'Privacy Auditing: An Exploratory Study' by Penica Cortez and David Hay (University of Auckland) reports an exploratory study of privacy breaches in the U.S. from 2005-2011 to explore potential benefits of data privacy auditing. Privacy auditing is a mechanism to help organisations to be vigilant in protecting information privacy, and to avoid penalties or damage to reputation and losing customer trust. Recently, privacy audits have been imposed on several high-profile organizations, but little is known about the benefits of privacy audits. We examined whether companies with privacy disclosures in their audited financial statements (as a proxy for privacy audits) were more or less likely to incur subsequent privacy breaches, and whether companies incurring breaches were more or less likely to make privacy disclosures. The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a breach of privacy related to credit cards are more likely to disclose privacy risks afterwards. Disclosure after a breach is negatively related to privacy breaches related to hacking, and disclosure before a breach is positively related to breaches concerning insider trading. These results may be related to the risk of privacy breaches. Privacy disclosure in the regulatory risks section of a 10K report is associated with a larger number of records affected by a breach of privacy. We also examined the extent of damages arising from privacy breaches, but there are not enough observations to draw a conclusion.
The authors conclude -
The current study has been motivated by media, professional and academic attention devoted to information privacy concerns and possible benefits of privacy auditing. To provide initial evidence for possible economic benefits of data privacy auditing, the current study examined whether privacy disclosure in the audited financial statements as a proxy for privacy auditing was associated with the type of privacy breach. We found that there are significant associations, and these suggest possible impacts of privacy auditing. Some types of breach are less frequent when there is a privacy disclosure before the breach occurs; while in other cases, the disclosure is more frequent after a breach. We also investigated the relationship between having privacy policies audited and the number of total records breached. These were associated with type of disclosure. We examined total damages. These results were not as clear, partly due to the small number of observations available.
Because this issue is very new and topical, only limited information is available. This gives rise to a number of limitations. Firstly, the use of disclosures in 10K reports regarding data privacy as a proxy for privacy auditing is a clear limitation of the study. Audit reports or disclosures disclosing actual privacy auditing are not available. As a result, a proxy measure has been applied. This is a limitation because even though having a statement about privacy in the 10K report may indicate the company's commitment to data privacy, these companies may not necessarily have their privacy policy audited. However, statements in 10K reports regarding privacy serve as a reasonable proxy because auditors have the responsibility to make sure that these statements are not misleading.
In addition, the website primarily used to collect data regarding privacy breaches may not contain a comprehensive list of privacy breaches. It is restricted to U.S. companies and breaches; and information regarding breaches is primarily gathered from news reports collected by and/or reported to other non-profit public organisations advocating for privacy. The number of actual privacy breaches can be expected to be larger than what is reported in the media. Several U.S. states have enacted security breach notification laws requiring that the public or relevant authorities be notified when a breach occurs (Gunasekara, 2012). Databases maintained by the states may therefore be used for greater data availability and larger sample size in future.