Data breaches and identity theft

An environment is analyzed in which agents join clubs (payment networks) in order to facilitate trade. The networks compile personal identifying data (PID) so as to match transactors to transactions histories. Technological limitations cause the networks’ data management practices to impact each otherʹs incidence and costs of identity theft. Too much data collection and too little security arise in equilibrium with noncooperative networks compared to the efficient allocation. A number of potential remedies are analyzed: (1) reallocations of data-breach costs, (2) mandated security levels, and (3) mandated limits on the amount of data collected.