An analysis of the effectiveness of the EU data breach notification obligation

(1)

An analysis of the effectiveness of the EU data breach

notification obligation

Citation for published version (APA):

Nieuwesteeg, B. F. H., & Faure, M. (2018). An analysis of the effectiveness of the EU data breach

notification obligation. Computer Law and Security Review, 34(6), 1232-1246.

https://doi.org/10.1016/j.clsr.2018.05.026

Document status and date:

Published: 01/12/2018

DOI:

10.1016/j.clsr.2018.05.026

Document Version:

Publisher's PDF, also known as Version of record

Document license:

Taverne

Please check the document version of this publication:

• A submitted manuscript is the version of the article upon submission and before peer-review. There can

be important differences between the submitted version and the official published version of record.

People interested in the research are advised to contact the author for the final version of the publication,

or visit the DOI to the publisher's website.

• The final author version and the galley proof are versions of the publication after peer review.

• The final published version features the final layout of the paper including the volume, issue and page

numbers.

Link to publication

General rights

Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

• Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain

• You may freely distribute the URL identifying the publication in the public portal.

If the publication is distributed under the terms of Article 25fa of the Dutch Copyright Act, indicated by the “Taverne” license above, please follow below link for the End User Agreement:

www.umlib.nl/taverne-license Take down policy

If you believe that this document breaches copyright please contact us at:

[email protected]

providing details and we will investigate your claim.

(2)

Availableonlineatwww.sciencedirect.com

journalhomepage:www.elsevier.com/locate/CLSR

An

analysis

of

the

effectiveness

of

the

EU

data

breach

notification

obligation

Bernold

Nieuwesteeg

a,∗

_,

_Michael

_Faure

b

a _Erasmus_University_Rotterdam,_The_Netherlands

b _Erasmus_University_Rotterdam_and_Maastricht_University,_The_Netherlands

a

r

t

i

c

l

e

i

n

f

o

Articlehistory:

Keywords:

Databreachnotificationobligation GDPR

Socialwelfareanalysis Dataprotectionauthority Deterrence

Disclosurethreshold Digitalfirstaidkit

a

b

s

t

r

a

c

t

InthispaperwestudythelawandeconomicsoftheEUdatabreachnotificationobligation (EUDBNO),whichispartofthegeneraldataprotectionregulation.Westartour discus-sionwiththeoriginsandaimsoftheEUDBNO.Followingthis,westudythesocialbenefits oftheDBNO andthe conditions forthesesocialbenefits toemerge.Next,we analyse whethertherewouldbespontaneousnotificationwithouttheexistenceofaDBNO.We dis-cusshowthenationalDPAs,thatareresponsiblefortheexecutionoftheEUDBNO,can suf-ficientlyinducedatacontrollerstocomplywiththeregulation.Wealsodiscussthescopeof theregulationfromasocialwelfareperspective,inparticulartheconditions,whichtrigger anotificationfromdatacontrollers.

1. Introduction

InNovember 7,2016theErasmusUniversity Rotterdam ex-perienced alargedata breachaffecting17,000individuals.1

Thedata breach wasnotified tothe Dutch DataProtection Agency(DPA)andtotheindividualsaffected.2_We_were_also

affected and notified and experienced the practicaleffects ofdatabreachdisclosure.Thispaperwillperformalawand

economicsanalysisontheEuropeanUniondatabreach noti-ficationobligation(Hereafter‘EUDBNO’or‘theDBNO’)as in-corporatedinArticles33and34oftheGeneralDataProtection Regulation2016/679,hereafter:GDPR).3_The_EU_DBNO_imposes

anobligationonorganizationstodisclosecertainbreachesof personaldatatoanotificationauthorityandtoaffected indi-viduals(hereafter:datasubjects).Wewillanalysewhetherthe EUDBNOiseffectiveinincreasingsocialwelfare.Inaddition, wewillproposerecommendationsfortheexpostexecution andenforcementofthisimportantpieceoflegislation.4

∗_{Corresponding}_author:_Erasmus_University_Rotterdam,_Burgemeester_Oudlaan_50,₃₀₆₂_PA_Rotterdam,_The_Netherlands. E-mailaddress:[email protected](B.Nieuwesteeg).

1_See_JP_Buntinx,_‘Erasmus_University_Data_Breach_Exposes_Students’_Medical_and_Financial_{Information’}₍_The_Merkle,₃₀_November₂₀₁₆₎

https://themerkle.com/erasmus-university-data-breach-exposes-students-medical-and-financial-information/accessed16May2018.

2_The_Dutch_Data_Protection_Authority_is_called_the_Autoriteit_{Persoonsgegevens,}_see_{www.autoriteitpersoonsgegevens.nl}_accessed₁₆ May2018.

3_Regulation_(EU)_2016/679_on_the_protection_of_natural_persons_with_regard_to_the_processing_of_personal_data_and_on_the_free_movement ofsuchdata,andrepealingDirective95/46/EC[2016]OJL119/1.

4_Those _breaches _of _personal_data _can_be _both _analogue _and _digital._In _practice, _losses _of _personal _data _are _mostly _occurring within a digital infrastructure, because the majority of personal data recordsis storedonline in our digitalizedsociety. In this paperwewillprimarilyfocusonpersonaldatabreachesinthedigitalsociety.

https://doi.org/10.1016/j.clsr.2018.05.026

(3)

Ourcoremethodologywillbealawandeconomics anal-ysisofincentivesandoptimalenforcement.5 _{Unfortunately,}

thereislittleempiricalresearchavailable,especiallyonthe EUDBNO,sinceatthetimeofconductingthisresearch,the EUDBNOdidnotyetapplyandhencenodatabreachdatahad beengenerated.Moreover,thereisnoreliabledata,for exam-pleconcerningtheeffectsofobligationstodisclosebreaches ofpersonaldataintheEU.TheentireEUDBNOistherefore largelybasedonassumptionsonhowdatacontrollerswill re-acttotheDBNO,giventheparticularsanctioningregime.Even theoretically,itisdifficulttopredicttheeffectsoftheregime asitstronglydependsonspecificassumptions.Whileour con-tributionaimstoexplainandanalysethevariouseffectsof theEUDBNO,wewillalsostatewhenwemakethesespecific assumptions.Inaddition,wewillutilizetheliteratureonthe effectivenessofDBNOsintheUS.IntheUS,moststateshavea DBNOandconsequentlythereisempiricalresearchregarding thedatabreachnotifications.6_This_stream_of_literature_has

coveredregulatoryimpact,7_{effectiveness}_in_reducing_identity

theft,8 _economic_effects,9 _perceptions_from _the_private

sec-tor10_and_{the need to}_integrate_the_US_state_level_laws_into_a

federallaw.11

Tothebestofourknowledge,alawandeconomics analy-sisofthenewDBNOintheEuropeanUnionhasnotyetbeen performed.12_A_thorough_(ex_ante_and_ex_post)_scrutiny_of_the

effectsoftheDBNOcontributestothedevelopmentofEUlaw andimplementingEUdataprotectionpolicy.13

Thispaperisstructuredasfollows.InSection2,we intro-ducetheEUDBNO,itsorigins,aimsanditsembedded posi-tionintheGeneralDataProtectionRegulation.Wealsodiscuss otherbreachnotificationobligationsintheEUandcompare

5_See_in_this_respect_also_A._Mitchell_Polinsky_and_Steven_Shavell, HandbookofLawandEconomics(vol.1,1st_edn,_Elsevier₂₀₀₇₎_chapter 6.

6_See http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

(accessed16May2018)forabriefoverviewregardingthe legisla-tivestatusofUSDBNOs.

7_Jane_Winn,_‘Are_{“Better” Security}_Breach_Notification_Laws Pos-sible?’(2009)24BerkeleyTechnologyLawJournal1133.

8_Sasha_Romanosky,_Rahul_Telang_and_Alessandro_Acquisiti,_‘Do Data Breach Disclosure LawsReduceIdentity Theft?’ (2011) 30 JournalofPolicyAnalysisandManagement256.

