Our paper "Liability for data breaches: a proposal for a revenue-based sanctioning approach", concerning the use of sanctions to spur security investments, has been accepted for presentation at the 7th International Conference on Network and System Security (NSS 2013), to be held in Madrid on June 3-4, 2013.
We analyse a sanctioning approach for service providers to spur them into investing more in security. Sanctions are imposed on service providers for data breaches affecting their customers. Their amount is proportional to the company's turnover (revenue). This approach represents an alternative to damage sharing, where sanctions are proportional to the loss incurred by customers, so that the damage suffered by customers is actually shared between them and the service provider. The damage sharing approach has been analysed in our previous papers "A Game-Theoretic Formulation of Security Investment Decisions under Ex-ante Regulation" and "Damage Sharing May Not Be Enough: An Analysis of an Ex-ante Regulation Policy for Data Breaches."
Abstract: Data breaches are a rising concern in personal data management. While the damages due to data breaches fall primarily on the end customer, the service provider should be held liable. A sanctioning approach is proposed to promote a greater responsibility by the service provider, where sanctions are proportional to the service provider's revenues. The interactions between the customer and the service provider are modelled as a game, where the customer decides the amount of tolerable loss (a proxy for the amount of information released) and the service provider decides the amount of security investment. The solution of the game for a typical scenario shows that sanctions effectively spur the service provider to invest more in security and lead to a reduced data breach probability.