6 The costs of dentty theft must be weghed aganst the benefts rovded by the avalablty of PID, whch les at the heart of credt-based systems of exchange. There are no defntve estmates of these benefts, but the sheer volume and ncreasng oularty of servces such as card-based ayments ndcates that these are substantal. For examle, card transactons n the U.S. totaled more than $3 trllon n 006 (ank for Internatonal Settlements 008). 3. Envronment 3.1 asc features The model economy exsts n contnuous tme and conssts of a contnuum of rsk-neutral agents. Assocated wth each agent s a unque fxed vector of ersonal data known as the agent s dentty. Ths vector has effectvely nfnte dmenson. Agents are dvded nto grous G A and G of unt measure, where GA G =. All trade occurs among agents n the same grou. Wthn each grou, agents are congentally subdvded nto legtmate agents and frauds (.e., dentty theves). F denotes the fracton of frauds n the oulaton. Legtmate agents and frauds have the same consumton references, but dffer n two resects. Frst, legtmate agents are able to roduce tradable goods, whle frauds lack ths ablty. Second, frauds are sometmes able to mersonate other agents, whle legtmate agents cannot. 9 An agent s dentty, grou, and legtmacy are all rvate nformaton untl revealed through costly verfcaton and/or observaton of the agent s behavor. Goods are traded wthn grous through random matches of buyers and sellers. 10 There are no double concdences and no reeated matches, and money s not avalable, so trade can 9 The envronment studed can be generalzed to allow for the endogenous choce of agents to secalze n fraudulent actvty; see Kahn and Roberds (008). 10 Addtonal detals of the model are gven n Aendx A. 5

7 only occur usng some form of multlateral credt. 11 Any agent wth access to credt derves a flow utlty u > 0 from acquston of other agents goods. At some ont durng each unt tme nterval, agents may be called uon to suly u to a unt measure of ther endowment good to other agents. Legtmate agents can erform ths acton at a dsutlty of c er unt, where u > c> 0. Whether or not an agent has suled goods s not observable untl the next dscrete date n = 0,1,,, at whch ont t becomes ublc nformaton. Informaton on agents consumton behavor s not avalable wthout the alcaton of a secfc technology, whch s descrbed below. Credt-based exchange n the model requres arrangements for sharng two knds of nformaton: (1) suffcent knowledge of agents transacton hstores (as n, e.g., Kocherlakota 1998) and () suffcent knowledge of agents denttes, n order to assocate would-be consumers wth hstores (as n Kahn and Roberds 008). These arrangements are modeled as clubs for sharng ths nformaton, whch we vsualze as credt card networks. 1 The analyss wll consder the case where one club exsts for each grou of agents. 13 To encomass the ossblty of dentty theft va data breaches, the envronment allows for turnover n club membersh. Turnover n membersh gves each club an ncentve to retan data on ts members denttes, so as to dstngush exstng club members from new alcants. However, the resence of such stored data creates oortuntes for data theves. To ncororate turnover, agents n the model consst of stochastcally lved overlang generatons. At each dscrete date n = 0,1,,, a randomly selected subset of agents des and s 11 The model could be modfed to allow agents to transact wth cash as well as wth credt. Ths generalzaton s exlored n Camera and L (008), Martn, Orlando, and Skee (008), and Monnet and Roberds (008). 1 Clubs are a natural arrangement gven the nonrval nature of the good (nformaton) that s to be allocated (Varan 1998). In ractce, such nformaton s managed through the nteracton of many artes, ncludng card ssuers, credt bureaus, and transacton rocessors. Data sharng among these artes s subject to ublc-goods roblems (Varan 004). The analyss below abstracts from such roblems n order to focus on sllover effects. 13 Aendx D resents an extenson of the model whch allows for endogenety n club sze. 6

8 relaced by newborn agents. Newborn agents have unque denttes but are otherwse ndstngushable from the agents they relace. The measure of deaths and brths s gven by 1 β, where 0 < β < 1,.e., β serves as a dscount factor n agent s decsons. The deaths of agents and the denttes of the dead mmedately become ublc nformaton, so only the lvng are otental vctms of dentty theft. 3. enchmark: exchange wth costless dentfcaton Consder the case where nformaton on agents denttes can be costlessly assembled and stored, so agents can be erfectly dentfed f they so desre. Agents from each grou form two clubs at tme t = 0. An agent jonng club, = G, G, reveals hs dentty to the club, and the agent receves an uncounterfetable credt card that sgnals hs membersh n the club. The card can be authentcated by all club members at no addtonal cost, and allows ts holder to enjoy the consumton flow u. At each dscrete date n, the club learns whether ts members have roduced goods durng the recedng unt nterval. Producers reman n the club; nonroducers are subject to exulson and to a nonecunary enalty (e.g., stgma or crmnal sanctons) equal to X agents. 14 > u utls. Subsequently, 1 β club members de and membersh s oened to newborn For ths case, t s straghtforward to show 15 that exchange through clubs s selfsustanng: all legtmate agents n the model have an ncentve to jon the arorate club and reman n t over ther lfetmes, whle all frauds are excluded. Legtmate agents exected value of contnued club membersh at each dscrete date n s [ ] A V ( u c)(1 F) / r, (1) 14 See oyd and Prescott (1987) for an analyss of clubs wth a smlar structure. 15 See Aendx A. 7

9 where the clubs dscount rate r 1 = β 1. (Voluntary) dentfcaton of consumers s key to the vablty of the clubs: absent dentfcaton, the ayoff to someone who consumes and never roduces s [ ] u(1 F) / r > V, ().e., shrkng always beats workng, so that the clubs collase. In general, excluson of frauds s also necessary for the clubs to exst. If all frauds are admtted to the clubs and rovded wth consumton goods, then the value of legtmate agents membersh falls to [ ] whch s negatve for F suffcently close to one. u(1 F) c / r, (3) 3.3 Exchange wth costly dentfcaton More generally, relable dentfcaton of agents requres the use of a costly technology. Clubs accomlsh dentfcaton by collectng a subset of each agent s dentty. For ths model, the value of such nformaton, and the costs of managng t, can be reresented by the amount of dentfyng nformaton dsclosed, not by the tye of nformaton. The amount of nformaton dsclosed s gven by d n,, referrng to the number of elements an agent must dsclose from hs dentty vector to be dentfed by club at dscrete dates n. For analytcal convenence d n, s taken to be a contnuous varable,.e., d n, +. Each club comles and mantans a database contanng the dentfyng nformaton dsclosed by ts members. The cost to the two clubs of mergng ther databases s assumed to be rohbtve. Identty verfcaton has two costs. The frst cost s a fxed one-tme cost of K utls, whch s ncurred when an agent ntally jons club and s borne ro-rata by all legtmate club members. The second cost s a er-dscrete-erod, er-member cost of rocessng and mantan- 8

10 ng the data record d n, for each club member. Ths cost s gven by kd n,, where k > 0 and s also borne by all legtmate club members. Note that the arameters K and k reflect hyscal costs but erhas also ntangble costs assocated wth the loss of rvacy stemmng from dentty verfcaton. Also note that d n, can vary across dscrete erods. That s, a club can vary the amount of dentfyng data t requres from ts members from one erod to another. Once a club has collected data at dscrete dates n = 0,1,..., the data must be mantaned untl date n + 1 f the club s to avod ayng the ntal dentty verfcaton cost K on all members at tme n Followng the ntal verfcaton of an agent s dentty, the agent receves an uncounterfetable credt card. Credt cards are ssued at zero addtonal cost. ecause credt cards are uncounterfetable, dentty theft n the model does not nvolve the clonng of exstng cards or use of exstng card numbers: there s no exstng-account fraud. Rather, all dentty theft nvolves the oenng of a new credt-card account n the name of an aarently legtmate agent. 17 Credt cards ssued at dscrete dates n have a vrtual exraton date of n + 1. That s, at dscrete date n > 0, each club comles a lst of agents who have suled goods durng the recedng nterval [ n 1, n). Members who have not suled goods are revealed as mersonators (frauds) and removed from the club, whle those who have suled goods contnue ther membersh. Aart from excluson from the club, no enaltes can be aled to mersonators because ther real denttes are unknown Data that has been retaned for one erod and s not useful for dentfcaton can be costlessly destroyed by the clubs. A data destructon technology could be ntroduced at the cost of some addtonal comlexty. 17 The model could be extended to allow for exstng-account fraud. Formally, exstng-account fraud s qute smlar to counterfetng, whch has been analyzed n the money lterature (see secton 6 below). 18 One can conceve of other arrangements for trade wthn the club. For examle, each roducer could verfy each buyer s dentty ndeendently, but ths would requre that each buyer s verfcaton cost be reeatedly ncurred (nfntely often). Or, the club could verfy members denttes at the begnnng of each dscrete erod, ssue noname credt cards vald for only one erod, and dsose of all dentfyng nformaton on ts members. In what 9

