Why Aren’t Large Retailers Security-Conscious?

I didn’t want to let this pass without commenting on it since it touches on several points I’ve mentioned here from time to time. Tyler Cowen asks, in economistese (“What is the market failure in data storage and protection at the retail level?”), why (large) retailers aren’t more security-conscious:

There’s been another accident and data leak from Home Depot, and some people are claiming the company was negligent, so I was thinking what kind of market failure might be present. One problem is this. They store your credit card number whether you buy one thing at the store or make fifty trips over the course of two years. So, if you don’t trust a store, at the margin you only get one chance to make a decision whether to give them your credit card number by shopping there or not. You are comparing the total expected consumer surplus from having a relationship with the store at all against the data privacy risk. Such blunt, once-and-for-all trade-offs are not always conducive to good marginal incentives.

If Home Depot acted as he is suggesting, there’s more going on than a “market failure”.

Quite a number of years ago the payment card industry agreed on a set of security standards. Under those standards, if Home Depot is acting as Dr. Cowen suggests, Home Depot is not “PCI compliant”. Merely storing the credit card is an unacceptable security risk. What they are supposed to do is pass the credit card immediately on to a processing organization that will “tokenize” it and pass the token back to them for storage and re-use. Home Depot should be subject to substantial fines for its recklessness.
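
The tokenization flow described above, sketched as an added example that is not part of the original post and is no real processor's API. `Processor`, `Merchant` and `find_stored_pans` are hypothetical names, keeping the last four digits is an assumption, and the card number is a constructed sample (a standard test number). The audit function shows what a retailer's data store should yield when scanned for full card numbers: nothing.

```python
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def looks_like_pan(value) -> bool:
    s = str(value)
    return s.isdigit() and 13 <= len(s) <= 19 and luhn_ok(s)

class Processor:
    """Hypothetical processing organization: the only party holding card numbers."""
    def __init__(self):
        self._vault = {}  # token -> card number, kept on the processor side only
    def tokenize(self, pan: str) -> str:
        if not looks_like_pan(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(16)  # random, not derived from the card number
        self._vault[token] = pan
        return token

    def charge(self, token: str, cents: int) -> str:
        pan = self._vault[token]  # unknown tokens raise KeyError
        return f"charged {cents} to card ending {pan[-4:]}"

class Merchant:
    """Hypothetical retailer: keeps the token for re-use, never the card number."""
    def __init__(self, processor: Processor):
        self.processor = processor
        self.customers = {}  # customer id -> {"token": ..., "last4": ...}
    def enroll(self, customer_id: str, pan: str) -> None:
        token = self.processor.tokenize(pan)  # card passed on immediately
        self.customers[customer_id] = {"token": token, "last4": pan[-4:]}

    def rebill(self, customer_id: str, cents: int) -> str:
        return self.processor.charge(self.customers[customer_id]["token"], cents)

def find_stored_pans(records: dict) -> list:
    """Audit check: values in a merchant data store that are full card numbers."""
    return [str(v) for rec in records.values() for v in rec.values() if looks_like_pan(v)]

if __name__ == "__main__":
    shop = Merchant(Processor())
    shop.enroll("cust-1", "4111111111111111")  # constructed sample: a standard test card number
    print(shop.rebill("cust-1", 1999), find_stored_pans(shop.customers))
```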

IMO laws, regulations, and standards are for the little guys. They are mechanisms by which larger institutions fend off competition from smaller ones. They are rarely enforced against large institutions, the large institutions recognize that, and, consequently, have few incentives to comply.

9 comments
  • ...

    Another argument for keeping cash around, contra-ABBA, to cite one example.

  • steve

    It is a pretty fair bet that if one large corporation is doing it, then their competitors are also. Cutting costs, in the short term, is what matters. No one knows for sure, until they have a problem.

    Steve

  • TastyBits

    I am fairly sure that this is not happening. I am assured that the free market will solve everything. The FAA is unnecessary because the airlines care about their passengers.

    The solution is not more regulations. The solution is the courts. Allow compensation of ten times the amount lost through the breach plus legal fees. There would be no class action settlement. It would be open ended, and any damages resulting from the breach would be included.

    There would be no government regulations, but security breaches would be far more costly than security measures.

  • The reason that will never happen, TastyBits, is that large companies can afford expensive lawyers from firms whose senior partners went to school with the judges before whom the cases are tried.

  • Guarneri

    More relevant than the old school ties, the big boys can almost always simply outlast you. As investors in smaller businesses, when a seller requests value for a contract with Bigco our response is “my what a nice piece of worthless paper you have there.”

  • Guarneri

    And to riff off of ice, you want a market reaction? If it gets bad enough consumers will clog the checkout lines armed with cash or check books.

  • I’ve pointed that out before WRT intellectual property laws. They exist to protect the big guys from you not the other way around. The big guys can freely violate your intellectual property and keep you tied up in court practically indefinitely. The advice I’ve occasionally given to clients is “Find a hungry, young lawyer who’ll work cheap and just tell him to make the big company’s lawyers come to court as much as possible. Make it your life’s work.”

  • TastyBits

    I can dream. Between trial lawyers and regulations, I think I dislike regulations more, but next week I may change my mind.

  • Ben Wolf

    What is the market failure in data storage and protection at the retail level?

    What market? How does an economist who claims authoritative insight of market-based economics not know how to tell whether a market exists at all?
