Priceline Group – Privacy and Data Security (2015)
Outcome: Successfully withdrawn after the company committed to update its Board’s Audit Committee charter and proxy materials to include responsibility regarding regulatory, legislative, and reputational privacy and data security risks that confront the company.
Digital technologies and online communications have created extraordinary business opportunities for Priceline; they may also present serious risks to privacy and data security.
Breaches of privacy and data security are a constant threat that can result from company negligence, weak policies or external attacks. Over the past year we have seen numerous breaches at major companies including eBay, Home Depot and Target.
A 2014 Pew poll indicates that only 12% of respondents believe that advertisers can be trusted to do what is right with personal data and 91% of adults “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies. Reputational risk for Priceline is very real.
In the Ponemon Institute’s 2014 “Cost of Data Breach Study: Global Analysis,” sponsored by IBM, the average cost to a company was $3.5 million, 15 percent more than the previous year.
Unauthorized collection, disclosure, or misuse of personal information can cause great harm to individuals and society – including discrimination, identity theft, financial loss, loss of business or employment opportunities, humiliation, reputational damage, questionable government surveillance or physical harm.
We believe Priceline’s Board has a fiduciary and social responsibility to protect company assets that include the personal information of a variety of stakeholders.
Other companies such as Apple, Google, Microsoft, AT&T, Hewlett-Packard and Time Warner Cable have clearly articulated where responsibility for privacy and data protection resides in the company governance structure.
Resolved, shareholders request the Board of Directors publish a report by October 2015, at reasonable expense and excluding confidential or proprietary information, explaining how the Board is overseeing privacy and data security risks.
It should be emphasized that the Proposal does not ask the Company to disclose risks, specific incidents, supplier relationships or legal compliance procedures; rather, we believe investors need to understand more fully how the Board is overseeing the concerns described above.
Carnegie Mellon University’s CyLab published a 2012 report (“How Boards and Senior Executives Are Managing Cyber Risks”) which we believe could be instructional in writing this report. Among CyLab’s recommendations for boards:
• “Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility.”
• “Review assessments of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans.”
• “Conduct an annual review of the enterprise security program and effectiveness of controls, to be reviewed by the board Risk Committee, and ensure that identified gaps or weaknesses are addressed.”
• “Require regular reports from senior management on privacy and security risks.”