Bruce Schneier’s blog points us to a recent article by Penica Cortez and David Hay. Here’s the Abstract:
This paper reports an exploratory study of privacy breaches in the U.S. from 2005-2011 to explore potential benefits of data privacy auditing. Privacy auditing is a mechanism to help organisations to be vigilant in protecting information privacy, and to avoid penalties or damage to reputation and losing customer trust. Recently, privacy audits have been imposed on several high-profile organizations, but little is known about the benefits of privacy audits. We examined whether companies with privacy disclosures in their audited financial statements (as a proxy for privacy audits) were more or less likely to incur subsequent privacy breaches, and whether companies incurring breaches were more or less likely to make privacy disclosures. The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a breach of privacy related to credit cards are more likely to disclose privacy risks afterwards. Disclosure after a breach is negatively related to privacy breaches related to hacking, and disclosure before a breach is positively related to breaches concerning insider trading. These results may be related to the risk of privacy breaches. Privacy disclosure in the regulatory risks section of a 10K report is associated with a larger number of records affected by a breach of privacy. We also examined the extent of damages arising from privacy breaches, but there are not enough observations to draw a conclusion.
You can download the full article from SSRN.