11 3.4 The revalence of dentty theft Identty theft occurs when a fraud gans access to a club by convncngly mersonatng a legtmate agent. Reflectng the dstnctons n the olcy lterature, dentty theft n the model can occur through hgh-tech methods (.e., nvolvng data breaches) or low-tech methods (wthout data breaches). Hgh-tech methods requre less effort but more skll,.e., a successful breach lowers the effort cost of fraud. ecause the submsson of dulcate PID of an exstng club member would be automatcally revealed as fraudulent, data observed n a breach of club j s database s always used to gan access to club. The robablty of a successful data breach deends on how well the target club secures ts database. Suose that club mantans member data dn, 1 over the nterval t [ n 1, n). The club then chooses a securty varable sn, 1 0 that determnes, for the next dscrete date n, the lkelhood of a data breach, gven the techncal sklls of would-be data theves. More secfcally, the varable sn, 1 s the skll threshold requred to access club s database at dscrete date t = n. The dstrbuton of techncal sklls s wthn the oulaton of frauds s tme nvarant, and s gven by the robablty dstrbuton functon Φ ( s), where Φ ( s) < 1 for s <. Intutvely, by settng a hgher skll threshold, the club can lower the roorton of the oulaton of frauds that can otentally steal the club s data. Increasng the skll requred for data breaches brngs wth t ncreased costs, however. In artcular, adotng skll threshold sn, 1 results n a cost to all legtmate members of club of dsutlty n, 1 ncurred at dscrete date n 1, where > 0. Thus, the ossblty of a breach s never comletely elmnated. Frauds lackng the techncal sklls for data theft can attemt to obtan the necessary data s follows t s assumed that the value of the ntal verfcaton cost K s suffcently hgh relatve to other costs n the model that the use of anonymous credt cards s not an attractve oton. 10

12 for mersonaton through other, low-tech means. Comlng the data d n, necessary for entry nto club at dscrete date n nvolves a utlty cost ε d n,, (4) where the effort cost ε > 0. ε s assumed to have a tme-nvarant dstrbuton Γ ( ε ) over the oulaton of frauds, and Γ does not deend on the securty varables s. Frauds wth suffcent sklls may reduce ther effort costs by stealng data. If a fraud of grou breaches club j s date n 1 database, and obtans data d jn, 1, then a fracton η (0,1) of ths data can be aled to gan membersh to club. In ths case, the net amount of data the fraud must synthesze to gan access to club s and hs net effort cost s gven by { dn, ηd jn, 1 } max,0, (5) { dn, d jn, 1 } ε max η,0. (6) Under ths secfcaton, sllover effects arse due to the overla η between the knds of nformaton n varous databases of ersonal dentfyng data. The analyss below wll concentrate on cases where η 1,.e., where ths overla s substantal, though stll merfect. 19 To summarze, the revalence and tye of dentty fraud commtted n club durng [ nn+, 1) deends on three factors: (1) the amount of data d n, needed to gan access to club at dscrete date n, () the skll threshold s jn, 1 secfed by club j at dscrete date n 1, and (3) the amount of club j s data obtanable through a breach at date n, ηd jn, 1. More secfcally, club s equlbrum rate of dentty theft from unsklled frauds over t [ n, n+ 1) s gven by 19 Ths exresses the dea that databases of PID tend to contan many common elements such as name, address, brth date, socal securty number, etc. Requrng η to be strctly less than unty ensures that ostve effort s requred for mersonaton n equlbrum. 11

13 ρ u(1 F) FΦ( s ) Γ. (7) d n, U n, jn, 1 Gven symmetry between the clubs, club s equlbrum rate of dentty theft from sklled frauds over t [ n, n+ 1) s gven by ρ u(1 F) F( 1 Φ( sjn )) Γ. dn, ηd jn, 1 S n,, 1 (8) U S Club s total rate of dentty theft over [ nn+, 1) s gven by ρn, ρn, + ρn,. 3.5 The costs of dentty theft In addton to dentty verfcaton costs, mersonaton of legtmate agents by frauds moses three other tyes of costs on legtmate club members. All legtmate agents are rsk neutral and share the same references, so there s no loss of generalty n assumng that these costs are equally dstrbuted across legtmate club members. The frst cost s smly the cost of rovdng goods to frauds, whch s gven by c utls er erod, er dentty theft. In rncle, ths cost derves from a transfer from legtmate agents to frauds, but s nonetheless economcally meanngful because wdesread fraud can undermne the vablty of the card networks (see exresson (3)). In ractce ths cost s consderable. For examle, the FTC survey (Synovate 007) estmates the medan value of goods obtaned through new-account fraud to be $1,350 er ncdent of dentty theft. The second tye of cost s the cost of resolvng an dentty theft. That s, dscovery of an mersonator n club moses a resoluton cost of L on the club, whch reresents both a socal and rvate cost. L may nclude hyscal costs, loss of lesure tme, and nconvenence. Ths cost s more dffcult to measure but nonetheless sgnfcant. In the FTC survey, the medan amount of tme sent by a consumer to resolve a case of new account fraud was 10 hours, equvalent to 1

14 hundreds of dollars n monetary value. Another examle s gven by Douglas (008), who reorts that t costs a card ssuer about $5 to reactvate any comromsed card account. Other, less readly quantfable costs of resolvng dentty theft are catalogued by Anderson et al. (008), and can nclude harassment of vctms by debt collectors, denal of utlty servce, and the costs of deflectng cvl lawsuts and crmnal nvestgatons. The thrd tye of cost results only when dentty theft results from a data breach,.e., from sklled dentty theft. When a club s data s stolen and used to gan fraudulent access to the other club, the members of the frst club are subject to an addtonal resoluton cost, or breach cost > 0. Emrcally, s lkely smaller than c or L, but stll nonneglgble. A reort by Ponemon Insttute (006) offers real-world examles of such costs. These nclude the costs of notfyng eole whose data has been comromsed ($13 er data record breached), labor costs ( lost roductvty, $30 er record), and the costs of managng otental legal labltes ($11) Clubs objectves and steady-state equlbrum The analyss below wll focus on steady states. A steady-state allocaton n ths economy conssts of two ordered ars {(, )} 1, d s, where d = gves the data length and s gves the skll threshold chosen by club. Takng nto account all costs, and adjustng for the revalence of unsklled and sklled dentty theft, club s total er-erod cost of dentty theft n steady state s ( ) ( 1 F) u C = (1 β ) K + kd + s + FΦ( sj) Γ ( c+ L) d ( ) u 1 F u 1 F + F ( 1 Φ( sj) ) Γ ( c+ L) + β F( 1 Φ( s) ) Γ, d ηd j d j ηd (9) 0 Tycally these costs reresent the costs of legal safeguards aganst otental cvl and crmnal actons stemmng from a breach, rather than reallocatons of fraud losses ncurred by other artes. Reallocatons of fraud losses through the legal system are studed n Secton 5 below. 13

