Christopher M. Cassidy and Bongsug Chae
The U.S. government and commercial sector have opted to use privacy regulations to control the problem of consumer information misuse in the E-business environment. The authors argue that this is undesirable because it does not correct the market failure that causes this “information externality.” Using the Coase theorem, the authors propose that the market failure can be corrected using either property rules or liability rules and that liability rules at a federal level are likely to be most socially efficient. Recommendations for voluntary actions by industries and companies are also provided.
THE FUTURE OF ELECTRONIC BUSINESS heavily relies on consumers’ perception and trust regarding the handling of consumer information by online companies.
Within the United States, privacy regulations are currently used to control the problem of consumer information misuse in an electronic business environment. This article argues that this is not desirable for either consumers or online companies. We present an approach to address this increasingly important issue for society, online companies, and individual consumers.
According to Nua Internet Surveys (Nua, 2003), the global online population grew to greater than 600 million in 2002, including more than 180 million people in each of three regions: North America, Europe, and Asia. The U.S. Commerce Department has measured continuous growth in American consumer spending, with E-commerce retail sales at $15 billion in 1999, $28 billion in 2000, $34 billion in 2001, $44 billion in 2002, and $56 billion in 2003 (U.S. Government, 2005). A similar pattern of growth is seen in consumer spending on E-commerce services: from $26 billion in 1999 to $50 billion in 2003 (U.S. Government, 2005). Forrester Research forecasts an increase in U.S. E-commerce to $329 billion by 2010 (Symons, 2005).
Yet, at the retail level, there appears to be a serious barrier for electronic business to attain its full potential. This barrier is consumers’ concern about personal information handling by firms in the electronic marketplace (Hemphill, 2002). Whereas the potential for harm is also a concern in the offline world, the importance of information handling is exaggerated in the online world. New E-business technologies have substantially increased the ability of online merchants to collect, monitor, target, profile, and even sell personal information about customers to third parties. The online environment also undermines a precondition necessary for commerce: trust. The pseudo-anonymity of the Internet, where people generally do not see, hear, or know the person with whom they transact, reduces the likelihood of successful legal remedies in the event of fraud or deception. Combining these factors with the number and prominence of media stories depicting online firms that have violated and worked against consumers’ interests and preferences — including Amazon, DoubleClick, RealNetworks, Toys R Us, America Online, etc. — people have the perception, if not the reality, that consumers need strong protection in the online environment.
CHRISTOPHER M. CASSIDY is an assistant professor at Marshall University. His research interests are strategic management, corporate governance, and business ethics. His research has appeared in Advances in Strategic Management, Journal of Business Case Studies, and Information Ethics. He can be reached at email@example.com.
BONGSUG CHAE is an assistant professor at Kansas State University. His research interests are enterprise systems, knowledge management systems, and supply chain management. His research has appeared in Information Resource Management Journal and Journal of KMCI. He can be reached at firstname.lastname@example.org.
76 W W W . I S M – J O U R N A L . C O M S U M M E R 2 0 0 6
A number of reports have documented that consumers are concerned about the security of their personal data in the electronic marketplace. The Global Online Retailing report by Ernst & Young (2001) indicates that for Web site visitors, personal information handling by Web sites is the major concern: “They want their history, behavior, and data protected.” According to Poulsen (2000), a survey by the American Express Company shows that nearly four out of five current and potential Internet users around the globe have security and privacy concerns. A 2005 survey by RSA Security found that 82.7 percent of respondents felt threatened by identity theft and 83.2 percent felt threatened by online fraud (PR Newswire, 2005). This type of concern makes consumers hesitant to give out credit card information online, or create a personal portal on a Web site. In addition, consumers increasingly distrust businesses’ ability to handle their personal information and are less confident about compliance with existing laws and professed organizational practices. A study by the Annenberg Public Policy Center of the University of Pennsylvania indicates that 95 percent of people using the Internet at home agreed “they should have the legal right to know everything” about the information Web sites collect from them (Annenberg, 2003).
One immediate, negative consequence of this mistrust is that consumers either decline to provide personal information or provide inaccurate information. One survey concluded that almost 95 percent of online users had declined to provide personal information to online sites (Hoffman & Novak, 1999). A survey report of AT&T Labs found that online users indicated they would be more likely to provide personal information if there were laws and policies in force (AT&T, 1999). This kind of mistrust represents a serious threat and business risk to the prosperity and financial success of any firm offering its products and/or services through E-business technologies. Customers suffer from unwanted and even wasteful advertising materials and potential harm caused by misuse and use of their information by companies. Concerns over personal information online appear to be a major barrier to the Internet economy. Despite these concerns, 80 percent of consumers desire personalized Internet content, according to a Choicestream survey (Kerner, 2005). These statistics indicate that consumers are attracted to the benefits of the online environment, but they worry about the potential for harm. The crucial question is how to balance the two.
“Privacy” is a hot topic in many countries’ political arenas (Rubin & Lenard, 2001). To date, U.S. society has focused on privacy solutions to problems related to consumer information. More than five years ago, a BusinessWeek/Harris poll found that 57 percent of Americans believe the government should pass privacy laws now restricting how personal information can be collected and used on the Internet (Garfinkel, 2000). Online privacy has been the subject of several major bills introduced in the U.S. Congress since 1999–2000, and the issue has remained important (EPIC, 2005). An emphasis on privacy issues in the online environment can be found in recent academic literature as well (e.g., Moores & Dhillon, 2003; Liu, Marchewka, Lu, & Yu, 2004). Yet despite governmental action and industry attention, the issue has not gone away.
We recognize that privacy is an issue embedded in the larger issue of how consumer information is used, and it is specifically related to the misuse of information. Information is a good with unique characteristics that make it unlike other tangible goods. The use of consumer information sometimes results in benefits that are unjustly transferred to entities other than the consumer, and also in harms that are unjustly transferred to the consumer. Society has chosen to deal with this transfer, described by economists as an externality, using a regulatory solution generally referred to as privacy.
