I wonder if the publisher's re-ID loss, L, and the related assumption that the attacker's gain is equivalent to the publisher's loss, are appropriate model assumptions? These seem to be based upon the assumption that the attacker's gain (equivalently, by assumption, publisher's loss) is a one time gain(loss), but this may not be correct. Because these are information, not physical products, once the record has been re-ID'ed, the potential loss is potentially extremely large, and not static, because the same information could be sold by the attacker to any number of third parties as new calls arise for this information. As these assumptions are essential controlling parameters in the model, it seems important to analyze these assumptions carefully.
