Abstract
Data breaches are a rising concern in personal data management. While the damages due to data breaches fall primarily on the end customer, the service provider should be held liable. A sanctioning approach is proposed to promote greater responsibility on the part of the service provider, where sanctions are proportional to the service provider's revenues. The interactions between the customer and the service provider are modelled as a game, where the customer decides the amount of tolerable loss (a proxy for the amount of information released) and the service provider decides the amount of security investment. The solution of the game for a typical scenario shows that sanctions effectively spur the service provider to invest more in security and lead to a reduced data breach probability.
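The abstract describes the game only in words. The following toy model, added here as an illustration and not taken from the paper, makes the mechanism concrete: the provider's breach probability decreases with investment z in the Gordon–Loeb form v/(a·z+1)^b, the provider pays a refund share of the customer's loss plus a sanction s·revenue if a breach occurs, and the customer's benefit from releasing data is g·ln(1+L) against an expected unrefunded loss. Every functional form, parameter value and the best-response iteration are constructed assumptions; the paper's own model may differ.

```python
"""Toy customer/provider game with a revenue-proportional breach sanction.
All functional forms and numbers below are constructed assumptions used
for illustration; they are not the paper's model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Model:
    v: float = 0.5        # breach probability with zero security investment
    a: float = 1e-3       # investment productivity (Gordon-Loeb form, assumed)
    b: float = 1.0        # exponent of the breach-probability function
    share: float = 0.3    # fraction of the customer's loss refunded by the provider
    revenue: float = 1e6  # provider's revenue; sanction paid on breach = s * revenue
    g: float = 500.0      # scale of the customer's benefit from releasing data


def breach_prob(z: float, m: Model) -> float:
    """P(breach) after investing z; decreasing in z (Gordon-Loeb form, assumed)."""
    return m.v / (m.a * z + 1.0) ** m.b


def provider_cost(z: float, L: float, s: float, m: Model) -> float:
    """Investment plus expected refund and expected revenue-based sanction."""
    return z + breach_prob(z, m) * (m.share * L + s * m.revenue)


def provider_best_response(L: float, s: float, m: Model) -> float:
    """Closed-form minimiser of provider_cost (set d/dz = 0, solve for z)."""
    k = m.share * L + s * m.revenue  # money at stake for the provider on a breach
    root = (m.v * k * m.a * m.b) ** (1.0 / (m.b + 1.0))
    return max(0.0, (root - 1.0) / m.a)  # corner solution: invest nothing


def customer_best_response(p: float, m: Model) -> float:
    """Customer maximises g*ln(1+L) - (1-share)*p*L over tolerable loss L."""
    return max(0.0, m.g / ((1.0 - m.share) * p) - 1.0)


@dataclass(frozen=True)
class Equilibrium:
    investment: float
    tolerable_loss: float
    breach_prob: float


def solve(s: float, m: Model = Model(), iters: int = 500, tol: float = 1e-9) -> Equilibrium:
    """Iterate best responses from a constructed start until neither player moves."""
    L = 1000.0
    for _ in range(iters):
        z = provider_best_response(L, s, m)
        L_new = customer_best_response(breach_prob(z, m), m)
        converged = abs(L_new - L) < tol
        L = L_new
        if converged:
            break
    z = provider_best_response(L, s, m)
    return Equilibrium(z, L, breach_prob(z, m))


if __name__ == "__main__":
    # Sanction levels expressed as a fraction of provider revenue (constructed).
    for s in (0.0, 0.01, 0.05):
        e = solve(s)
        print(f"sanction={s:.0%} of revenue: invest={e.investment:8.0f}  "
              f"L={e.tolerable_loss:7.0f}  P(breach)={e.breach_prob:.3f}")
```

With these assumed numbers, a zero sanction leaves the provider at the corner solution of no investment (the refund share alone is too small to justify spending), while a sanction of 1% of revenue makes investment worthwhile and a 5% sanction pushes investment higher and the breach probability lower, which is the qualitative effect the abstract reports.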
© 2013 Springer-Verlag Berlin Heidelberg
Naldi, M., Flamini, M., D’Acquisto, G. (2013). Liability for Data Breaches: A Proposal for a Revenue-Based Sanctioning Approach. In: Lopez, J., Huang, X., Sandhu, R. (eds) Network and System Security. NSS 2013. Lecture Notes in Computer Science, vol 7873. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38631-2_20
DOI: https://doi.org/10.1007/978-3-642-38631-2_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38630-5
Online ISBN: 978-3-642-38631-2