Privacy is a regulatory approach to the use of information that legally restricts the collection, use, and dissemination of particular types of information. This approach prohibits any use or misuse that might result in huge costs for some consumers. In this article we argue that privacy, as with most regulatory approaches, addresses the costs associated with information misuse but ignores the benefits associated with information use. In short, privacy addresses the symptom of a problem, the symptom being the injury and the problem being the externality, while leaving the externality uncorrected.
77I N F O R M A T I O N S Y S T E M S M A N A G E M E N T S U M M E R 2 0 0 6
It is our contention that fixing the information externality will make information markets more efficient and balance benefits with harms, thus helping E-business to attain its full potential. This approach is derived from Ronald Coase’s Nobel prize–winning theory concerning the assignment of entitlements and is directly applicable to the debate surrounding the issue of consumer information in E-business.
The next section offers a critique of privacy regulation on electronic business and then explains why the debate exists by describing the basic characteristics of consumer or personal information. In this section we further define and discuss the concept of externalities. We then integrate an economic and legal discussion of externalities inherent in the problem of consumer information to suggest alternative ways to correct them.
WHY A PRIVACY APPROACH IS INADEQUATE
Little progress can be made in understanding the information externality without first understanding the costs and benefits of privacy. Privacy advocates argue that a consumer’s personal information can be used to inflict harm on that consumer. For example, a consumer’s credit card and identity information can be stolen, inflicting high costs or damaging reputations. E-mail addresses and telephone numbers can be collected and spammed, wasting precious time and resources. Because these harms are undesirable and because people should be protected from harm, society must prevent the misuse of consumer information through privacy.
Among the classic citations in the privacy literature is Brandeis and Warren (1890), who viewed privacy as a negative right “to be let alone.” The concept of privacy has evolved over the last century to the positive right to be kept free from harm. In this vein, Rotenberg (2001) stated that “the protection of privacy in law is central to the American legal tradition.”
Privacy, as it has been enacted in law, most resembles inalienable rights (Calabresi and Melamed, 1972) that impose protective behaviors on others. Inalienable rights are the strongest form of protection available to safeguard individuals. Unlike property rights, which are quite limited, inalienable rights cannot be exchanged or sold. An individual may choose to leave these rights unexercised; however, the individual cannot disavow them. Familiar examples include the right to be free from governmental coercion in the realm of speech, assembly, and worship. Excessive police powers are reined in by the right to due process, proscriptions against self-incrimination, and the right to be free from torture and other cruel or unusual punishments. Equal opportunity is predicated on the right to be free from discrimination based on sex, race, color, national origin, and religion. Calabresi and Melamed’s analysis suggests that inalienable rights are so strong that they should be used only when potential harms to individuals are significant and when alternative methods of protection are inadequate.
As with freedom of conscience and equal opportunity, an inalienable right to privacy would be justified if the following conditions exist: (1) the harms cannot be avoided, (2) the harms are severe, and (3) privacy rights are the only efficient method to reduce the harm.
What is frequently ignored in privacy discussions is that some injury is unavoidable when people interact through commerce (Calabresi and Melamed, 1972). Accidental disclosures of personal information will cause injury to some people. Unscrupulous people will attempt to defraud others by using their personal information. Even with the most intrusive of law enforcement, society cannot eliminate this harm entirely.
It must also be understood that restrictions on the use of consumer information in the form of privacy rights will prevent the beneficial uses as well as the harmful uses. There is an opportunity cost to society if privacy restrictions prevent the use of individual information to create benefits. Utilitarian thinking suggests that it would not be unethical for society to compare the costs and benefits of privacy with other alternatives and choose the option through some calculus that balances the needs of society with the need to protect individuals from harm (Mill, 1987; Velasquez, 1992; Baron, 2000; Steiner and Steiner, 2003).
Given the preceding discussion, it should be noted that harms can be reduced in number and magnitude when individuals exercise due care with respect to their own personal information. People can take preventative steps to minimize the harm from information misuse: (1) they can withhold personal information from companies that do not have a proven ability to protect it, or (2) they can withdraw from or avoid the online environment. Both reduce the likelihood of and aggregate harm to society. On the other hand, advocates for privacy rights generally ignore or trivialize the very real costs incurred when inalienable rights are adopted in society.
Society incurs several costs through the adoption of inalienable privacy rights. The first cost is that many benefits of freely flowing information cannot be obtained (Barron and Staten, 2000). For example, regulatory restrictions on the use of personal medical information make it difficult, slow, and expensive to handle. The second cost is that regulatory solutions lag behind technological advances. When technology advances to the point where individual harms can be mechanically avoided, the law may take years or decades to catch up. As F. A. Hayek and Milton Friedman argue, regulatory costs are insidious, large in magnitude, and affect everyone (Hayek, 1944; Friedman, 1962). If the economic intuition from other regulatory situations can be applied to privacy, then it might suggest that, in aggregate, privacy costs dwarf privacy benefits. Additionally, there are alternatives to the privacy solution, which will be analyzed later in this article.
In summary, society should evaluate the alternative solutions for managing personal information before adopting privacy rights. This consideration is important for E-business to attain its full potential. We begin an examination of the alternatives by discussing the characteristics of information and the problem of the information externality.
THE MARKET PROBLEM WITH PRIVACY REGULATION
Information is a beneficial economic good. Businesses’ use of consumer information, such as names, addresses, and phone numbers, is beneficial to consumers because it allows businesses to communicate with or deliver goods to consumers. Consumers recognize that the use of their information for communications related to new product offerings or safety recalls is valuable. Consumers rarely dispute such beneficial uses of their personal information. The privacy issue becomes relevant only when consumer information is misused or consumers suffer harm related to their information.