9_Thomas_Lenard _and_Paul _Rubin,_‘Much_Ado_About Notifica-tion’(2016)29Regulation44;StefanLaubeandRainerBöhme,‘The economicsofmandatorysecuritybreachreportingtoauthorities’ (2016)2JournalofCybersecurity29,usesatheoreticalmodeland alsoinvolvesEUlaw.

10_Deirdre_Mulligan_and_Fred_Schneider,_‘Doctrine_for Cybersecu-rity’(2011)140Daedalus70.

11_Fabio_Bisogni,_‘Proving_Limits_of_State_Data_Breach_Notification Laws:IsaFederalLawtheMostAdequateSolution?’(2016)6 Jour-nalofInformationPolicy154.

12_Such_an_analysis_did_not_take_place_at_a_Member_State_level ei-ther.SomeEUcountries,suchasGermany,Ireland,Italy,Lithuania, Luxemburg,MaltaandtheNetherlandsindependentlyadopteda DBNObeforetheentryintoforceoftheGDPR.

13_The_only_research_we_are_aware_of_scrutinizing_the_EU_DBNO_is fromPauldeHertandVagelisPapakonstantinou,‘ThenewGeneral DataProtectionRegulation:Stillasoundsystemfortheprotection ofindividuals?’(2016)32ComputerLawandSecurityReview179, 191,whotakeamorelegalapproach.

theEUDBNOwithstatelevelDBNOsintheUS.InSection3, wediscussthesocialcostsandbenefitsoftheDBNOrelative tothethresholdofnotification.Section4discusseswhether organizationswould have sufficient incentivesto notify,in theabsenceoftheregulation.Wediscussthereasonsto be-lieve thatthese incentives are likelyto beinsufficientand conclude that amarket failure is likelyto exist inthe ab-senceofregulation.InSection5,wediscusswhetherandin whichcasestheDBNO isjustifiedincorrectingthis market failure.Indoingso,wealsotakethepubliccostsofthe regu-lationintoaccount.InSection6,wecontinueourdiscussion byanalysingwhetherthecurrentlegislativedesignofthe up-comingDBNOiscapableofinducingorganizationstonotify atanacceptablesocialcost.Thesectiondiscussesseveral so-ciallyidealdesignchoicesforoptimizingthesocialpotential oftheDBNOandcomparesthemwiththeactualchoicesmade bytheEUlegislator.Wewillalsodiscussincentiveschemes relatedtotheimplementationoftheDBNOthattheEU leg-islatordidnotincludeintheactualtextoftheDBNO,such asrewardingcomplianceandtheenforcementofsanctions.

Section7discussestheoptimalnotificationthresholdforboth Article33(notificationtotheDPA)andArticle34(notification todatasubjects)andSection8willprovidesomeconcluding remarks.

2. The

European

union

data

breach

notification

obligation

Thissectionwillstartbybrieflyintroducingtheoriginsand specificcharacteristicsoftheEUDBNOinSection2.1.Section 2.2willshortlydiscussotherEUDBNOscurrentlyinforcein the EU,which mostly concerna certainsector ortopic.As statedintheintroduction,thestudyutilizestheliteratureon theeffectivenessofDBNOsintheUS.IntheUS,moststates haveaDBNOandconsequentlythereisempiricalresearch re-gardingthedatabreachnotifications.14_Section_2.3_discusses

thesimilaritiesanddifferencesbetweentheEUandUSDBNO regimes.

2.1. TheDBNOintheGDPR

TheDBNOispartoftheextensivelegislativedataprotection packageknownastheGeneralDataProtectionRegulation ab-breviatedasGDPR.TheGDPRregulatesmanyaspectsrelated tothe processingofpersonaldatasuchasbasic principles (Article5),lawfulness ofprocessingand individualconsent (Article6)andrightsofindividualsthathaveprovidedtheir datatoathirdparty(Section2oftheGDPR).TheGDPRentered intoforceonMay24,2016andappliesafteratwo-year tran-sitionperiodfromMay25,2018.15_Contrary _to_its

predeces-sor,Directive95/46/EC,16_the_GDPR_will_equally_apply_directly

toeverycitizenandorganizationfallingwithinthescopeof

14_Op._cit._NCSL.org_(n_6). 15_GDPR,_Art._99.

16_Directive_95/46/EC_on_the_protection_of_individuals_with_regard totheprocessingofpersonaldataandonthefreemovementof suchdata[1995]OJL281/31(DataProtectionDirective).

(4)

EuropeanUnionlaw.17_Hence,_the_GDPR_will_be_an_influential

pieceoflegislation.TheGDPRprovidesfortheDBNOin Arti-cles2(2),4(7),4(12),33,34and83(4):

Article4(12)definesapersonaldatabreachas‘abreach of security leading to the accidental or unlawful destruc-tion, loss, alteration, unauthorised disclosure of, or access to,personaldatatransmitted,storedorotherwiseprocessed’. Thedefinitionthusfocusesontheconsequencesofthedata breach.In doingso,the EUlegislator incorporatesthe ‘CIA triad’ of confidentiality,integrity or availability ofpersonal data.18 _Possible_differences_in_the_origin_of_the_data_breach,

forinstancewhetheradatabreachisintentionalornegligent, arenotrelevantfordefiningadatabreach.

Articles 4 (7) states which entities have to notify data breaches.These‘datacontrollers’canbelegalpersonsor pub-licauthorities.Hence,theDBNOappliestobothpublicand pri-vateorganisations.

Article2(2)excludescertaindatabreachesfromthe notifi-cationduty.Datathat(a)fallsoutsidethescopeofEUlaw;(b) fallswithinthescopeofChapter2ofTitleVoftheTEU;(c)is carriedoutbyanaturalpersonforpersonaluseor(most no-tably)(d)isusedfortheexecutionofcriminalprosecutiondo nothavetobenotifiedwhenbreached.

Articles33and34regulatetheactualobligationtodisclose adatabreach.19_There_is_an_apparent_difference_in_notifying_a

databreachtoadataprotectionauthority(DPA,Article33)or tothedatasubjectsaffected(Article34).Withrespecttothe former,adatacontrollerhastonotifytheDPA‘unlessthe per-sonaldatabreachisunlikelytoresultinarisktotherightsand freedomsofnaturalpersons’.20_Hence,_this_{‘likelihood’}_is_the

keythresholdfornotifyingtheDPA.Article33(1)further spec-ifiesthatthenotificationshouldbeassoonaspossible,and notlaterthan72hafterthedatabreach.However,thisis ap-parentlynotaredline,becauseifitisnotfeasibletodoso,the organizationcannotifylater,buthastospecifythereasons whyitdoesso.Under33(3),thedatacontrollerhastoinclude thenatureofthebreach,itsconsequencesfordatasubjects, adescriptionofcounter-measuresundertakenandacontact point.Whenpossible,theorganizationshouldalsoincludethe typeandnumberofaffecteddatasubjectsandtheamountof records,whichhavebeenbreached.

Article34showsthatthethresholdformandatory notifi-cationtodatasubjectsishigheronseveralpointscompared totherequirementsfornotifyingtheDPAexArticle33.First, notificationtodatasubjectsisonlymandatorywhenthedata breachis‘likelytoresultinahighrisktotherightsand free-doms’ofdatasubjects.Hence,whereinArticle33acertainrisk 17_Directive_95/46/EC_(Data_Protection_Directive)_did_not_contain_a requirementtonotifydatabreaches.

18_Shari _L. _Pfleeger, _‘A _Framework _for _Security _{Requirements’} (1991)10Computers&Security515,518.

19_Of_less_importance_for_this_paper_it_the_obligation_under Arti-cle33(2)whichstatesthatdataprocessors,whichprocessdata onbehalfofthecontroller,havetheobligationtonotifythe con-trollerwithoutunduedelayafterbecomingawareofapersonal databreach.

