Verizon – Cyber Security and Data Privacy (2018)
In September 2017, the Co-Director of the SEC’s Enforcement Division announced the creation of a “Cyber Unit” stating, “Cyber-related threats and misconduct are among the greatest risks facing investors and the securities industry.” Prior to becoming the Chairman of the SEC, Jay Clayton wrote that “cyber-threats are among the most urgent risk to America’s economic and national security and the personal safety of its citizens.”
In the United Kingdom, a Parliamentary committee studying cyber security recommended: “To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.”
Verizon has made several policy commitments regarding data privacy and data security. However, there is significant evidence that Verizon has not been successful at implementing those commitments and/or faces significant challenges to doing so.
In 2016, Fortune reported that “Verizon’s division that helps Fortune 500 companies respond to data breaches, suffered a data breach of its own … [including] information on some 1.5 million customers of Verizon Enterprise.”
In July 2017, the Washington Post reported that a “communication breakdown and a vacationing employee were the reasons it took more than a week to close a leak [in June] that contained data belonging to 6 million Verizon customers.”
In October 2017, it was announced that all 3 billion accounts in subsidiary Yahoo had been breached prior to its acquisition by Verizon.
With its acquisition of AOL and Yahoo and the combination of these firms into a new digital media and advertising company called Oath, Verizon now reportedly aims in coming years to double its advertising reach to 2 billion people in Latin America, Asia and Europe. CNBC reported that Oath is “working with third parties to provide more transparency in telling marketers where their ads are running.” This will require sharing information and will depend on the security and policies of vendors and other third-party partners. When asked about recent data breaches, Oath’s chief revenue officer, John DeVine, “called it an ‘industry problem’ and pointed to the latest hack involving Equifax,” according to CNBC.
As these risks are significant, we believe it is advisable for the board to explore integrating cyber security and data privacy metrics into executive compensation.
Resolved: Verizon shareholders request the appropriate board committee(s) publish a report (at reasonable expense, within a reasonable time, and omitting confidential or proprietary information) assessing the feasibility of integrating cyber security and data privacy metrics into the performance measures of senior executives under the company’s compensation incentive plans.
Supporting Statement: Currently, Verizon links senior executive compensation to diversity metrics and carbon intensity metrics. Cyber security and data privacy are vitally important issues for Verizon and should be integrated as appropriate into senior executive compensation as we believe it would incentivize leadership to reduce needless risk, enhance financial performance, and increase accountability.