Economic Analysis of Tort Law, Why Bother?
In previous posts (here and here), I suggested that analytical modeling can be useful to better understand data breaches, information disclosure laws and the costs to both companies and individuals because of these laws. I’d like to now expand on those ideas.
To be clear, there are many kinds of models and modeling approaches but what I’m interested in is the economic analysis of tort law. For those not aware, this approach is concerned with the cost of accidents to an injurer and a victim and it analyzes how various policy rules (typically regulation or liability) can minimize the sum of those costs.
The way I’ve come to interpret and apply models (e.g. mathematical equations) is to illustrate how agent’s incentives change under different policy interventions. For example, if companies are forced to notify consumers of a data breach, will they be induced to spend more or less money protecting consumer data? Will individuals take more or less care once notified? Will these actions together increase or decrease overall social costs?
I don’t claim to be an expert on analytical modeling, but from the work that I’ve done related to data breach disclosure laws, I’ve gained a great deal of appreciation for this style of research and much of what I’ve learned has come from (once again) the amazing Alessandro Acquisti and the brilliant mathematician, Richard Sharp. And so, I wanted to take a few paragraphs to share what I think are some of the key benefits.
Normative vs. Postive Analysis. Those interested in law and economics would have likely seen discussions regarding normative vs. positive analysis. A normative approach addresses whether a particular policy should, or should not be implemented. E.g. should people have a right to conceal their guns? Should schools be segregated by sex? Should we raise gasoline taxes? Positive analysis, on the other hand, helps determine changes in behavior if people had the right to conceal their guns, went to segregated schools, or paid higher gas taxes. As a researcher who studies law and economics, I’m interested in the positive analysis.
Defining Variables. First of all, whenever you model the behavior of a system, you’ll be forced to think very hard about the variables involved, how these variables change in relation to other variables, which variables are within the control of the agents (endogenous) and which are imposed by an external entity (exogenous). For example, unilateral-care accident models assume that costs are imposed on victims (that they have no ability to reduce harm), while bilateral-care accident models allow victims to take actions to reduce their harm (e.g. as I have described with information disclosure). This isn’t as easy as it sounds, even for simple models. But it’s a crucial step. I’ve found that it pays to be as meticulous, exhaustive and clear as possible when describing each variable and its function. Best to have all this ready early rather than scramble when pressed by a reviewer later.
Enumerating Costs. In the economic analysis of accidents (e.g. data breaches), analytical modeling forces us to really understand and enumerate all the different kinds of costs incurred by both injurers and victims (companies and consumers). That is, it forces us to not just identify that there may be many types of costs involved, but to consider which are borne exclusively by each party and which are shared between them; which costs represent a social loss, and which one’s don’t.
Assumptions are Useful and Good. Assumptions can be awkward to both read and write, but they are necessary. As a reader, I appreciate that it’s easy to become frustrated by a model thinking that the assumptions make it too simple, too unrealistic, and should therefore be dismissed. Someone once said, “All models are wrong. Some are useful.” As a reader, that’s the key: I don’t focus on everything that the model lacks, but instead try to recognize and appreciate what it offers. A black and white photograph is an abstraction of reality. But if you’re only trying to explain shadows, will it matter that you lack color? As a modeler, if we’ve properly defined the context of our problem and established the reader’s expectations, then the assumptions provide not excuses behind which to hide, but opportunities upon which to expand and explore our results.
Simulation. Sometimes models become complicated enough that analytical analysis is either not possible or unrevealing. In these cases, simulation or computational modeling can be very useful. In particular, if you’re looking to prove the existence of some behavior, a simulation is ideal. For example, is it always the case that increasing a firm’s liability will produce better outcomes?
Minimization vs. Optimization. The implicit assumption with these models is that each agent behaves rationally (they’re trying to minimize their own private costs) while the social planner is trying to minimize the sum of these costs. And of course, individual incentives are generally not aligned with social incentives – this is what creates externalities.
I mentioned that agents seek to minimize costs. They do this by adjusting some key variable that you, as the modeler, have defined. Often in these models, that variable is either the level of care (activities that prevent an accident or data breach) or level of activity (amount of a risky behavior that could lead to an accident). To restate: agents minimize their costs by optimizing their level of care.
The social planner, then, seeks to minimize the sum of the costs to both victims and injurers (consumers and companies). But, notice that we’re minimizing costs, not accidents. That is, we have to recognize that if companies invested in the socially optimal amount of data security (i.e. the level of security that minimizes overall social cost), breaches must still occur. And there will still be identity theft. And this is okay. To eliminate data breaches would require excessive resources. One of the most nagging questions in information security has always been: how much should we spend on security? If you accept the statements above, and given that data breaches and identity theft certainly occur, then you must also consider this: companies may already be spending exactly the right amount now. This won’t be a popular statement for privacy or consumer advocates, but, it’s important to understand that the lowest social cost is achieved when companies spend more on security, but not excessively more. And it’s possible they’re already doing that.
Back to the modeling exercise.
Comparative Statics. As the modeler, you’ll likely also want to tease the model to understand how the outputs change by manipulating some parameter of interest (what we call comparative statics). This will be driven by your research question. For example, general types of questions that we might ask are:
– What happens to an agent’s behavior (costs) when we change from policy intervention X to policy intervention Y?
– What happens to an agent’s behavior (costs) when I, as a policy maker, manipulate a certain parameter?
– What conditions must exist to obtain the best result?
And specific to my work:
Q1: Will firms invest more in data security if they are forced to notify consumers of a data breach? Will consumers incur lower cost?
Q2: How will a breached company’s behavior change if it is forced to pay a fine proportional to the size of the breach (what I’ve called a breach tax)?
Q3: How much liability should a company bear in order to minimize social costs?
In fact, let me actually answer a couple of those questions.
Q1: How much liability should a company bear in order to minimize social cost? Many might suggest that companies should be strictly liable to victims for any costs resulting from a data breach – after all, they caused the breach in the first place, right? Well, if consumers are able to mitigate losses from identity theft (say, as a consequence of disclosure notices), then I would argue that social costs will be minimized only when liability is shared among the company and consumer (yes, the victim). Legal scholars will recognize this as the efficiency versus fairness argument. While it may not be fair to have consumers bear some portion of their harm, it’s efficient for them to take some measures to mitigate loss.
Q2: Recall that there are a number of federal laws that hold companies liable to consumers for a fixed amount (not some portion of consumer loss) for simply violating the law. For example, the Privacy Act allows recovery of at least $1000 for unauthorized disclosure of personal information by a government agency. What effect would this fine (breach tax) have on firm and consumer behaviors and costs? Well, the answer is quite straightforward: firm costs will increase (naturally), which forces them to invest more in data security because the benefit in avoiding a future breach increases. Next, consumer costs decrease (they get a lump sum), but their actions will be unchanged. That is, they have no more or less incentive to take additional measures to mitigate any future losses from identity theft.
An important note is that while the analytical modeling can help illustrate how behaviors change, there are limitations. For instance, we cannot ask questions such as: what should be the amount of tax imposed on a company in order to have it invest in the right amount of security? Or: how many dollars are saved by imposing data breach disclosure laws? These questions are quantitative and (obviously) require empirical analysis.
Hopefully this post has helped readers understand and appreciate the benefits (and limitations) of analytical modeling – at least as it applies to the economic analysis of data breaches. For those further interested, we presented a related paper at a conference at Harvard earlier this year (Workshop on the Economics of Information Security). A draft version of the paper is available here.