15 .e., the sum of data costs, lus the costs of unsklled ID theft, lus the costs of sklled ID theft. Each club chooses ( d, s ) to maxmze the contnuaton value of legtmate club membersh, whch n steady state s gven by Evdently, ths s the same as mnmzng V f C r V. (10) C. A steady-state allocaton {( *, *)} d s s a symmetrc equlbrum f ( d, s) = ( d*, s*) mnmzes C when club j chooses ( d j, sj) = ( d*, s*). 1 Steady-state equlbra wll be comared to allocatons chosen by a lanner. The lanner oerates under the same nformatonal constrants as the clubs n the decentralzed arrangements, but s able to coordnate the choce of d and s across clubs. The lanner s objectve s to mnmze the steady-state costs of dentty theft to legtmate agents, ncludng all costs resultng from data breaches,.e., the lanner chooses ( ds, ) to mnmze ( 1 F) ( 1 F) u C = (1 β ) K + kd + s+ FΦ( s) Γ ( c+ L) d u + F( 1 Φ( s) ) Γ ( c+ L+ β ). d(1 η) (11) 4. Analyss of equlbra Ths secton consders steady-state equlbra for arametrc secfcatons for Φ and Γ. In artcular, frauds skll endowments s are secfed to follow an exonental dstrbuton Φ() s wth hazard rate φ Φ /(1 Φ ), and the dstrbuton Γ ( ε ) of frauds effort costs s sec- 1 In addton, exstence of equlbrum requres that certan ncentve condtons be satsfed n order to guarantee legtmate agents artcaton n the clubs (gven n Aendx A). These can be shown to hold under mld arametrc restrctons (gven n Prooston 1 below). The allocaton chosen by the lanner reresents a constraned-effcent allocaton, snce the lanner laces no weght on the utlty of ether frauds or the ntal generaton of legtmate agents. Golden-rule welfare crtera such as (11) are wdely emloyed n overlang generaton settngs but of necessty also arbtrary. 14

16 fed as a unform dstrbuton, normalzed to U [0,1]. These secfcatons allow for unque equlbra that can be exressed n closed form. To develo ntuton for the model, we consder some artcular cases. 4.1 Case 1: All dentty theft stems from data breaches Suose that nether club secures ts data so that, n effect, all frauds are sklled,.e. Φ= 0. For ths case, clubs rate of dentty theft s not determned by the amount of data they collect, but nstead by the amount of addtonal data an ID thef must come u wth (beyond that obtanable through a breach) n order to gan access to a club. That s, from (8), club s equlbrum rate of ID theft s determned by e = d ηd j. Changng varables and dfferentatng C, club s frst-order condton s uf(1 F)( c + L) uf(1 F) ηβ = k +. (1) e e j Each club sets the margnal beneft of fraud deterrence through PID collecton [LHS(1)] equal to ts margnal cost [RHS (1)], whch s the sum of the hyscal/ntangble cost k and the cost of ncreased vulnerablty to data breaches. est resonses are gven by e = uf(1 F) e j ke + ufηβ j. (13) Snce RHS (13) s strctly ncreasng, the unque soluton for * d s 1 uf(1 F)( c + L ηβ ) d* = (14) 1 η k under the emrcally lausble restrcton (see secton 3.5 above) that c+ L> ηβ. Quantty may be contrasted wth the unque soluton to the lanner s roblem, whch from (11) s * d 15

17 d = 1 uf(1 F)( c + L + β ) 1 η k. (15) Comarng (14) and (15), t follows that d* > d when (1 + r) η( c+ L) >, (16).e., when breach costs are less than the costs to the other club of ncreased ID theft stemmng from the breach c+ L, adjusted for data overla η and resent value. Note that condton (16) becomes ncreasngly lausble as η goes to 1. Ths case of the model offers a classc examle of a negatve roducton externalty: when (16) holds, the dscreancy between rvate and socal costs results n overcollecton of PID n equlbrum. Not surrsngly, overcollecton of data ncreases data breaches relatve to the lanner s allocaton, consstent wth the oular wsdom dscussed n the Introducton. However, from (8), ths dscreancy also lowers the rate of dentty theft ρ, consstent wth clams n the ndustry lterature. Ineffcency of the noncooeratve equlbrum does not stem from too much dentty theft, but nstead from too much data beng collected. Each club would lke to comle less data on ts members (.e., reduce d ) but, gven the actons of the other club, cannot do so wthout encouragng hgh rates of fraud. The sllover arameter η s a key drver of the extent of ths neffcency. Under condton (16), both * d and d are ncreasng n η, but as stolen data becomes ncreasngly useful for ID theft,.e., as η 1, the clubs actng ndeendently requre ever larger multles of the amount of data that a lanner would collect,.e., ( d / d*) 0. 16

18 4. Case : Fxed roortons of sklled and unsklled dentty theves Now consder a slghtly more general case wth fxed roortons of sklled and unsklled dentty theves wthn the oulaton of frauds. Dfferentatng frst-order condton C wth resect to d yelds the ( 1 Φ( s j) ) Φ( s j ) uf(1 F) ( c L) ( c L) d ( d ηd j) 1 Φ( s ) = k+ βηuf(1 F), ( d j ηd) (17) where agan LHS (17) reresents club s margnal beneft of ncreased data collecton (reducton n unsklled and sklled ID theft) and RHS (17) reresents ts cost (hyscal/ntangble cost lus data breach vulnerablty). Fxng Φ ( s ) =Φ ( s ) =Φ, and solvng as above for equlbrum data length d * yelds a unque soluton j ( η ηβ ) 1 uf(1 F) Φ ( c + L)(1 ) + (1 Φ )( c + L ) d* =, (18) 1 η k when c+ L> ηβ. For the lanner s roblem, dfferentatng C wth resect to data length d yelds ( c+ L+ β )( 1 Φ( s) ) d ( 1 η ) ( c+ L) Φ( s) uf(1 F) + = k, (19) d where agan margnal benefts (all nternalzed by the lanner) are dslayed on the left and margnal costs on the rght. Solvng (19) for d when Φ () s =Φ yelds d = 1 1 η ( η β ) uf(1 F) Φ ( c + L)(1 ) + (1 Φ )( c + L + ). (0) k 17

19 Usng (18) and (0), t can agan be shown that d* > d under condton (16). As n case 1, neffcency of the equlbrum allocaton stems from overcomlaton of PID. A noteworthy dfference between case 1 and case, however, s n the quanttatve manfestaton of ths neffcency: equlbrum rates of unsklled and sklled ID theft (from (7) and (8)) are both below those n the lanner s allocaton. Whch means, deendng on the value of Φ, that the rncal effect of the overcollecton of PID may not be a reducton n sklled dentty theft the underlyng source of the neffcency but nstead a reducton n dentty theft by the unsklled. In other words, neffcency of the symmetrc equlbrum erssts, even when a large roorton of dentty theft does not nvolve data breaches. 4.3 Case 3: Endogenous skll thresholds In general, the clubs can lmt the mact of sklled dentty theft through ther choce of data securty,.e., each club mnmzes ts costs C by settng both d and the securty level of ts data, gven by the skll threshold s. Club s frst-order condton n d s gven by (17); ts frst-order condton n s s β uf(1 F) Φ( s ) d ( 1 η ), (1) wth equalty for s > 0,.e., the club ncreases securty as long as ts margnal beneft n terms of reduced breach costs [LHS (1)] exceeds ts margnal cost. Lkewse, from (11), the lanner s frst-order condtons n d and s are gven by (19) and η( c+ L) + β uf(1 F) Φ( s) d ( 1 η ), () 18

20 wth equalty for s > 0. Comarng (1) and (), note that for a gven data length d, the lanner nternalzes the beneft η ( c+ L) of each club s data securty for the other club, whle n equlbrum the ndvdual clubs do not. One ossblty s that nether club ots to secure ts data n equlbrum. Data length d * s then set as n case 1 above. Substtutng (14) nto (1), such an equlbrum exsts f βφ uf(1 F) k c+ L ηβ <, (3).e., f the margnal ayoff to securty (roortonal to the hazard rate φ of the skll dstrbuton) s always below ts margnal cost. Clearly (3) s satsfed for φ > 0 suffcently small. The dscusson n the rest of ths secton focuses on the case where the clubs set a ostve securty level n equlbrum. Suffcent condtons for exstence and unqueness are gven n the followng rooston (roofs are n Aendx ): Prooston 1. A unque symmetrc steady-state equlbrum ( d*, s *) wth ostve securty effort ( s * > 0) exsts when a) the hazard rate φ of the skll dstrbuton s suffcently large; b) the breach cost s less than the other costs of dentty theft, adjustng for resent value,.e., < (1 + r)( c+ L) ; c) nformaton and data securty are suffcently chea (costs Kk,, > 0 are small); d) the clubs dscount rate ( r > 0 ) s suffcently small. Corollary to Prooston 1. Under the same condtons, there exsts a unque soluton to the lanner s roblem ( d, s ) wth s > 0. Solutons for equlbrum and otmal allocatons are more comlcated than n the revous cases (see Aendx ), but can be shown to obey the followng roertes: 19

