The Use of Data Protection Regulatory Actions as a Data Source for Privacy Economics

  • Conference paper
Computer Safety, Reliability, and Security (SAFECOMP 2017)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 10489)

Abstract

It is well understood that security informatics is constrained by the availability of reliable data sources, which limits the development of robust methods for measuring the impact of data breaches. To date, empirical data breach analysis has largely relied upon the use of economic and financial data associated with an organisation as a measure of impact. To provide an alternative, complementary approach, we explore monetary fines resulting from data protection regulatory actions to understand how the data can inform the evaluation of data breaches. The results indicate where context matters and also provide information on the wider challenges faced by organisations managing personal data.

Notes

  1. The Data Protection Directive (Directive 95/46/EC) required EU Member States to harmonise national legislation on data protection.

  2. https://www.ftc.gov/news-events/press-releases/2013/02/path-social-networking-app-settles-ftc-charges-it-deceived.

  3. https://www.ftc.gov/news-events/press-releases/2016/12/operators-ashleymadisoncom-settle-ftc-state-charges-resulting.

  4. The legislation may be found at http://www.legislation.gov.uk/ukpga/1998/29/contents.

  5. https://www.gov.uk/government/publications/cyber-security-breaches-survey-2016.

  6. https://ico.org.uk/media/action-weve-taken/csvs/1042752/civil-monetary-penalties.csv.

  7. Ponemon Institute: Cost of Data Breach Study: United Kingdom. http://www-03.ibm.com/security/data-breach/.

Acknowledgement

AC would like to thank the EPSRC and the Oxford Radcliffe Scholarship for financial support. The authors would like to thank the anonymous reviewers for their helpful and constructive feedback.

Corresponding author

Correspondence to Aaron Ceross.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Ceross, A., Simpson, A. (2017). The Use of Data Protection Regulatory Actions as a Data Source for Privacy Economics. In: Tonetta, S., Schoitsch, E., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2017. Lecture Notes in Computer Science, vol 10489. Springer, Cham. https://doi.org/10.1007/978-3-319-66284-8_29

  • DOI: https://doi.org/10.1007/978-3-319-66284-8_29

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66283-1

  • Online ISBN: 978-3-319-66284-8

  • eBook Packages: Computer Science, Computer Science (R0)
