open
Elsewhere Online twitter Facebook SLS Blogs YouTube SLS Channel Linked In SLSNavigator SLS on Flickr

Regulating Information Security in the EU and the U.S. by Mandating Targeted Transparency

Regulating Information Security in the EU and the U.S. by Mandating Targeted Transparency

Research project

Investigator:

Lukas Feiler

Abstract:

There is little disagreement in the EU and the U.S. about information security (often also referred to as cybersecurity) being an increasingly important issue warranting some extent of regulatory intervention. The regulatory approaches chosen so far in the EU and the U.S. have either (1) required the implementation of security measures; (2) imposed or limited liability for security breaches; (3) imposed criminal sanctions for malicious actors; or (4) mandated the disclosure of security breaches to allow the individuals concerned to take reactive measures.

This paper will show that all these approaches implemented in EU and U.S. law fail to address the problem of information asymmetry. The research in the area of economics of information security has long established that information asymmetry is a fundamental obstacle to any significant improvements. The buyers of software products, online services, or any other services that involve the processing of personal information typically cannot assess the level of information security provided by these products or services. Thus, customers are not willing to pay for security, giving manufacturers and service providers little incentives to bring more secure products and services to the market. This leads to a “market of lemons” where only the relatively unsecure products and services (the “lemons”) are produced and put on the market.

Building on the research in the area of the economics of information security, the paper will show that so-called “targeted transparency” policies (as described by ARCHON FUNG ET AL., FULL DISCLOSURE: THE PERILS AND PROMISE OF TRANSPARENCY (2007)) are particularly well suited to remedy this market failure. The transparency-based policies implemented so far—in particular data security breach notification policies—are not “targeted” in the sense that they are not concerned with reducing information asymmetry; they rather focus on allowing public authorities or individuals concerned to take reactive measures against a notified breach. 

The paper will analyze why targeted transparency policies have not yet been adopted more widely, in particular regarding the security of personal information processing, outages of communications networks, and software security. 

Lastly, the paper will discuss how targeted transparency policies should be formulated to address different actors in the information security landscape (in particular companies processing personal information, communications service providers, and software manufacturers). In this context, the different ways of measuring and expressing information security will be discussed in particular taking into account the advantages and disadvantages of certifications (e.g. Common Criteria certifications for products and ISO 27001-certifications for information security management systems) as compared to metrics based on “real-life” data such as security breaches and publicly reported vulnerabilities.