
Data Breach Notifications: The Subscription Service You Never Signed Up For

    Another day, another letter telling me a company I’ve never heard of has my personal information, and failed to protect it. Data breach notices feel like a subscription you never agreed to, one that renews automatically and cannot be canceled.

    According to the Identity Theft Resource Center’s 2025 Data Breach Report, breach activity in the U.S. hit record levels, affecting hundreds of millions of people. Most breaches trace back to familiar weaknesses such as poor credential management, weak internal controls, inadequate oversight of third-party vendors, and human error exploited through social engineering. These attack vectors may not be new, but the proliferation of AI is making it easier for attackers to exploit them at scale, and organizations need to manage data risk with the same seriousness they apply to financial or operational risk.

    I know you may be thinking you can “opt out” of information sharing, but that usually applies to marketing data, not operational reality. Payroll, cloud hosting, customer support, payment processing, background checks, analytics, and identity verification are almost always outsourced.

    Even if you opt out of promotional sharing, your data still moves through a web of vendors, and every transfer expands the exposure surface and adds another potential point of failure. Complexity is not an excuse for weak governance. It is the reason stronger governance is required.

    Good data governance means knowing where sensitive data lives, who can access it, why they need access, and how it’s protected. Individuals must also protect themselves: use strong, unique passwords, turn on multi-factor authentication, and consider a credit freeze.

    In most areas of commerce, when harm is caused, the party responsible bears the cost of remediation. When personal information is exposed, however, the burden of recovery falls almost entirely on consumers. Offering 24 months of credit monitoring as a “remedy” is the corporate equivalent of a doctor giving you a Band-Aid for a critical gunshot wound and calling it treatment. Keep in mind that the usefulness of stolen information to criminals doesn’t expire when the monitoring service does.

    It’s time to consider policy solutions that reflect the permanence of modern data loss, such as streamlined credit-file restoration processes, including pathways to replace compromised identifiers in extreme cases, and stronger statutory remedies.

    Until there’s a fundamental cultural shift within organizations toward prioritizing consumer data protection, we can expect breach notifications to keep arriving like unwanted renewal notices.