Data breaches are a rising concern in personal data management. While the damages due to data breaches fall primarily on the end customer, the service provider should be held liable. A sanctioning approach is proposed to promote a greater responsibility by the service provider, where sanctions are proportional to the service providers rev- enues. The interactions between the customer and the service provider are modelled as a game, where the customer decides the amount of tolerable loss (a proxy for the amount of information released) and the service provider decides the amount of security investment. The solution of the game for a typical scenario shows that sanctions effectively spur the service provider to invest more in security and lead to a reduced data breach probability.