20_As_such,_it_is_quite_peculiar_that_the_Article_speaks_of_a likeli-hoodtoresultinarisk,sinceriskalsocontainstheelementof likeli-hood.(risk=likelihood∗_impact)._Hence,_within_this_paper,_we_will justusethetermrisk.

suffices,inthecaseofArticle34theriskshouldbehigh.The GDPRdoesnotspecifythisgapbetweenriskandhighriskany further.21_Concerning_the_temporality_of_{notification,}_Article

34(1)solelydeterminesthatthisshouldbewithoutundue de-layanddoesnotspecifythe72hofArticle33.Inaddition,the organizationdoesnothavetodescribethenatureofthedata breachandtheamountofdatasubjectsaffectedwhen noti-fyingdatasubjects.Article34(3)heightensthethresholdeven further.ThisArticleprovidesthreepossiblearguments that organizationscanusenottocommunicatetodatasubjects. First,organizationsmayrefrainfromnotifyingdatasubjects whenthedataismadesufficientlydifficulttouse,forinstance withencryption.22_Second,_when_the_organization_has_taken

‘subsequentmeasures’,whichensurethatthehighriskwill nolongermaterialize,theydonotneedtonotify.Third, no-tificationtodatasubjectsisnotnecessarywhenitwouldlay adisproportionateburdenontheorganization.Ergo,thereis quitealargedifferenceintheexecutionofnotificationtothe DPAandtothedatasubject.TheGDPRdoesnotstatethe rea-sonsforthisdifference.However,Article34(4)regulatesthat theDPAmayrequiretheorganizationtostillissuean addi-tionalnotificationtodatasubjectswhentheDPAassessesthat thelikelihood ofadverseconsequencesfordatasubjectsis ‘high’accordingtoArticle34(1).

Article83(4)statesthatasanctionof€10,000,000or2%of theundertakings turnover,whicheverishigher,canbe im-posedwhenthedatacontrollerfailstonotifyadatabreach.23

ThesesanctionsarehighcomparedtothesanctionsintheUS, wherebystatelevelDBNOsusuallyhavesanctionsinthe mag-nitudeof$100,000sorlower.24

ThedejuretextoftheDBNOisdefiniteandwillnotchange inthenearfuture.25_However,_the_ex_post_execution_and

en-forcement ofthe obligation willnecessitate acombination ofknowledgeregardingEUlaw,datasecurityandregulatory enforcement.Therefore,webelievethattheupcomingsocial welfareanalysiscontributestothedevelopmentofEUlawand policyaftertheentryintoforceoftheregulation.

2.2. Othernotificationdutiesofdatabreachescurrently inforceintheEU

TheEUDBNOintheGDPRisnottheonlynotificationdutythat currentlyappliesintheEU.26_In_addition,_on_a_Member_State

21_Op._cit._De_Hert_and_{Papakonstantinou}_(n₁₃₎_191.

22_The_topic_of_encryption_and_DBNOs,_although_not_in_the con-textoftheGDPR,isextensivelydiscussedbyMarkBurdon,Jason ReidandRouhshiLow,‘Encryptionsafeharboursanddatabreach notificationlaws’(2010)26ComputerLaw&SecurityReview520.

23_GDPR,_Art._83(4);_GDPR,_Art.₈₃₍₂₎_specifies_guidelines_for_the de-terminationoftheactualmagnitudeofthesanction.

24_Bernold_Nieuwesteeg,_The_Legal_Position_and_Societal_Effects_of Se-curityBreachNotificationLaws(1st_edn,_deLex₂₀₁₄₎_80.

25_After_all,_there_have_been_more_than_two_decades_in_between theentryintoforceofRegulation2016/679,anditspredecessor, Directive95/46/EC.

26_For_a_more_extensive,_albeit_slightly_out-dated_overview_(since_it discussesthedraft-GDPRandproposedNIS-directive),wereferto SamsonEsayes,‘BreachNotificationRequirementsUnderthe Eu-ropeanUnionLegalFramework:Convergence,Conflicts,and Com-plexityinCompliance’(2014)31J.MarshallJ.Info.Tech.&Privacy L.317.

(5)

level,thereareoftenmanymoreDBNOs,whichcouldoverlap orbereplacedbytheEUDBNO.Inthissection,wewilllimit ourselvesbydiscussingDBNOsthatcouldentailpersonaldata onanEUlevel.

Article4(3)E-privacydirective2009/136/EGamendingdirective 2002/58/ECregulatesadatabreachnotificationobligationfor telecommunicationproviders. Thewordingofthe DBNOin the GDPRhassimilarities withthisdirectivesinceitstates that ‘inthecaseofapersonaldatabreach,theprovider of publicly availableelectroniccommunications servicesshall, withoutunduedelay,notifythepersonaldatabreachtothe competentnationalauthority.Whenthepersonaldatabreach islikely adverselytoaffect thepersonal dataor privacyof asubscriberorindividual,theprovidershallalsonotifythe subscriberorindividualofthebreachwithoutunduedelay’. CommissionRegulation611/2013furtherregulatesthedetails ofdatabreachdisclosureinthecontextoftheE-privacy di-rective. The E-privacy directiveand the GDPR are not mu-tuallyexclusive,sincetelecommunicationprovidersalsofall withinthescopeoftheGDPR.However,onsomeelements,the databreachdisclosurerequirementsfortelecommunication providersaresomewhatstricter.Forinstance,thedatabreach has(whenfeasible)tobenotifiedwithin24h(Article2(2) Reg-ulation611/2013)comparedtothe72hthatarerequiredin Articles33and34oftheGDPR.

Article19(2)eIDASRegulation910/2014regulatesthe manda-torydisclosureofabreachofsecurityorthelossofintegrityof trustservicesproviderssuchascertificateauthorities.These lossescouldalsoentailthelossofpersonaldata,andinsofar thebreachorlossofintegrityadverselyaffectsanaturalor legalpersonthispersonshouldalsobenotified.27

Article30andArticle31EUdirective2016/680onthe process-ingofpersonaldatabycompetentauthorities.Paralleltothe leg-islativeprocessGDPR,adirectivewasdraftedthatregulates dataprocessingforcompetentauthorities,suchasthejudicial apparatusofEUMemberStates.Thisdirectivealsoregulates databreachdisclosurebythesecompetentauthoritiestothe supervisoryauthority(Article30)andthedatasubject(Article 31).OneofthemainotherdifferenceswiththeGDPRisthat MemberStatesarefreetoimplementasanctioningsystemas longasthisis‘effective,proportionateanddissuasive’(Article 57).

Article14(3)NIS(networkandinformationsecurity)Directive 2016/1148.TheNISdirectiveregulatescybersecurityfor net-workandinformationsystems,whichare‘essentialservices’ suchas theenergyand utilityindustry.Article14 (3) regu-latesthesecuritybreachnotification.Operatorsofessential servicesshould,withoutunduedelay,incidentshavinga sig-nificantimpactonthecontinuityoftheessentialservicesthey providetoacompetentauthority.28_These_incidents,_such_as

forinstanceacyber-attackonapowergrid,couldalsoentail personaldatabreaches,althoughonecouldexpectthatthese companieswouldseparatelydisclosethesedatabreaches un-dertheGDPRorE-privacydirectiveregime.

27_See_for_a_discussion_of_the_topic:_Axel_Arnbak,_Hadi_Asghari, MichelvanEetenandNicovanEijk,‘SecuritycollapseintheHTTPS market’(2014)57CommunicationsoftheACM47.

28_Which_is_(often)_a_different_authority_than_the_data_protection authorityoftheGDPR.

2.3. DifferencesbetweentheEUandUSlegislation TherearesignificantdifferencesbetweentheDBNOregimes intheEUandUS.Firstly,theEUDBNOisregulatedata cen-tralEuropeanlevelinsteadofatthestatelevelforUSlaws, whicharepartlymucholderthantheEUlaw.29_California_was

thefirstUSstatetoadoptaDBNOin2006andotherstates quicklyfollowed.30_As_of_March_28,_2018,_Alabama_became_the

50thandfinalstatetoenactaDBNO.31_This_patchwork_of_state

levelDBNOshasprovidedsomechallenges.Forinstance,large (national)databreachesthatinvolverecordsofdatasubjects inmultiplesstateshavetobenotifiedaccordingtothe var-ious(slightlydifferent)legal regimes.32 _Therefore,_there_has

beensomeliteratureregardingthedesirabilityofaDBNOona centrallevelintheUS.33_We_will_not_include_this_stream_of

lit-eratureinourmainargumentbecausethepatchworkissueis notrelevantintheEUsincetheDBNOisregulatedatacentral level.

