Data protection and privacy compliance risks are increasing in number and growing in complexity for all organizations and especially for business organizations. This article provides a bird’s eye view of the available literature and professional reports on the contemporary and very salient issue of data protection risk for companies, also considering the first impacts of recently established privacy laws such as the General Data Protection Regulation in the EU and the California Consumer Protection Act in the US. As a result, corporations’ data protection practices are now also attracting more interest from shareholders and other stakeholders. Recent shareholder class actions indicate that there are potential information asymmetries between shareholders and the management of corporations regarding the assessment of data protection and privacy compliance risks. This article relies on economic analysis to understand why companies are likely to underinvest in data protection practices, given a certain risk environment. The article further analyzes the problem of
misperception of data protection risk as well as its potential drivers. More generally, this article contributes to the assessment of data protection laws in the US and in the EU, focusing on incentives to bring lawsuits against companies after major data breach events on both sides of the Atlantic.