Cybersecurity: The Economic Benefits of GDPR
The CNIL has published an analysis of the economic impact of the GDPR on cybersecurity. By reinforcing security obligations, the regulation has helped avoid between €585 million and €1.4 billion in cyber damages in the EU from identity theft alone.

In its review of the economic impact of GDPR, five years after its entry into force, the CNIL noted that economic studies on the regulation tend to focus mainly on its costs and only marginally address its benefits. The CNIL undertook to study some of these benefits and provide a quantified analysis. This analysis approaches the topic from a cybersecurity perspective (Articles 32, 33, and 34 GDPR) to highlight the regulation’s positive impacts.
In the economics of cybersecurity, information security is treated as an investment decision made by companies. That decision follows a profitability logic: the cost of a cybersecurity investment is weighed against the risk of cyberattacks it reduces.
This calculation, however, overlooks a crucial factor: the effect of a company's investment on the wider society, known in economics as an externality. Because of these externalities, the level of cybersecurity investment that companies choose on their own is suboptimal in the absence of regulation. Regulations such as the GDPR help correct this market failure by requiring security measures that benefit not only the data subject but also other businesses and their partners.
Thus, the CNIL chose to study the benefits of GDPR through a quantified analysis focused on cybersecurity. A summary of the main findings from the full report is presented below.
The Different Types of Externalities in Cybersecurity
Three main types of externalities can be identified, depending on the economic actor affected: other companies, cybercriminals, and clients/users.
Externalities Affecting Other Companies
A company's cybersecurity level also depends on the cybersecurity investments of other companies. Malware spreads from machine to machine much as a biological virus spreads through contagion. Consequently, when a company invests in cybersecurity, it helps create an overall environment that is more resilient against cybercrime, through a mechanism similar to herd immunity. This spillover benefits:
- Subcontracting relationships, because the data security of the data controller depends on the security level of its processor (subcontractor);
- Partner companies or even competitors, who "benefit" from high data security standards within a given sector, creating a "virtuous circle".
However, a company has no incentive to take into account the benefits its cybersecurity investments bring to its competitors, which limits its investment in this area.
Externalities for Cybercriminals
Underinvestment in cybersecurity increases the profitability of cybercrime, particularly through ransomware (attacks that aim to extort a ransom).
When security measures are insufficient, attacks are more likely to succeed. The more attacks succeed, the more cybercriminals can demand large ransoms, knowing that some victims will eventually pay. Cybercriminals set ransom amounts to maximize profit by balancing two factors: a ransom that is too high discourages victims from paying, while a ransom that is too low leaves money on the table.
Since only a few companies are willing to pay very large sums, the optimal strategy depends on the number of successful attacks. If successful attacks are rare, it is more profitable to demand moderate ransoms that most victims will agree to pay. If successful attacks are common, the chance that at least some victims will pay a very high ransom increases, and it becomes more profitable for cybercriminals to set high ransoms and maximize their gains on those few large payments.
Thus, the lack of investment in cybersecurity creates a vicious cycle: it increases the success rate of attacks, strengthens cybercriminals’ ability to demand higher sums, and ultimately boosts both the profitability and the severity of cybercrime.
Externalities Affecting Customers
Data breaches affecting companies often involve the personal data of their customers/users (natural persons). Such data can be used to launch further cyberattacks against the affected individual (phishing, identity theft, credential stuffing). Individuals who suffer the negative consequences from a data breach may not always be able to identify which company is responsible for the leak of their personal data.
When a company discloses a data breach, it risks consequences: reputational damage, decreased valuation, loss of customer trust, etc. To avoid these repercussions, companies might choose not to disclose incidents in the absence of regulation.
This opacity is socially suboptimal: it allows the companies concerned to escape responsibility for the harm their underinvestment in cybersecurity causes to their customers, which weakens their incentive to strengthen protections, and it prevents the affected individuals from being vigilant and taking appropriate measures to protect themselves (changing passwords, watching for fraudulent transactions).
The GDPR has made this opacity illegal. Data controllers must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33), and must notify the affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34). Companies that fail to comply with these obligations face sanctions. By reducing this externality, the GDPR generates benefits for society as a whole.
The Benefits of the GDPR from a Cybersecurity Perspective
Compliance with the GDPR helps combat underinvestment in cybersecurity.
For example, by requiring entities to notify individuals of data breaches that pose a high risk to them (Article 34 GDPR), the regulation lets people choose to stop doing business with companies that do not maintain an adequate level of cybersecurity. This provision therefore reduces the externality affecting the company's customers: the company is held accountable, which gives it an incentive to invest more in cybersecurity.
Economic research has measured this effect for one type of cybercrime, identity theft:
- By comparing the number of identity theft incidents before and after breach notification requirements came into force, economists found that data breach notifications lead to a 2.5% to 6.1% decrease in identity theft;
- By applying this decrease to the cost of identity theft in France, it can be calculated that between €90 million and €219 million in losses have been avoided in France since 2018, and between €585 million and €1.4 billion across the EU;
- Taking into account how these losses are compensated and the impact of identity theft on victims' trust in online shopping, an estimated 82% of the avoided losses accrue to companies.
These gains represent only a small part of the total benefits of the GDPR in terms of reducing cybercrime: they reflect the impact of just one of its provisions on a single type of cybercrime. The positive effects of GDPR compliance on ransomware, botnets (networks of compromised devices under an attacker's remote control), malware and so on must also be counted. Further work by economists on the cybersecurity dimension would give a more comprehensive picture of the topic.