Like other economic goods, information provides significant benefits and is costly to create. For an extremely tangible example of the high cost of information, consider the cost of consumer product safety information related to automobile crash tests. To determine the safety of the various makes and models of cars, under a variety of conditions, researchers must crash a lot of cars and they must do so in a variety of ways. The information is beneficial to consumers but is also expensive to create.
Information has several characteristics that distinguish it from other economic goods. The previous example illustrates two of these characteristics: non-depletability and non-excludability (Walters, 1993). Once information is created, it can be distributed to any number of additional information consumers at negligible cost. For instance, the information about automobile crash test safety does not require the consumption of additional cars to create duplicate reports. The characteristic of non-depletability means that, unlike other products, information is not used up through use. Additionally, once information is created, it is costly to prevent its distribution to unintended consumers. Consider the business model of a company creating the automobile crash test safety report for sale to car consumers. If the crash test company wanted to sell the report, they could set the price to cover the cost of the printing as well as a percentage of the cost of all the cars consumed in collecting the research data. Once they sold a few copies of the report, a consumer might copy and distribute it to other consumers for only the printing costs. The alternative business model is to sell the report once for the full price of collecting all the data. Regardless of which business model is chosen, the characteristic of non-excludability means that expensive methods must be used to prevent unintended information consumers from getting information for which they have not paid (Priest, 1997). The example of online music swapping illustrates this and reminds us that legal solutions may do little to correct the underlying problem.
The economic implications of non-depletability can be grasped when considering large-scale electronic databases containing consumer information on thousands or millions of people. The marginal cost of another database is the marginal cost of a blank CD or other form of data transfer. Toys R Us, a Fortune 500 firm, sold its customer database to Coremetrics. Toys R Us incurred little or no additional cost while being compensated by Coremetrics (Liu, Marchewka, & Mackie, 2003). Non-excludability implies that Toys R Us must engage in expensive contracting or software protections, or resort to post hoc legal remedies, to prevent Coremetrics from reselling that database to other companies.
The implication of these characteristics is important to the market for information. In a properly functioning market:
❚❚ Consumers pay sellers the full price for goods purchased.
❚❚ Sellers deliver to consumers the total value intrinsic to the goods sold.
Information markets do not function properly in that they are inefficient in the distribution of costs and benefits of traded goods. Information suppliers find it difficult to create and sell information to consumers who might benefit from that information because once the information is sold to one consumer, copies will be made, and some consumers will forgo the purchase of the good by obtaining it from another consumer. This distorts the market for information. The distortion results in what is called an externality (Walters, 1993). An externality exists when producers or consumers do not pay the full costs or receive the full benefits from a market transaction.
Externalities are morally suspect because they allow some buyers and consumers to gain benefits that should belong to others or avoid costs that they should pay. This violates the ethical perspective of distributive justice (Perlman, 1963, 1967). Mass mailers, telemarketers, and spammers obtain benefit from relatively low-cost methods of contacting consumers, but the costs of that marketing are imposed on consumers. The cost to consumers is the sum of the value of time spent dealing with marketers and the costs of dealing with their communications. The benefits to consumers vary with their desire for those communications. In the example of a marketer that sells a huge database of consumer data to another marketer, each marketer benefits at the expense of the consumer, who must spend additional time and resources dealing with the new marketer. When a business fails to make the necessary investment to safeguard consumer information and is then a victim of a hacker, it is the consumer who must pay the price. Acxiom Corp (Clampet, 2000) and RealNames (Stellin, 2000) are two companies that failed in their responsibility to protect consumer information and imposed high costs on consumers.
A final note about information is critical. The value of information is individual and context specific. Several examples will suffice to illustrate this. Different people may experience different costs and benefits concerning their personal information. For instance, health information will have different costs and benefits to (1) healthy patients vs. (2) patients with stigmatized diseases (e.g., AIDS, leprosy, etc.). Individuals may experience different costs and benefits for the same information, depending on how it is used. Personal consumer information may have one value when in the hands of a trusted and responsible merchant and another value when in the hands of an Internet spammer. The point is that the value of information can vary from person to person and can vary to one person depending on the situation.
Because alternatives to privacy exist, we might find other methods that would be more efficient and produce greater benefits. There are a variety of methods for correcting externalities: regulatory restrictions can specify legal and illegal conduct, government can sell the right to create an externality, government can subsidize positive externalities or tax negative externalities, and finally government can assign entitlements that, by themselves, eliminate the externality (Ekelund and Tollison, 1994, p. 447). As an example of a tax solution, a mass marketer might be compelled to pay “Internet postage” equal to the full cost imposed on all recipients of Internet advertising. A more market-based regulatory solution might compel the marketer to pay the recipient of Internet advertising some amount determined by the recipient as a precondition for receiving the advertising. Although both solutions would reduce the amount of unwanted advertising, they each present problems. With the first solution comes the difficulty of calculating the full cost to consumers. With the second solution, consumers might solicit unwanted advertising simply for the compensation.
From the previous discussion it can be inferred that externalities allow businesses to benefit from consumer information that far exceeds the cost of that information while some consumers are harmed. Further, it can be inferred that consumers should benefit from their information to a much greater extent than they do. These cost and benefit transfers between businesses and consumers are lucrative to business and costly to consumers and create strong incentives to violate whatever privacy rules society adopts. Even if society adopts strong privacy rules, financial incentives exist to encourage violations of those rules.
Economists generally agree that, if feasible, the best way to correct externalities is to correct the market failure that causes them. Correcting the market failure has the advantage that, once it is corrected, all the market participants have the incentive to act in ways that produce the greatest value. Properly functioning markets are economically efficient from the standpoint of utilitarianism and ethically efficient from the standpoint of meritocratic justice. Government regulation of externalities, as in the case of privacy, can reduce some problems but does not correct the underlying market failure, because regulation invariably requires some entities to act against their own interests. In some cases, the market failure cannot be corrected and government regulation is the only way to solve the problem. Legislation designed to protect civil rights and prevent the sale of harmful products are examples. Now we turn to an alternative solution to the problem of information externality.
