40 Pages. Posted: 30 May 2013. Last revised: 17 Sep 2014
Date Written: September 3, 2014
This paper reports a study of privacy breaches in the U.S. from 2005-2011. We explore potential benefits of data privacy disclosure and auditing. Privacy auditing is a mechanism to help organisations to be vigilant in protecting information privacy, and to avoid penalties or damage to reputation and loss of customer trust. Recently, privacy audits have been imposed on several high-profile organizations, but little is known about the benefits of privacy audits. We examine whether companies with privacy disclosures in their audited financial statements (as a proxy for privacy audits) are more or less likely to incur subsequent privacy breaches, and whether companies incurring breaches are more or less likely to make privacy disclosures. The results show that there are empirical regularities. For most types of breach, and in our overall results, companies suffering a breach of privacy are more likely to disclose privacy risks afterwards. For some types of breach (unintended disclosure), disclosure of the risks is negatively related to subsequent privacy breaches, although for some other types (intentional insider disclosure), disclosure before a breach is positively related to subsequent breaches. These results show that privacy disclosure in the audited financial statements is associated with certain types of privacy breaches and disclosure in the regulation section is associated with a greater number of records affected by the breach. There are potential benefits from greater use of privacy disclosure and auditing, and this area is worthy of further investigation.
Keywords: Privacy auditing, Data privacy
JEL Classification: L86, M41, O34
Suggested Citation:
Cortez, Penica and Hay, David, Privacy Disclosure and Auditing: An Exploratory Study (September 3, 2014). Available at SSRN: https://ssrn.com/abstract=2271871 or http://dx.doi.org/10.2139/ssrn.2271871