Request For Research Presentations For the PrivacyCon Conference
Information security controls can help reduce the probability of a breach, but cannot guarantee that one will not occur. In order to reduce the costs of data breaches, firms are faced with competing alternatives. Investments in ex ante security measures can help prevent a breach, but this is costly and may be inefficient; ex post mitigation efforts can help reduce losses following a breach, but would not prevent it from occurring in the first place. We apply the economic analysis of tort and accident law to develop a two-period model that analyzes the interaction between a firm and its consumers. The firm strategically chooses the optimal amount of ex ante security investments and ex post mitigation investments in the case of a breach; consumers, that can engage in ex post mitigation activities. We show that it can be optimal for a firm to invest more in ex post mitigation than in ex ante security protection. However, there also exist situations under which a firm finds it optimal to not invest in ex post mitigation, and simply invest a positive amount ex ante. In addition, we find that a social planner seeking to minimize the social cost from a breach should not incentivize the firm to bear all consumers loss: as long as consumers have feasible tools for mitigating the downstream impact of data breaches, they should be responsible for a fraction of the expected loss caused by the breach.