Essays on Cybercrime, Privacy, and Information

It next to impossible to participate in the modern economy without involving data. Whether a person is online shopping or applying for a loan, data is being collected and used to make inferences. This shift to a data rich world has had a number of benefits, but it has also raised many questions about privacy, the use of information, and data protection. The amount and quality of available data directly impacts markets, while the organizations holding valuable data are constantly at risk of suffering a cyberattack. This dissertation examines three topics at the intersection of cybercrime, privacy, and information.

In chapter 1, I study how data privacy regulations affect the market for stolen data. I propose a model of the stolen data economy to show how privacy regulations may affect the market. I then introduce a novel dataset of data breaches to study the effects of the European Union's General Data Protection Regulation (GDPR), a policy governing the collection and storage of user data, on the quantity of data available in the illicit market. Using a difference-in-differences design, I find that the GDPR caused a 60 percent reduction in the number of data breaches traded, but no reduction in the aggregate amount of data available. Analyzing the contents of the individual breaches, I find a nearly 70 percent increase in the amount of data they contain. These results are consistent with the model's prediction that low-value hacking targets becoming disproportionally less valuable after the GDPR, which in turn causes higher-value targets to make up a larger portion of post-GDPR data breaches.

Chapter 2 continues with the study of cybercrime but with a focus on how it affects targeted firms, and how those effects depend on whether the firm discussed their risk prior to the event. I create a framework for understanding the effects of risk disclosure both at the initial stages and when the risky event actually occurs. Using a collection of cybersecurity incidents affecting publicly traded firms, I test the predictions of the framework by analyzing the market's reaction to the incidents and how it varies by disclosure status. I find that prior risk disclosure is not in and of itself predictive of how the market will respond to an event, but how the market reacts to the initial risk disclosure is. This chapter focuses on the role of information in markets, which transitions into my final chapter

In chapter 3, I shift my focus to the role of information in consumer credit markets, specifically studying how signal noise affects the credit constraints of borrowers and the risks faced by lenders. In consumer credit markets, credit scores are used as a signal of the creditworthiness of a borrower. Higher credit scores send a positive signal, increasing access to credit. As part of the federal response to the COVID-19 pandemic, the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) paused collection on student loans and suspended collections on delinquent loans. The latter provision of the legislation lead to beneficiaries of the policy seeing large increases in their credit score despite not taking personal action to rectify their delinquencies. This added noise to the signal sent by the credit scores. This paper studies the impact of that noise on consumer credit markets. I show that beneficiaries of the policy were more likely to open auto and credit card loans, and more likely to go delinquent on auto loans relative to two distinct control groups.