The Effectiveness of Privacy Audits
This study concludes that there is a benefit to forcing companies to undergo privacy audits: “The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a breach of privacy related to credit cards are more likely to disclose privacy risks afterwards. Disclosure after a breach is negatively related to privacy breaches related to hacking, and disclosure before a breach is positively related to breaches concerning insider trading.”
Julien Couvreur • July 9, 2013 2:53 PM
Could you comment on what you see as the difference between security and privacy considerations?
Personally, I treat the two the same, except that privacy involves a unique set of risks.
The paper also uses “privacy breach” and “security breach” interchangeably.
In that light, I don’t see anything surprising or unexpected in this paper: audits are a way to enumerate and evaluate risks and mitigations (for features, security, privacy, …), so they should improve those. Otherwise, what’s the point?