Privacy Disclosure and Auditing: An Exploratory Study

• In Event: Internal Controls

Abstract

This paper reports a study of privacy breaches in the U.S. from 2005-2011. We explore potential benefits of data privacy disclosure and auditing. Privacy auditing is a mechanism to help organisations to be vigilant in protecting information privacy, and to avoid penalties or damage to reputation and loss of customer trust. Recently, privacy audits have been imposed on several high-profile organizations, but little is known about the benefits of privacy audits. We examine whether companies with privacy disclosures in their audited financial statements (as a proxy for privacy audits) are more or less likely to incur subsequent privacy breaches, and whether companies incurring breaches are more or less likely to make privacy disclosures. The results show that there are empirical regularities. For most types of breach, and in our overall results, companies suffering a breach of privacy are more likely to disclose privacy risks afterwards. For some types of breach (unintended disclosure), disclosure of the risks is negatively related to subsequent privacy breaches although for some other types (intentional insider disclosure), disclosure before a breach is positively related to subsequent breaches. There are potential benefits from greater use of privacy disclosure and auditing, and this area is worthy of further investigation.

Authors

• David C Hay, University of Auckland

• Penica Cortez, University of Auckland