ALTERNATIVE APPROACHES: APPLYING THE COASE THEOREM
Ronald Coase won the 1991 Nobel Prize in economics for his insights into correcting externalities. Coase (1960) argued that it does not matter to whom entitlements are assigned provided parties are free to bargain. At the time, and in certain circles today, this was a revolutionary concept because existing legal practice emphasized that:
1. Only governments, by means of taxes and subsidies, could internalize externalities in economic exchange or production (Pigou, 1920).
2. Entitlements had to be assigned to the victim.
The Coase theorem is important because it showed that society could correct the externality if it assigned an entitlement to nongovernmental entities, and, counterintuitively, it did not matter to which party the entitlement was assigned. Further, the entitlement could be assigned through the legal institution of liability or the legal institution of property rights. This opened greater latitude in solving externalities. The implication is that the granting of entitlements can correct externalities and society doesn’t have to rely solely on invasive government regulation. The practical implications of the Coase theorem are that by assigning someone ownership of consumer information, that owner would have the economic incentive to use that information efficiently.
Coase did note that impediments to bargaining can reduce the efficiency of markets. Therefore, the granting of entitlements tends to be an efficient mechanism for correcting externalities when impediments are low. These impediments, or transaction costs, increase when the parties are unknown or are large in number (Baron, 2000).
Calabresi and Melamed (1972) expanded on Coase’s insights by suggesting practical issues, related to transaction costs, to examine when considering entitlements. They define an entitlement as an entity’s ability to own a resource or take an action under the state’s protection. They distinguish three types of rules or mechanisms for protecting entitlements — property rules, liability rules, and inalienability rules. Calabresi and Melamed warn that these rules are conceptually powerful for understanding entitlements but tend to converge in some areas and leave gaps in others. The nature of the protection provided by each type of entitlement is important:
❚❚ Property rules: Property rules prevent a person from infringing on the property right holder without the holder’s permission (Baron, 2000). A property right holder possesses control and transfer rights, which gives the right holder (1) decision control — the right to decide if, when, or how to use the property; and (2) transfer control — the right to decide when, to whom, for what price to sell the property. The holder of a property right cannot legally be forced into giving up either control rights or transfer rights. Those rights can be transferred to a buyer only at a price determined by the right holder (Calabresi and Melamed, 1972).
❚❚ Liability rules: Liability rules protect entitlement holders differently. Liability rules permit infringement but require the infringing person to compensate the entitlement holder for damages. Fair compensation is determined by the market or society, not by the entitlement holder. For example, the recent U.S. Supreme Court decision in Kelo et al. v. City of New London et al. (2004) upheld that private property is protected from local governments only by a liability rule, whereas that same property is protected from nongovernmental agents by a property right. The law of eminent domain allows the government to seize private property for public purposes and compensate the owner for the violation (Calabresi and Melamed, 1972).
❚❚ Inalienability rules: The First Amendment to the U.S. Constitution provides an example of an entitlement protected by an inalienability rule: the right to freedom of expression. This right cannot be given up, even voluntarily. Inalienability rules are used when inflexible and powerful protections are needed to prevent harm to people under conditions when alternatives are unlikely to work. Given the tendency of people to surreptitiously discriminate against others, the right to be free from discrimination, as provided under Title VII, is another inalienable right that could not have been provided using alternative methods. Alternatively, if property and liability rules are likely to be effective, inalienability rules should not be used.
The application of the Coase theorem to the topic of consumer information suggests that either property rules or liability rules could be used to solve the information externality. Precedent exists for using property rights to assign entitlements to specific pieces of information that are unique and identifiable, such as in the case of intellectual property. Although the total amount of information that is protected by property rights is relatively small, there is little reason to dismiss its use in protecting consumer information. Precedent also exists for using liability to assign entitlements to consumer information, because those who inflict harm on others can be held liable under the law of torts (Whitman and Gergacz, 1991). The law of torts recognizes that individuals who are harmed in society are entitled to some form of compensatory justice (Velasquez, 1992). For instance, if one person disseminates damaging but untrue information about another person, the second person has the right to compensation. If factual information is used improperly, for purposes of prejudicial discrimination, the victim has the right to compensation.
Calabresi and Melamed’s Principles
The previous section discussed how entitlements could be used to solve the information externality through either property rights or liability rules. The natural question is, which is the best way to assign entitlements? To answer this question we need to consider the factors outlined by Calabresi and Melamed (1972). Their five criteria are
1. The assignment of entitlements should balance the social benefits (e.g., economic efficiency) with the social costs (e.g., harm to individuals). If one entitlement assignment results in huge net benefits for society and trivial individual costs it is preferable to another assignment with trivial net benefits for society and huge individual costs.
2. In the absence of certainty as to the costs and benefits to society, the entitlement should be granted to the party best able to make such a cost–benefit analysis.
3. When there are alternative means of achieving beneficial outcomes (balancing costs and benefits), the entitlement should be assigned to the party that can do so at the lowest cost.
4. In the absence of certainty as to which party is more efficient at achieving the lowest social costs, the entitlement should be assigned to the party with the lowest transaction costs.
5. Since markets are inefficient in the presence of high transaction costs, a decision will often have to be made between using market transactions or collective fiat depending on which is most likely to bring us closer to the socially efficient or Pareto optimal result (pp. 1096–1097).
Calabresi and Melamed’s principles generally follow the philosophy underlying the Coase theorem. These principles focus on net social benefit, where total benefits exceed total costs, and specifically address externalities.