Secondly,concerningthesanctioningregime,whichisone ofthecornerstonesforourlawandeconomicsanalysis,there arealsosomenotabledifferences.IntheUS,the administra-tivepenaltiesforDBNOsareusuallytwoordersofmagnitude lower thaninthe EUDBNO.Forinstance,the Virginiadata breachnotificationlaw,whichhasoneofthehighest sanc-tionsintheUS,allowsforanimpositionofa$150,000fine.34

However,intheUS,privacyclassactionscouldbeamuchmore significantcostfororganizations.35

Thirdly,themainreasond’êtreoftheUSandEUDBNOis dif-ferent.Section3.2willshowthattherearethreesocialbenefits forDBNOs:therighttoknowfordatasubjectsthatdataislost orharmed,informationdiffusionregardingdatabreachesand thepossibilitytoclaimdamagesbythesesamedatasubjects. FortheEuropeanUnion,theprotectionofpersonaldataand therighttoknowhasbeentheprimaryreasontoadopttheEU DBNOsinceitispartoftheGeneralDataProtectionRegulation. IntheUS,themultitudeofthethreesocialbenefits,especially therighttoknowand informationdiffusion,are positioned moreequally.36

Hence,wewilltakethepeculiaritiesoftheEUlegalregime into account in order to facilitate transplantation of the

29_Ibid_155.

30_Op._Cit._Nieuwesteeg_(n_24).

31_Aleksandra _Vold, _‘That’s _All _Folks! _Alabama _Becomes ₅₀th State With Breach Notification Law’ (Thompson Coburn LLP,11 April 2018) https://www.thompsoncoburn.com/insights/blogs/ cybersecurity-bits-and-bytes/post/2018-04-11/that-s-all-folks! -alabama-becomes-50th-state-with-breach-notification-law

accessed16May2018.

32 _For_instance,_the_thresholds_and_legal_language_between_the USstatelevelDBNOsdiffer.SeeMarkBurdon,BillLaneandPaul vonNessen,‘Themandatorynotificationofdatabreaches:Issues arisingforAustralianandEUlegaldevelopments’(2010)26 Com-puterLaw&SecurityReview115.

33_See_for_instance:_Fabio_Bisogni,_‘Proving_Limits_of_State_Data BreachNotificationLaws:IsaFederalLawtheMostAdequate So-lution’(2016)6JournalofInformationPolicy154.

34_Code_of_Virginia_{§18.2-186.6.}

35_Sasha_Romanosky,_David_Hoffman_and_Alessandro_Acquisti, ‘EmpiricalAnalysisofDataBreachLitigation’(2014)11Journalof EmpiricalLegalStudies74.

(6)

lessonslearnedontheothersideoftheAtlantic.Forinstance, inpursuingthesocialbenefitofinformationdiffusioninthe EUDBNO,oneshouldbecognizantofthefactthatinformation diffusionaboutpersonaldatabreachesandmutuallearning hasnotbeenthemainstartingpointofthelegislativeprocess thathasledtotheGDPRandtheDBNO.

3. The

social

benefits

and

costs

of

the

DBNO

ThissectiondiscussesthesocialbenefitsoftheDBNO gen-erally.Thestartingpointhereisthatthesocialbenefitsofthe DBNOdependonthedisclosurethreshold.Section3.1will fur-ther introducethis ‘threshold’ perspective. Section 3.2 will discussthesocialbenefitsofaDBNO,whileSection3.3will discussitssocialcosts.

3.1. Thethreshold

TheEUlegislatordefinesthedatabreachnotification thresh-old inthe GDPR:data breachesthatresultin a‘risktothe rightsandfreedomsofnaturalpersons’inthecaseof notify-ingtheDPA(Article33).Inthecaseofnotificationtoaffected datasubjects,thisriskshouldbe‘high’(Article34).Naturally, somedatabreachesaremoreriskythanothersare.37_Identity

thefthasahighrisk,creditcardthefthasalowerriskandthe theftofcertainpasswordsandusernamesofnon-vital web-sites, aswellasencrypted data,haveanevenlower risk.38

Hence,theoretically,thesedatabreachescanbeplottedona riskcontinuum.ThetwothresholdswithintheEUDBNOare certainpointsonthisriskcontinuum.Thispaperdiscusses towhatextentthesocialoutcomesoftheregulationchange whentheriskthresholdisinterpretedmoreorlessstrictlyand consequentlymoreorfewerdatabreacheshavetobe noti-fied.Tobeprecise,wewillobservethe driversforachange inprivateandsocialoptimawhenthethresholdshifts.39_In Section7,wewillalsodiscusswhetheritissociallydesirable todistinguishbetweenthresholdsfornotifyingtotheDPAand tothedatasubjectsaffected.Intheupcomingsections,wewill primarilyfocusontheprivateandsocialbenefitsandcosts ofnotificationtodatasubjectsexArticle34GDPR.InSection 7.1wewilladdressthedifferentsituationoftheobligationto notifytheDPA.

37_This _paper _does_not _aim _to _provide _an _extensive _overview ofpersonaldatabreachesandtheirriskforindividuals, organi-zationsandsociety.Forthepotentialconsequencesofpersonal data breachesandtheir risksforindividualsandorganizations seeinteraliaVerizon,‘DataBreachInvestigationsReport’http:// www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

accessed16May2018

38_GDPR, _Art. ₃₃₍₃₎ _under_c; _Compare _for_instance _the _Steam hack which also included creditcard theft,but also less vital username information: Casey Johnston, ‘ValveconfirmsSteam hack: credit cards,personal info may be stolen’ (Ars Technica,

11 November 2011) https://arstechnica.com/gaming/2011/11/ valve-confirms-steam-hack-credit-cards-personal-info-may- be-stolen/accessed16May2018.

39_We _assume _that _data _breaches _carry _a _similar _amount _of records(beingaffectedconsumers).

3.2. Thesocialbenefits

Thissectionwilldiscussthesocialbenefitsofdatabreach dis-closuretodatasubjects.First,andforemostfortheGDPR,the socialbenefitofdatabreachdisclosureistheimplementation ofthedatasubjects’‘righttoknow’thattheirdatahasbeen compromised.This‘righttoknow’isanaspectofthe funda-mentalrightontheprotectionofpersonaldata,enshrinedin theCharterofFundamentalRightsoftheEuropeanUnionand theEuropeanConventionofHumanRights.40_The_protection

ofpersonaldatahasbeentheprimaryreasonfortheEuropean UniontoadopttheGDPRandthereintheEUDBNO.41_The

so-cialbenefitofthe‘righttoknow’isintangible.Inaddition,its intrinsicvaluevariesamongschoolsofthought.Ononeside ofthespectrum,thereisastreamofliteraturethatprioritizes fundamentalrightsbyqualifyingitas‘afirstlineofdefence’.42

Ontheothersideofthespectrum,thereisliteraturethat ar-guesthattherighttoknowhasalimitedvalue,43supported byempiricalresearchthatevaluatesthelowmonetaryvalue consumersattachtothisright.44_The_valuation_of_the_right_to

knowwill,inademocraticsociety,bedecidedbythe policy-makeraccordingtothepreferencesofthevoter.Inaddition, thevalueoftherighttoknowwillstronglydependuponthe natureofthedatabreach.Forexample,itmaybemore im-portantforanindividualtobeawareofanidentitytheftthan ofthelossofausernameorpasswordforaSteamaccount(a platformformobilegaming).45

Second,databreachdisclosurewillresultinadditional in-centivesfordatasecurityimprovementsforindividualsand organizations.Thereareshortandlong-termeffectsand di-rectandindirecteffectsofthediffusionofdatabreach disclo-sureinformation.46_Data_breach_disclosure_has_a_short-_term

direct impact on mitigating and avoiding consumer47 _and

40_Charter_of_Fundamental_Rights_of_the_European_Union_[2012] OJC326/1,Art.8;EuropeanConventionofHumanRights,Art.7. TherighttoknowisdescribedclearlyinArticle8(2)oftheCharter, whichstatesthat“everyonehastherightofaccesstodatawhich hasbeencollectedconcerninghimorher,andtherighttohaveit rectified”.

