Brand and reputation – the company’s “goodwill” – reflect customers’ trust, and losing that trust imperils the brand. Public companies believe that protecting consumer and employee privacy is vital to maintaining that trust, according to a recent study by the International Association of Privacy Professionals (IAPP). The IAPP reviewed disclosure statements filed with the U.S. Securities and Exchange Commission by more than 100 publicly traded companies to learn how these companies view privacy risks.
We found that a large majority of public companies – more than 80 percent of those surveyed – are warning investors about cyber attack. Nearly one-half are also concerned that their business partners, vendors, and other third parties might mishandle sensitive personal information.
Should these companies suffer a data breach, their principal concern is not loss of trade secrets, intellectual property, or other proprietary data. Instead, the number one concern is loss of personally identifiable information (PII). Why? Mishandling PII damages the company’s reputation and brand. Litigation and regulatory enforcement bear mention, but the chief perceived threat from privacy mishaps is harm to goodwill.
Consequently, as other IAPP studies show, CEOs and boards are investing in privacy leadership internally, and spreading privacy training and awareness throughout the firm. They are stepping up vendor management programs, and paying closer attention to privacy law compliance. In short, they are recognizing that good privacy hygiene reduces risk, which improves the bottom line.
Form 10-K Filings Provide Risk Forecasts
Under U.S. securities laws, companies that issue securities are required to file annual reports with the SEC on Form 10-K. Companies generally file their 10-Ks shortly after the close of their fiscal year (which typically ends December 31). Among the items Form 10-K requires is a discussion of the most significant factors that make the company’s securities speculative or risky to investors.
The IAPP analyzed the Form 10-K disclosures for 2015 filed by the U.S. companies ranked in the top 150 by revenue according to Fortune magazine. We excluded companies that did not file a 10-K at all, as well as those whose 10-K listed no digital information risks, and focused on the 114 companies whose Form 10-K disclosed such risks.
We then categorized the disclosures made by these companies based upon their perceived privacy or security threats; the type of information companies felt was the most vulnerable; the companies’ legal concerns; and the possible business harms associated with these privacy and security risks.
Cybersecurity Tops the List
We found that companies are far more concerned about cyber attack than any other information-related threat. Eighty-six percent of the companies disclosing privacy and security risks in their Form 10-K specify risk of hacking or cyber incidents. The next greatest concern is information mishandling by business partners, vendors, or other third parties (47 percent), followed by damage to information technology systems themselves (45 percent), and employee misuse of data (43 percent).
Notable differences are apparent across industry sectors. Although companies in all sectors are most likely to list cyber attack among their 10-K risk disclosures, sectors differ in how often they list third-party misuse among perceived threats. Companies in regulated sectors like healthcare and finance, for example, list risks associated with vendor vulnerabilities almost as frequently as they list the threat of cyber attack.
In contrast, companies in the information technology sector—and, indeed, most other sectors—are much less likely to specify third-party misuse as a significant threat. This is remarkable given the rise of information sharing between contracting companies as part of everyday business practice across industries.
We did note that IT companies tended to have the most detailed risk disclosures regarding compliance with U.S. and global privacy laws, and privacy’s impact on business. Companies selling enterprise software, cloud services, and related technologies must build privacy and security into their products and their brands. Because their products are globally distributed, moreover, they are exposed to worldwide data protection compliance concerns.
PII Risk Outweighs IP Concerns
Companies across sectors are more concerned about loss of PII than any other type of data. More than 60 percent reported that unauthorized disclosure of PII was a major risk factor for investors and potential investors, followed by disclosure of confidential information (54 percent). These numbers far exceed corporate concerns about loss of intellectual property or other proprietary information (45 percent). Although losing IP through cyber espionage puts companies at a disadvantage relative to their competitors, it does not necessarily expose them to liability, damage to reputation, or loss of consumer trust like a breach of PII.
Publicly traded U.S. companies are also alerting their investors to privacy legal compliance challenges – 43 percent of companies that disclose privacy risks list a risk of failing to comply with existing privacy and data protection laws and regulations, while 25 percent express concern about the potential for new laws and regulations and the difficulty of keeping up with a constantly shifting legal landscape.
One surprise in our study was a general lack of concern – or, more likely, awareness – regarding compliance with international data protection laws. We expect this to change as companies come to grips with the reality of the European Union’s General Data Protection Regulation, which applies from May 2018 and introduces fines for non-compliance of up to four percent of global annual revenue.
Brand and Reputation Most Vulnerable in Breach
Companies present the potential for harm to their brand or reputation as the main source of risk from losing PII or violating privacy legislation. Of the 114 companies that mention a privacy or security risk, 83 percent disclose concerns about reputational harm – a far greater number than those concerned with the risk of civil litigation (60 percent), regulatory enforcement (51 percent), costs of remediation (50 percent), increased expenses on security systems and personnel (42 percent), harm to relationships with consumers (39 percent) and business partners (24 percent), or lost time and productivity after a breach (20 percent).
Investments in privacy provide ROI in multiple ways. For many companies, baking privacy into products and services enhances customer confidence, and thus goodwill. Reducing risk of privacy breach through people, processes, training and awareness also results in fewer privacy incidents, which saves time and money down the road.
For companies doing business in the EU, moreover, privacy simply cannot be ignored or underestimated. The GDPR requires U.S. companies to understand and embrace the EU’s view of privacy as a fundamental right. With maximum penalties for noncompliance of two or four percent of global annual revenue, depending on the violation, the GDPR is likely to make its way into more 10-K risk disclosures in 2016.
Written by: Rita Heimes, CIPP/US, Research Director at the International Association of Privacy Professionals.