Liability for Data Breaches: A Proposal for a Revenue-Based Sanctioning Approach

  • Maurizio Naldi
  • Marta Flamini
  • Giuseppe D’Acquisto
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)


Data breaches are a rising concern in personal data management. While the damage due to a data breach falls primarily on the end customer, the service provider should be held liable. A sanctioning approach is proposed to promote greater responsibility on the part of the service provider, where sanctions are proportional to the service provider's revenues. The interactions between the customer and the service provider are modelled as a game, in which the customer decides the amount of tolerable loss (a proxy for the amount of information released) and the service provider decides the amount of security investment. The solution of the game for a typical scenario shows that sanctions effectively spur the service provider to invest more in security and lead to a reduced data breach probability.
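The abstract gives the direction of the result (a revenue-proportional sanction raises the provider's optimal security investment and lowers the breach probability) but not the model. The following is an added illustration, not the paper's model or code: it assumes a simple stand-in in which the breach probability decays with investment z as p(z) = v / (1 + alpha z), the provider's expected cost is the investment plus the expected breach loss (an assumed direct loss plus a sanction equal to a fraction of revenue), and the provider picks z to minimise that cost. The `Scenario` class, the parameter names and every numeric value are constructed for this example; the customer's choice of tolerable loss is folded into the fixed `own_loss` term.

```python
import math
from dataclasses import dataclass

# Stand-in model for illustration only. Not the paper's formulation.
# Money is in thousands of euro; all numbers are constructed.


@dataclass(frozen=True)
class Scenario:
    v: float               # breach probability with zero security investment
    alpha: float           # productivity of investment in reducing p(z)
    own_loss: float        # provider's direct loss on a breach (assumed)
    revenue: float         # provider's annual revenue
    sanction_rate: float   # sanction charged on a breach, as a fraction of revenue

    def breach_probability(self, z: float) -> float:
        """p(z) = v / (1 + alpha z): decreasing and convex in investment z."""
        return self.v / (1.0 + self.alpha * z)

    def sanction(self) -> float:
        """Revenue-based sanction paid by the provider when a breach occurs."""
        return self.sanction_rate * self.revenue

    def expected_cost(self, z: float) -> float:
        """Investment plus expected breach loss (direct loss + sanction)."""
        return z + self.breach_probability(z) * (self.own_loss + self.sanction())

    def optimal_investment(self) -> float:
        """Closed-form minimiser of expected_cost, clamped to z >= 0.

        d/dz [ z + v*L / (1 + alpha z) ] = 0  =>  (1 + alpha z)^2 = alpha v L,
        so z* = (sqrt(alpha v L) - 1) / alpha, with L = own_loss + sanction.
        If sqrt(alpha v L) < 1 the provider's best response is to invest nothing.
        """
        loss = self.own_loss + self.sanction()
        root = math.sqrt(self.alpha * self.v * loss)
        return max(0.0, (root - 1.0) / self.alpha)


def grid_search(sc: Scenario, z_max: float = 500.0, step: float = 0.01) -> float:
    """Brute-force check of the closed form: scan z and keep the cheapest."""
    best_z, best_cost = 0.0, sc.expected_cost(0.0)
    n_steps = int(z_max / step)
    for i in range(1, n_steps + 1):
        z = i * step
        cost = sc.expected_cost(z)
        if cost < best_cost:
            best_z, best_cost = z, cost
    return best_z


def compare_sanction_rates(rates):
    """For each sanction rate, return (rate, z*, p(z*)) under fixed assumptions."""
    base = dict(v=0.5, alpha=0.05, own_loss=100.0, revenue=10_000.0)
    rows = []
    for s in rates:
        sc = Scenario(sanction_rate=s, **base)
        z_star = sc.optimal_investment()
        rows.append((s, z_star, sc.breach_probability(z_star)))
    return rows


if __name__ == "__main__":
    for s, z_star, p_star in compare_sanction_rates([0.0, 0.01, 0.02, 0.05]):
        print(f"sanction {s:>5.0%} of revenue: invest {z_star:7.2f}, breach prob {p_star:.3f}")
```

Under these assumed parameters the no-sanction case already yields some investment because of the provider's own loss; with a smaller `alpha` (e.g. 0.01) the closed form gives z* = 0 without a sanction, which is the situation the paper's sanctioning approach is meant to correct. The `grid_search` function exists only to confirm that the closed-form optimum matches a brute-force minimisation.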


Keywords: Security investments, Data breaches, Sanctions, Privacy, Security economics





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Maurizio Naldi (1)
  • Marta Flamini (2)
  • Giuseppe D’Acquisto (1)
  1. Università di Roma Tor Vergata, Roma, Italy
  2. Università Telematica Internazionale UNINETTUNO, Roma, Italy
