DocumentCode :
1580240
Title :
A comparison of sanctioning approaches for security breaches
Author :
Naldi, Maurizio ; Flamini, Marta ; D'Acquisto, G.
Author_Institution :
Univ. di Roma Tor Vergata, Rome, Italy
fYear :
2013
Firstpage :
126
Lastpage :
131
Abstract :
Though data breaches causing heavy monetary losses to customers could be reduced by investing more in security, service providers holding customers' personal data often do not feel enough pressure to heighten their security level. A sanctioning approach, holding the service provider liable for monetary losses resulting from data breaches, may provide the spur to increase security investments. In this paper, we review and compare two approaches to determine sanctions for the service providers, where the sanction is proportional respectively to the expected damage suffered by the customer and to the product of that damage and the service providers' revenues. The comparison is conducted by examining the game modelling the interaction between the customer and the service provider. In a typical scenario, the approach based on the service provider's revenues leads to larger security investments (for any degree of exposure of the customer) and to a stronger reduction of the data breach probability.
Keywords :
data privacy; game theory; probability; data breach probability; game modelling; monetary loss; sanctioning approach; security breach investment; service provider; Companies; Electronic mail; Equations; Games; Investment; Nash equilibrium; Security; Data breaches; Information systems; Investments; Security;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Future Generation Communication Technology (FGCT), 2013 Second International Conference on
Conference_Location :
London
Print_ISBN :
978-1-4799-2974-0
Type :
conf
DOI :
10.1109/FGCT.2013.6767202
Filename :
6767202