ESG Investing

Why Data Privacy Is an ESG Issue

More than one recent corporate scandal has brought data privacy issues into sharp focus, highlighting the serious potential costs that can arise from the misuse and theft of customers’ personal information.

Data Privacy and ESG

Data privacy issues have had consequences for the finances of several high-profile companies. Security breaches at Yahoo, for example, put the personal information of one billion users into the hands of hackers—and ultimately lowered the price Verizon paid to acquire the business last year by $350 million. Increases in security and legal costs at consumer credit reporting agency Equifax pushed its operating expenses to new highs in fall 2017 after a cybersecurity attack compromised the data of nearly 150 million consumers. And in perhaps the best-known case of the recent past, Facebook acknowledged that Cambridge Analytica had harvested data from 87 million customer accounts without users’ clear consent. The company’s costs grew 50% to $7.4 billion in the third quarter of 2018, at least in part due to improvements in data handling and safety.

So it makes sense that data privacy has been under discussion by tech companies and users alike—and has become increasingly important for many environmental, social, and governance (ESG) investors.

As these issues gain attention as a material factor for socially conscious investors, the work of organizations like ESG ratings agency Sustainanalytics gains new relevance. The organization recently published a research paper analyzing the overall data privacy positioning of seven tech giants—Facebook, Apple, Amazon, Netflix, Google, Microsoft, and Twitter, also known as the FAANG+ stocks. Sustainanalytics singled out Apple has having both strong privacy management and a relatively low-risk business model in terms of privacy. “Apple tracks user behavior and extracts insights but limits the monetization of that data to the confines of its own business,” write the report’s authors. “It limits the personal data it can access by design, choosing to house the data it collects locally on user devices.” At the other end of the scale, Sustainanalytics named Amazon and Facebook as being “particularly vulnerable” due to their business models and relatively weak data management programs.

Beyond risks to investors, data privacy issues are human rights issues, which fall under the “S” of ESG. According to Human Rights Watch, “Comprehensive data protection laws are essential for protecting human rights—most obviously, the right to privacy, but also many related freedoms that depend on our ability to make choices about how and with whom we share information about ourselves.”

Encouraging Signs for the Future

In light of the myriad concerns raised by data privacy risks, organizations have begun adopting new precautions and regulations to keep data secure. For example, new General Data Protection Regulation (GDPR) rules aim to help save EU citizens from the costs of privacy and data breaches.

Crucially, the new EU directive, which came into effect in May 2018, has a much-expanded geographical reach compared to the scope of prior data rules, applying to companies that process the data of EU citizens even if the firms themselves are based outside the European Union. Companies in breach of the GDPR can be fined the greater of 4% of their annual revenues or €20 million. There’s no easy route to compliance for some of the biggest technology firms when it comes to such rules. For example, Microsoft claims to have at least 1,600 engineers dedicated to ensuring that its products are compliant with GDPR.

Encouragingly, a recent survey by IBM revealed that almost 60% of firms planned to use GDPR as a catalyst to improve their data privacy, security, and management. It also found that 70% of companies planned to reduce the amount of data they were collecting and managing. Tighter restrictions on privacy and the various well-publicized cyberattacks appear to have already translated into increased investments in cybersecurity. According to research firm Gartner, spending on data security is estimated to rise above $114 billion in 2018, a 12.4% increase from the prior year.

Countries such as China, Russia, Australia, and Germany also have also created their own regulations preventing certain personal data on their citizens from being stored outside their borders. India has become one of the latest countries to consider similar measures on data localization.

While to date the United States has no comprehensive federal law regulating data security—only sector-specific rules such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, along with various state laws—organizations like the Digital and Cyberspace Policy program are putting forward recommendations that would see the US “join other advanced economies in their approach to data protection by creating a single comprehensive data-protection framework.” And according to The Guardian, representatives from Silicon Valley companies like Amazon, Apple, Google, and Twitter have signaled support of the general idea of a federal data security law.

The rising profile of data privacy issues among socially responsible investors and the rest of the world stands to positively impact the lives of billions of people. Many companies’ business models rely heavily on users trusting that their data will be secure, safe not only from hackers but also from the companies themselves. Users want to know that their understanding of how their information is used by a company is accurate—something that hasn’t always been true. So despite improvements, data privacy issues in their full scope haven’t yet been resolved, positioning ESG investing to play an ongoing role in the information-driven, digital world so many participate in.