Privacy Accountability and Penalties for IoT Firms

Risk Anal. 2020 Dec 27. doi: 10.1111/risa.13661. Online ahead of print.


Internet of things (IoT) business partnerships are formed by technological partners and traditional manufacturers. IoT sensors and devices capture data from the manufacturers' products. Data drive product/service innovation thanks to data sharing among companies. However, data sharing among firms increases the risk of data breaches. This is due to two phenomena: information linkage and privacy interdependency. Data Protection Authorities (DPAs) protect data subjects' rights and fine firms if there is an infringement of privacy laws; the DPA sanctions the party responsible for the infringement. We present two different business scenarios: in the first, each firm is a data owner; in the second, only the manufacturer is the data owner. For both scenarios, we present two fair penalty schemes that determine the total amount of the fine and how to share the fine among the participants. Penalties vary critically with how innovation networks are structured in IoT industries. Our penalties provide incentives for data sharing, since they redistribute the firms' responsibility for data breaches. Our penalties may also mitigate the risk borne by the manufacturer when it is solely responsible for data handling.

Keywords: Cooperative game theory; European GDPR; data breach; data sharing; risk mitigation.