Data privacy is no longer just an IT issue; it’s a core business risk. With personal data being one of the most valuable commodities in today’s economy, companies must navigate a patchwork of regulations, evolving threats, and growing consumer concerns.
Daniel Cotter of Dickinson Wright sums it up well, observing that “This is an area that has many layers like an onion; you peel them back and find more complexity each time.”
What Counts as Personal Data?
Lauren Silvestri Burke of Morgan, Lewis & Bockius LLP emphasizes the need to first identify what information is at risk. Much of this information is protected not only by ethical standards but also by legal and regulatory obligations. Understanding the scope of ‘personal data’ is critical for compliance.
‘Personal data’ spans several categories, including:
- Personally Identifiable Information (PII): Identifiers such as names, dates of birth, Social Security numbers, passport details, usernames, and passwords. These are prime targets for identity theft and financial fraud.
- Client and Business Data: Trade secrets, customer lists, pricing data, employee records, and other confidential information in a company’s possession. Loss or misuse of this data can result in lawsuits and reputational damage.
- Infrastructure Data: Sensitive details tied to public or private systems like power grids, transportation systems, or water supplies. Compromise here can lead to not only financial loss but also public safety risks.
- Cloud and Technical Data: Software repositories, source code, and online activity logs are increasingly vulnerable as companies migrate operations to the cloud.
A Patchwork of Laws
One of the toughest challenges for businesses is navigating the patchwork of privacy and data security laws in the United States. Cotter explains that no two state breach laws are the same, which complicates compliance and increases risk for multistate businesses.
Some of the key legal regimes include:
- Federal Trade Commission Act (FTC Act): Bars unfair or deceptive practices, including misleading data protection promises.
- HIPAA/HITECH: Regulates health information.
- Gramm-Leach-Bliley Act (GLBA): Safeguards consumer financial data.
- Sarbanes-Oxley (SOX): Imposes record-keeping obligations on public companies.
- Payment Card Industry Data Security Standards (PCI DSS): Industry rules for handling payment card data.
- State laws such as CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), and others: Typically include rights to access, delete, or opt out of data sharing.
For global companies, additional regulations such as the EU’s GDPR or Brazil’s LGPD must also be considered. Collectively, this patchwork forces businesses to create compliance programs that address overlapping and sometimes conflicting requirements. A ‘highest common denominator’ approach, meeting the strictest requirements across jurisdictions, can often reduce risk.
Evolving Threats
The cyber threat environment is dynamic and growing more sophisticated. Burke highlights the sharp increase in breaches and ransomware events, noting that these attacks are both costly and damaging to reputation. Beyond financial loss, breaches can undermine consumer trust, harm stock prices, and invite regulatory scrutiny.
Threats often fall into four broad categories:
- Phishing and Social Engineering: Attackers trick employees into handing over access or credentials.
- Ransomware: Malicious code encrypts data and demands payment for release.
- Network Interruptions: Attacks disrupt or disable operations entirely, causing loss of revenue.
- Hardware Exploits: Targeting vulnerabilities in physical or virtual systems.
Phishing attempts that once looked suspicious due to spelling errors or odd formatting are now polished and convincing. In some cases, attackers use voice or image cloning to impersonate executives.
Kyle Miller of Dentons adds that artificial intelligence has only amplified risks. As Miller puts it: “Defenders have to be perfect every time; attackers only need to succeed once.”
Business Impact and Risk Management
The financial, legal, and reputational fallout from breaches can be devastating. Cotter explains that attackers often linger in systems for weeks or months before striking, making it difficult to trace or contain breaches when they finally unfold. The lag between compromise and detection often determines how severe the damage will be.
The risks are multifaceted and include:
- Contractual Exposure: Failure to safeguard data can violate vendor or customer agreements.
- Regulatory Penalties: Violations of HIPAA, GLBA, or state privacy laws carry fines.
- Litigation: Class actions and shareholder lawsuits often follow breaches.
- M&A Liabilities: Acquiring a business may also mean inheriting undisclosed security problems. Companies can inherit significant risks if diligence on cybersecurity is inadequate.
Cyber insurance can help, but it is not a silver bullet. Insurers often dictate breach response through preselected panel counsel and forensic experts, which can complicate a company’s preferred strategy. Policy fine print also matters, as coverage gaps are common.
The Social Media and Cookie Trap
Privacy concerns extend well beyond hacking incidents; everyday online tools create exposure too. Burke points out that people share vast amounts of information through platforms like Facebook, LinkedIn, and TikTok, making these spaces fertile ground for criminals.
Regulators are also increasingly targeting cookie banners and online tracking practices. Miller describes a recent California enforcement action in which a company paid $1.5 million for failing to honor consumer opt-out preferences. Even though its website offered a ‘do not track’ option, user data was still passed along to social media and advertising partners. This reflects a broader trend; state attorneys general are scrutinizing whether cookie tools actually work as promised.
Practical Steps for Businesses
So what can companies do to prepare?
A few practical measures stand out:
- Data Mapping: Identify what information you hold, where it is stored, and who has access. This is the foundation for effective governance.
- Contract Management: Strengthen vendor contracts with explicit data protection obligations and audit rights.
- Employee Training: Teach staff how to recognize phishing attempts and reinforce the importance of secure practices.
- Testing: Regularly run penetration tests, vulnerability scans, and tabletop exercises to simulate breach scenarios.
- Incident Response Planning: Establish relationships with forensic experts and legal counsel before an incident occurs.
- Legal Monitoring: Stay informed of evolving state and international privacy laws, updating policies and programs accordingly.
Cotter stresses that compliance is not optional and requires expertise: “When you are doing business in this brave new world, make sure you consult experts. The laws, the threats, and the obligations only keep expanding.”
Conclusion
Data privacy compliance is now a boardroom issue, not just a back-office task. Businesses must contend with expanding legal obligations, sophisticated cyber threats, and regulators who increasingly demand that opt-outs and consent tools function as advertised. Companies that adopt proactive strategies, layered defenses, clear contracts, staff training, and responsive legal planning will be better prepared for the challenges ahead.
To learn more about this topic, view Data Privacy Compliance. The quoted remarks referenced in this article were made either during this webinar or shortly thereafter during post-webinar interviews with the panelists. Readers may also be interested to read other articles about cybersecurity.
©2025. DailyDAC™, LLC d/b/a Financial Poise™.