Coase Theorem in the World of Data Breaches

“This is a really serious security issue, and we’re taking it really seriously,…..I’m glad we found this, but it definitely is an issue that this happened in the first place.”

— Facebook CEO Mark Zuckerburg

(after the company’s security breach that exposed the personal information of 30 million users.[1])

We now live in a world of data. Every single day, each one of us generates some very personal data about what we see, where we go, who we talk to, what we think and even who we are. Data is quickly becoming one of the most critical factors of production in the current market economy. Yet, it also brings negative externalities that cannot and should not be ignored for the market to function effectively. Many economists have proposed theories and tools to tackle the problem of externalities. In this article, I am going to specifically focus on the solution proposed by Ronald Coase in 1960, and show how the theory can be applied to the modern world of data.

When the Market Fails

Before diving into the Coase Theorem, we first need to first talk about “externality”, which can be defined as the positive or negative consequences of economic activities on third parties [2]. The externality is considered to be a form of market failure — as it is the spillover effect of the consumption or production of a good that is not reflected in the price of the good [3]. That is, the market equilibrium fails to capture and reflect the real cost/benefit of economic activity. Some everyday externalities that people encounter including air pollution and cigarette smoking. Another classic example of a negative externality is described by Garrett Hardin in his scientific paper named “The Tragedy of the Commons”, which discusses how individuals tend to exploit shared resources so the demand greatly outweighs supply, and the resource becomes unavailable for the whole [4].

Pollution is a classic example of a negative externality.

Coase Theorem: Assigning Property Rights to Tackle Externalities

Prior to Ronald H. Coase, who was awarded the Nobel Prize for Economics in 1991, economists were prone to consider corrective government actions as the solutions to externalities. For instance, by setting numerical limits on activities with external effects (Command and Control regulation), placing a subsidy to increase consumption of positive externalities, and internalizing the externalities using price system (Pigouvian tax). However, in his publication “The Problem of Social Cost” in 1960, Coase argues that there is a real danger that such government intervention in the economic system, in fact, leads to the protection of those responsible for harmful effects [5]. Instead, he suggests that the market can potentially solve the problem of externalities by itself if property rights are complete and parties can negotiate costlessly.

“We may speak of a person owning land and using it as a factor of production but what the land-owner in fact possesses is the right to carry out a circumscribed list of actions.”

— — C., Ronald (1960). The Problem of Social Cost.

To see how this economic theory can be applied to a real-world problem, let’s take a quick look into the Cap-and-Trade system.

Cap-and-Trade: A real-world application of Coase Theorem

Facing the global challenge of climate change, the European Union created the world’s first international Emission Trading System (ETS) in 2005 with the goal to reduce greenhouse gas emissions. The EU ETS works on a Cap-and-Trade principle — — A cap is set on the total amount of certain greenhouse gases that can be emitted by installations in the system. The cap is reduced over time so that total emissions fall. Within the cap, companies can receive or buy emission allowances which they can trade with one another as needed [6]. In other words, the cap to some extent represents the right to emit certain greenhouse gases, whereas the trading reflects the negotiations Coase argues that can lead to more efficient market allocation.

“Trading brings flexibility that ensures emissions are cut where it costs least to do so. A robust carbon price also promotes investment in clean, low-carbon technologies.”

— The European Commission

According to the EU, the ETS has shown good results as the cap on emissions from power stations and other fixed installations is reduced by 1.74% every year between 2013 -2020 [7], and the emissions are estimated to be 43% lower than in 2005 by 2030 [8].

Coase Theorem in the World of Data Breaches

Living at the age of big data, data breaches have become increasingly common in our daily lives. According to the Identity Theft Resource Center, the number of significant breaches at US businesses, government agencies, and other organizations reached 1300 in 2017, compared to less than 200 in 2005 [9]. This increase is partly due to the fact that the world’s volume of data has grown exponentially over the past decade, giving cybercriminals a greater opportunity to expose massive volumes of data in a single breach [10].

Although it is normally defined as an “incident” where information is stolen or taken from a system without the knowledge or authorization of the system’s owner [11], I suggest viewing data breach (especially those ones involving personal information) as a modern form of negative externality. It is because when the data that institutions captured from individuals to run their business get breached, individuals get spillover effects in terms of privacy and financial loss. Yet, the liabilities of such harm are not clearly defined and therefore taken into account within the market mechanism.

“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.”

— Google Official Statement disclosing the data leak affecting up to 500,000 accounts [12].