Assigning the Entitlement and Choosing an Entitlement Rule
According to the Coase theorem, assignment of an entitlement would resolve the information externality. In the case of consumer information, that entitlement could be assigned to one of three separate entities: (1) the specific consumer described by the information, (2) a business that loaded the consumer’s information or caused the information to be loaded into a database, or (3) a third-party business (e.g., DoubleClick) that compiled a particular database from existing sources. Although the Coase theorem indicates that we do not need to worry about who receives the entitlement, transaction cost analysis suggests that the assignment to one entity might be more efficient than assignment to another.
According to the prior discussion and the five principles suggested by Calabresi and Melamed (1972), we know that:
1. Information sharing contains positive net benefits.
2. Consumers suffer from substantial harms when information is misused, and the value of those claimed harms can be inflated by opportunistic consumers or reduced by careful behavior.
3. Business is in the unique position to be able to determine the most efficient method of protecting consumers from information misuse.
4. As the central repository of consumer information, business has the lowest transaction cost and thus should shoulder the costs of protecting consumers from harm.
Because of the high transaction costs (Singleton, 1998; Baron, 2000; Nott, 2003), it would be inefficient to assign property rights to individual consumers. Consider the high cost of online banking if individual consumers had the right to withdraw their information from databases that monitor creditworthiness. To compensate for unforeseeable risks, online banks would have to raise interest rates and lower credit limits on any individual who withdrew from the system.
In points 3 and 4 above, businesses are singled out as efficient because they have fewer transaction costs. It is important to note that database archivists may be more efficient protectors of consumers than businesses in general because they have fewer transaction costs (e.g., Acxiom Corp). On the other hand, unless we hold those archivists accountable for the harms they cause directly and indirectly (e.g., security leaks), they will have little incentive to minimize the harm to consumers.
The choice of entitlement rule, between property rights and liability, is the next major question. If society decides to solve the information problem using a property rule, it will assign control rights, much like ownership rights, to specific pieces or components of information, similar to the way it provides for patent and trademark protections. The “owner” of “consumer information” would hold exclusive rights to the use, handling, and distribution of that information. In each of these three cases, the owner would hold veto authority over the use, handling, and distribution of a consumer’s information. In this vein, commentators (Bibas, 1994; Laudon, 1996) and the private sector generally prefer market-based, contractual solutions to personal information protection over the strict regulatory regime. Here, consumer information is a commodity to be exchanged with monetary rewards. The use of information would be prohibited unless it was properly purchased or leased. Restrictions on leased information, intended to protect consumers, are likely to be difficult to specify in advance, quite complex, and costly. The enforcement mechanisms needed to remedy violations of such rules are likely to be even more costly and difficult to manage.
The liability approach would permit the selling or leasing of information, but instead of cumbersome prohibitions on use, the users of information would be held accountable for damages resulting from the misuse of accurate information or the use of inaccurate information. Liability rules allow more flexibility in the use of information but hold the users of information responsible for harms inflicted and require restitution to those harmed. Of the two approaches, the liability approach — which requires a system to monitor both data collectors and database archivists in E-business for both improper use and incorrect information — is likely to be more efficient than a property rights–based system of contracting that needs to anticipate problems and remedy violations of contracts.
Thus, the liability approach appears to be more efficient and can ultimately correct the problem of information externality in an E-business environment. When society agrees to adopt a liability approach, the entitlement is assigned to online companies and they are liable for any damage or harm caused by their actions. E-business studies (Gefen, Karahanna, and Straub, 2003; Pavlou, 2003; Suh and Han, 2003) have suggested that trust is critical for the acceptance of electronic commerce. A liability approach is expected to lead to a dramatic increase in consumer trust, and more online transactions by consumers are likely to occur. Thus, both entities — consumers and online companies — will receive benefits from this liability approach, and at the same time electronic business can reach its full potential.
IMPLICATIONS FOR IMPLEMENTING THE LIABILITY APPROACH FOR E-BUSINESS
Implementing the liability approach requires certain actions from two important entities in society — government and online companies — for electronic business to reach its full potential.
The Role of Government
From a more practical point of view, the implementation of a liability rule in countries such as the United States might take precedent from the existing law of torts that assesses responsibility on the basis of proposed, current, or historical standards. Two currently used standards — negligence and strict liability — are important to this discussion. Negligence requires that the culprit both caused damage and intended to act improperly. Behaviors are considered improper if the actor failed to exercise “due care.” Strict liability requires only that the culprit caused damage (Whitman and Gergacz, 1991). Strict liability removes the necessity of proving intent: “The law evolved because it is often not feasible for a consumer to prove negligence” (Birnbaum, 1988, p. 142).
Our social intuition and procedures for dealing with huge amounts of consumer information are relatively new, and little definitive guidance exists on what is proper or improper behavior. This would make it very difficult and costly to determine consistent standards for negligence. Because it is unlikely that most consumers have the resources to obtain enough information to prosecute online companies under a negligence standard, the strict liability standard would seem to be the most viable in this situation. We therefore argue:
The government needs to formalize a law of strict liability which provides organizations with basic but clear guiding principles for collecting, using, and distributing consumer information.
The United States has neither enacted comprehensive data protection legislation nor designated an independent agency to oversee information privacy issues at the federal level. No federal law governs the collection, use, and storage of personal information by the private sector (Banisar, 2000; Baumer, Earp, and Poindexter, 2004). Because federal privacy protection has been enacted at a basic level, the various states have enacted more comprehensive legislation that lacks standardization. The resulting patchwork of laws makes business compliance both complex and expensive (Heller, 2002). It also makes enforcement by state authorities problematic because these laws can be enforced only within one state’s jurisdiction. This has led to calls for more federal standardization (Vijayan, 2003).
