It’s Data Privacy Week, the annual international awareness initiative from the National Cybersecurity Alliance (NCA) aimed at empowering individuals and businesses to value individual privacy, safeguard data, and build trust.
“Your online activities generate a treasure trove of data – from your interests to your purchases, as well as your online behaviors, and it is collected by websites, apps, devices, services, and companies across the globe, and can even include data about your physical self, such as health data,” the NCA says.
This week, cybersecurity experts from many companies shared their data privacy and risk advice with us. Let’s hear what they had to say.
Are Your Security Apps Putting You At Risk?
“We rely on an array of data privacy and security apps: VPNs, password managers, ad blockers, dark web monitors and more,” comments Ifrah Arif, Product Manager at PureVPN. “They can conflict with one another, failing users when they’re needed most.”
He says non-integrated security tools from different vendors can actually drive ‘alert storms’ that put sensitive info at risk.
Notification storms typically happen when an individual is using incompatible, non-integrated password managers, VPNs, dark web monitors, trackers, ad blockers, and other security tools from differing vendors.
“The storm arises when tools roll out uncoordinated alerts and notifications to get the user’s attention. One tool mistakes another tool’s attempt to do its job as a threat and sends users alerts. The resulting ‘alert fatigue’ often drives users to close their VPN or password manager, opening their devices to threats and exposing themselves to data theft and fraud,” Arif adds.
He cites a study from 2025 that found that 44% of users receive overlapping alerts, and 38% of those receiving overlapping alerts say they ignore them.
“That’s why it’s important to use an integrated suite of security tools – a single unified platform. That way, instead of juggling multiple apps competing for your attention and overriding one another, you get a single, intelligent alert stream and a single place to act on it.”
Tracking Technologies and Data Privacy
Ian Cohen, CEO and Founder at Lokker, adds: “Data Privacy Week 2026 marks a watershed moment: plaintiffs’ attorneys and regulators are no longer asking whether organizations have compliant policies. They’re demanding proof of how data is processed in practice.”
He said the finalization of California’s Risk Assessment and Cybersecurity Audit regulations and the CCPA (mandates and penalties now in place as of January 1st) foreshadow regulatory trends to come.
“The popular tracking technologies companies use to personalize visitors’ experiences have emerged as the primary enforcement focal point. Their widespread deployment, reliance on third parties, and tendency to change without notice place them squarely within the definition of high-risk processing.”
Cohen adds that litigation and enforcement measures will put the spotlight on whether organizations can demonstrate visibility into and control of these tracking technologies.
This matters, he says, because 78% of sites deploy session replay tools that courts are treating as wiretap violations, and 49.2% of S&P 500 companies include the Meta Pixel despite its status as a frequent litigation target.
“Risk exists regardless of whether consent banners are present or policies are well-drafted,” Cohen continues. “The convergence of private rights of action, operational regulatory mandates, and California’s expanding pen registry framework, through CIPA enforcement and class action activities, creates an environment in which technical privacy missteps can become costly litigated events overnight if neglected or mismanaged.
“To protect themselves and their customers, organizations need continuous visibility, defensible documentation, and clear remediation capabilities. Moving from static representations to operational proof isn’t optional anymore. It’s the foundation of modern privacy compliance.”
From Documentation Theater to Operational Proof
“For businesses with websites, virtually every one, privacy compliance is moving from documentation theater to operational proof,” says Michael Bell, CEO and co-Founder of Suzu Labs. “The regulatory environment no longer accepts ‘we have a policy’ as sufficient. Regulators and plaintiffs now ask ‘can you prove what actually happens?’”
Bell calls this the 92.7% Problem: “Nearly all websites load third-party trackers before user consent is given. That’s not a configuration problem at the margins. That’s an industry-wide failure of the consent model as implemented. The banner exists. The policy exists. The trackers fire anyway.”
“This is exactly the gap between stated controls and actual controls that creates legal exposure. When plaintiffs’ attorneys or regulators examine what’s technically happening versus what disclosures claim, they find daylight. This daylight becomes litigation.”
The Foundation of Data Privacy
Brent Torre, GM of Backup Continuity and SaaS Protection, Kaseya, says: “Data privacy cannot exist without cyber resilience. As organisations face an evolving threat landscape and increasingly complex compliance requirements, the ability to recover quickly has become inseparable from privacy protection. Organisations face mounting pressure to demonstrate both data protection and operational resilience.”
According to him, vendors need to help technicians navigate these challenges with a resilience-first approach. “Regulations like HIPAA, PCI DSS, CMMC, and CJIS require robust data retention policies, encryption, access controls, and disaster recovery capabilities. A unified BCDR platform needs to address these requirements with hardened appliances, immutable cloud storage using write-once, read-many formats, and FIPS validated encryption.”
