Liability for Data Breaches: A Proposal for a Revenue-Based Sanctioning Approach
Data breaches are a rising concern in personal data management. While the damages due to data breaches fall primarily on the end customer, the service provider should be held liable. A sanctioning approach is proposed to promote greater responsibility on the part of the service provider, where sanctions are proportional to the service provider's revenues. The interactions between the customer and the service provider are modelled as a game, in which the customer decides the amount of tolerable loss (a proxy for the amount of information released) and the service provider decides the amount of security investment. The solution of the game for a typical scenario shows that sanctions effectively spur the service provider to invest more in security and lead to a reduced data breach probability.
Keywords: Security investments; Data breaches; Sanctions; Privacy; Security economics