What is the market failure in data storage and protection at the retail level?

There’s been another accident and data leak from Home Depot, and some people are claiming the company was negligent, so I was thinking what kind of market failure might be present.

One problem is this.  They store your credit card number whether you buy one thing at the store or make fifty trips over the course of two years.  So, if you don’t trust a store, at the margin you only get one chance to make a decision whether to give them your credit card number by shopping there or not.  You are comparing the total expected consumer surplus from having a relationship with the store at all against the data privacy risk.  Such blunt, once-and-for-all trade-offs are not always conducive to good marginal incentives.

If I made one purchase at Home Depot a year ago, I don’t seem to obtain more safety by refusing to make more purchases now, at least provided I am using the same credit card.  So many consumers have little incentive to turn against the lax retailer and so excess laxity persists.

The data protection market might work better if, in case you would make more shopping trips to the more trustworthy stores, that in turn would lead to your data being marginally better protected.  A bit like eating more of your meals in safer restaurants to minimize the chance of getting sick.  But the logic of storage, based on a one-time receipt of the critical information, means these marginal choices don’t matter so much (they should matter more for people who lose their credit cards a lot and get new reissued cards with new numbers, or matter more to the extent the company sequentially constructs separate databases; bravo to you if you lose your credit cards a lot, you are conferring a social external benefit on others by inducing companies to care more about data protection at the margin).

Ideally we would like a system where the intermediary would reissue a new credit card number to you each time you buy something.

In the meantime, the incentive is to concentrate all of your retail purchases on one card, and use that card somewhat indiscriminately at the margin.  At the same time you should concentrate all of your auto-renewals on a different card.  You would then hold one or two other cards in reserve, as back-ups for when these first-tier cards fail you.

I sometimes think that all of my credit card information is stolen, all of the time, for practical purposes.  My only protection is then the ubiquity of theft, the large number of competing credit cards available for use, and the incentives of the stationary bandit not to reap too high a harvest from the stolen information too quickly.  What is then the size of the “tax” I pay each year and how does it compare to standard yearly credit card fees?  After all, the credit card companies, they have my credit card number too.

Comments

Comments for this post are closed