This Data Privacy Day, assess both your privacy policies and resilience posture, Torre adds. “Can you recover within hours? Are your backups tested and immutable? With compliance frameworks evolving rapidly, cyber resilience isn’t just good practice – it’s a regulatory imperative.”
An Ongoing Obligation
“Compliance isn’t a static, box-ticking exercise, it’s an ongoing obligation organizations must be able to evidence at all times,” adds Soniya Bopache, SVP & GM Data Compliance at Arctera. “Data Protection Day is an opportunity to focus on this shared requirement.”
She says as the regulatory landscape evolves, businesses are under growing pressure to demonstrate clear governance over how data is accessed, protected, and recovered, not just in policy, but in practice. “With many individuals unclear on how their personal data is used or controlled, organizations must be able to clearly demonstrate lawful processing, appropriate safeguards, and oversight across the full data lifecycle. This is especially the case as more organisations embed AI into processes.
“Strong compliance isn’t just about avoiding regulatory penalties; it is fundamental to maintaining trust, proving resilience, and sustaining long-term confidence in digital services.”
Risk Could Cancel Reward
“In 2026, protecting sensitive data is no longer a simple task, especially amidst the threat of AI agents going rogue,” comments Steve Bradford, SVP EMEA at SailPoint. “With 98% of enterprises expected to adopt AI agents in the next twelve months, their business value is undisputed – but risk could just as easily cancel out reward. Worryingly, 80% of enterprises have already reported that their AI agents have taken unauthorised actions, including accessing and sharing sensitive data.”
Bradford says enterprises can’t hope to safeguard company data without managing their AI agents, which require the same level of oversight and access governance as human users. “This Data Privacy Day, the question is no longer just about ‘who’ can access what. It’s about ‘what’ is acting inside your environment, ‘how’ it’s doing so, and ‘why.’ Organizations can take back control by deploying tools that monitor every AI agent’s access to sensitive data, assign clear ownership, and enforce approval workflows before granting or expanding access.”
He adds that AI can no longer be seen as a novelty, and must be treated as a core operational identity within digital ecosystems. “Companies who fail to implement oversight now are exposing themselves, and their data, to significant risk.”
Vulnerability Forecasting
Éireann Leverett, FIRST Liaison and Lead Member of FIRST’s Vulnerability Forecasting Team, says his company is forecasting nearly 60,000 new vulnerabilities in 2026, and it’s entirely possible we will hit 70,000 to 100,000. “Every one of those is a potential doorway to your organization’s sensitive data, and no single security team can patch them all.”
Leverett says the question organizations need to ask right now is: “Are my people and processes ready to handle this volume, and am I prioritizing the vulnerabilities that actually put my data at risk? Forecasting lets defenders stop reacting to every new CVE and start making strategic decisions about where to focus limited resources before attackers exploit the gaps.”
Leaving Attackers with Persistent Access
“Too many organizations treat a breach as ‘resolved’ the moment systems come back online, but failing to fully cleanse systems and validate what data was stolen leaves attackers with persistent access for months or years,” comments Chris Gibson, CEO, FIRST.
“The fundamentals of protecting sensitive data still matter most: segmenting networks, enforcing multi-factor authentication, and ruthlessly retiring old credentials before they become backdoors. But here’s what most organizations miss: no company can solve data breaches and cybersecurity in isolation. The organizations that recover fastest are the ones with trusted networks already in place, sharing threat intelligence and coordinating response before a crisis hits.”
On the Privacy Trade-Off
“Privacy, as most people understand it, cannot truly exist in today’s connected ecosystem,” says Ionut Mihai Chelalau, FIRST Transportation & Mobility SIG Chair and Cybersecurity Consultant at Diconium. “Every time you use an AI assistant, some of your data will ‘leak’ into training datasets, and despite claims of anonymization, device fingerprints and usage patterns leave identifiable traces.”
Chelalau says the uncomfortable truth is that customers worldwide are willingly trading privacy for convenience, and unless strong regulations force the issue, manufacturers won’t voluntarily cut into profit margins to protect data they can monetize.
Designing for Human Limits
“AI in security has a fundamental thermodynamic problem: every tool we add increases system complexity faster than it increases our ability to coordinate that complexity,” says Trey Darley, Standards SIG and Time Security SIG Lead at FIRST and Founder at Proper Tools.
As foundation models scale past trillions of parameters, we’re hitting Gödelian limits: verifying alignment across all possible states becomes formally undecidable, not merely NP-hard.
