Published: December 2020
The U.S. Securities and Exchange Commission requires most publicly traded companies to disclose potential risk factors to investors annually in their Form 10-K submissions. Beginning in 2017, the IAPP studied these disclosures to assess not just whether companies have been disclosing personal data processing practices and privacy regulations as a risk, but also, increasingly, what business harms the organizations faced for getting privacy wrong.
For the first several years of our study, we reviewed the risk disclosures of up to 150 of the largest publicly traded companies in the U.S., across industries, attempting to quantify their collective sense of privacy risk. This year, the IAPP’s Westin Research team took a different approach, focusing on six key industry sectors and reviewing the privacy risk disclosures published by a selection of five companies in each sector. The industry sectors we chose to focus on are business-to-consumer technology, business-to-business technology, pharmaceuticals and health services, banking and finance, brick-and-mortar retail, and health insurance.
We found that across industries, there is growing concern about the cost of compliance with a rapidly evolving privacy regulatory landscape. Even industries structured for regulatory compliance, such as the financial services and health/pharma industry sectors, see privacy law compliance as at least a short-term business risk due to the global variance in privacy laws, concerns about lawful international data transfers, and the interconnectedness of data storage and analytics services with multiple third parties.