Information Security and Economics

8 11 2012

Although the administrative, risk management and technical solutions etc., surrounding information security make up the bulk of the areas that affect information assurance goals, there are also individual economic incentives that surround the actions of the many stakeholders that form the chain of information security. First, it has to be established that security is like a commons, where there is almost always an externality, in the economic sense, where individuals, for example, can cause air pollution that affects others, or where individuals that leave their machines unpatched, do not solely bear the entirety of the consequences of their actions. In fact, what ends up happening is that the consequences these actions end up affecting others. This externality applies more so to information insecurity in that if these consequences were not externalized, there would be proper incentives to ensure each stakeholder in the chain of information security does his or her part to contribute to the information assurance goals. Consider many years back when there was some raucous involving ChoicePoint with regard to how it treated the information-security matters it was in. The ChoicePoint case was a case of externalities where consequences of ChoicePoint’s business model and actions were bore by others that did not benefit directly from ChoicePoint’s activities. Back then ChoicePoint was a company that essentially traded dossiers of people’s aggregated personal data intelligence, as informational services with corporations, governments, and individual clients, in exchange for money.

But, the real story here is that in 2005, ChoicePoint was embroiled in controversy over how it has treated the dossiers of people it had collected over the years. There had been a number of cyber attacks on ChoicePoint’s infrastructure that led to the exfiltration of vast amounts of peoples’ dossiers. In addition, the people whose dossiers were exfiltrated were not direct parties to the transactions with ChoicePoint, and so were unwitting that vast amounts of personal information about them had been aggregated, and that a repository of the same aggregated data had been breached. However, one of the main issues that brought about litigation with ChoicePoint was not the breach per se, it was more about the accuracy of the information in ChoicePoint’s databases and how that data was been used and the effect of the use. A case in point was that of Mary Boris, whose dossier with ChoicePoint had inaccurate data that implied that Mary Boris had filed four residential damage claims and therefore was a risky customer that the insurance companies do not want to insure.

Mary Boris contended that the dossier compiled about her was inaccurate and requested that ChoicePoint correct the data, yet no correction resulted and so litigation ensued. The errors illustrated problems within ChoicePoint’s CLUE database as well as structural procedural issues that negatively impacted individuals’ dossiers regardless of accuracy. Particularly when it is the case that the economic incentives to secure and keep accurate the information is not there for the stakeholders involved in the acquisition, storage and transport of these sorts of information. It could be argued that ChoicePoint did not do enough to protect the confidentiality, integrity, and accuracy of information on its databases. In fact, ChoicePoint only protected its peoples’ dossiers with an effort that was commensurate to the monetary value that the ChoicePoint places on each of those same dossiers. A Harvard Business School case study on ChoicePoint stated that “ChoicePoint generally assumed that information received from a reliable source [such as the government,] was accurate unless a complaint was registered [with them].”(ChoicePoint, Pg. 5) In the same case study, it was stated that ChoicePoint, in dealing with the Texas DPS, made the conscious decision to only update its databases of public records once a month instead of everyday, as the Texas DPS did, because it was costly. There is no doubt that if ChoicePoint was liable for inaccuracies in its data, they would have strived to get accurate records more often.

The millions of people whose dossiers had been compiled into ChoicePoint’s databases were not necessarily ChoicePoint’s direct customers. So the people whose dossiers ChoicePoint had did not have the power to switch credit agencies. They had neither the power of economic pressure nor market power that they could use as leverage to impact the problem. The fact was that ChoicePoint did not assume the costs of identity theft, so ChoicePoint did not take the costs of preventing identity theft into account when calculating the costs that needed to be allocated to preventing identity theft or improving data security, in the way it would have allocated had it thought the very existence of its business model relied on the confidentiality, integrity, and accuracy of the information it houses. Despite ChoicePoint being made to pay damages for errors in data it provides, ChoicePoint stood to gain from the transactions of trading personal information it sourced from public sources, while the harms of inaccurate data was bore by individuals whose dossiers have been erroneously aggregated. Even when ChoicePoint did come to the conclusion that the records it had gathered from public sources were indeed inaccurate, it took no action to correct such data because, as it said then, “it could not have a database with “public records” not matching those in the public record.” (ChoicePoint, Pg. 6) The crux of the problem was that the market involved buyers and sellers that do not care about the commodity; the commodity being the dossiers of people.

Considering the fact that ChoicePoint may not have been able to afford the cost of the damages that could ensue due to the harms caused by the lack of privacy, inaccuracy and insecurity, ChoicePoint had an interest in keeping these externalities externalized from itself. Whereas, the proper point of a regulation or liability or a form of remediation of possible market failure, particularly in this situation would be to make the externalities commensurately internalized to the stakeholders whose actions would amount to an economic consequence or harm upon another entity. This is one reason why the economics of the security of information, along with administrative, risk management and technical solutions etc., should be considered when the goals of information assurance are the focus. Why? Because risk and economics are related through liability and property rights, and risk can be transferred. However, liability and property rights have to be clearly established so that when one stakeholder would subsidize another during the transfer of risk, the legal framework will exist to enable it. This sort of transferability is supported under the economic theory known as Coase Theorem. Overall, stakeholder accountability, through establishing liability and property rights has to be established, in the applicable area, in order to get closer to providing information assurance.


Paine, L., & Phillips, Z. (2008). ChoicePoint (A) (Case No. 9-306-001). Boston: Harvard Business School.

Otto, P. N., Anton, A. I., Baumer, D. L. The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of

Personal Information. <;. IEEE Security Privacy Magazine 2007.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: