Do the Benefits of Voluntarily Reporting Serious Data Breaches to the ICO Outweigh the Risk of Monetary Penalties?: A Theoretical Analysis

Winchester Conference on Trust, Risk, Information and the Law, West Downs Campus, University of Winchester, UK, 29 April 2014

18 Pages Posted: 24 Dec 2013 Last revised: 15 Mar 2014

See all articles by Jack Manhire

Jack Manhire

Texas A&M University School of Innovation; Bush School of Government & Public Service

Date Written: December 24, 2013

Abstract

The Upper Information Rights Tribunal in the UK recently held that controllers not required by law to report data breaches are still subject to monetary penalties even if they voluntarily report a breach. The Information Commissioner’s Office (ICO) and some information law experts stated that this holding notwithstanding, the economic benefits of self-reporting still outweigh the risk of penalties since the ICO considers self-reporting a mitigating factor in determining the amount of any fine. This paper attempts a theoretical analysis of controllers’ risk calculi to determine if they are truly better off self-reporting breaches. Based on historic ICO data, we first examine the claim that self-reporting mitigates a penalty’s magnitude. We then investigate whether the mitigation of penalty amounts alone is sufficient to persuade controllers that they are better off self-reporting given their “chances of being fined.” Conventional models use a fixed value for this probability in analyzing economic benefit. Through the employment of the principle of perspectivity, we show that for these models to accurately reflect experience we must modify our definition of the “chances of being fined” and factor in a controller’s decision to report or not report. Modifying the traditional models accordingly, we conclude that controllers as a population are currently not better off self-reporting. We close by offering specific suggestions for the ICO to create conditions where controllers will be better off self-reporting breaches even if they are fined.

Keywords: data protection act, ICO, data breach, cyber security, information law, monetary penalties, voluntary compliance

JEL Classification: A13, B41, C11, C54, K23

Suggested Citation

Manhire, Jack, Do the Benefits of Voluntarily Reporting Serious Data Breaches to the ICO Outweigh the Risk of Monetary Penalties?: A Theoretical Analysis (December 24, 2013). Winchester Conference on Trust, Risk, Information and the Law, West Downs Campus, University of Winchester, UK, 29 April 2014, Available at SSRN: https://ssrn.com/abstract=2371729

Jack Manhire (Contact Author)

Texas A&M University School of Innovation

1249 TAMU
College Station, TX 77843-1249
United States

Bush School of Government & Public Service ( email )

4220 TAMU
College Station, TX 76845
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
185
Abstract Views
1,339
rank
200,223
PlumX Metrics