1. Know What Laws Apply to your Organization

It’s not surprising that many leaders are unsure which new laws or regulations apply to their organization. Privacy and security laws, particularly in the U.S., have changed dramatically in the last few years. As a business grows, expands into new states or countries, adds new services, or adopts new technologies, it may unknowingly trigger new data protection obligations. Whether it’s the Oregon Consumer Privacy Act (OCPA), the EU General Data Protection Regulation (GDPR), the FTC’s updated Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), or Colorado’s Artificial Intelligence Act, once an organization understands which requirements apply to it, it can prioritize its efforts far more efficiently.

2. Focus on Personal Information, not just PII

The term personally identifiable information (or “PII”) is a red flag. If an organization is still using this term in 2025, privacy and security professionals and data protection regulators will likely infer that its privacy and security operations are overdue for an update. An organization focused on protecting only PII may leave a substantial amount of linkable data exposed to unauthorized access or use.

Did you know that roughly 87% of Americans can be uniquely identified from date of birth, gender, and five-digit ZIP code alone (Latanya Sweeney’s widely cited estimate)?

Because individuals can be identified without any classic “PII” field, the term has largely been abandoned. Today, the industry, lawmakers, and enforcement officials use terms like “personal data” or “personal information,” which are defined broadly to include information that identifies, or is reasonably capable of being associated with or linked to, a particular individual. Personal information includes direct identifiers, such as a full name or email address, as well as indirect identifiers, such as cookie IDs, device IDs, and IP addresses.
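As an added example (not part of the original article), the following Python script measures that linkability on a constructed table from which names and emails have already been removed. It counts how many records share each (date of birth, gender, ZIP) combination, reports the k-anonymity and the share of records that are unique on those fields, and then shows how coarsening the quasi-identifiers changes the result. The records, the column names, and the generalization choices are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records (no real people). Direct identifiers such as name
# and email have already been removed, so a "PII-only" view would call this
# table anonymous. The (dob, gender, zip) triple says otherwise.
RECORDS = [
    {"dob": "1984-03-12", "gender": "F", "zip": "97204", "diagnosis": "A"},
    {"dob": "1984-03-12", "gender": "F", "zip": "97204", "diagnosis": "B"},
    {"dob": "1981-11-02", "gender": "M", "zip": "97204", "diagnosis": "C"},
    {"dob": "1990-07-30", "gender": "F", "zip": "97035", "diagnosis": "A"},
    {"dob": "1990-07-30", "gender": "M", "zip": "97035", "diagnosis": "D"},
]

QUASI_IDENTIFIERS = ("dob", "gender", "zip")


def equivalence_classes(records, keys):
    """Count how many records share each combination of the given keys."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys):
    """Smallest class size. k == 1 means at least one record is unique on
    these keys, i.e. linkable to a person by anyone who knows those values."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_fraction(records, keys):
    """Share of records that are the only member of their class."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, keys)
    unique = sum(1 for r in records if classes[tuple(r[k] for k in keys)] == 1)
    return unique / len(records)


def generalize(records):
    """Coarsen the quasi-identifiers (an assumed policy for this example):
    decade of birth and 3-digit ZIP prefix, with gender dropped. The
    non-identifying diagnosis column is kept unchanged."""
    out = []
    for r in records:
        year = int(r["dob"][:4])
        out.append({
            "birth_decade": f"{year - year % 10}s",
            "zip3": r["zip"][:3],
            "diagnosis": r["diagnosis"],
        })
    return out


GENERALIZED_KEYS = ("birth_decade", "zip3")

if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS),
          "unique share =", unique_fraction(RECORDS, QUASI_IDENTIFIERS))
    coarse = generalize(RECORDS)
    print("generalized k =", k_anonymity(coarse, GENERALIZED_KEYS),
          "unique share =", unique_fraction(coarse, GENERALIZED_KEYS))
```

On the raw table three of the five rows are unique on (dob, gender, zip), so k is 1 even though no name or email is present; after generalizing, every row shares its class with at least one other (k of 2). The same check is worth running over any export that is described internally as “de-identified.”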

3. Conduct a Data Inventory

Keeping in mind the broad definition of personal information, inventory the categories of personal information the organization collects, creates, shares, and stores. What personal information is collected from customers, website visitors, applicants, employees, and business partners?

Keeping an up-to-date data inventory can identify opportunities and help assess risks and compliance gaps. It can also come in handy in situations like a ransomware attack. Knowing what categories of personal information may be implicated in a cybersecurity incident helps a business weigh its options and determine its obligations.

4. Delete Data. Repeat.

Deleting personal information that is no longer needed can reduce cybersecurity risks and lower the costs of a data breach. Organizations that have suffered a data breach can find that they are required by law to notify former employees, job candidates, or customers that they haven’t had contact with in many years, because they held on to records for much longer than necessary.

Implementing a data or records retention and deletion policy can reduce (1) real costs, such as the cost of data storage, and (2) potential costs, such as the expense of offering identity theft protection to those implicated in a data breach. A great place to start? Consider how many years employee records should be retained after termination.
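An added example (not from the original article) of what a retention rule looks like once it is turned into a deletion sweep. The retention schedule below is hypothetical, the inventory rows are constructed, and the sweep deliberately reports expired records that are on legal hold separately instead of deleting them. Confirm actual retention periods with counsel before using anything like this.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical retention schedule, in years after the triggering event
# (termination for employees, decision for applicants, last contact for
# customers). Real periods depend on jurisdiction and record type.
RETENTION_YEARS = {"employee": 3, "applicant": 1, "customer": 5}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date
    legal_hold: bool = False  # litigation or regulatory hold overrides the schedule


def retention_expiry(rec, schedule=RETENTION_YEARS):
    """Date after which the record may be deleted. Unknown categories raise
    KeyError on purpose: an unclassified record should never be auto-deleted."""
    years = schedule[rec.category]
    target_year = rec.trigger_date.year + years
    try:
        return rec.trigger_date.replace(year=target_year)
    except ValueError:
        # Feb 29 trigger date landing on a non-leap year: roll to Mar 1.
        return date(target_year, 3, 1)


def due_for_deletion(records, today, schedule=RETENTION_YEARS):
    """Split expired records into those safe to delete and those on hold.
    Records still inside their retention period are not returned at all."""
    due, held = [], []
    for rec in records:
        if retention_expiry(rec, schedule) > today:
            continue
        (held if rec.legal_hold else due).append(rec.record_id)
    return due, held


# Constructed inventory rows; none of these are real records.
SAMPLE = [
    Record("emp-001", "employee", date(2019, 6, 30)),
    Record("emp-002", "employee", date(2023, 2, 1)),
    Record("app-017", "applicant", date(2023, 11, 10)),
    Record("cus-440", "customer", date(2018, 5, 20), legal_hold=True),
    Record("emp-003", "employee", date(2020, 2, 29)),
]

if __name__ == "__main__":
    due, held = due_for_deletion(SAMPLE, date(2025, 1, 15))
    print("delete:", due)
    print("expired but on hold (escalate, do not delete):", held)
```

Run on 15 January 2025, the sweep flags the 2019 termination, the 2023 applicant file, and the leap-day termination for deletion, keeps the 2023 termination, and escalates the customer record that is on hold. Wiring this to actual deletion should also cover backups and copies held by vendors, which the inventory from the previous section is what tells you about.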

5. Give Thanks

Cybersecurity and IT leaders are vital to every organization’s success. But just as they are needed more than ever, they face a high degree of burnout and mental health challenges: 93% of security leaders say they have considered quitting their job because of the stress and demands. Thank everyone who works to keep information networks and data safe. Reducing turnover among cybersecurity and IT professionals, in roles that can take months to fill, reduces risk.

6. Require Multifactor Authentication (MFA)

Require employees to use MFA. According to Microsoft, more than 99.9% of compromised accounts did not have MFA enabled, which leaves them vulnerable to password spray, phishing, and password reuse. Consistent use of MFA reduces these risks, and the type of MFA matters: SMS codes and simple push approvals can be phished or worn down by repeated prompts, while phishing-resistant methods such as FIDO2 security keys and passkeys cannot be relayed to an attacker’s site.

7. Create an Incident Response Plan

A solid incident response plan can reduce an organization’s financial, reputational, litigation, and employee retention risks in the wake of a security event. Developing a response plan now, and going over it with key employees, can help an organization become more prepared, better resourced, and more thoughtful when the stakes are high.

How will the leadership team communicate if the network is compromised? Who should be called if there is a ransomware attack? Does the response team know how to use attorney-client privilege and the work product doctrine to reduce breach litigation risks?

Planning ahead can reduce risks and the foreseeable challenges of a security incident.

8. Update Privacy Notices

If a business hasn’t updated its privacy statement in the last year, it may be time for a makeover. A clear, comprehensive, and accurate privacy statement is a valuable risk mitigation tool. An old “last updated” date at the top of a privacy statement signals that privacy has not been prioritized.

9. Develop an AI Policy

By late 2024, nearly 40% of the U.S. population between 18 and 64 had used generative AI. As many as 23% of employed respondents had used it for work at least once in the preceding week, and 9% used it every workday. Do employees know the guardrails? An AI policy is a practical way to reduce the risk of employees sharing sensitive, confidential, or proprietary information with third-party AI services.

10. Implement Rules around Recording

Many people are using notetaking and recording apps to enhance their productivity. This has many organizations on edge, concerned about how such practices can lead to unintentional disclosures of confidential information, privacy violations, and an erosion of trust in the workplace. Implement rules around recordings (in virtual or in-person meetings, trainings, or leadership events) to reduce risks. As many recording apps are powered by generative AI, rules for recordings can be added onto an AI Policy.

11. Know Who Has Access to Your Information

It’s common for a business to (1) share information with service providers, affiliates, marketing vendors, and government officials and (2) rely on others to collect information on their behalf. But, it is uncommon for a business to have a clear view of the third parties with access to their information at any given time. Businesses should compile this list for compliance purposes, as certain privacy laws require providing information about third-party recipients of personal information. Businesses should also compile this information to manage vendor-related security risks. Such a list of third-party recipients of information, which can be created with a data inventory, may include cloud service providers, ‎marketing vendors, business partners, analytics companies, and even staffing services.

12. Fine-tune Your Templates

Under privacy laws, agreements with third parties that involve the exchange of personal information should include key privacy and security provisions. Has the business updated its vendor agreements or sales templates lately?

13. Complete Privacy Impact Assessments

Most state privacy laws require a data protection assessment, often called a Privacy Impact Assessment (PIA), for riskier processing operations. Does the business use customer, employee, or applicant information for purposes, such as automated decision-making, profiling, targeted advertising, or the sale of personal data, that might require one?

14. Understand What’s Covered by Cybersecurity Insurance

Businesses have many options when it comes to cybersecurity insurance. Coverage can vary, depending on the cause of a security incident and the outcomes. Businesses should review their policies to determine if their coverage is sufficient, considering common risks in their industry and foreseeable costs.

15. Raise Awareness

Privacy and cybersecurity are 24/7 efforts and require all hands on deck. Do all employees have access to training materials? Can they spot the biggest threats and risks? Do they know how to report privacy and security incidents? Providing ongoing security training, regularly communicating IT best practices, and making data protection information easy to find are key to reducing risk.

16. Don’t Let Perfect Be the Enemy of the Good

Privacy and cybersecurity work is tough. With laws, regulations, best practices, and threats in these areas changing rapidly, it is challenging to keep up. The most accomplished professionals in this space report imposter syndrome and become overwhelmed with the relentless change. Don’t let perfection stop you from making meaningful improvements.

This article summarizes aspects of the law and does not constitute legal advice. For legal advice with regard to your situation, you should contact an attorney.