Without a standardized system to protect personal information when consumers venture online, electronic commerce will never reach its full potential. For this reason, we argue:
The U.S. government should fulfill its lawmaking role as an economic standard setter by enacting a system that permits useful and efficient uses of information while specifying a liability system to protect both companies and consumers from injury using the standard of strict liability.
The law of strict liability should be flexible and minimal enough so that both companies and consumers, acting in the course of their normal activities, can act in economically efficient ways. It should also be broad enough to recognize injuries and deter misuse. These changes to the legal system would increase consumer confidence and lead to market efficiency and increased transactions, as well as ethical data management.
One example of strict liability would be the default rule–based approach proposed by legal scholars (Kang, 1998; Samuelson, 2000) to govern uses and disclosures of consumer information. A default rule is a rule of law that can be superseded by a contract, trust, will, or other legally effective agreement. Contract law, for example, can be divided into two kinds of rules (Barnett, 1992):
- Default rules, which can be modified by agreement of the parties
- Mandatory rules, which will be enforced even if the parties to a contract attempt to override or modify them
To this end, Kang (1998) argues in favor of a default rule that allows only “functionally necessary” processing of consumer information unless the parties expressly agree otherwise. He proposes a statute that translates academic theory into legislative practice. The liability law can grant consumers a protectable interest in their personal information without grounding that interest in property law. It can do so by setting a default rule or a uniform federal law forbidding certain activities with respect to this information, such as unauthorized collection or use unless the consumer has agreed to these activities (Kang, 1998). Samuelson (2000) proposes trade secrecy law, which remains a tort law that has a number of default rules to guide consumer information handling by companies. Trade secrecy for consumer information would allow three things. First, it protects the interests of consumers to restrict access to and unauthorized uses of private information. Second, it can give companies and consumers control over commercial exploitations of their secret and private information. Finally, it can set and enforce minimum standards of commercial morality (p. 137).
Drawn from the arguments and recommendation of Kang and Samuelson, some specific default rules can be considered for a liability law by the government:
1. Consumer information should not be used beyond the original purpose without obtaining permission from consumers.
2. The acquisition of consumer information by a third party by “improper means or in breach of confidence” should be prohibited (Samuelson, 2000).
3. Companies that collect, transfer, and use consumer information in the online environment should be required to have consumer information policies that are based on industry best practices as well as normative, ethical standards.
We argue that a liability law reflecting these default rules needs to be enacted for electronic business.
Voluntary Roles: Industry Groups and Individual Companies
One reason why society adopts liability rules is to increase “precaution” in an actor’s decisions and actions. With liability rules, industry associations and individual companies should be proactive. As society adopts more stringent liability rules, evolving from negligence to strict liability, this encourages greater precaution. The use of less stringent liability rules leads to lower levels of precaution and less proactivity.
The absence of comprehensive strict liability standards related to consumer information has led to the use of negligence standards. A negligence rule holds a business liable for damages only if due care has not been taken in undertaking the collection, use, and distribution of consumer information in both electronic and physical settings. Negligence rules do not encourage efficient “precaution” on the part of business. For example, in one recent case the court assigned liability to Docusearch.com for damages caused by selling personal information, using a negligence standard. In another case, EarthLink won $16 million in a spam case to directly compensate it for malicious attacks from mass marketers (Roberts, 2003). Although this illustrates that a negligence standard can be successfully applied, we have little confidence in either the consistency of this approach or the degree of protection provided.
An example of a proactive approach is the adoption of different seal programs (e.g., Online Privacy Alliance, TRUSTe, and BBBOnline) by industry and trade associations (Moores and Dhillon, 2003). According to a Greenfield Online survey, 84 percent of consumers indicated that third-party recognition of an E-business firm would make them more likely to purchase from that firm (Hemphill, 2002). Another proactive mechanism that could be adopted by industry and trade associations is a reputation system (Resnick, Zeckhauser, Friedman, and Kuwabara, 2000). Currently, reputation systems or similar customer feedback systems/forums are popularly used in Web sites such as eBay. After a transaction, buyers and sellers have the opportunity to rate each other and leave comments. Similarly, industry and trade associations can develop reputation systems in which customers rate online companies based on their past experiences with the companies’ products and services as well as practices of consumer information handling. Through such systems, industry and trade associations can protect their industry, trustful online firms, and consumers. Institution-based trust has been found to be important for building effective online marketplaces (Pavlou and Gefen, 2004).
Resolving conflicts between consumers and companies in court is costly. Avoidance of harm is ideal. The ideal liability approach would encourage all parties to prevent or minimize injuries in the online environment. This suggests that online firms need to be preventative, rather than reactive, and cautious about the potential misuse of consumer information. Several major corporations, including IBM, AT&T, Microsoft, EarthLink, DoubleClick, and 24/7 Media, have attempted to achieve this by creating the position of chief privacy officer (CPO) to oversee company relations with their consumers and other firms (Hemphill, 2002).
Online firms should invest in addressing consumer concerns of security and information handling. Consumers report that security and information handling disclosure on Web sites are characteristics of an effective business-to-consumer Web site (Ranganathan and Ganapathy, 2002). Recent studies also indicate that perceptions of lack of security and information handling disclosure lower consumer trust in the Web site and influence behavioral intentions to purchase online (Liu et al., 2004).
Individual companies need to commit to the fair collection, transfer, and use of consumer information; adhere to some basic principles of fair information practices; and prepare their own practice guidelines and policies. At least four core aspects should be considered in developing fair information practices: notice, choice, access, and security (Pitofsky, 2000). Applying the Federal Trade Commission’s recommendations, for example, to the financial industry, individual companies should:
- Provide consumers clear and conspicuous notice of their information practices.
- Offer consumers basic choices as to how their personal information is used beyond the original purpose.
- Allow consumers reasonable access to their personal information for review and correction.
- Take serious actions, both organizational and technological, for the security of their customers’ information.
