Assessing liability arising from information security breaches in data privacy

To counter threats, information security measures need to be employed in a way that adequately protects personally-identifiable data, and a privacy framework must be implemented. Assessing liability in an information security context is a means to reduce exacerbated social costs that are likely to arise. Apportioning costs between the information owner and information security service providers is also desirable because it may lead to reduced transaction costs, rendering the provision of information security services more attractive for both service providers and users. This paper reviews certain drivers and shortcomings associated with data privacy as it relates to cyber attacks, with a special focus on the European legal framework. It then briefly presents a liability assessment model that is adapted for the purpose of data privacy breaches of information security. Finally, a sample assessment is carried out of the liability of actors with regard to data privacy.