....revenues can be the right basis to do it.
Proposals for holding the service provider liable for damages suffered by its customers due to data breaches have been submitted in the past. In our papers "Liability for Data Breaches: A Proposal for a Revenue-Based Sanctioning Approach" and "Damage Sharing May Not Be Enough: An Analysis of an Ex-ante Regulation Policy for Data Breaches", we analysed a policy sanctioning the service provider whose customers have suffered the data breach. The sanction was set to be a fraction of the monetary damage suffered by the customer, so that the damage is actually shared between the customer and the service provider. Our analysis, based on a game-theoretic model, shows that such policy requires the service provider to cover for a large fraction of the damage to be effective. Our papers have been presented at the IFIP TC 11 Information Security and Privacy Conference SEC 2012 (you can download the presentation here) and the 9th International Conference on Trust, Privacy & Security in Digital Business Trustbus 2012 (you can download the presentation here).
Instead, a sanctioning policy that has found its way in some national legislations sets sanctions proportional to the revenues of the service provider (its turnover). That's the case for France and South Africa (see the review of national legislations here). We have accordingly examined the impact of this policy and presented our results at the 7th International Conference on Network and System Security NSS 2013, held in Madrid in June. You can download both our paper "Liability for Data Breaches: A Proposal for a Revenue-Based Sanctioning Approach" and the presentation. We have found, again through a game-theoretic analysis, that revenue-based sanctions lead the service provider to increase its investments in security and reduce the probability of data breaches, while inducing a more relaxed attitude of the customer to release its personal data. Regulating the actual fraction of the service provider's turnover (which cannot exceed 5% in France and 10% in South Africa) can be quite a delicate matter, since its impact is remarkably nonlinear.