41_GDPR,_Art._1.

42_Axel_Arnbak,_Securing_private_{communications:}_protecting_private communications security inEU law- fundamentalrights, functional valuechains,andmarketincentives(1st _edn,_Kluwer _Law Interna-tional2016)Chapter4.

43_Richard_Posner,_Economic_Analysis_of_Law₍₆th_edn,_Aspen_Law_& Business2002)711.

44_Ignacio _Cofone, _‘The _Value _of _Privacy: _Keeping _the _Money Where the Mouth is’ (2014) RILE Working Paper Series 15/2014, http://www.econinfosec.org/archive/weis2015/papers/ WEIS_2015_cofone.pdfaccessed 16 May 2018.

45_This_gradual_decrease_occurs_{independently}_of_the_absolute valueoftherighttoknow,which,assaid,hastobedetermined bysocietaldebate.

46_Op._cit._Romanosky,_Telang_and_Acquisiti_(n₈₎_259;_This_is_also theaimoftheDutchDBNOwhichstatesinitsexplanatory memo-randumthatthecentralavailabilityoftheinformationwill stimu-latetheabilitytolearnoforganizationswhichhavebeenbreached. 47_Paul_Schwartz_and_Edward_Janger,_{‘Notification}_of_Data Secu-rityBreaches’(2007)105MichiganLawReview913,915;Deirdre Mulligan,Security BreachNotificationLaws:ViewsfromChief Secu-rityOfficer (Study Conducted forthe Samuelson Law, Technol-ogy&PublicPolicyClinic,UniversityofCalifornia-BerkeleySchool

(7)

organizationallosses.48_However,_{organizations}_and

individ-ualsmayover-investintheirsecurityimprovements.49_In_the

longterm,accordingtoUSchiefsecurityofficers,databreach disclosurecanfoster“cooperationbetweeninformation secu-ritydepartments”.50_This_diffusion_of_information_has_positive

effects onoverall security.51 _Furthermore,_indirectly,_a_data

breachdisclosureraisesthepublic’sawarenessregarding cy-bersecurity.Similartotherighttoknow,weassumethatthe informationbenefitforsecurityimprovementislowerwhen thesignificanceofthedatabreachriskislower.

Third,thepotentialliabilityclaimthatcanfollowa disclo-sure hasasocialbenefit.Liabilityresultsinbehaviourthat incentivizes organizationstointernalizesomeofthe exter-nalitiesincybersecurity.Quitenaturally,individualscanonly claimdamageswhenadatabreachdisclosurebecomespublic andtheyareawareofit.Liabilitycanevenaccumulateinclass actions.52

3.3. Thesocialcosts

Therearealsosocialcostsofdatabreachdisclosure.First, in-dividualsandorganizationswhosedatahavebeenbreached incurdirectcostsbecausetheyhavetospendtimeandmoney inordertoanalyseandmitigatetheirimpact.Thismightbea minorcostperrecord,butifhundredsofthousandsofrecords arebeingbreached,thenumbersquicklyaddup.53_The_cost

ofconsumeractionsmightbegreaterthanexpectedbecause consumerscanspendseveralhoursoftimeontheiraccounts and imposecostsonfirmsbyrequestingmoreinformation on,forinstance,newcreditcards.LenardandRubinestimate thatthis costis$10perdatasubject.54_Second,_an_increase

intheamountofnotificationscanleadtoadecreaseinthe positiveeffectsofdisclosure,becausedatasubjectscanpay lessattention toeach individualdatabreach.Subsequently, theinformationdiffusionbecomeslessmeaningfuland even-tuallyalldatabreachescouldjustbeperceivedasirrelevant information.55_We_label_this_effect_{‘notification}_fatigue’._Thus,

ofLaw,2007)23,availablethroughhttps://www.law.berkeley.edu/ files/cso_study.pdfaccessed 16May 2018.Thisdiscussion is linked tothetimingofthenotificationstudiedbyFabioBisogni,‘Data BreachesandtheDilemmasinNotifyingCustomers’(2015), pre-sentedatThefourteenthAnnualWorkshopontheEconomicsof InformationSecurity,Delft,22-23June2015.Thefasterthe disclo-suretakesplace,themorebenefitsforconsumers.Weexpectthis tobeequaloversignificance.

48_Op._cit._Romanosky,_Telang_and_Acquisti_(n₈₎_258. 49_Op._cit._Lenard_and_Rubin_(n₉₎_48.

50_Op._cit._Mulligan_(n₄₇₎_18.

51_Hulisi_Ogut,_Srinivasan_Raghunathan_and_Nirup_M._Menon, ‘In-formationSecurityRiskManagementthroughSelf-Protectionand Insurance’(2005)TheUniversityofTexasSchoolofManagement 1,31.

52_Especially_in_the_US,_see_op._cit._Romanosky,_Hoffman_and Ac-quisti(n8).

53_For_instance_a_consumer_spends₁₀_minutes_on_gaining knowl-edgeaboutadatabreach,atan18europerhouropportunitycost, a100.000recordbreachcancostssociety300.000euro.Thesecosts arepubliccostsinsofarastheyarenotbeingcompensatedbythe privateorganization.

54_Op._cit._Lenard_and_Rubin_(n₉₎_47._It_is_more_likely_to_be_on_the uppersideofthespectrum.

Table 1 – Social costs and benefits. Socialbenefits Marginal

social benefits relativetoa decreasing notification threshold

Socialcosts Marginalsocial costsrelativetoa decreasing notification threshold

Righttoknow Decreasing Administrative costs(data subjectside) Minor decrease Information diffusion Decreasing Notification fatigue Increasing Liability Decreasing Over-reactionin

restricting security

Decreasing

notificationfatiguedoesnot onlyaffectthe benefitsofthe (leastimportant)databreach,butalsohasnegative external-itiestowardsotherdatabreaches.Alldatabreachesbecome less importantwith the introduction ofanadditional data breach (through lowering the threshold).Likewise,as soon asmorenotificationsarebeingmade,forexampleby lower-ingthenotificationthreshold,thebenefitsoftheadditional databreach willdecreaseandthecosts(thenegative exter-nalitytootherdatabreaches)willincrease.Third, organiza-tionsmayover-investinsecuritybecauseofnotifyingthedata breach.However,thisisnotexpectedtobeaverysignificant socialcostbecauseingeneral,organizationshaveincentives tounder-investincybersecurity.56

3.4. Socialcostsversussocialbenefits

Table1belowdisplaysthesocialcostsandbenefitsrelativeto adecreasingnotificationthreshold.

Marginalsocialbenefitsalldecreasewhenlessriskydata breacheshavetobenotified.Themarginaladministrativecost islikelytodecrease,becausethedatasubjectwilltakemore timeinreviewingariskydatabreachthanalessriskydata breach.However,thedecreasewillquicklyflattenout,because acertainbaselineofinvestigativecostshavetobemadeby eachdatasubject.Inaddition,over-investmentby organiza-tions willbeless likelywhenless importantdatabreaches havetobenotified.Notificationfatiguewilllogicallystrongly increasewhenalargerpoolofdatabreacheshavetobe no-tified.Notificationfatiguedrivesoverallmarginalsocialcosts toincreaseandtheminordecreaseofadministrativecostand theoverallminordecreasingeffectofover-investmentcannot compensateforthat.Insum:theremaybepositivesocial ben-efitsfrom notification,butthesecanbereducedbecauseof notificationfatigue.Toreducethatrisk,determiningthe ap-propriatethresholdfornotificationiscrucial(seeSection7). Fornow,weassumethatasmartthresholdwillbedetermined andthatdisclosureisthereforesociallybeneficial.Thatthen leadstothefollowingquestion:

56_Due_to_the_mainly_positive_{externalities}_that_are_present_in cy-bersecurity.

(8)

4. Will

there

be

spontaneous

disclosure

in

the

absence

of

the

obligation?

Thissectiondiscusseswhethertherewillbespontaneous dis-closureintheabsenceoftheobligation.Wewillassessthe pri-vatecostsandbenefitsbecauseofdisclosure.Section4.1will discussprivate benefitsandSection 4.2willdiscussprivate costs.

