Liability for Data Breaches: A Proposal for a Revenue-Based Sanctioning Approach

Data breaches are a rising concern in personal data management. While the damages due to data breaches fall primarily on the end customer, the service provider should be held liable. A sanctioning approach is proposed to promote greater responsibility on the part of the service provider, where sanctions are proportional to the service provider's revenues. The interactions between the customer and the service provider are modelled as a game, where the customer decides the amount of tolerable loss (a proxy for the amount of information released) and the service provider decides the amount of security investment. The solution of the game for a typical scenario shows that sanctions effectively spur the service provider to invest more in security and lead to a reduced data breach probability.