Do the Benefits of Voluntarily Reporting Serious Data Breaches to the ICO Outweigh the Risk of Monetary Penalties?: A Theoretical Analysis
Winchester Conference on Trust, Risk, Information and the Law, West Downs Campus, University of Winchester, UK, 29 April 2014
18 pages. Posted: 24 Dec 2013. Last revised: 15 Mar 2014.
Date Written: December 24, 2013
Abstract
The Upper Information Rights Tribunal in the UK recently held that controllers not required by law to report data breaches are still subject to monetary penalties even if they voluntarily report a breach. The Information Commissioner’s Office (ICO) and some information law experts stated that this holding notwithstanding, the economic benefits of self-reporting still outweigh the risk of penalties since the ICO considers self-reporting a mitigating factor in determining the amount of any fine. This paper attempts a theoretical analysis of controllers’ risk calculi to determine if they are truly better off self-reporting breaches. Based on historic ICO data, we first examine the claim that self-reporting mitigates a penalty’s magnitude. We then investigate whether the mitigation of penalty amounts alone is sufficient to persuade controllers that they are better off self-reporting given their “chances of being fined.” Conventional models use a fixed value for this probability in analyzing economic benefit. Through the employment of the principle of perspectivity, we show that for these models to accurately reflect experience we must modify our definition of the “chances of being fined” and factor in a controller’s decision to report or not report. Modifying the traditional models accordingly, we conclude that controllers as a population are currently not better off self-reporting. We close by offering specific suggestions for the ICO to create conditions where controllers will be better off self-reporting breaches even if they are fined.
Keywords: data protection act, ICO, data breach, cyber security, information law, monetary penalties, voluntary compliance
JEL Classification: A13, B41, C11, C54, K23