Kris Somers

2021 - the year in privacy risk review

The U.S. Securities and Exchange Commission requires most publicly traded companies to annually disclose in their Form 10-K submissions potential risk factors to investors. Beginning in 2017, the International Association of Privacy Professionals (IAPP) studied these disclosures to assess not just whether companies have been disclosing personal data processing practices and privacy regulations as a risk, but also increasingly what business harms the organizations faced for getting privacy wrong.


In this year’s study, the IAPP’s Westin Research team focused on six key industry sectors and reviewed the privacy risk disclosures published by representative companies in each sector.


The industry sectors they chose to focus on are business-to-consumer technology, business-to-business technology, banking and finance, traditionally brick-and-mortar retail, pharmaceuticals and health services, and health insurance.

Although each industry sector perceives privacy and security risks through a particular lens, there were clear trends across all sectors:

  • The sudden and unexpected shift to working from home due to the COVID-19 pandemic created new and additional information security risks for firms.

  • Although cybersecurity concerns have always been the top privacy-related disclosed risk, a significant number of 10-K disclosures emphasized the sophistication and unpredictability of cyberthreats today, including the high potential for a ransomware incident.

  • Companies are now fully aware of how interconnected their information systems are with those of their business partners and tech vendors, leading to enhanced security and privacy risks.

  • New and proposed privacy regulations in the U.S. and around the world create uncertainty, which creates compliance cost and risk.

  • And finally, even existing privacy regulations, like the EU General Data Protection Regulation, are sufficiently dynamic and complex that compliance remains a moving target — especially, in 2021, for personal data transfers from the European Union.

You can read the full 2021 report here.
