Abstract
It is well understood that security informatics is constrained by the availability of reliable data sources, which limits the development of robust methods for measuring the impact of data breaches. To date, empirical data breach analysis has largely relied upon the use of economic and financial data associated with an organisation as a measure of impact. To provide an alternative, complementary approach, we explore monetary fines resulting from data protection regulatory actions to understand how the data can inform the evaluation of data breaches. The results indicate where context matters and also provide information on the wider challenges faced by organisations managing personal data.
Notes
- 1. The Data Protection Directive (Directive 95/46/EC) required EU Member States to harmonise national legislation on data protection.
- 2.
- 3.
- 4. The legislation may be found at http://www.legislation.gov.uk/ukpga/1998/29/contents.
- 5.
- 6.
- 7. Ponemon Institute: Cost of Data Breach Study: United Kingdom. http://www-03.ibm.com/security/data-breach/.
Acknowledgement
AC would like to thank the EPSRC and the Oxford Radcliffe Scholarship for financial support. The authors would like to thank the anonymous reviewers for their helpful and constructive feedback.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Ceross, A., Simpson, A. (2017). The Use of Data Protection Regulatory Actions as a Data Source for Privacy Economics. In: Tonetta, S., Schoitsch, E., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2017. Lecture Notes in Computer Science, vol 10489. Springer, Cham. https://doi.org/10.1007/978-3-319-66284-8_29
DOI: https://doi.org/10.1007/978-3-319-66284-8_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66283-1
Online ISBN: 978-3-319-66284-8
eBook Packages: Computer Science (R0)