The shareholder proposal references a recent study conducted by Carnegie Mellon University’s Cylab that made various recommendations to boards including, annual reviews of privacy and security programs to gage effectiveness and identify gaps and requiring regular privacy and security reports from management. The interest in privacy and security as risk management issues at both the shareholder and board level is increasing. A recent study conducted by Corporate Board Member & FTI Consulting, Inc. surveyed 11,340 corporate directors and 1,957 general counsel regarding legal risks on their radar. For the first time in the 12 years since the study has been conducted, data security was noted as the most prevalent concern among both directors (48 percent) and general counsel (55 percent). This level of concern has almost doubled in the last four years. For instance, in 2008, only 25 percent of directors and 23 percent of general counsel identified data security as an area of great concern. Moreover, 33 percent of general counsel surveyed believe their board is not effective at managing cyber risk. This is one of the lowest ratings among the 13 risk management areas surveyed.
When asked whether their company had a plan in place to manage a data breach should one occur, only 42 percent of directors said their company had a formal Incident Response Plan. Twenty-seven percent responded that their company had no such plan and 31 percent were uncertain. Despite acknowledging such unpreparedness, 77 percent of directors and general counsel still believe their company is prepared to handle a data breach. There is a serious concern, however, given the disconnect between having written response plans and the perception of preparedness. Apple shareholders are recognizing that disconnect and apparently want to ensure that its Board has adequately addressed it. The proposal will be voted on at Apple’s 2013 Annual Meeting.