Today’s Washington Post has a follow-up story on the hackers’ purported theft of data from the Virginia Prescription Monitoring Program, which I wrote about here on Tuesday. There is not a lot of new information, although it is perhaps notable that the hackers had threatened to sell the data if it was not “ransomed” by Thursday (yesterday), and so far there seems to be no evidence that this has happened.
The database contains information on individual prescriptions:
The state-run database helps doctors and pharmacies track powerful narcotics and painkillers to reduce the abuse, theft and illegal sale of the controlled substances sold under labels including OxyContin and Vicodin. It was set up as a pilot program in southwestern Virginia in 2003 and went statewide in 2006. About 2,500 health-care professionals have access to the data.
As Bruce Schneier has argued many times, one of the core problems with protecting the security of digital information is that, often, the individual or entity that controls the data does not bear the cost of a security breach. It’s a form of what economists call an agency problem: the person in a position to act does not have the same incentives as the person who is on the hook if things go wrong. In one of his blog posts on identity theft, Schneier says:
Many companies keep large databases of personal data that is useful to these fraudsters. But because the companies don’t shoulder the cost of the fraud, they’re not economically motivated to secure those databases very well. In fact, if your personal data is stolen from their databases, they would much rather not even tell you: Why deal with the bad publicity?
A quote at the end of the Post article illustrates the problem:
State officials say they have no evidence that any personal information is at risk, but they recommend that anyone concerned about possible identity theft keep track of personal financial statements and periodically review credit reports.
The “state officials”, and the departments they run, are not the ones who will bear many of the economic or other costs that may result from the security breach. To borrow another term from economics, those costs are an externality. The situation is very similar to that of environmental regulation, which also deals with externalities. Absent regulation, a factory owner can have an incentive to pollute, because the direct cost of reducing the pollution may greatly exceed the portion of the benefit that accrues to him directly.
Fortunately, we have a worked example of how regulations can help fix this kind of problem. In the 1970s, as part of fair credit practices legislation, Congress shifted the liability for fraudulent credit card charges, beyond the first $50, to the card issuers. Shortly thereafter, it became the norm for any sizable credit-card transaction to be verified in real time, using a card swipe terminal. This did not happen because of any technological advance, but because it suddenly was economically worthwhile for the issuers.