ESG Investing and Data Privacy
By Nate Velarde | March 31, 2019
Much of the focus on how to better protect individuals’ data privacy revolves around legal remedies and more stringent regulatory requirements. Market-based solutions are either not discussed or seen as unrealistic, ineffective or impractical. However, the “market” in the form of “responsible” or “sustainable” driven investors are imposing market discipline on companies with insufficient data privacy safeguards through lower share prices and redirecting investment capital to those companies with lower data privacy risks. Responsible investing as a market force is poised to grow dramatically. Blackrock, the world’s largest asset manager, is forecasting that responsible investing strategies will comprise 21% of total fund assets by 2028, up from only 3% today.
Responsible investing involves the integration of environmental, social and governance (“ESG”) factors into investment processes and decision-making. Many investors recognize that ESG information about companies is vital to understand a company’s business model, strategy and management quality. Several academic studies have shown that good corporate sustainability performance is associated with good financial results and superior investment returns. The best known ESG factors having financial relevance are those related to climate change. The reason for this is that climate change is no longer a hypothetical threat, but one that is real with multi-billion dollar consequences for investment portfolios.
Why Do ESG Investors Care About Data Privacy?
ESG investors are becoming increasing focused on data privacy issues. Under the ESG framework, data privacy is considered a human rights issue – falling under the “S” of ESG. Privacy is a fundamental human right, according to international norms established by the United Nations, the US and EU constitutions, but it is increasingly at odds with the business models of technology companies. As these companies have become more reliant on personal data collection, processing and distribution, they have faced increased scrutiny from users and regulators, heightening reputational, litigation and regulatory risks.
Data has been dubbed the “new oil”, the commodity that powers the digital economy. But, as investors are finding, scandals caused by privacy breaches can be just as damaging to tech behemoths as oil spills are to fossil fuel companies. Facebook-Cambridge Analytica was the tech industry’s Exxon-Valdez moment in regards to data privacy. $120 billion was wiped off Facebook’s market value in the aftermath of the scandal. Many of the sellers were ESG investors who sold the stock because of what they perceived as Facebook’s poor data stewardship.
For ESG investors, data privacy risk has become a crucial metric in assessing the companies in which they invest. ESG funds are pushing companies to be more transparent in their data-handling processes (collection, use and protection) and privacy safeguards with shareholders. ESG investors want companies to be proactive and self-regulate rather than wait for government involvement, which often tends to be overbearing and ultimately, more damaging to long-term profitability.
How ESG Investors Advocate for Data Privacy
ESG investors have three levers to advocate for stronger privacy safeguards – one carrot and two sticks. The first is dialog with senior management. As shareholders and/or potential shareholders, ESG investors are given the opportunity to meet regularly with the CEO, CFO and other key executives. ESG investors use their management face time to discuss business opportunities and risks, of which privacy, is top of mind. ESG investors can highlight any deficiencies in privacy policies (relative to what they see as industry best practice) and advocate for increased management and board oversight, spending on privacy and security audits and staff training and helping shift the mindset of executives towards designing in privacy into their products and servives. The key message ESG investors convey to tech executives is that companies that are better at better managing privacy risks have a lower probability of suffering incidents that can meaningfully impact their share price. Any direct incremental expenses associated with privacy risk mitigation is miniscule (in dollar terms) compared to the benefits of a higher share price valuation that is associated with lower risk.
As demonstrated by the Facebook-Cambridge Analytica share price sell-off in mid-2018, ESG investors’ second lever is to vote with their feet and sell their shares if companies fall short of data privacy expectations. Large share price declines are never pleasant, but they are often temporary. As long as business model profitability is not permanently impaired, the share price will eventually recover in most cases. Management may not feel enough pain to see through the hard work of implementing the technical and cultural changes required to adequately protect their users’ data. This is when ESG investors’ third lever can be deployed. Acting in concert with other shareholders, ESG investors’ can engage in a proxy fight and vote to replace the company management and/or board with one more focused on data privacy concerns. The mere threat of a proxy fight has proved to be a powerful catalyst for change at many companies across many industries. While this has yet to happen specifically in regards to data privacy, given the growing market power of ESG investors and their focus on privacy issues, that day is likely to come sooner, rather than later.
Data privacy researchers and advocates should establish relationships with ESG investors, ESG research firms (Sustainlytics) and influential proxy voting advisory firms (Institutional Shareholder Services and Glass-Lewis), to highlight concerns, make recommendations and mold the overall data privacy conversation at publicly traded technology companies. Data privacy advocacy through ESG investors is a more direct, and likely, much faster route to positive change (albeit, incremental) than litigation or regulation.