There is no 'safe haven' for investors when it comes to data security and the onus is on them to scrutinise management

Natasha Lamb, Corey Johnson and Michael Connor
Published at The Guardian

"Your secrets are safe with us." That basic message is conveyed every day, directly or indirectly, by businesses that handle the personal information of virtually every American.

Looking for a mortgage? Tell us how much you owe and how much you earn. Think you might have a health problem? Tell us your age, gender and medical history. Want to buy a new pair of shoes? Please provide your size, preferred colour, style and zip code – and, by the way, how did that last pair work out for you?

These inquiries may seem like a slight nuisance, but the repercussions are broad. As the global economy shifts to a digital economy, data has become the lifeforce of commerce. Big data is big business, presenting enormous opportunities for economic growth. But not without risk – data privacy and security have quickly become critical business and social risks, leading us to question whether, in fact, our secrets are safe.

How are companies handling those vast terabytes of personal information? Have adequate measures been taken to ensure it can't be hacked by foreign governments, criminals, or thrill-seeking computer activists? And do the companies we place our faith in have appropriate policies and practices to ensure they're protecting the privacy we as consumers want and demand?

Assessing the risks

While privacy is vital to consumers, ensuring proper data management is also critical to investors in publicly-held US companies. Our research shows that even the largest and most sophisticated enterprises may not be adequately prepared to deal with these challenges.

The Securities and Exchange Commission highlighted the importance of the problem in 2011 when it issued guidelines requiring public companies to disclose the material risks of cyber incidents. According to the Ponemon Institute, they're significant. Companies spend $5.5m on average, or roughly $194 per customer, to resolve data breach issues. Ponemon also found breaches can diminish brand value and reputation by 17-31%, or $184m to over $330m.

This February, President Obama declared that the "cyber threat is one of the most serious economic and national security challenges we face as a nation" and that "America's economic prosperity in the 21st century will depend on cybersecurity."

As such, technologically savvy data collection practices are drawing the attention of regulators and legislators. The Federal Trade Commission has opened an inquiry into the practices of data brokers that collect, resell, and analyse consumer data, while, only last month, Senator Jay Rockefeller, chairman of the Senate Committee on Commerce, Science and Transportation, held hearings to determine why the "Do Not Track" consumer privacy mechanism has not been adopted by the online advertising industry.

Role of investors

Despite the growing risks, a 2012 survey of corporate executives by Carnegie Mellon's CyLab concluded that "boards are not actively addressing cyber risk management." And our own research of Fortune 500 companies reveals that large numbers fail to include privacy and data security as a responsibility for any of their board committees.

We believe boards have a fiduciary and social responsibility to protect company assets, including the personal information of their customers. That's why, earlier this year, we introduced shareholder proposals asking three companies – Apple, Amazon and eBay – to explain how their boards oversee privacy risk.

Each of these companies responded similarly and favourably, acknowledging the critical nature of privacy and data security and amending their board committee charters to clarify and improve oversight. We hope to continue a dialogue with Apple, Amazon and eBay in the year ahead, and to expand the dialogue to many more companies. After all, privacy and data security pose material risks across a spectrum of industries.

Big data, bigger challenges

In coming years, privacy and data security are increasingly likely to be perennial issues in the boardroom.

Banks need to be mindful of the dangers of digital red-lining. For instance, if you Google "credit score" or "bankruptcy" might it make it more difficult to get a mortgage? And if it does, does that invite class-action lawsuits, or greater regulation for an industry already suffering severe reputational damage?

Retailers are now combining data collected online and offline with mobile payment systems – despite research showing Americans overwhelmingly reject payment systems that track their movements and share personal information with retailers. Is there a danger of consumer push-back?

And medical records – perhaps the most sensitive information - are increasingly digital. According to the US Department of Health and Human Services, from 2009 to 2012, about 21 million patients had their medical records exposed in data security breaches that were big enough to require that they be reported to the federal government.

There is no "safe haven" for investors when it comes to privacy and data security, as clear risks exist for companies of all shapes and sizes. The onus is on investors to question how management is dealing with these issues. If companies aren't adequately addressing privacy and data security risks – and there's abundant evidence that's the case – shareholders need to highlight the gravity of the issue. For the 21st century digital economy to thrive, we all need assurance our personal secrets are, indeed, safe.

Natasha Lamb is vice president, shareholder advocacy and corporate engagement, at Trillium Asset Management LLC; Corey Johnson is sustainability research analyst at Pax World Funds; Michael Connor is executive director of Open MIC, a non-profit organisation that works with companies and investors on open media issues.