By SecureWorld News Team
Wed | Mar 6, 2019 | 9:01 AM PST

Privacy and cybersecurity are listed for consideration at Disney's 2019 stockholder meeting.

The Walt Disney Company is telling shareholders to vote no on a proposal that might lead to new privacy and cybersecurity metrics being linked to senior executive compensation.

Disagreement about cybersecurity and privacy at Disney

The company's annual report to shareholders starts with a friendly face and a smile.

But on page 68, we see a difference of opinion is brewing. Some shareholders are proposing that Disney consider additional security and privacy metrics that could be tied to executive compensation.

Without all the caveats, the proposal reads like this:

"Shareholders of The Walt Disney Company ask our board of directors to publish a report assessing the feasibility of integrating additional cybersecurity and data privacy metrics into the performance measures of senior executives...."

And the argument in support of the proposal is a compelling one:

The key point is that integrating additional metrics could, "... incentivize leadership to reduce needless risk." And, "rewarding executives for risk mitigation as well as growth generation will better position Disney as a trusted brand."

Disney Board of Directors: vote against studying privacy and security metrics

In response to the proposal, Disney's Board of Directors says the company (and its executives) don't need to look at additional metrics in this area:

Is it accurate to say that simply looking at additional metrics "would not promote enhanced protection of data security and data privacy" without at least giving it a shot?

We asked SecureWorld contributor @PrivacyProf Rebecca Herold, who is CEO of The Privacy Professor, about the statement above.

"I disagree with the Board’s explanation that such metrics are unnecessary to provide to shareholders. And, they most certainly could enhance security and privacy if the shareholders followed up and found a glaringly insufficient data security or privacy practice and demanded that it be addressed. That would enhance security and privacy… but at an expense that the Board probably would not want to invest."

Why would Disney be against additional privacy and security metrics?

Why would a company that has built up generations of trust and brand loyalty pass up the opportunity to kick the tires on its security and privacy metrics?

Herold thinks she knows why.

"I anticipate Disney’s lawyers are advising not to give such information, since, from most lawyers’ perspectives, the less the public, and apparently in this case shareholders, know about the specifics of the organization's data security and privacy practices, the fewer liabilities they would have in the event of a security incident or privacy breach."

And she says a challenge with cybersecurity and privacy metrics is that they can be viewed subjectively. Is a score of 8 out of 10 good or bad? Those in privacy and security know that nothing is foolproof and that everything comes down to degrees of risk. But in a court of law, or in the court of public opinion, it does not work that way.

"Some would view an 8 out of 10 as being failing in 20% of the things the organization should be doing to mitigate security and privacy risks to acceptable levels. The CFO and other executives are probably also afraid such news, if made public, would lower their stock value," Herold said.

Who holds the risk at Walt Disney?

One thing we've heard repeatedly from security leaders at SecureWorld conferences across North America over the last couple of years is that cyber risk is business risk.

And that concept is why Dr. Larry Ponemon of the Ponemon Institute tells us his research shows a significant change taking hold:

"CISOs are shifting into a coaching role. Lines of business are taking on more responsibility for the risk, and so we're seeing more CISOs go from holding all the risk to becoming more like a coach, helping all lines of business to understand the things that need to be done to ensure cybersecurity."

We have no idea if The Walt Disney Company is a part of this shift.

However, the stockholder report makes clear that when it comes to compensation plans, risk belongs squarely on the shoulders of those in privacy and cybersecurity roles.

"... the program promotes consideration of non-financial performance factors in setting individual awards which includes an assessment of individual executives’ fulfillment of direct responsibilities. The performance of an individual executive with responsibility for data security and privacy matters would already be considered in this context. The Board believes this is the correct approach. It allows the Committee to incentivize those executives with direct responsibility for data security and data privacy on an individual basis, and does not put undue emphasis on these matters for executives who do not have direct responsibility for these matters."

Will this 2019 Disney shareholder proposal get any traction? That depends not only on how shareholders vote, but also on whether they vote at all.


Update: the privacy and security metrics proposal was soundly defeated on March 7, 2019, with only 26% of shareholders voting to approve it.

Read for yourself: Walt Disney Annual Report and Proxy Statement