Strict liability versus negligence in the case of data breach

This study compares the efficiency of the strict liability and negligence rules in the case of a data breach. Contrary to standard results, we demonstrate that the strict liability rule cannot induce the efficient activity and care levels of a data controller. This is mainly due to possible positive externalities from data breaches, unlike in usual tort cases. We show that the negligence rule is more efficient than the strict liability rule if the positive externality is sufficiently large. The main insight is carried over to the case where a data controller uses a data processor to process personal information before selling it in the market. If hackers are explicitly introduced into the model, the care level of the data controller increases with the hacking activity, whereas the latter level decreases with the former. In this model, if the hacker's gain is sufficiently small, the negligence rule can be made more efficient by adjusting due care to a harsher level than the equilibrium care level under strict liability to reduce hacking activity, although a pure strategy equilibrium may not exist for some due care levels.