4.1. Privatebenefits

First,organizationsexperienceabenefitbecausethe disclo-sureofdatabreachesallowsforthefastermitigationofthe impactofthebreach.Thisreducesdirectcosts.Thisis espe-ciallyrelevantwhenconsumersneedtotakeactionafterthe databreach,suchasrefrainingfromusingstolencreditcard informationorusingoldpasswords.Moreover,aDPAcan po-tentiallyassistinmitigatingthebreachbyprovidingtargeted advice.

4.2. Privatecosts

Besidesbenefits,privatepartiesalsoincurcostswhen disclos-ingdatabreaches.57_First,_there_are_the_{administrative}_costs_of

disclosingdatabreachestotheaffecteddatasubjects. How-ever,themajorriskis(perceived)reputationdamage.The lit-eratureshowsthatdatabreachdisclosuredoeshavelimited singledigit(1or2%)negativemarketvalueimpactontheshort term.58_However,_research_that_focussed_on_the_long_term

sug-gests,“informationsecuritybreacheshaveminimallong-term economicimpact”.59_We_believe_that_the_Target_stock_price

ex-57_These_private_costs,_and_the_necessity_to_balance_these_costs withthesocialbenefitsofDBNOshavebeendebatedinthe liter-ature.Forinstance,MarkBurdon,BillLaneandPaulvonNessen, ‘DatabreachnotificationlawintheEUandAustralia– Whereto now?’(2012)28ComputerLaw&SecurityReview296,307 men-tioncompetingrationales,suchasthe‘dualconflictofeffective consumerprotectionsrelatingtoidentitytheftthreatsand min-imisingcorporatecompliancecosts.’

58_Reputation_damage_is_usually_quantified_as_the_difference_in companyvaluebeforeandafterthedisclosure.SanjayGoeland HanyHawsky,‘Estimatingthemarketimpactofsecuritybreach announcementsonfirmvalues’(2009)46Information& Manage-ment404,408,usedsuchaneventstudymethodology.They mea-suredthemarketvalueofthecompanyafewdaysbeforeandafter thenotionofasecuritybreachandfoundanegativeeffectofon averageabout1%ofthemarketvalue.HuseyinCavusoglu, Biren-draMishraandSrinivasanRaghunathan,‘TheEffectofInternet SecurityBreachAnnouncementonMarketValue:CapitalMarket ReactionsforBreachedFirmsandInternetSecurityDevelopers’ (2004)9InternationalJournalofElectronicCommerce69,71, iden-tifiedthroughasimilarapproachanincidentallossofstockprices of2.1%.Theydiscussdirectandindirectcostsofdatabreaches, butthisisaslightlydifferenttopic,asthispaperisabouttotalk aboutdatabreachdisclosure.PierangeloRosati,MarkCummins, PeterDeeney,FabianGogolin,LisavanderWerffandTheoLynn, ‘Theeffectofdatabreachannouncementsbeyondthestockprice: Empiricalevidenceonmarketactivity’(2017)49International Re-viewofFinancialAnalysis146,152,findthatmarketactivityonthe shorttermslightlyhigherafteradatabreachannouncement.

59_Myung_Ko_and_Carlos_Dorantes,_‘The_impact_of_information se-curitybreachesonfinancialperformanceofthebreachedfirms:

ampleshowsthedifficultyinpointingoutlong-term reputa-tionaldamage.Targetwasthesubjectofaverysignificantdata breachinDecember2013.Fig.1belowdisplaysthegraphofthe stockmarketvalueofTarget.Itisimpossibletoidentifythe dayofthedatabreach,asonothertradingdaysstockprices didfluctuatemorethanduringtheeventinlateDecember.60

Inpractice,thedistributionofrealreputationalcostshasa long-termeffect.Someorganizationwillsuffernosignificant long-termreputationdamage,whileothercompanieswillgo bankruptbecauseofthedisclosureofthedatabreach.61_The

formergrouparelikelytoconsistoforganizationswitha sta-blecustomerbasethatareabletoexploitlock-instrategies andaretoobigtofail.Adatabreachdoesnotreducethe like-lihoodthatconsumersbuytheproductorservicesofthese organizations.The lattergroup has asmall customer base and/oroffersproductswithtrustasacoresellingpoint.62

Nev-ertheless,theperceivedvalueofreputationdamageismore im-portantthanitsobjectivevalue.Asasecurityofficerpointed out,“fearofreputationdamage… drivesorganizationstotake stepstoatleast evaluate,ifnotcorrectand enhance secu-ritymechanisms”.63_{Alternatively,}_consider_the_following_blog

post:“OurheadofITSecurity(ofamajortelecom)toldusonce, ‘wehaveonekeymetric:Don’tshowupintheWallStreet Jour-nalforasecuritybreach.’”64

Athirdissueisliability.Thegenerallogicisthatwhena databreach becomespublic, theopportunity arises forthe publictosueorganizations.Therefore,notifyingdatabreaches raisesthelikelihoodofliabilitycosts.Romanoskyfindsthat whenconsumerssufferfinancialharm,theriskoflitigation increaseswithafactorof3.5.65_However,_two_drivers_mitigate

anempiricalinvestigation’(2006)16JournalofInformation Tech-nologyManagement13,20,usedamatchedsamplecomparison analysisinsteadofeventstudymethodologytoinvestigatethe im-pactofsecuritybreachesonfirmperformance.Theseobservations aboutlong-termimpactshouldbetakenwithcare,becausethe ef-fectofthedatabreachismuchhardertodisentanglefromother exogenousvariablesandhighqualitypaneldataisnotavailable.

60_‘In _the _days _prior_to _Thanksgiving_2013,_someone _installed malwareinTarget’s securityandpaymentssystem designedto stealeverycreditcardusedatthecompany’s1,797U.S.stores.’ SeeMichaelRiley,BenElgin,DuneLawrenceandCarolMatlack, ‘Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It’ (Bloomberg, 17 March 2014) https://www. bloomberg.com/news/articles/2014-03-13/target- missed-warnings-in-epic-hack-of-credit-card-data accessed 16 May 2018.

61_Robert_Layton_and_Paul_A._Watters,_‘A_methodology_for estimat-ingthetangiblecostofdatabreaches’(2014)19Journalof Infor-mationSecurityandApplications321alsoindicatethatfirmscan stillgrow,whilewriting-offsomeexpendituresrelatedto reputa-tiondamage.

62_Compare_for_instance_the₂₀₁₇_Verizon_data_breach_with_the 2011Diginotardatabreach.Theformerdidnotencountermajor issueswhilethelatterwentbankrupt.

64_See _the _following _article _on _Bruce _Schneier’s _blog: _Bruce Schneier, ‘Breach Notification Laws’ (Schneier on Security, 21 January 2009) https://www.schneier.com/blog/archives/2009/01/ state_data_brea.htmlaccessed 16 May 2018.

65_Op._cit._Romanosky,_Hoffman_and_Acquisti_(n₈₎_76._This re-searchisbasedonUSdatawheretheuseofliabilitylawismore commonthaninotherjurisdictions.

(9)

Fig.1– Stockmarketvalueoftargetcorp.

Table 2 – summary of private costs and benefits. Privatebenefits Marginal

private benefits relativetoa decreasing notification threshold

Privatecosts Marginalprivate costsrelativetoa decreasing notification threshold Mitigationof impactand improvement ofsecurity Decreasing Administrative costs Slight decrease Reductionin reputation damage Decreasing Reputational damage Decreasing Additional perceived reputation damage Decreasing

Liabilitycosts Decreasing

this effect.First,awell-planned notificationstrategyfor or-ganizationscanmitigateliabilitycosts.Liabilityriskscanbe reducedwhentheorganizationisabletoshowthatittook ap-propriateactioninnotificationandreductionoftherisk(such asimmediatedisclosureitself).IntheU.S.,thelikelihoodofan organizationbeingsuedissixtimeslowerwhenthe organiza-tionoffersfreecreditmonitoringafterthedatabreach.66

Sec-ond,whenacompanyintentionallyconcealsdatabreaches and they nevertheless becomepublic,it canreasonablybe expected that the likelihood and impact of claims will be higher.Wesummarizeprivatecostsand benefitsinTable2

below.