Take Facebook’s security breach in September 2018 as an example. 30 million people (more than the whole population of Australia) had their names and contact details leaked, and within which 14 million of them further had their sensitive information (include gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, education, work etc) exposed to the attackers [13]. With the significant harm that this “incident” brought to people’s privacy, what Facebook did was apologizing, saying that it was “a breach of trust” and that they “promise to do better” for the users [14]. Yet no matter how sincere those apologies might be, they cannot and will not solve the core of the problem.

Data breaches cause great harm to society as well as individuals. However, such negative externalities are not well captured and reflected in the market.

It is, however, not to suggest solving data breaches with one-fits-for-all governmental regulations. Because according to Coase, we need to recognize the reciprocal nature of the problem. That is, a data breach cannot happen without Facebook failing to secure its data, but at the same time, it also cannot take place without the users willingly inputting data to the platform. So what is missing here, based on the Coase Theorem, is the clear definition of the rights to data.

In the World of Data where Property Rights are defined and defended

Based on Coase Theorem, the property rights to data, in fact, refer to the rights to carry out a circumscribed list of actions. A couple of examples of actions shall include:

• Right to control access to one’s data
• Right to monetize one’s data
• Right to donate/give away one’s data
• Right to defend the privacy of one’s data
• …….

When the above rights to data are clearly defined, individuals are empowered to have legal recourse and bargaining power against a “data breach incident” that inflicts their rights. In the case of Facebook, for example, users will be able to confront Facebook in court for its failure to defend the user’s data privacy and use the data only for the permitted purpose (intentionally or not). Or even before the outbreak of a data breach, which seems inevitable for centralized data storage, users can already negotiate terms with Facebook for the potential risks that Facebook exposes them to. Facing such confrontation and consequences, Facebook will be forced to better capture the costs and risks it bears when storing/utilizing its users’ data. This might lead to a change of business model for Facebook or a new user-platform relationship where Facebook openly compensates users for the risks they are exposed to.

In short, as argued by Coase, once the rights to data are clarified, parties can openly negotiate terms and compensations resulted from the negative externalities — just like how we do with greenhouse gases — and therefore lead to better market equilibrium.

Baby step at a time to tackle market failures in the world of data

The Facebook data breach is not the first of its kind, and unfortunately will not be the last. In fact, it is estimated that data breaches will just become more frequent, bigger and more expensive in the near future. Therefore, although Coase Theorem, similar to all economic theories, has its limitations with real-world applications, it still sheds lights on how defining the rights to data can be the first step toward solving digital world negative externality such as data breach and enabling a better-functioned market mechanism in the long-term.

References

[1] The New York Times (Sep 2018). Facebook Security Breach Exposes Accounts of 50 Million Users. Available at: https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html

[2] Quickonomics. Positive Externalities vs Negative Externalities. Available at: https://quickonomics.com/positive-externalities-vs-negative-externalities/

[3] Intelligent Economist. Introduction to externalities. Available at: https://www.intelligenteconomist.com/externalities/

[4] Investopedia. Tragedy Of The Commons. Available at: https://www.investopedia.com/terms/t/tragedy-of-the-commons.asp

[5] C., Ronald (1960). The Problem of Social Cost.

[6] European Commission. EU Emissions Trading System (EU ETS). Available at: https://ec.europa.eu/clima/policies/ets_en

[7] European Commission. EU Emissions Trading System (EU ETS). Available at: https://ec.europa.eu/clima/sites/clima/files/factsheet_ets_en.pdf

[8] European Commission. EU Emissions Trading System (EU ETS). Available at: https://ec.europa.eu/clima/policies/ets_en

[9] Priceonomics. Why Security Breaches Just Keep Getting Bigger and More Expensive. Available at: https://priceonomics.com/why-security-breaches-just-keep-getting-bigger-and/

[10] Digital Guardian (Jan 2019). The History of Data Breaches. Available at: https://digitalguardian.com/blog/history-data-breaches

[11] Trend Micro. Data Breach. Available at: http://www.trendmicro.tw/vinfo/us/security/definition/data-breach

[12] Google (Oct 2018). Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+. Available at: https://www.blog.google/technology/safety-security/project-strobe/

[13] Facebook Newsroom (Oct 2018), An Update on the Security Issue. Available at: https://newsroom.fb.com/news/2018/10/update-on-security-issue/

[14] The Verge (Mar 2018). Mark Zuckerberg apologizes for Facebook’s data privacy scandal in full-page newspaper ads. Available at: https://www.theverge.com/2018/3/25/17161398/facebook-mark-zuckerberg-apology-cambridge-analytica-full-page-newspapers-ads