21 Prooston. Under the condtons of Prooston 1, a) s * ncreases wth data collecton costs k, the hazard rate φ, and wth breach costs as η 1, but decreases wth ID theft costs c and L, securty costs, and the dscount rate r as η 1; b) s ncreases wth k, φ, c, L, and, and decreases wth and r; c) d * ncreases wth c, L,, and r, and decreases wth, k, and φ; d) d ncreases wth c, L,and, decreases wth k and φ; and does vary wth r or. As wth the revous two cases, dsartes between equlbrum and otmal allocatons grow as stolen data become more useful for dentty theft: Prooston 3. Under the condtons of Prooston 1, a) s * and s are ncreasng n η; b) As η 1, s* s < and s, whence s* < s. Prooston 4. Under the condtons of Prooston 1, a) d does not vary wth η, and d * s ncreasng n η as η 1; b) As η 1, d*, whence d* > d. Proostons 3 and 4 offer some nstructve comarsons wth cases 1 and above. As wth the revous cases, as data sllover η ncreases, so does the otental for sklled dentty theft. Although the clubs could resond by better securng ther data aganst breaches, n equlbrum they manly resond by collectng more PID, as n cases 1 and. Unlke cases 1 and, however, the lanner does not try to counter ncreased sllover by collectng more data, but nstead only ncreases data securty. That s, wth endogenous securty, the amount of data col- 0

22 lected d and data securty s functon as substtutes n the reducton of dentty theft, and ths substtuton drves an even sharer wedge between equlbrum and effcent allocatons. The clubs tendency to substtute data for securty also shows u n comarsons of dentty theft rates. These are gven as Prooston 5. Under the condtons of Prooston 1, S a) The rate of sklled dentty theft ρ s greater n the symmetrc equlbrum than for the lanner s allocaton; b) As η 1, the rate of unsklled dentty theft than for the lanner s allocaton; U ρ s less n the symmetrc equlbrum c) For / k bounded, as η 1 the total rate of dentty theft ρ s less n the symmetrc equlbrum than for the lanner s allocaton. Prooston 5(c) shows that, as under cases 1 and, neffcency of the equlbrum may agan be consstent wth low rates of fraud. Identty theft rates are lower n the symmetrc equlbrum than n the lanner s allocaton as η 1. However, Proostons 5(a) and 5(b) show that, n contrast to the revous cases, suresson of fraud s not unform but s concentrated n the unsklled mode of dentty theft. Thus, wth endogenous data securty, aarent success n combatng unsklled dentty theft can be a symtom of falure to deter ts sklled counterart. 5. Attanng effcency Ths secton consders three tyes of olces that have been roosed as remedes for neffcences stemmng from data breaches: (1) reallocatons of the costs of data breaches through the legal system; () mandatng mroved data securty; and (3) regulatory lmts on the amount of PID collected. The frst aroach would ncrease each network s cvl lablty for a data breach,.e., n- 1

23 crease each network s breach costs to = + π, where π > 0 reresents the network s lablty. 3 In the smlfed cases 4.1 and 4. above, effcency can be restored by choosng a level of lablty that causes each club to nternalze the full costs of ts data collecton,.e., by settng π = π* (1 + r)( c+ L) ( / η), (4) Note that f n (18) s relaced wth = + π *, then t follows from (0) that d* = d. Also note that club s lablty for a data breach π * s bounded by the actual loss or economc loss suffered by club j,.e., (1 + r)( c+ L), whch reresents the ractcal lmt of lablty under the U.S. and Canadan legal systems (Chandler 008). A olcy of ncreasng lablty for a data breach may not fare as well n case 4.3 wth endogenous securty. When securty effort s ostve, t can be shown that mosng any lablty u to π * mroves welfare (see Aendx C), but ths tye of olcy cannot smultaneously correct ncentves n d and s, and so does not restore effcency. Intutvely, such a olcy undercorrects securty ncentves, causng the networks to contnue to overcollect ersonal data. The second regulatory aroach, whch has been emhaszed n the U.S., s to mandate mnmum standards for data securty, whle allowng for rvate determnaton of how much PID should be collected. 4 In addton to the obvous beneft of reducng the revalence of data breaches, the model redcts that mroved securty also lessens ncentves to collect PID. The otmal regulatory choce of securty level cannot be exressed n closed form, but n numercal examles (see Table 1 below) t closely aroxmates the lanner s level of securty s. 3 In ractce t can be dffcult to enforce lablty due to contractng lmtatons and uncertanty concernng the source of the stolen data (Schreft 007 and Chandler 008). The analyss here abstracts from such constrants. 4 See Ketel (008) for a dscusson of alcable U.S. laws and regulatons.

24 The thrd aroach seeks to mrove ncentves by lmtng the amount of data collected, whle allowng the networks to choose ther levels of securty. 5 It can be shown (see Aendx C) that the otmal lmt on data collected corresonds to the level of data d that the lanner would collect. Through the substtuton effect outlned above, ths also ncreases the clubs ncentves to kee ther data secure. To better gauge the effcacy of the varous regulatory aroaches, allocatons were comuted numercally. Table 1 below dslays some tycal results. Parameter values for the examle are c+ L= 10; = 1; β = 0.9; φ = 0.5; η = 0.9; k = 0.5; = 0.1. These arameter values satsfy the condtons for Proostons 1-5. They allow for consderable data sllover ( 0.9 η = ) and lace a hgh value on rvacy of PID (( k / ) = 5). reach costs are small relatve to the other drect costs of dentty theft c+ L, reflectng the cost fgures cted n Secton 3.5. To facltate comarsons, the normalzatons K = 0 and uf(1 F) = 1 are adoted. Columns 1 and of the Table gve the numercal values of the allocaton ( ds, ) n each case; columns 3, 4, and 5 dslay the rates of unsklled, sklled, and total dentty theft. 6 Allocatons are welfare ranked accordng to the lanner s objectve <Insert Table 1 here> C, dslayed n column 6. Allocatons 1 and n the Table llustrate the comarsons stated n Proostons 3, 4, and 5. In symmetrc equlbrum, the networks collect over four tmes as much data as n the effcent allocaton, but sklled dentty theft rses because securty effort s also reduced. Unsklled den- 5 Ths regulatory aroach has not been emhaszed n the U.S. However, an examle of ths tye of olcy can be found n the Euroean Unon Prvacy Drectve, whch restrcts the collecton of some tyes of ersonal data. 6 Snce uf(1-f) s normalzed to one n the examles, the dentty theft rates n column 4 of Table 1 do not reresent gross dentty theft rates, but nstead reresent the roorton of frauds who are successful at mersonaton. 3

25 tty theft s suressed n the symmetrc equlbrum, but the welfare cost of ths suresson s hgh snce so much data s collected. Imosng lablty π * for data breaches (Allocaton 3) ncreases securty effort and reduces sklled dentty theft, but does not fully correct ncentves. etter results are obtaned by constranng securty to the effcent level (Allocaton 4), whch essentally relcates the lanner s allocaton. Note, however, that ths allocaton requres almost comlete eradcaton of data breaches. An aarently less strngent (though, n the U.S., least aled n ractce) olcy of constranng PID to the level referred by the lanner (Allocaton 5) does almost as well n welfare terms. Inevtably, there s no free lunch: Allocaton 5 has the hghest dentty theft rate of any of the allocatons studed. 6. Relatonsh to the Lterature The above analyss bulds on models of exchange n search-theoretc envronments. Many aers n ths lterature examne fraudulent transactons, ncludng counterfetng (Green and Weber 1996; Kultt 1996; Monnet 005; Wllamson 00; Nosal and Wallace 006; Cavalcant and Nosal 007) and varous other tyes of fraud (Kahn et al. 005, Camera and L 008, Kahn and Roberds 008). What s new here s the consderaton of an emrcally sgnfcant tye of transactons fraud stemmng from the theft of dentfyng data. The framework resented also draws on the lterature on the economcs of nformaton securty (Anderson and Moore 006). Varan (004) resents a game-theoretc model n whch system relablty (e.g., deterrence of dentty theft) s modeled as a ublc good wthn a network of agents. Varan s model s extended by Grossklags et al. (008) to allow for ndvdual nsurance (e.g., securty effort) aganst system falures. The envronment above s smlar to these models n the sense that knowledge of PID functons as a club good wthn each transactons network, sulyng a network-wde level of 4