Privatebenefitsandcostsarestronglycorrelatedwiththe magnitudeofthedatabreach risk.Private benefitsbecome higherwhendatabreachesthathavetobenotifiedaremore risky,whiledecreasingwhenbreachesbecomelessrisky.With

66_Ibid_91.

regardtoprivatecosts,weexpecttheseadministrativecostsof disclosuretodecreaseslightly.Thisisrelatedtothe assump-tionthattheadministrativeproceduretoinformcustomers willtakeslightlymoretimewhenthebreachismore signif-icantbecauseitcanbeexpectedthatdatasubjectsdemand moreinformation.Weexpecttheothermarginalprivatecosts to decrease relative to a decreasing notificationthreshold. Concerningabsolutenumbers,privatecostsare(perceivedas) highandcertain,whileprivatebenefitsareindirectand un-certain.Hence,we assume that (at leastin the perception ofthe organization that hasthe notificationduty) the pri-vatecostsofdatabreachdisclosurearehigherthanthe pri-vatebenefits.Ergo,therearefewincentivesforaprivateactor spontaneouslytonotifydatabreachesintheabsenceofthe obligation.67

5. The

case

for

the

DBNO

Section 3 observedthat adata breach notificationhas so-cialbenefits,mostnotablybringinginformationtothemarket thatservesasarighttoknow’andtheinformationdiffusion.

Section4observedthatdatabreachdisclosuremostlikely im-posesa netcost onprivate parties.There willnotinmost

67_Surely,_there_are_data_breaches_for_which_private_benefits_of disclosureexceedprivatecosts.Forinstance,whenthereisa (per-ceived)highlikelihoodthatabreachwillbemadepublicbyathird party.Insucha situationthe differenceinreduced (perceived) reputationdamageandthethreatofliabilityclaimsmayweigh againstdisclosurecosts.Therehavebeencasesofspontaneous disclosureofdatabreachesinthepast,althoughthe‘spontaneity’ ofthesedisclosuresissometimeshardtodisentanglefromlocal legalobligations.Forinstance,intheNetherlands,therehasbeen alocaldatabreachnotificationlawsinceJanuary1,2016untilthe applicationoftheGDPR.Inaddition,contractualobligations be-tweenpartiescouldhavetriggereddatabreachdisclosureinthe past.Also,casesofspontaneousdisclosurearehardtoretrieve sincethereisobviouslynoobligationtonotifyaDPAinthe ab-senceofthelaw.Tothebestofourknowledge,therehasbeenno furtherresearchconductedonthespontaneousdisclosureof per-sonaldatabreachesintheEU.

(10)

Table 3 – Public costs of a DBNO. Publiccosts(costsassociated

withtheoperationofthe legalsystem)a

Marginalpubliccostsrelativetoa decreasingnotification threshold

Adoptioncosts Sunkcosts CostsofDPA Stable

Costsofenforcement Stableforgeneralenforcement,up tothresholdviolationspecific enforcement

Costsofthedigitalfirstaidkit Stable

a _Steven_Shavell,_‘The_Level_of_Litigation:_Private_Versus_Social

Op-timalityofSuitandofSettlement’(1999)19InternationalReviewof LawandEconomics99,100:“Toamplify,theprivatecostofasuit islessthanthesocialcostofasuit,forthatincludestheinjurer’s costsaswellasthepubliccosts(thosecostsassociatedwiththe operationofthejudicialsystem).”

casesbespontaneousdisclosureintheabsenceofthe obli-gation.Thissectionexaminesin5.1whethersocialsurplus is likelyto remain, evenwhen net private costs are taken into accountandarguesthatthereisacaseforregulation.

Section5.2discussesthepubliccostofenforcingtheBDNO.

5.1. IsthereacasefortheDBNO?

Most data breach disclosures impose a cost on data con-trollers.Uptothethreshold,thesocialbenefitsoutweighthe (net)privatecosts.Withinthis area,thereisacasefor reg-ulation.Thesocialoptimalthresholdfordisclosurewillliea notchhigher,becausenetprivatelosseshavetobeaddedto thesocialcosts.Thedatabreachesbelowthethresholdwill haveinsufficientpositiveeffectstocompensateforthe nega-tiveeffectsandgenerateasocialloss.Itbecomesquiteclear thatthisisimportanttogiveadirectionfordistinguishingand clarifyingthethreshold,whichwewilldoinSection7.

5.2. PubliccostoftheDBNO

TherearealsopubliccostsoftheDBNO(Table3).Thefirstis theadoptionoftheregulationassuch.Therearecosts associ-atedwiththediscussionandadoptionoftheregulationbythe EUlegislator.Thesearesunkcostsandtheregulatorcanalso incurthesecostswhentheregulationisnotadopted.There arealsocostsinvolvedinprocessingthenotificationsatthe DPA.Furthermore,thereareenforcementcosts68_and_possible

costsinvolvedinofferingadigitalfirstaidkit,discussedinthe nextsection.

Whenweaddthepubliccoststothenewsocialoptimum, thesociallyoptimalthresholdbecomeshigher.

68_Op._cit._Polinsky_and_Shavell_(n_5);_Sharon_Oded,_‘Inducing cor-poratecompliance:Acompoundcorporateliabilityregime’(2011) 31InternationalReviewofLawandEconomics272,273;George Stigler,‘TheOptimumEnforcementofLaws’(1970)78Journalof PoliticalEconomy526,526.

6. Will

the

EU

DBNO

sufficiently

induce

data

controllers

to

notify?

Section3arguedthatdisclosureissociallybeneficialfora cer-tainareaofdatabreaches(uptothethreshold).Section4 con-cluded that, forthe majority ofthose databreaches, there wouldbeinsufficientincentivesforspontaneousdisclosureby privateparties.Section5arguedthatthereisacasefor regu-lation,becausethesesocialbenefitsarehigherthanprivate costs,providedthatthebenefitsofregulationoutweighthe publiccostsofregulation.Thequestionthissectionaimsto addressiswhethertheEuropeanregulationwillsufficiently inducedatacontrollerstonotifythosedatabreachesforwhich disclosureissociallybeneficial.

6.1. Theadministrativefine

Theadministrative fineis the maindesignparameter that inducesdatacontrollerstonotifywithinArticles33,34and 84(4)theDBNO;especiallyArticle84(4)GDPRgivesDPAsthis power.69 _In_the_case_of_{non-compliance}_with_the_regulation,

DPAsaregrantedthepowertoimposeanadministrativefine of€10,000,000or2%oftheundertakingsturnover,whichever ishigher.70_The_fine_can_be_imposed_when_the_data_controller

concealsadatabreachor doesnotnotifyinduetime.The administrativefinehasseveraltheoreticaladvantages.First, the fine hasa multiplication effect. Thefine hasan effect onceimposed,aswellasthethreatoftheeffectthancanbe executedmultipletimesoncedatacontrollerscomply.Thus, whenthesanction isset atadeterrentlevelthatforces all datacontrollerstocomply,thesanctionitselfiscostless, be-causeitdoesnothavetobeexecuted.Insuchasituation,only thethreatsuffices.71_Moreover,_even_if_the_fine_has_to_be

im-posed,thefineitselfisconsideredasociallycostlesstransfer ofmoney(contrarytootherthreatssuchasimprisonment).72

Last,highersanctionsallowforlowerlevelsofenforcement toremainanidenticallevelofdeterrence.Thehighsanctions inArticle84(4) GDPRconsequentlycould saveenforcement costs.

However,thehighfineinArticle84(4)GDPRalsohasseveral disadvantages.Forsmalldatacontrollers,themaximum de factofinewillbelowerbecauseahighfinewillgobeyondtheir solvency.73_Next,_high_sanctions_can_lead_to_over-_and

under-deterrencewhen the perceptionofthelikelihood of detec-tiondiffersfromtheactuallikelihoodofdetection.74_This

phe-nomenonoccursespeciallywhenthereisalowlikelihoodof 69_Op._cit._Nieuwesteeg_(n₂₄₎_80._The_majority_of_the_DBNOs_in_the worldapplypenaltiesinordertodeternon-compliance.

