Apathy may be the largest threat to data privacy today. Threat actors and scammers certainly contribute as the most well-known threat, but that’s not what companies should be talking about. In fact, we’re already having that conversation, and it’s not working.
We are a data-driven world; there’s no getting around that. Our data ensures business operations function smoothly so, as consumers, we can reap the rewards – and businesses can meet their bottom lines.
Businesses are the guardians of our data, and we have certain laws in place to ensure that data is safeguarded. But what happens when those laws are outdated?
The Modern Scammer
Imagine this: You’re a grandmother who lives in a different state than your adult children, and recently your email and phone number were flagged as part of one of the many data incidents companies report.
A couple of months go by, and you receive a call from someone you think is your child’s friend – they’re in trouble and only need one thousand dollars to bail them out. At first, you’re skeptical, but they know where your relative is living (or the general area), they know basic information about your life and small tidbits that prove they aren’t entirely a stranger. You pay them the money out of concern.
Just like that, you’ve fallen victim to one of the most popular scams happening right now, one that goes beyond traditional credit card fraud. Scammers only need a tiny bit of information to lead them to more, like a digital breadcrumb trail. Imitating credible figures like family members helps them strike gold and puts you at risk. 83% of all financial losses recorded in the Federal Bureau of Investigation’s 2024 Internet Crime Complaint Center (IC3) report were associated with cyber-related fraud, and people older than 60 experienced the most.
Scammers are becoming more sophisticated and having more success, but our approach to data privacy and security isn’t matching. Instead, consumers and companies are falling into data apathy.
A Stagnant Regulatory Landscape
The regulatory landscape varies across countries. While some have strong privacy laws, the United States lags in comprehensive privacy regulations. Our patchwork of state-by-state legislation does not hold up against the European Union’s General Data Protection Regulation (GDPR), and like anything else, companies will find loopholes to meet the minimum expected.
One particularly egregious example happened just last year: National Public Data.
This specific incident happened in August 2024, after data broker National Public Data exposed millions of American citizens’ personal data (emails, phone numbers, Social Security numbers, etc.) to third-party hackers. The impact of this incident was further exacerbated by the company failing to report the breach for a whole week.
How was this possible? National Public Data, like any other data broker, scraped online sources so they could pull and access personal data without ever having to get permission from the data’s owners. Unfortunately, data brokers aren’t held to the same regulatory standards that apply to our payment information through the Payment Card Industry (PCI).
These brokers aren’t obligated to conduct annual audits and controls through any such federal legislation, so they don’t.
Apathy strikes again as these same companies know the risks, know our laws are outdated, and they choose to follow the letter of the law rather than seeing the spirit of its intent.
The Social Contract: Consumer Privacy and Business Value
Consumers are numb to their data and companies are choosing ignorance. How do we fix it? By thinking ahead and adopting future-proof data techniques.
We’re data-driven, so that aspect of the consumer-to-company relationship likely isn’t changing. Your favorite restaurant will still ask for your email address to send those discount codes, because that data is their gold.
While consumers need to be aware that even basic information could bring cyber trouble their way, it’s on companies to do a better job securing the data willingly (or unwillingly) provided to them. National Public Data found this out the hard way, filing for bankruptcy shortly after it hit national headlines.
Bankruptcy is certainly the extreme end of consequences, but regardless, these institutions aren’t holding up their end of a vital social contract.
We’ve entered a new type of relationship between consumers and companies – one where consumers are so apathetic about their data that a discount code is worth the risk of a data breach, and companies no longer view the consequences of violating consumer trust as harshly.
Data Privacy is Tricky – Not Impossible
Companies need our data, and they usually place it into databases or datasets they can later reference. This makes privacy tricky. Twenty years ago, the common reasoning was that removing direct identifiers such as names or street addresses from a dataset made that dataset anonymous. Unsurprisingly, we’ve since learned there is nothing anonymous about it.
Data anonymization techniques like tokenization and pseudonymization, however, can minimize data exposure while still enabling these companies to perform valuable analytics such as data matching.
Because the system associates the data with a placeholder and no human ever sees it in the clear, these techniques offer an extra layer of protection against threat actors even if they manage to exfiltrate the data.
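As an added illustration (not part of the original article), the Python sketch below pseudonymizes email addresses with a keyed HMAC-SHA256 and then matches two datasets on the resulting tokens alone. The function names, the sample records and the choice of HMAC-SHA256 are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

def normalize(email: str) -> str:
    """Canonical form so the same address always yields the same token."""
    return email.strip().lower()

def pseudonymize(email: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalized identifier.

    The secret key is what stops someone holding the tokens from recomputing
    them from a list of guessed addresses, which a plain unkeyed hash allows.
    """
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()

def tokenize_rows(rows, key):
    """Replace the 'email' field with a token; the clear value is dropped."""
    return [
        {**{k: v for k, v in row.items() if k != "email"},
         "token": pseudonymize(row["email"], key)}
        for row in rows
    ]

def match(left, right):
    """Join two tokenized datasets on the token, never on the clear identifier."""
    index = {row["token"]: row for row in right}
    return [{**row, **index[row["token"]]} for row in left if row["token"] in index]

# Constructed sample data (not real records).
SIGNUPS = [{"email": "Ana@Example.com ", "state": "OH"},
           {"email": "bo@example.com", "state": "TX"}]
PURCHASES = [{"email": "ana@example.com", "total": 42.50},
             {"email": "cy@example.com", "total": 9.99}]

def demo():
    key = secrets.token_bytes(32)        # held by the tokenization service only
    joined = match(tokenize_rows(SIGNUPS, key), tokenize_rows(PURCHASES, key))
    # Tokens minted under a different key do not link, so the same data
    # tokenized for another purpose cannot be joined back to this set.
    other_key = secrets.token_bytes(32)
    unlinked = match(tokenize_rows(SIGNUPS, key), tokenize_rows(PURCHASES, other_key))
    return joined, unlinked

if __name__ == "__main__":
    print(demo())
```

The analytics side sees only tokens, so the protection rests on keeping the key apart from the tokenized datasets.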
No one system or solution is perfect, but it’s important we continuously modernize our approach.
Emerging technologies like homomorphic encryption, which allows mathematical functions on encrypted data, show promise for the future. Synthetic data, which generates fictional individuals with the same characteristics as real people, is another exciting development. Some companies are involving Chief Privacy Officers in their ranks, and there are whole countries building better frameworks.
According to the 2025 Verizon Data Breach Investigations Report, third-party breaches doubled from last year’s report, increasing from 15% to 30%, even as breaches involving a human element remained roughly the same at 60%.
While Generative AI (GenAI) is a rightfully hot security topic for many, the report also notes a worrying trend for data security: 15% of employees routinely accessed GenAI tools on corporate devices at least once every 15 days with non-corporate account identifiers (emails, for example).
Time will tell between now and 2026 how GenAI will impact data security, but it’s already clear companies need to take third-party breaches and how they handle their data more seriously. We must strive to do better in the United States. By not critically looking at the security systems and frameworks we’ve built here, and making necessary changes, we are openly allowing consumer and proprietary data to be stolen and abused.
Businesses need to care more about the data they collect and how they plan to secure it while retaining its value. By doing this, they will improve consumer trust while positively impacting their bottom line.