Further, the misuse of consumer information by online firms will not only expose them to more risks (e.g., damages to reputation) and potentially serious financial consequences, but will also increase consumers’ privacy concerns. Intense media attention on consumer injuries, without considering the high costs of privacy or the costs and benefits of alternative solutions, may push the issue of consumer information further away from discussions of the information externality toward privacy solutions. This may further drive society to adopt an approach focusing on restrictive privacy laws, based on strong government regulation. As argued previously in the article, this restrictive approach both ignores market failure and is likely to be harmful to electronic business. Such a restrictive privacy approach to online consumer information can result in the loss of benefits that both consumers and companies can receive through information sharing and reuse. At the same time, the implementation of restrictive privacy laws in electronic business can be very costly to both companies and consumers. According to Staten and Cate (2002), some of the potential adverse impacts of mandatory privacy laws requiring explicit consumer consent for information collection, transfer, or use in the arena of credit card services and products include more offers made to unqualified consumers, missed opportunities for targeted marketing to qualified consumers, and impaired efforts to prevent credit card–related fraud.
CONCLUSION
The U.S. government and commercial sector have opted to use privacy regulations to control an information externality problem: the misuse of consumer information. We argue that this is undesirable because it does not correct the market failure that causes the information externality and leaves the market inefficient. Regulatory solutions constrain society for years or even decades past the point where technology could solve the problem efficiently. Correcting the externality creates incentives for all parties to act efficiently. The Coase theorem suggests that this market failure can be corrected using either property rules or liability rules; the externality cannot be solved using inalienability rules such as privacy. We suggest that both property and liability rules have costs and benefits, but that liability rules are likely to be the most socially efficient.
A liability approach should include the legal standards of both strict liability and negligence and should be enacted through both regulation and voluntarily adopted industry standards. First, the government should enact a minimal set of legal rules applicable to all online industries and that embodies liability standards. These rules would be flexible enough to take into account unique requirements and risks and minimal enough so that online firms are not unnecessarily constrained. Such a law can increase consumers’ trust in online firms and encourage secure online transactions. For the liability approach to be successful, industries and individual firms should proactively enact self-regulatory codes and norms (e.g., seal programs) and make public their policies and practices for handling consumer information.
In summary, the full potential of E-business cannot be achieved without a better federal approach to the problem of consumer information misuse. A strict privacy regulation approach should be avoided and a liability approach — with certain roles by government, industries, and individual firms — should be implemented to solve the information externality and increase the market efficiency in the electronic marketplace.
References
Annenberg. (2003). Most Americans do not understand how websites use information about them. Public Policy Center of University of Pennsylvania.
AT&T. (1999, April 14). Beyond concern: Understanding net users’ attitudes about online privacy. (AT&T Labs Report Number TR 99.4.3). Retrieved December 1, 2005, from ArXiv Web site: http://arxiv.org/html/cs/9904010/report.htm: AT&T Labs
Banisar, D. (2000). Privacy & human rights 2000: An international survey of privacy laws and developments. Washington, DC: The Electronic Privacy Information Center.
Barnett, R. E. (1992). The sound of silence: Default rules and contractual consent. Virginia Law Review, 78.
Baron, D. P. (2000). The Environment of Business, 3e. Upper Saddle River, NJ: Prentice Hall.
Barron, J. M., and Staten, M. (2000). The value of comprehensive credit reports: Lessons from the U.S. experience. Retrieved 25 Oct. 2005, from Privacy Alliance Web site: http://www.privacyalliance.org/resources/research.shtml
Baumer, D. L., Earp, J. B., and Poindexter, J. C. (2004). Internet privacy law: A comparison between the United States and the European Union. Computers and Security, 23, 400–412.
Bibas, S. A. (1994). A contractual approach to data privacy. Harvard Journal of Law and Public Policy, 17, 604–605.
Brandeis, L. D., and Warren, S. (1890). The right to privacy. Harvard Law Review, 193, 195–197.
Calabresi, G., and Melamed, D. A. (1972). Property rules, liability rules and inalienability: One view of the cathedral. Harvard Law Review, 85, 1089–1128.
Clampet, E. (2000, 11 Feb). RealNames is latest hack victim. internetnews.com
Coase, R. H. (1937). The nature of the firm. Econometrica, 4, 386–405.
Coase, R. H. (1960). The problem of social cost. Journal of Law and Economics, 3, 1–44.
Ekelund, R. B., and Tollison, R. D. (1994). Economics. New York, NY: Harper Collins College Publishers.
EPIC (2005, August 9). EPIC bill track: Tracking privacy, speech, and cyber-liberties bills in the 109th Congress. Retrieved 2 Dec 2005 from the Electronic Privacy Information Center Web site: http://www.epic.org/privacy/bill_track.html
Ernst and Young. (2001). Global Online Retailing. Retrieved December 1, 2005, from the Ernst and Young Web site: http://www.ey.com
Friedman, M. (1962). Capitalism and Freedom. Chicago, IL: University of Chicago Press.
Garfinkel, S. L. (2000, June 1). Private matters. CIO Magazine.
Gefen, D., Karahanna, E., and Straub, D. (2003). Trust and TAM in online shopping: An integrated model. MIS Quarterly, 27(1), 51–90.
Hayek, F. A. (1944). The Road to Serfdom. Chicago, IL: The University of Chicago Press.
Heller, M. (2002). After privacy debate, regulatory bill clears panel. American Banker, 167(109), 4.
Hemphill, T. A. (2002). Electronic commerce and consumer privacy: Establishing online trust in the U.S. digital economy. Business and Society Review, 107(2), 221–239.
Hoffman, D. L. and Novak, T. (1999). Building consumer trust online. Communications of the ACM, 42(4), 80–85.
Kang, J. (1998). Information privacy in cyberspace transactions. Stanford Law Review, 50, 1212–1220.
Kelo et al. v. City of New London et al. 126 U.S. 326 (2004).
