Verizon – Cyber Security and Data Privacy (2019)
In September 2017, the Co-Director of the SEC’s Enforcement Division announced the creation of a “Cyber Unit” stating, “Cyber-related threats and misconduct are among the greatest risks facing investors and the securities industry.”
In February 2018, in issuing guidance for preparing disclosures about cybersecurity risks and incidents, Chairman Clayton emphasized “cybersecurity is critical to the operations of companies and our markets.”
In the United Kingdom, a Parliamentary committee studying cyber security recommended: “To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.”
Consistent with that recommendation, Consolidated Edison’s long-term incentive plan includes cyber security.
Verizon has made several policy commitments regarding data privacy and data security. However, there is significant evidence that Verizon has not been successful at implementing those commitments, faces significant challenges to doing so, and/or engages in risky behavior.
In 2016, Fortune reported that “Verizon’s division that helps Fortune 500 companies respond to data breaches, suffered a data breach of its own … [including] information on some 1.5 million customers of Verizon Enterprise.”
In July 2017, the Washington Post reported that a “communication breakdown and a vacationing employee were the reasons it took more than a week to close a leak [in June] that contained data belonging to 6 million Verizon customers.”
In October 2017, it was announced that all 3 billion accounts in subsidiary Yahoo had been breached prior to its acquisition by Verizon.
In 2018, following revelations from Senator Ron Wyden that about 75 companies had access to Verizon customers’ locations, the company announced it would wind down the relationships where it allowed that access.
While the tech industry refuses to scan emails for information to sell to advertisers, Verizon unit Oath continues to do so and pitches these services to advertisers.
As these risks are significant, we believe it is advisable for the board to explore integrating cyber security and data privacy performance measures into the Verizon executive compensation program.
Resolved: Verizon shareholders request the Human Resources Committee of the Board of Directors publish a report (at reasonable expense, within a reasonable time, and omitting confidential or proprietary information) assessing the feasibility of integrating cyber security and data privacy performance measures into the Verizon executive compensation program which it describes in its annual proxy materials.
Supporting Statement: According to pages 34 and 35 of Verizon’s 2018 proxy materials, the Verizon Short-Term Incentive Plan included adjusted EPS, free cash flow, total revenue, and diversity and sustainability. Cyber security and data privacy are vitally important issues for Verizon and should be included too, as we believe it would incentivize leadership to reduce risk, enhance financial performance, and increase accountability.