Published: December 2021
The U.S. Securities and Exchange Commission requires most publicly traded companies to disclose potential risk factors to investors annually in their Form 10-K submissions. Beginning in 2017, the IAPP studied these disclosures to assess not just whether companies have been disclosing personal data processing practices and privacy regulations as a risk, but also, increasingly, what business harms the organizations faced for getting privacy wrong.
In this year’s study, the IAPP’s Westin Research team focused on six key industry sectors and reviewed the privacy risk disclosures published by representative companies in each sector. The industry sectors we chose to focus on are business-to-consumer technology, business-to-business technology, banking and finance, traditionally brick-and-mortar retail, pharmaceuticals and health services, and health insurance.
Although each industry sector perceives privacy and security risks through a particular lens, there were clear trends across all sectors:
- The sudden and unexpected shift to working from home due to the COVID-19 pandemic created new and additional information security risks for firms.
- Although cybersecurity concerns have always been the top disclosed privacy-related risk, a significant number of 10-K disclosures emphasized the sophistication and unpredictability of today's cyberthreats, including the high potential for a ransomware incident.
- Companies are now fully aware of how interconnected their information systems are with those of their business partners and tech vendors, leading to heightened security and privacy risks.
- New and proposed privacy regulations in the U.S. and around the world create uncertainty, which creates compliance cost and risk.
- And finally, even existing privacy regulations, like the EU General Data Protection Regulation, are sufficiently dynamic and complex that compliance remains a moving target — especially, in 2021, for personal data transfers from the European Union.
Previous Privacy Risk Study Reports
Listed below are previously published versions of the IAPP Privacy Risk Study report, dating back to 2015.
- Privacy Risk Study 2020
- Privacy Risk Study 2018: Privacy law compliance and litigation deemed significant risk factors
- Privacy Risk Study 2017: PII Remains Top Information Risk
- Privacy Risk Study 2016: Loss of PII Is Top Digital Risk for Public Companies
- Privacy Risk Study 2015: Assessing and Mitigating Privacy Risk Starts at the Top