26 securty aganst fraud. However, the focus here s on otental negatve sllovers across networks: rovson of the same good (data) that suresses dentty theft for one club ncreases the lkelhood of dentty theft for the other. Effcent management of ersonal data strkes a balance between wthn-club benefts and cross-club costs. 7. Concluson Ths aer has resented a model n whch dentty theft arses endogenously and the concet of effcent confdentalty for ersonal dentfyng nformaton (PID) has meanng. An allocaton rovdes effcent confdentalty f the amount of PID shared for dentty verfcaton and the securty of that data allow grous of agents to engage n benefcal transactons at mnmal cost. Consstent wth the oular wsdom, neffcences can arse due to sllovers from one grou of agents decsons along these dmensons to another s. Ineffcent outcomes are comatble wth emrcal atterns of dentty theft that are emhaszed n ndustry dscussons. Interventons such as regulaton of securty ractces can mrove welfare, but the multdmensonal nature of the securty roblem means that attanng effcency may be roblematc. These results have been develoed n the context of a artcular methodology, one that abstracts from many of the comlextes of modern nsttutons. However, the basc dea behnd ths aroach that the comlaton, exchange, and storage of PID, deste ts rsks and costs, can enable otherwse nfeasble ntertemoral exchanges of goods can be generalzed and should rovde metus for further research. 5

27 Table 1: Numercal comarson of allocatons 1. Planner s allocaton. Symmetrc equlbrum 3. Lablty π * for data breaches 4. Regulated securty 5. Regulated data collecton 1. PID collected d. Securty level s 3. Unsklled ID theft 100* ρ U 4. Sklled ID theft 100* ρ S 5. Total ID theft 100* ρ 6. Steadystate costs C

28 References Anderson, K.., E. Durbn, and M.A. Salnger, 008. Identty Theft, Journal of Economc Persectves, Anderson, R. and T. Moore, 006. The Economcs of Informaton Securty, Scence 314, ank for Internatonal Settlements, Commttee on Payment and Settlement Systems, 008. Statstcs on Payment and Settlement Systems n Selected Countres. ank for Internatonal Settlements, asel. oyd, J.H. and E.C. Prescott, Dynamc Coaltons: Engnes of Growth, Amercan Economc Assocaton Paers and Proceedngs, Camera, G. and Y. L, 008. Another Examle of a Credt System that Co-exsts wth Money. Journal of Money, Credt, and ankng 40: Cavalcant, R. and E. Nosal, 007. Counterfetng as Prvate Money n Mechansm Desgn. Workng aer, Federal Reserve ank of Cleveland. Caruso, D., 007, Securng very mortant data: Your own, New York Tmes, October 7. Chandler, J.A., 008. Neglgence Lablty for reaches of Data Securty, ankng and Fnance Law Revew 3: Cheney, J., 004. Identty Theft: Where Do We Go From Here? Payment Cards Center Conference Center, Federal Reserve ank of Phladelha. Coggeshall, Stehen, 007. ID Theft Knows No oundares, ecommerce Tmes, Arl 13, Dow Jones and Comany Inc., 008a, New ayment card data mantra s Don t need t, don t store t, Wall Street Journal, Setember 16. Dow Jones and Comany Inc., 008b. Data breaches surass 007 level, but busnesses rarely are enalzed, Wall Street Journal, Setember 9. Douglas, D.D., 008. Merchant Lablty for Payment Card Securty reaches, Electronc ankng Law & Commerce Reort 13, 1-7. Exeran, 006. PrecseID: An ntegrated aroach to the world of dentty rsk management. Avalable onlne at Gordon, G.R., D.J. Rebovch, K.-S. Choo, and J.. Gordon, 007. Identty Fraud Trends and Patterns: uldng a Data-ased Foundaton for Proactve Enforcement. Workng Paer, Center for Identty Management and Informaton Protecton, Utca College. 7

29 Green, E. J. and W. Weber, Wll the New $100 ll Decrease Counterfetng? Federal Reserve ank of Mnneaols Quarterly Revew 0(3), Greene, M.N., 009. Dvded we fall: Fghtng ayments fraud together, Federal Reserve ank of Chcago Economc Persectves 1 st Quarter, Grossklags, J., N. Chrstn, and J. Chuang, 008. Securty nvestment (falures) n fve economc envronments: A comarson of homogeneous and heterogeneous user agents. Accessed onlne at wes008.econnfosec.org/aers/grossklags.df. Javeln Research, Identty Fraud Survey Reort. Avalable onlne at Kahn, C. M., J. McAndrews, and W. Roberds, 005. Money s Prvacy, Internatonal Economc Revew 46, Kahn, C. M. and W. Roberds, 008. Credt and Identty Theft, Journal of Monetary Economcs 55, Ketel, P., 008. Legslatve Resonses to Data reaches and Informaton Securty Falures. Payment Card Center Dscusson Paer,, Federal Reserve ank of Phladelha. Krshbaum, M.D., 006. Protectng Aganst Fraud n the Next TechAde. Avalable onlne at Kyotak, N. and Wrght, R., On Money as a Medum of Exchange, Journal of Poltcal Economy 97, Kocherlakota, N. R., Money s Memory, Journal of Economc Theory 81, Kultt, K., A Monetary Economy wth Counterfetng, Journal of Economcs 63, LoPuck, L., 001. Human Identfcaton Theory and the Identty Theft Problem, Texas Law Revew 80, LoPuck, L., 003. Dd Prvacy Cause Identty Theft? Hastngs Law Journal 54, Martn, A., M. Orlando, and D. Skee, 008. Payment Networks n a Search Model of Money, Revew of Economc Dynamcs 11, McGrath, J.C. and Ann Kjos, 006. Informaton Securty, Data reaches, and Protectng Cardholder Informaton: Facng u to the Challenges. Payment Cards Center Conference Summary, Federal Reserve ank of Phladelha. Monnet, C., 005. Counterfetng and nflaton, workng aer, Euroean Central ank. Monnet, C. and W. Roberds, 008. Otmal Prcng of Payments Servces, Journal of Monetary Economcs 55,

30 Nosal, E. and N. Wallace, 006. A Model of the (Threat of) Counterfetng, Journal of Monetary Economcs 54, Ponemon Insttute, LLC, Annual Study: Cost of a Data reach. Avalable onlne at Schreft, S. L., 007. Rsks of Identty Theft: Can the Market Protect the Payment System? Federal Reserve ank of Kansas Cty Economc Revew (Fourth Quarter), Solove, D., 003. Identty Theft, Prvacy, and the Archtecture of Vulnerablty, Hastngs Law Journal 54, Solove, D., 004. The New Vulnerablty: Data Securty and Personal Informaton, Workng Paer, George Washngton Unversty Law School. Swartz, Jon, and yron Acohdo, 007. Who s guardng your data n the cybervault? Choce- Pont redeemed tself but not all brokers as careful, USA Today, Arl. Swre, P. P., 003. Effcent Confdentalty for Prvacy, Securty and Confdental usness Informaton, rookngs-wharton Paers on Fnancal Servces, Synovate, 007. Federal Trade Commsson 006 Identty Theft Reort. Avalable onlne at Varan, H., Markets for Informaton Goods. Avalable onlne at eole.school.berkeley.edu/~hal/paers/jaan/. Varan, H., 004. System Relablty and Free Rdng. Avalable onlne at eole.school.berkeley.edu/~hal/paers/004/relablty. Unted States Government Accountablty Offce, 007. Personal Informaton: Data reaches Are Frequent, but Evdence of Resultng Identty Theft s Lmted; However, the Full Extent s Unknown. Reort GAO Wllamson, S.D., 00. Prvate Money and Counterfetng, Federal Reserve ank of Rchmond Economc Quarterly 88(3),

31 Aendces Aendx A. Transactons n the model ackground uyers and sellers are matched accordng to a smle search rocess. The search secfcaton s smlar to that emloyed n standard frst-generaton search models (Kyotak and Wrght 1989), but dffers slghtly n that t forces every ossble tye of match to occur wthn a fnte tme nterval. Ths feature s convenent for the analyss above because t searates fraud rsk (the rsk that an agent engages n a transacton wth no ntent to reay, whch s the focus of the aer) as oosed to credt rsk (the rsk that a known agent cannot reay). Under the matchng secfcaton descrbed below, an agent s fraudulent ntent s always revealed, once a certan amount of tme has assed. Agents decson roblems can then be reduced to a sequence of statc decson roblems, whch reduces model comlexty. It s clear from credt ndustry dscussons (e.g., Exeran 006 and Greene 009) that the searaton of fraud and credt rsk reresents an abstracton. In ractce, there s always some overla of these tyes of rsk. Consder the case where a erson ales for a credt card, receves the card, uses the card to make urchases, and then never makes a ayment on the bll. ecause the cardholder s ncome, dentty, and nclnaton towards fraudulent actvty are not erfectly known to the card ssuer, t s not always clear whether such a loss should be classfed as a fraud loss or a credt loss. A cardholder may fraudulently clam to have been defrauded as a way of evadng credt lmts, further confoundng credt and fraud rsk. Nonetheless, t s customary wthn the credt ndustry to concetually (and statstcally) searate these two tyes of rsk. A 30

