The U.S. Securities and Exchange Commission requires most publicly traded companies to disclose potential risk factors annually, including cybersecurity concerns. The IAPP's second annual study of the disclosure statements of 150 publicly traded companies shows that 100 percent of these companies identify cyber attacks in their 2016 10-K reports as current and ongoing risks, up from 86 percent in reports filed in 2015.
Losing customers' or employees' personally identifiable information (PII) remains first among disclosed information-related risks (87 percent). Moreover, among companies disclosing privacy risk, reputational harm is the consequence of greatest concern (95 percent), well ahead of legal damages or regulatory penalties (69 percent) and remediation expenses (66 percent).
Despite the fear of reputational harm, only 9 percent of companies specifically mention concern over compliance with state data breach laws and regulations. Indeed, companies continue to discuss compliance-related risks only in general terms, with 53 percent of companies citing general compliance with existing U.S. data privacy laws and 37 percent identifying compliance with non-U.S. regulations as risks to their investors. These numbers stand in stark contrast to the 10 percent that specifically mention HIPAA/HITECH compliance and the less than 6 percent that specifically mention the U.S.-EU data transfer mechanism known as Privacy Shield.
Although more than half of the 150 surveyed disclosure statements mention the introduction of new privacy laws and legal standards as a risk, only about one in 10 (11 percent) specifically name the EU's forthcoming General Data Protection Regulation (GDPR) as a compliance risk. While these numbers represent a slight uptick from last year's findings, we anticipate more mention of the GDPR in next year's report, given the regulation's May 2018 enforcement date.
In this study’s Annex we include sample language used by selected companies in various industries to help you identify the emerging nomenclature of privacy risks.