A Study of Compensation in Personal Identifiable Information Leakage

Tomohisa Ishikawa
Kouichi Sakurai

Keywords

Privacy, Information Leakage, Personal Identifiable Information, Compensation

Abstract

Organizations and companies that suffer a leakage of personal identifiable information (sometimes
abbreviated as PII) should take many necessary actions, such as investigation, public relations,
and compensation for customers. In Japan especially, mass media tend to broadcast security news
and these information leakage incidents as daily news. Therefore, organizations and companies are
also interested in incident prevention and incident handling planning. On the other hand, it has been
pointed out that the cost-benefit of security investments is difficult to understand. On top of that,
compensation for the victims of personal identifiable information leakage is not prescribed in regulations
or guidelines, and there are only a few cases of civil trials for compensation. Therefore,
compensation is determined by past examples. In this paper, the authors first briefly explore
the model for cost-benefit analysis of security incidents. Second, by evaluating real examples
and the JO model, which is a currently well-known estimation model of compensation for personal identifiable
information leakage, the authors show the actual compensation in Japan and then the gap between
the model and real examples. Finally, the authors point out the points to consider for future
sophistication of the model.