Cyber security at Disney would benefit from clear links between senior executive performance metrics and compensation. Cyber security and data privacy are vitally important issues for Disney and should be integrated as appropriate into senior executive compensation to incentivize leadership to reduce needless risk, enhance financial performance, and increase accountability.
In its opposition statement to my proposal, which will be presented at the March 7, 2019 annual shareholders meeting, Disney argues their current program of cyber security at Disney
allows the [Compensation] Committee to incentivize those executives with direct responsibility for data security and data privacy on an individual basis, and does not put undue emphasis on these matters for executives who do not have direct responsibility for these matters. (my emphasis)
The requested report would not limit integration of cyber security metrics to the performance measures of senior executives with “direct responsibility for these matters,” since rewarding executives for risk mitigation by their staff as well as growth generation is critical to Disney maintaining its stature as a trusted brand. By way of analogy, if a parent leaves their child with an unqualified, irresponsible babysitter, they are not absolved of any harm that may ensue, even though the babysitter has direct responsibility over the child during the babysitting period.
Legally, a parent might be charged with child endangerment if they acted irresponsibly without properly vetting the babysitter or going over what to do in an emergency. Disney appears to be allowing the parent to be absolved of responsibility or at least does not put “undue emphasis” on such matters. Just what “undue emphasis” by executives regarding cyber security would be at Disney is not explained. The requested report would provide answers.
Disney may be especially vulnerable due to the depth of information it collects, including about children, who are subject to more stringent data protection laws. High-profile cyber attacks and allegations have given the entertainment industry an image problem. Disney has adopted systems to address these issues. But as we have seen at companies like Equifax, Facebook, Target, and many others, systems can be improved. Linking pay with performance could make a big difference.
The stakes are incredibly high. In September 2017, the Co-Director of the SEC’s Enforcement Division announced the creation of a “Cyber Unit” stating, “Cyber-related threats and misconduct are among the greatest risks facing investors and the securities industry.” Prior to becoming the Chairman of the SEC, Jay Clayton wrote, “cyber-threats are among the most urgent risk to America’s economic and national security and the personal safety of its citizens.”
@PrivacyProf, CEO of The Privacy Professor, about the board’s opposition:Rebecca Herold
I disagree with the Board’s explanation that such metrics are unnecessary to provide to shareholders. And, they most certainly could enhance security and privacy if the shareholders followed up and found a glaringly insufficient data security or privacy practice and demanded that it be addressed. That would enhance security and privacy… but at an expense that the Board probably would not want to invest…
I anticipate Disney’s lawyers are advising not to give such information, since, from most lawyers’ perspectives, the less the public, and apparently in this case shareholders, know about the specifics of the organizations data security and privacy practices, the fewer liabilities they would have in the event of a security incident or privacy breach.
Disney should assess integrating cyber security and data privacy metrics into the performance measures of senior executives under its compensation incentive plans. The proposal does not dictate a outcome or timeline. It does not seek to prescribe how compensations plan would be constructed or how much weight cyber security and data privacy would be given. Assessment of cyber security at Disney will not be burdensome.
Vote to protect our children; vote FOR item #5 on the proxy ballot.