32 consumer who ales for a credt card, for examle, may be assgned an dentty rsk score as well as the more famlar credt score. Matchng secfcaton Agents n the model are matched accordng to ther tyes. It s convenent to thnk of an agent s tye as hs locaton, although the model does not rely on geograhy. Wthn each grou G, tyes are dstrbuted unformly over the unt nterval. There s a unt measure of agents of each tye. Legtmate agents resde only on a measurable subset of locatons Ω and frauds resde at locatons c c Ω, where ( ) μ Ω = F. At the end of each dscrete erod, a randomly selected subset of tyes vansh and are relaced wth agents of the same tye. The robablty of relacement s β for both frauds and legtmate agents. Agents wthn each grou wsh to consume the goods roduced by all other tyes of agents of the same grou. Tme begns at date t = 0. Durng the ntal nterval t [0,1), nondurable goods of tye y, y [0,1), are avalable for urchase and consumton at tme y, when each tye-y agent can suly a unt measure of good y. Intutvely, otental consumers of tye y y journey to locaton y to urchase and consume good y. Ths rocess s reeated durng subsequent unt ntervals;.e., at any tme 0 t, goods of tye yt () t t and consumton, where t denotes the nteger art of t. are avalable for urchase Over all tmes t 0, roducton wthn grou moses an nstantaneous dsutlty of ( () ) mcδ y t y dt on tye-y agents, where c > 0, δ s Drac s delta functon, and m s the measure of goods each agent sules. For tye- y agents, where y y, tme t consumton of one unt of a tye-y good yelds nstantaneous utlty udt, where u > c> 0. At each tme t, otental 31

33 consumers of tye y yt ( ) are randomly matched wth one (and only one) roducer wthn the same grou of tye y( t ), wth..d. matchng over tme, so that all transactons are between agents wthout any revous contact. Trade among agents wthn a grou s facltated by a central authorty (or court ) wth three lmted and secfc owers. Frst, the central authorty can observe an agent s actons as a roducer (.e., whether an agent has suled goods durng a tme nterval [0,1), [1,), ). Second, at dscrete dates n = 0,1,,, the court can ublcly announce the observed acton. Thrd, the court can, when makng ths announcement, mose a nonecunary enalty of X > 0 utls on an agent who has refused to suly a good, rovded that the agent can be dentfed. Sustanng exchange wth costless dentfcaton As descrbed above, agents n each grou form a transactons club. Club membersh enttles the agent to a (flow) unt of a consumton good from any other club member n return for agreeng to rovde hs own tye of good to other club members, at some ont durng each unt nterval of tme. At subsequent dscrete dates n = 1,,, the center ublcly announces the default of any club members who have not suled goods and moses enalty on nonroducers (a enalty of X utls) who are then excluded from the club. Membersh n each club subsequently s oened to newborn agents. Suose that all legtmate agents of grou and tye y y decde to jon club, and that frauds do not. For a legtmate agent of tye y [0,1) n grou, the value of club membersh durng the nterval t [ n, n+ 1) s gven by ( δ ) u mc ( y y ) dy = u(1 F) mc (5) y Ω 3

34 for n = 0,1,,. Market clearng requres m= 1 F. Hence, from (5), f all legtmate agents of grou jon club, then the steady-state value of club membersh s gven as V n equaton (1). Ongong membersh n the club requres that a tye-y agent be wllng to suly a unt measure of goods at tme n+ y. Ths requres that the dsutlty of roducng goods, combned wth the dsutlty of the enalty X, be less than the value of contnued club membersh,.e., whch s the same as c X V, (6) (1 F + r) c (1 F) u+ rx. (7) Under condton (7), no legtmate agent who has joned a club ever has an ncentve to defect. If, n addton, no fraud ever has an ncentve to jon the club. Snce c u < X (8) < u, (7) s mled by (8). It follows that under (8), an equlbrum exsts n whch all legtmate agents jon the transactons club formed by agents n ther grou, and all frauds reman outsde the club. Sustanng exchange wth costly dentfcaton When dentfcaton of agents s costly the steady-state value of a legtmate agent s membersh n club s gven by exchange to occur through the clubs. f f V n (10). In ths case, V must satsfy three condtons for 1. Indvdual ratonalty: a legtmate agent refers jonng a club to autarky. Ths requres 0 ; (9) f V. No defecton: legtmate agents n each club have an ncentve to roduce goods for other club members. Ths requres 33

35 Note that under (8), (30) s redundant gven (9). f c X V ; (30) 3. No excluson: a club has an ncentve to admt new generatons of members. Ths requres f V V, (31) where V s the value of mantanng the club wthout admttng new members,.e., ( u c)(1 F) n + rv= u c F β =. (3) n= 0 1 β (1 ) ( )(1 ) A steady-state allocaton s ncentve comatble f (9) and (31) are satsfed for both clubs. 34

36 Aendx : Proofs of Proostons 1-5 Proof of Prooston 1. The roof roceeds n four stes. Frst, we show that any soluton ( ds, ) to frst-order condtons (17) and (1) at equalty reresents a locally otmal and unque resonse by each club when the other club lays ( ds., ) Second, we frst show that under the hyotheses of the Prooston, there s only one such soluton ( d*, s *). Thrd, we verfy that there s no equlbrum wth s = 0. Fourth, we show that ( d*, s *) s ncentve comatble. Ste 1. Frst-order condtons for club s roblem are gven n (17) and (1). Secondorder condtons are gven by ( j ) Φ ( s )( ) 1 ( )( ) j c+ L Φ s c+ L + > 0, d ( d ηd ) 3 3 j ( j ) β Φ ( s ) < 0, d ηd j Φ ( s )( ) 1 ( ( ) j c+ L Φ s c+ L βφ ( s) βφ ( s) < d ( d ηd j) ( d j ηd) ( d j ηd) (33) (34) (35) Condtons (33) and (34) are readly seen to hold when ( d, s ) = ( d, s ). Suffcent condtons j j for (35) to hold are symmetry and β < ( c+ L), whch s mled by β < c+ L. Ste. Rewrte (1) at equalty as β φ( Φ ) ( 1 η ) uf(1 F) 1 ( s) d = D() s. (36) Substtutng (36) nto (17), mosng symmetry, and rearrangng gves the followng quadratc equaton Qz A z+ Az+ Az =, (37) ( ) 0(1 )

37 where z = 1 Φ ( s) and A0 = c+ L, (38) c+ L β η A1 =, (39) (1 η) βφ A = kuf(1 F). (40) (1 η) From the above, Q(0) = A0 > 0 and Q(1) = A1+ A < 0 for φ suffcently large. Qz ( ) therefore has a unque root z* (0,1) ; n artcular, z * = βφ c+ L βη (1 η) ( c+ L) + ( c+ L βη (1 η) ( c+ L) ) + 4( c+ L) kuf(1 F) βφ kuf(1 F). (41) Now defne ( ( 1 ) 1 ) ( d*, s*) = D Φ (1 z*), Φ (1 z*). (4) y constructon, ( d*, s *) satsfes (17) and (1) under symmetry, and s * > 0. Ste 3. From the dscusson n the text, there can be no equlbrum wth s = 0 f (3) s volated, whch occurs for φ > 0 suffcently large. Ste 4. To show ncentve comatblty, suose ntally that F = 0 f, so that V Then the ndvdual-ratonalty and no-excluson condtons are clearly satsfed wth strct nequalty for β suffcently close to unty. Now, for F > 0, let K, k, and aroach zero; more secfcally let ( Kk,, ) < θ where θ > 0 and s the su norm. Then t can be shown that as 1/ θ 0, d * and s * as defned n (4) are bounded by θ and lnθ, resectvely. Ths, n = V turn, mles that f V V as θ 0, as fraud rates and all costs of fraud deterrence are drven to 36

