2018 was an interesting year, with cybersecurity at the forefront in media. We saw dozens of high-profile breaches (e.g., Facebook, Orbitz, MyFitnessPal) and many more low-profile incidents. Cybersecurity preparedness assessments and testing have become a standard cost of doing business. Ransomware is a household term. The EU’s General Data Protection Regulation (GDPR) went into effect, and we saw the first GDPR enforcement action.

Here are some of the key privacy and security trends to prepare for as 2019 gets underway:

1. 2019 is the year of privacy regulations — The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, which means companies across the globe will have to develop their CCPA compliance programs this year. High-profile breaches continue to cause Congressional grandstanding in the U.S., which could very well result in nationwide privacy regulation. Whether or not that comes to fruition, we expect more states to adopt privacy regulations like the CCPA. 
2. Microsoft Office 365 will continue to be heavily targeted — In the past two years, there has been a steady increase in attacks against Microsoft Office 365users. While Microsoft has invested significantly in the security of Office 365, many companies aren’t taking full advantage of the available security settings. Attackers typically steal Office 365 credentials and find a login mechanism that can bypass multi-factor authentication (MFA), if MFA is in place. Then, the attackers download the victim’s full mailbox and utilize it to target individuals that the victim corresponds with. We’ve seen dozens of successful attacks in this vein. We expect the frequency of attacks to increase as more companies move to Office 365.
3. Major vendors will announce major breaches — We have already seen some major vendors, both large and boutique, announce breaches that have impacted many clients. The trend is likely to continue this year, as more companies have developed detection methodologies that can identify a breach and lead to notifications.
4. More acquisition failures will result from cybersecurity incidents — The failure of Colorado Timberline, a private equity-backed printing company that shut down due to a ransomware attack, resulted in the loss of significant investor equity because of the company’s inability to respond to a cybersecurity incident. Even public companies have suffered tremendous valuation consequences due to breaches. Private equity-backed or in-process companies often underspend on security and necessary IT upgrades to show higher profits and thereby better valuations. However, underspending in these areas at prospective portfolio companies exposes the risk for attacks which can result in tail events, such as a complete shutdown of the company.
5. Major consumer data vendors will be exposed — A myriad of data providers that aggregate consumer data (e.g., location data from mobile apps, purchasing preferences from search results, and demographic/socioeconomic data) will likely be exposed for the data they hold and sell to thousands of clients globally. We have already started to see some of the data exposed through reporting by major newspapers, such as the New York Times. As consumers become more aware of the ability to de-anonymize their personal data, regulatory bodies will push back with new rules and stringent enforcement actions.