70_GDPR,_Art._83(4).

71_See _Giuseppe _{Dari-Mattiacci} _and _Gerrit _de _Geest, _‘Carrots, sticks,andthemultiplicationeffect’(2010)26JournalofLaw, Eco-nomics, andOrganization 365,365,compare the discussion in

supraSection2.2onperceivedreputationdamage. 72_Op._cit._Polinsky_and_Shavell_(n_5).

73_Also,_in_practice,_it_is_likely_that_most_actual_fines_will_be_lower thanthemaximum,loweringtheirdeterrenteffect.Article83(2) specifiesseveralcircumstancesofthecasethathavetobetaken intoaccountfortheactualdeterminationofthefine,suchas neg-ligenceandmitigationmeasures.

(11)

detection.Tobespecific,datacontrollerscouldbeincentivized tonotifydatabreachesthataresubjecttomandatory notifi-cation(becausetheydonotresultinariskfordatasubjects) justbecausetheywanttobe‘onthesafeside’.Thisassumes thatthedatacontrollersdonothaveexactinformationabout thetwothresholds.Thisisreasonabletoexpect,because cur-rently the thresholdsare notdefined any furtherthan the qualificationof‘risk’or‘highrisk’totherightsandfreedoms ofdatasubjects.Inasituationofover-deterrence,data con-trollerswilldisclosedatabreachesforwhichdisclosureisnot sociallybeneficialandthiswillresultinasocialwelfareloss. Furthermore,ahighadministrativefinecanincentivizedata controllersnottodetectdatabreaches.75_Closely_connected,

peopleshowrisk-seekingbehaviourwhenfacinglosses.This underminesthedeterrenteffectofhighfines.76_A_last

disad-vantageofthe(high)administrativefineisthatitwillpunish the organizationitself(andthus theshareholders and cus-tomers)andnotthepeopleresponsibleforconcealingthedata breach.77

6.2. Enforcementofthefine

TheadministrativefineoftheDBNOishigh,buttheexpected valueoftheadministrativefineisthemagnitudeofthefine multipliedbythelikelihoodofdetection.Hence,itsdeterrent effectlargelydependsontheabilityoftheDPAeffectivelyto enforceatacceptablesocialcost.78_What_should_be_the_level

ofdeterrence?Thelevelofdeterrenceshouldexceedthenet privatecostthatdatacontrollersincurwhendisclosingadata breach.79_This_private_cost_is_not_static_but_varies_across_data

controllers and willalso bedifferent foreach data breach.

Section4concludedthatprivatecostsare(perceivedas)high andcertain,whileprivatebenefitsareindirectanduncertain. Hence,thereisasignificantgap betweenprivatecostsand benefitsthatshouldbeclosedbyanappropriatedeterrent ef-fectoftheDBNOinordertoinduceanorganizationtoprovide sufficientnotification.

Theappropriatelevelofdeterrencecanbeaccomplished throughenforcingtheregulationandbyincreasingthe likeli-hoodofdetection.TheGDPRdoesnotgivefurtherinstruction onhowtoenforcetheobligation,apartfromthestatement that enforcementshould be‘strong’ accordingto Recital7. Thissectionwilldiscussseveralpossibilitiesforenforcement oftheEUDBNO.

75_See_also_A._Mitchell_Polinsky_and_Steven_Shavell,_‘Mandatory versusVoluntaryDisclosureofProductRisks’(2006)HarvardLaw School, John M. Olin Centerfor Law, Economics and Business DiscussionPaperSeries564/2006,4http://www.nber.org/papers/ w12776accessed16May2018.

76_See_the_seminal_article_of_Daniel_Kahneman_and_Amon Tver-sky,‘ProspectTheory:AnAnalysisofDecisionunderRisk’(1979) 47Econometrica263.

77_See_for_a_more_extensive_discussion_op._cit._Polinsky_and_Shavell (n5).

78_See_also_op._cit._{Dari-Mattiacci}_and_De_Geest_(n₇₂₎_and_Gary Becker,‘CrimeandPunishment: AnEconomicApproach’(1968) 76TheJournalofPoliticalEconomy169.Accordingtothetheory ofdeterrence,thestrictnessofthestickequalsthemagnitudeof sanctionstickmultipliedbytheprobabilityofdetection.

79_See_supra_Section₄_.

General enforcement concerns auditing random organiza-tionstoinvestigatewhethertheycomplywiththeDBNO. Gen-eralenforcementischaracterizedbythefactthatitdoesnot dependonthenumberofindividualswho actuallycommit harmfulacts.80_An_example_of_the_current_Dutch_DBNO_that

willbereplacedbytheEUDBNOillustratesthatgeneral en-forcementwillbecostly.81 _Suppose_the_Dutch_DPA_wants_to

achievealikelihoodofdetectionof10%anditwillbeable suc-cessfullytofindadatabreachinhalfofthecaseswhereone hasoccurred.82_Then_it_must_audit_20%_out_of_the_total_number

of132,000organizationsintheNetherlands.83_No_more_than

20organizationsperyearcanbeauditedbyoneFTE.84_Hence,

toaudit20%oneneeds1320FTE.Givenanaverageannual to-talcostforskilledpersonnelof€100,000,theregulatorycosts ofenforcementriseto€132,200,000perannum.In2017,the totalcapacityoftheDutch DPAinNetherlandsis72,5FTE, thatcanonlybepartiallydeployedforenforcement.85

Sup-posethat25%oftheDutchDPAstotalcapacity(18,125FTE) canbedevotedtogeneralenforcementoftheDBNO.This re-sultsinanactuallikelihoodofdetectionofaround0,27%.In addition,generalenforcementcausessignificant administra-tivecostsfortheorganizationsthataresubjecttoanaudit. Manyofthemhavenothingtohideandhavetodevotetime andmoneytotheauditingprocedure,whichaggravatesthe socialcostofgeneralenforcement.Ergo,webelievethat gen-eralenforcementisnotasociallyefficientinstrumentto in-creasethedeterrenteffectoftheDBNO.86

Exanteriskbasedauditingisamoreefficientmeansof audit-ing.Thisapproachstartswithprioritizingsectorsor organiza-tionsthataremostlikelytoviolatetheobligation.IntheUS, forinstance,healthcareandfinancialinstitutionshavebeen subjecttodatabreachesrelativelymoreoftenthanother sec-tors.87_In_addition,_DPAs_can_prioritize_their_enforcement

ef-fortsonthosesectorswherethedisclosureofdatabreachesis mostlikelytoleadtothehighestsocialwelfareincrease. Log-ically,exanteriskbasedauditingreducescostsbecausethe averagelikelihoodofdetectionislikelytoincreaseperaudit. However,thisshouldbeweighedagainstthecostofexante effortsindeterminingtherisk.Whenthesecostsarekept suf-ficientlylow,forinstancethroughdiffusinginformationabout riskassessmentsacrosstheEU,riskbasedauditingis prefer-abletogeneralenforcement.However,alabourintensive au-ditingprocedureislikelytoremain.

80_Op._cit._Oded_(n₆₈₎_273.

81_Op._cit._Laube_and_Böhme_(n₉₎_37.

82_We _assume _50% _likelihood _of _detection_because _data con-trollerscanquiteeasilyactivelyconcealdatabreachesbyfor in-stancingremovinglogfilesaboutthebreach.

83_According _to _the _Dutch _estimation _when _the _DBNO _was adopted.

84_Assuming₁₀_days_FTE_work_for_an_intensive_auditing proce-dure.

85_See_{www.autoriteitpersoonsgegevens.nl}_accessed₁₆_May_2018. TheDutchDPAalsohasothertasks.

86_Op._cit._Laube_and_Böhme_(n₉₎_37.

87_Based_on_the_US_Privacy_Rights_{Clearinghouse}_data_set_that_is forinstanceanalysedbyBenjaminEdwards,StevenHofmeyrand StephanieForrest,‘HypeandHeavyTails:ACloserLookatData Breaches’(2016)2JournalofCybersecurity3,4.