38 zero. Hence, by contnuty, ncentve comatblty must hold for Kk,, and all ostve and suffcently small. Proof of the Corollary to Prooston 1. egn by solvng for ( d, s ). Rewrte frst-order condton () as ( η β ) φ( ) ( 1 η ) uf(1 F) ( c + L) + 1 Φ( s) d = D() s. (43) Substtutng (43) nto condton (19) and rearrangng gves the followng quadratc equaton Qz A z+ Az+ Az =, (44) ( ) 0(1 ) 1 0 where z = 1 Φ ( s) and A0 = c+ L, (45) c+ L+ β A1 =, (46) 1 η ( ( c+ L) + ) A = kuf(1 F) φη β. (47) (1 η) Proceedng as n the roof of the Prooston, Qz ( ) has a unque root z n (0,1) for φ suffcently large. In artcular, z = z φ (1 η) ( c+ L) kuf(1 F) = φ kuf(1 F) ( η( c + L) + β) The lanner s allocaton s then gven as ( ) 1 1 ( ) ( d, s ) = D Φ (1 z ), Φ (1 z ). Second-order condtons for the lanner s roblem are gven by. (48) 37

39 ( ) ( c+ L) Φ ( s) ( c+ L+ β ) 1 Φ( s) 0, > d d (1 η) c+ L c+ L+ + Φ () s > 0, d d(1 η) ( η( c+ L) + ) ( Φ ( s) ) ( ) ( η ) (1 η)( c+ L) Φ ( s) + ( c+ L+ ) 1 Φ( s) ( c L) ( s) Φ + d (1 η) 4 d (1 η) < 0, (49) (50) (51) whch can be shown to hold for all ostve d and s and hence for ( d, s ). Proof of Prooston. (Sketch). Solutons for d * and d are gven n (59) and (60), resectvely; solutons for s * and s are gven as φ 1 ln(41) and φ 1 ln(48). The Prooston follows from straghtforward dfferentaton of these exressons. Proof of Prooston 3. Part (a). From (41) and (48), both z * and z are clearly decreasng n η, so skll thresholds s * and s must be ncreasng n η. Part (b). From (41) and (48), as η 1, z 0 whle z * converges to βφ c+ L β+ ( c+ L β) + 4( c+ L) kuf(1 F) z > 0. βφ kuf(1 F) (5) Hence, as η 1, 1 s* s =Φ (1 z) whle s dverges. 38

40 Proof of Prooston 4. To analyze d and d *, we frst derve closed-form exressons for these quanttes. To solve for d *, nvert Ds ( ) n (36) and substtute nto frst-order condton (17) to obtan the followng condton n d: Rd = R+ Rd+ Rd =, (53) ( ) where R0 = uf(1 F)( c + L), (54) ( c+ L βη) (1 η) ( c+ L) R1 = βφ(1 η), (55) R = k (56). Smlarly, to solve for condton (19) to obtan the condton d, nvert Ds () n (43) and substtute nto the lanner s frst-order Rd = R+ Rd+ Rd =, (57) ( ) where R0 = R0, R = R, and R 1 =. (58) φ Evdently, d * and d may be exressed as (ostve) roots of R( d ) and R( d ), resectvely. In artcular, d * s gven by 39

41 ( k(1 η) ) 1 ( c+ L βη) (1 η) ( c+ L) + φ β ( c+ L βη) (1 η) ( c+ L) φ β + 4 kuf(1 F)( c + L)(1 η), (59) and 1 d ( k) = kuf(1 F)( c+ L). φ φ (60) Part (a). From (60), d does not deend on η. From (59), d * grows as ( (1 )) 1 ( c L d + β η k η ) =, (61) φ β as η 1, whch s ncreasng n η for c+ L> β. Part (b). From (61), d as η 1, whence d * also dverges. Proof of Prooston 5. (The calculatons n ths secton smlfy notaton by settng uf(1 F) = 1.) Part (a). From frst-order condton (1), the rate of sklled dentty theft n the symmetrc equlbrum s ( 1 Φ( s*) ) 1 Φ( s*) = =. (6) d*(1 η) βφ ( s*) βφ Smlarly, the rate of sklled dentty theft n the lanner s allocaton can be calculated usng (): 1 Φ( s ) =. (63) d (1 η) φη( c+ L) + β [ ] 40

42 Comarng (6) and (63), sklled dentty theft must be lower under the lanner s allocaton. Part (b). The rate of unsklled dentty theft n the symmetrc equlbrum s gven by Φ (*)/ s d*. From the Proostons 3 and 4, Φ(*) s Φ ( s) > 0and d* as η 1, mlyng that unsklled dentty theft s drven to zero as η 1. The rate of unsklled dentty theft under the golden-rule allocaton s gven by Φ ( s )/ d. From the roof of the Corollary to Prooston 1, Φ( ) 1 as η 1 but ostve and does not deend on η. Hence the rate of unsklled dentty theft converges to 1/ d > 0 as η 1. ff s d s Part (c). The calculatons n arts (a) and (b) show that, as η 1, ρ( d*, s*) < ρ( d, s ) 1 < +. φβ d φ( c+ L+ β ) (64) Substtutng for d from the roof of the Corollary to Prooston 1, nequalty (64) reduces to φ + + 4( c+ L) kφ c+ L >, k β ( c+ L+ ) (65) whch must hold for / k bounded and k, > 0 suffcently small. 41

43 Aendx C. Polcy analyss (The calculatons n ths secton smlfy notaton by settng uf(1 F) = 1.) 1. Imosng lablty for a breach Suose that enalty π π * s n effect. Then n symmetrc equlbrum, the clubs choose data length d π, gven by (59) where = + π relaces, and securty level s π, gven by φ 1 ln [RHS(41)], where agan relaces. From Prooston, d π < 0 and s π > 0 for η suffcently close to one, hence d < π d* and s > s*. π Usng the Chan Rule, dc C C dπ d s = d π + s π (66) where ( β )( 1 ( )) ( 1 η ) C ( c+ L) Φ( s) c+ L+ Φ s = k + d d d, (67) C η( c+ L) + β = Φ () s s d( 1 η ). (68) (cf. the lanner s frst-order condtons (19) and ()). ut n equlbrum, d π and s π must satsfy frst-order condtons (17) and (1) where s relaced wth, from whch t can be shown that C d C 0and < 0 s (69) for ( ds, ) = ( d, s). Snce d π < 0 and s π > 0, t follows from (66) that dc / dπ < 0. π π 4

44 . Analyss of the regulator s roblem when the regulator only sets skll thresholds s As n the roof of Prooston 1, let z = 1 Φ ( s). The roblem of a regulator who only chooses s s equvalent to the followng: mnmze steady-state fraud costs.e., mnmze C over z (0,1), ( c+ L)(1 z) ( c+ L+ β ) z + + kd ln z, d d(1 η) φ (70) subject to the clubs frst-order condton (18), whch we wrte as d = G( z) where 1 1 Gz ( ) = ( c+ L)(1 η) (1 z) + ( c+ L βηz ). (1 η) k (71) Ths regulator s roblem may be comared to the lanner s roblem, whch s equvalent to mnmzng (70) over z (0,1) subject to (0), whch we wrte as d = P( z) where 1 Pz ( ) = [( c+ L)(1 η)(1 z) + ( c+ L+ βz ) ] 1. (1 η) k (7) Substtutng (71) nto (70) and smlfyng, the regulator s roblem s to mnmze ( Pz ( )) k + kg( z) ln z. (73) Gz ( ) φ Ths contrasts wth the lanner s roblem, whch, substtutng (7) nto (70), smlfes to the followng: mnmze ( Pz ( )) k + kp( z) lnz = kp( z) ln z. Pz ( ) φ φ (74) The frst-order condton for the regulator s roblem s Pz ( ) k P( z) P ( z) + G ( z) 1 = 0, Gz ( ) φz (75) whch after some manulaton can be wrtten as 43

