Firms and Data: Privacy, Monitoring, and Cybersecurity

Paper Session

Saturday, Jan. 6, 2024 2:30 PM - 4:30 PM (CST)

Convention Center, 303 B/C
Hosted By: American Economic Association
  • Chair: Joel Waldfogel, University of Minnesota

Upgraded Software and Embedded Improvements: Tracking Vulnerabilities and Bugs on the Web

Raviv Murciano-Goroff, Boston University
Ran Zhuo, Harvard University
Shane Greenstein, Harvard Business School

Abstract

We empirically investigate user propensity to upgrade and patch existing software using the methods developed by Murciano-Goroff, Zhuo, and Greenstein (2021). We document five million months of web server usage at over 150,000 US medium and large firms between 2000 and 2018. We focus on quasi-natural experiments after the appearance of a severe security bug. We find enormous variance in the firm-specific attentiveness to patch software in response to a security vulnerability. A reverse causality occurs due to a correlation between the (low) propensity to upgrade and a (high) prevalence of software containing known security vulnerabilities. We develop hazard model approaches that account for firm-specific proclivities to upgrade and fit a subset of data with a range of explanatory variables. We find a significant propensity to upgrade because a new version has appeared, suggesting many users gain protection against vulnerabilities as a byproduct of routine administrative processes that support maintaining frontier software. Users accelerate upgrading when their webserver supports electronic commerce instead of merely an informational or coordinating role. We also find deceleration when users support an incredibly complex IT operation. These findings are consistent with models of high costs of disrupting operations. In addition, they have counterintuitive implications for the timing of announcements about vulnerabilities and the release of patches.

(Under) Investment in Cyber Skills and Data Protection Enforcement: Evidence from Activity Logs of the UK Information Commissioner's Office

Pantelis Koutroumpis, University of Oxford
Farshad Ravasan, University of Oxford
Taheya Tarannum, University of Oxford

Abstract

Data breaches account for a significant share of cyberattacks. While they severely impact customers, who lose valuable personal data, they often have a limited effect on the operations of the data-holding companies. This might lead firms to underinvest in cybersecurity. Do stronger data protection laws alleviate the effects of these misaligned incentives? Using the universe of online job postings from the UK, we answer this question by examining the link between firms' cybersecurity hirings and stronger data protection laws and enforcement. We study two institutional changes that affect data protection enforcement by the Information Commissioner's Office (ICO). The first change is the removal of the requirement to prove substantial damage and distress in 2015, which gave greater discretion to the ICO to issue monetary penalties. The second one is the enactment of the Data Protection Act 2018, which significantly raised the ceiling of monetary penalties. To study these changes, we assemble a novel dataset with more than 5,000 supervisory actions from ICO activity logs and measure industry-level exposure to ICO enforcement. Combining sectoral variation with the timing of the legal changes, we show that stronger data protection enforcement significantly increases the demand for cybersecurity skills by up to 52%. The effect is particularly strong among data-intensive firms, firms using cloud technologies, and firms with higher cash holdings. While regulation is effective in boosting investment in cybersecurity skills, we find that it slows down the firm dynamics, reducing the entry rate by up to 12% and increasing the exit rate by up to 13%.

Regulatory Compliance with Limited Enforceability: Evidence from Privacy Policies

Bernhard Ganglmair, University of Mannheim
Julia Krämer, Erasmus University Rotterdam
Jacopo Gambato, University of Mannheim

Abstract

The EU General Data Protection Regulation (GDPR) of 2018 introduced stringent transparency rules compelling firms to disclose the nature of their data collection, processing, and use in accessible and readable language. The disclosure requirement is objective, and its compliance is verifiable. However, readability is subjective and vague, making it difficult to enforce. We examine the effect of this asymmetric enforceability of regulatory rules on firms' compliance using a large sample of privacy policies from German firms between 2014 and 2021, matched with firm-level and industry-level information. We use text-as-data techniques to construct measures of disclosure and readability and show that firms responded to the GDPR's transparency requirements by significantly increasing information disclosure. However, the readability of their privacy policies did not improve and, in some cases, worsened. Larger firms and those in concentrated industries demonstrated higher compliance levels with the readability requirement, potentially due to heightened regulatory scrutiny. We emphasize the significance of regulatory capacity, as higher-budget regulators (German state-level data protection authorities) with better enforcement capabilities foster improved compliance with the vague rules and guidance of the readability requirement. This study sheds light on the intricate dynamics between enforceability, compliance, and the role of verifiability within regulatory frameworks.

Designing Monitoring Programs: Screening with Dynamic Incentives

Sam Goldberg, Stanford University

Abstract

I study the design of voluntary consumer monitoring programs in auto-insurance, using data from more than 2 million unique drivers. Monitoring technology tracks driving behaviors and provides performance incentives for improved driving, in the form of discounts on future premiums. The efficacy of these programs depends on who chooses to participate and their ability to influence driver risk. Because drivers anticipate performance incentives when making their participation decision, these goals are fundamentally tied. I estimate a model with both selection and moral hazard using unique variation in both performance and participation discounts. Through the lens of the model, I non-parametrically recover the joint distribution of drivers' risk characteristics. I use my model to perform two counterfactuals of interest. First, I separate the screening and risk adjustment effects and estimate the welfare of monitoring programs in this setting. Second, I write down a simple firm profit function in order to estimate the optimal monitoring program.

Discussant(s)

Joel Waldfogel, University of Minnesota
Mert Demirer, Massachusetts Institute of Technology
Guy Aridor, Northwestern University
Tesary Lin, Boston University

JEL Classifications
  • L8 - Industry Studies: Services
  • D8 - Information, Knowledge, and Uncertainty