Kerner, S. M. (2005, August 16). Consumers want personalization — and privacy. Retrieved October 25, 2005, from Clickz Stats Web site: http://www.clickz.com/
Laudon, K. C. (1996). Markets and Privacy. Communications of the ACM, 39(9), 92–104.
Liu, C., Marchewka, J. T., Lu, J., and Yu, C. (2004). Beyond concern: A privacy-trust-behavioral intention model of electronic commerce. Information & Management, 42(1), 127–142.
Liu, C., Marchewka, J. T., and Mackie, B. (2003). Implementing privacy dimensions within an electronic storefront. In J. R. Mariga (Ed.), Managing E-commerce and Mobile Computing Technologies (pp. 116-131): Idea Group Publishing.
Mill, J. S. (1987). Utilitarianism and other essays — J.S. Mill and Jeremy Bentham. New York, NY: Penguin Books.
Moores, T. T. and Dhillon, G. (2003). Do privacy seals in E-commerce really work? Communications of the ACM, 46(12), 265–271.
Nott, L. (2003). Financial Privacy: An Economic Perspective: Government and Finance Division, Congressional Research Service.
Nua Internet Surveys. (2003). How Many Online? Retrieved 10 Oct. 2004, from Nua Web site: http://www.nua.ie/surveys/how_many_online/index.html
Pavlou, P. A. (2003). Consumer acceptance of electronic commerce: Integrating trust and risk with the technology acceptance model. International Journal of Electronic Commerce, 7(3), 101–134.
Pavlou, P. A. and Gefen, D. (2004). Building effective online marketplaces with institution-based trust. Information Systems Research, 15(1), 37–59.
Perlman, C. (1963). The Idea of Justice and the Problem of Argument. New York, NY: The Humanities Press.
Perlman, C. (1967). Justice. New York, NY: Random House.
Pigou, A. C. (1920). The Economics of Welfare. London: Macmillan and Co., Ltd.
Pitofsky, R. (2000). Privacy online: Fair information practices in the electronic marketplace: Hearing before the Senate Committee on Commerce, Science, and Transportation, 106th Cong., 2nd Sess. (2000, May 25) (testimony of Robert Pitofsky).
Poulsen, K. (2000, October 24). Survey: Security fears are global. Security Focus. Retrieved December 1, 2005, from Security Focus Web site: http://www.securityfocus.com
Priest, W. C. (1997). An Information Framework for the Planning and Design of Information Highways (Report). Melrose, MA: Center for Information, Technology and Society.
PR Newswire. (2005). Survey captures business impact of banks, online businesses leaving consumers unprotected online. (2005, 18 Aug). Retrieved 26 Oct. 2005, from Lexis Nexis database: http://web.lexis-nexis.com
Ranganathan, C. and Ganapathy, S. (2002). Key dimensions of business-to-consumer Web sites. Information & Management, 39(6), 457–465.
Resnick, P., Zeckhauser, R., Friedman, E., and Kuwabara, K. (2000). Reputation systems. Communications of the ACM, 43(12), 45-48.
Roberts, P. (2003, May 7). Earthlink wins $16 million in spam case. PCWorld. Retrieved October 25, 2005, from PCWorld Web site: http://www.pcworld.com
Rotenberg, M. (2001). Privacy in the Commercial World: Hearing before the House Subcommittee on Commerce, Trade, and Consumer Protection: Committee on Energy and Commerce, 107th Congress 1st Sess. (2001, March 1) (testimony of Marc Rotenberg).
Rubin, P. H. and Lenard, T. M. (2001). Privacy and the Commercial Use of Personal Information: Kluwer Academic Publishers.
Samuelson, P. (2000). Privacy as intellectual property. Stanford Law Review, 52.
Singleton, S. (1998, January 22). Privacy as censorship: A skeptical view of proposals to regulate privacy in the private sector. (Cato Policy Analysis No. 295). Retrieved December 1, 2005, from the Cato Policy Institute Web site: http://www.cato.org/pubs/pas/pa-295.html
Staten, M. E. and Cate, F. H. (2002). The adverse impact of opt-in privacy rules on consumers: A case study of retail credit. (White Paper). Retrieved October 25, 2005, from The Privacy Leadership Initiative Web site: http://www.bbbonline.org
Steiner, G. A. and Steiner, J. F. (2003). Business Government and Society: A Managerial Perspective, 10e. New York, NY: McGraw Hill Companies, Inc.
Stellin, S. (2000, 20 Oct). Lessons in spam: A Nordstrom e-mail goes astray. The New York Times, p. C5.
Suh, B. and Han, I. (2003). The impact of customer trust and perception of security control on the acceptance of electronic commerce. International Journal of Electronic Commerce, 7(3), 135–161.
Symons, J. (2005, September 19). Forrester Research US eCommerce Forecast: Online Retail Sales to Reach $329 Billion by 2010. (Press Release). Cambridge, MA: Forrester Research.
U.S. Government. (2005). E-commerce Multi-sector Reports, 2000-2003. Retrieved October 27, 2005, from the U.S. Department of Commerce Web site: http://www.census.gov/eos/www/ebusiness614.htm
VanDuifhuizen, R. and Felter, N. (2001, 25 Jan). Consumer privacy threatened on the net. Retrieved October 25, 2005, from the Consumer International Web site: http://www.consumersinternational.org
Velasquez, M. (1992). Business Ethics, 3e. Englewood Cliffs, NJ: Prentice-Hall.
Vijayan, J. (2003). New privacy rules could mean headache for financial services IT. Computerworld, 37, 7.
Walters, S. J. K. (1993). Enterprise, Government and the Public. New York, NY: McGraw-Hill Inc.
Whitman, D. and Gergacz, J. W. (1991). The Legal Environment of Business, 3e. New York, NY: McGraw Hill, Inc.