45 (( c L) η( η) βη) η( c+ L) + β 3 + z ( G ( z )) = z ( G ( z )) ( P ( z )). 1 η φ (1 η) (76) Squarng both sdes of (76) to elmnate radcals, a soluton to the regulator s roblem requres fndng the roots of a ffth degree olynomal, a roblem for whch there s no general analytcal soluton. Hence ths roblem s analyzed numercally. 3. Analyss of the regulator s roblem when the regulator only sets data length d A regulator who can only determne data length sets d to mnmze C subject to the clubs frst-order condton n s, whch n symmetrc equlbrum s gven by (1). Usng (1) and mosng symmetry, we can elmnate s and smlfy the regulator s roblem to the followng: choose d to mnmze c+ L C = kd ln d + +< constant terms>, (77) φ d whch has soluton dc = d. Evaluatng (1) at d = d and comarng to (), t follows that s s < must hold n the regulated equlbrum. From (1) and the fact that d < d* (Prooston 4) as η 1, t follows that s > s*. Hence, n the regulated equlbrum, securty effort s s ntermedate between the securty effort of the (unregulated) symmetrc equlbrum s * and the securty effort chosen by the lanner s. 44

46 Aendx D: Extenson wth endogenous network sze An alternatve method for controllng data breaches s to allow for the sharng of data resdng n the databases of the two searate clubs (networks). In the model, sharng data across clubs elmnates the ncentve for data breaches because any stolen dentfyng nformaton dulcates exstng nformaton and s automatcally revealed as fraudulent. Exchangng data across clubs can thus be benefcal even though agents n each club never nteract n commerce wth agents of the other grou. In rncle, data sharng could be mlemented n a number of ways. LoPuck (001) rooses the creaton of a government agency that would manage a consoldated database of PID. Incluson n the database would be otonal. Ths aendx consders an alternatve channel for data sharng, whch s the voluntary reference of agents n the two grous to share data across grous. Ths s done by a slght generalzaton of the envronment studed above. In ths generalzed envronment, agents have the oton of transactng through a sngle club or dual clubs (one for each grou of agents). The two grous of agents may be of dfferent sze,.e., let μ( ) = μ and μ( ) = μ. If all legtmate agents decde to form a sngle club, no G A A G data breaches occur n equlbrum, so the club smly comles data of length d on all ts members to maxmze the average er-cata net beneft of legtmate club membersh. That s, the sngle club chooses d to maxmze (cf. exresson (10)) 1 Vs = r uf A (1 F) uf (1 F) ( u c)(1 F) (1 β) K kd μa ( ca+ L) μ ( c + L), d d (78) where the underlnes ndcate average values,.e., u = μaua + μu etc. Let d s denote the choce of data length that maxmzes (78), and let V As, ( V, s ) denote the steady-state value of legtmate 45

47 club membersh for agents of grou G A ( G ) when PID of length d s s collected. A steadystate equlbrum wth a sngle club exsts when the followng ncentve constrants (analogous to (9), (30), and (31)) are satsfed 1. Indvdual ratonalty, 0 Vs, for = GA, G;. No defecton, c X V, for = G, G ; s A s A 3. No excluson, V V, for = G, G, where V s the value of mantanng the club wthout admttng new members. If, as n Secton 3 above, agents references are symmetrc across grous, t s mmedate that an equlbrum wth a sngle club exsts whenever a symmetrc steady-state equlbrum exsts. Moreover, the sngle-club equlbrum domnates the dual-club equlbrum. For any value of d chosen by the dual clubs, the sngle club can do better wth ths same data because the sngle club s database rovdes a greater beneft n terms of fraud reducton (all frauds must now attemt the more costly unsklled dentty theft) at a lower cost (snce the sngle club ncurs no costs of securng data aganst breaches and no breach costs). In the absence of unanmty, however, conflcts of nterest can arse as to the amount of data the sngle club should comle and retan. Suffcent heterogenety n references can lmt otental effcency gans achevable through voluntary consoldaton of data. To demonstrate ths ont, consder the followng arameterzaton of the model. Suose that the er-unt hyscal cost of comlng and storng data s neglgble, so that the cost arameter k essentally reflects ntangble costs assocated wth the loss of rvacy. Agents n the two grous have dentcal references, excet that agents n grou stored ersonal data ( k A G A and G G A are ndfferent to the rvacy of ther = ε, where ε > 0 s arbtrarly small), whle agents n grou G lace a 46

48 hgher value on confdentalty ( k > k A ). The two grous are of unequal sze: grou A G has unt measure as before, whle grou G has measure μ = μ > 0. Suose that agents n the two grous decde to form a sngle club. The otmal data length for the sngle club s gven by (cf. equaton (15)) d s uf(1 F)( c + L) =, (79) k and from (78), the equlbrum er-cata net beneft of club membersh for an agent of grou s for = G, G. 1 k uf(1 F)( c+ L) Vs, = ( u c)(1 F) (1 β ) K k+ r 1 μ, (80) + k A Now suose each grou decdes to form ts own club. In ths case, agents n grou A are wllng to surrender vrtually lmtless amounts of ersonal nformaton to club G A, whch effectvely recludes the ossblty of fraudulent entry nto ther club. Once assembled, however, club club G A s database s subject to data breaches commtted by sklled frauds seekng access to G. Thus, wth dual clubs, club to maxmze G A chooses A d arbtrarly large as ka 0 and chooses s A 1 VAd, = ( u c)(1 F) (1 β ) K sa μf( 1 Φ( sa) ) β r. (81) Dfferentatng (81), for suffcently large φ, the otmal skll threshold for club ( ) G A s gven by s = φ 1 ln ( μfβφ) /, (8) A whch mles that, wth dual clubs, the equlbrum net beneft of membersh n club G A s 47

49 * 1 VAd, = ( u c)(1 F) (1 β ) K ln + 1. (83) r φ μfφ ecause the PID stored n club A s database s so extensve, club rate of sklled dentty theft: any amount of data d that club stolen from club G A wth suffcent skll. Knowng ths, club G cannot control ts G mght requre for entry can be G chooses a data length d that balances the benefts of reduced unsklled dentty fraud aganst the costs assocated wth the loss of rvacy. Ths data does not need to be well secured because data stolen from club G s database s nsuffcent to gan access to club club G. Hence, wth dual clubs, club G A ; that s, n the lmt there are no breach costs for G s roblem reduces to choosng d to maxmze ( u c)(1 F) 1 Vd, = uf(1 F) r (1 β ) K kd ( c+ L) F( 1 Φ ( sa) )( c+ L) d. (84) Dfferentatng (84) and solvng yelds d uf(1 F)( c + L) =. (85) k Usng (8) and (85), the equlbrum er-cata net beneft of membersh n club of dual clubs can be exressed as G n the case V * d, 1 = r c+ L ( u c)(1 F) (1 β ) K kuf(1 F)( c+ L). φ F (86) For ths arameterzaton, the comarson between the sngle club and dual clubs s stated n the followng: 48

50 Prooston 6. Suose that grous G A and G have heterogeneous references over the rvacy of stored data ( k b > k arbtrarly small) and that the measure of each grou s a μ = 1> μ > 0. Then for φ suffcently large and Kk,,, μ > 0 suffcently small, A a) A steady-state equlbrum exsts for both the sngle club and dual clubs; b) Legtmate agents n both grous are better off under dual clubs than under the sngle club. Proof. The roof of Part (a) follows that of Prooston 1. To show Part (b), let / φ 0. Then, comarng (80) and (83), V > V for μ > 0 suffcently small. Comarng (80) and (86), * Ad, As, V > V under the same condtons. * d, s, Intutvely, Prooston 6 says that, gven suffcent heterogenety, agents may refer to tolerate a certan amount of data theft, as occurs under dual clubs, rather than attemt to elmnate the roblem by formng a sngle club. Agents wth a low value on rvacy allow ther club to comle large amounts of ersonal data because ths deters fraud, even though ths data s subject to breach and msuse. y contrast, agents who lace a hgh value on rvacy wll tolerate a hgher rate of dentty theft, as the cost of keeng more of ther PID rvate. Mergng the two clubs can result n a level of ersonal data collecton that seems excessve to the hgh-rvacy grou but nsuffcent to the low-rvacy grou. More generally, Prooston 6 llustrates how heterogenety can lmt the effcency gans from consoldaton of PID. So long as ths nformaton s shared through voluntary assocatons (rather than mandatory artcaton n a sngle arrangement), dsarate grous of agents n an 49

51 economy may refer to sort nto searate allances wth dfferng levels of ersonal rvacy and data securty. Clearly, heterogenety can also lmt effcency gans attanable through other means as well. Regulatory lmts on data collected, for examle, mght constran grous who lace low value on ther rvacy. 50