In 2026, Darley says organizations will realize they’ve crossed a Rubicon of complexity. “The answer isn’t more training or more tools, it’s simpler systems that fail safely. Reduce complexity, reduce attack surface, and reduce cognitive load on the human. Security that depends on human perfection is security destined to fail.”
Establish Backup Communication Channels
Hadyn Green, Principal Communications Advisor, FIRST, says: “When a breach hits, silence about what happened to customer data creates a vacuum that speculation and misinformation fill fast. Organizations should establish backup communication channels across multiple networks and consider letting trusted authorities speak on their behalf. Not to dodge accountability, but to ensure accurate information reaches affected users while your team focuses on containment.”
For Green, the hardest problem in cybersecurity isn’t the technical response, it’s getting people to trust and act on what you’re telling them about their data.
Identity is the New Attack Surface
“Attackers have figured out that compromising identity is easier than directly hacking the software itself,” adds Marc Rubbinaccio, VP of Information Security, Secureframe. “Stolen credentials, hijacked sessions, and abused API tokens are becoming a reliable way to gain access to systems and exfiltrate data. For companies built on cloud infrastructure and third-party integrations, a single compromised service account or API key can give attackers direct access to sensitive data as if they were to compromise a user account.”
The mindset organizations need to have in 2026 is treating every login, token, and OAuth grant as a potential attack vector, Rubbinaccio continues. “Short-lived credentials, least-privilege access, and continuous monitoring are required controls when protecting customer data when managing a modern application.”
AI-Powered Social Engineering
“Phishing is already becoming superpowered through the use of AI,” he explains. “In 2026, we’ll see AI-powered social engineering attacks that are nearly indistinguishable from legitimate communications. With social engineering linked to almost every successful cyberattack, threat actors are already using AI to clone voices, copy writing styles, and generate deepfake videos representing people they are not.”
Rubbinaccio says the next wave of defense will require specific training related to the new techniques attackers are using as well as technology improvements such as behavior-based detection and real-time identity verification.
The AI Compliance Paradox
“93% of companies say security is a top priority, yet 68% leave one or fewer full-time employees to handle compliance while AI-powered attacks surge,” adds Shrav Mehta, CEO, Secureframe. “Teams are spending eight-plus hours a week on paperwork instead of protecting customer data, and manual compliance models are breaking down when the stakes are highest.”
For lean teams facing AI-driven threats, Mehta says the only sustainable path forward is continuous compliance and automation that generates evidence in the background, so your people can focus on actual privacy and security protocols.
“The biggest breaches of 2025 came from preventable failures: reused passwords, unmonitored vendor access, and data that should never have been collected in the first place. When 16 billion credentials leak in a single event, it’s a wake-up call that the fundamentals still matter most,” Mehta adds.
“Organizations need to ask themselves a hard question: if you don’t need to store certain customer data, why are you collecting it? Data minimization isn’t just good privacy hygiene, it’s risk reduction.”
Targeting the Data That Underpins Our Communities
“Cybercriminals are no longer just attacking systems – they are targeting the foundational data that underpins our communities,” says Gregory Statton, Vice President, AI Solutions at Cohesity. “This is not simply a security issue; it’s a signal that we must rethink how AI is used to protect our most sensitive data.”
Statton says the starting point for data privacy today should be simple: ask not what you can do with AI, but what AI can do for you. “In 2026, AI must move beyond hype and generic tools and be treated as a practical problem-solver. Organisations that focus on real business value (with data integrity and privacy built in from the ground up) will be the ones that emerge as winners in the era of AI.”
“Interest in sovereign AI is accelerating as organisations recognise the importance of keeping data within corporate and geographic borders. A sovereign-first approach improves control, compliance, and strategic autonomy, but success depends on balance. Regulations must remain elastic enough to enable innovation without creating isolated data silos or inhibiting creativity.”
Statton believes that effective data protection also requires a shift away from one-size-fits-all platforms.
“AI now enables highly targeted, department-specific solutions where access is limited to those who truly need it. This approach reduces risk while improving speed and precision.”
Technology Alone is Not Enough
Finally, he says technology alone is not enough. “Cybercriminals exploit people as much as systems. Building real resilience means empowering staff, students, and stakeholders to actively participate in data privacy. When human judgment is combined with AI-driven precision, organisations gain a level of protection that generic security tools simply cannot provide.”
Statton says at the heart of AI lies data. “For AI systems to operate effectively, they must be trained on trusted, high-quality data free from tampering. Embedding privacy-by-design principles into the workflow processes and adopting privacy-enhancing technologies such as encryption and access controls, in parallel with continuous employee education, are all important steps in laying the foundation for AI to become the strongest asset in protecting privacy, not our greatest risk.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.