Americans remain exposed to cyber threats despite law meant to protect consumers

In 2007, as new data protection rules were coming into play, particularly with the proposed Cyber-Security Enhancement and Consumer Data Protection Act of 2006, my company published a piece in BusinessWeek titled: “Oops, Darn It, We Lost Your PIN.”

The headline was meant to be unsettling. It highlighted how casually some companies seemed to handle consumers’ most sensitive data, treating it more like an operational detail than a matter of personal trust. 

At that time, retailers and financial institutions were revealing breaches involving exposed credit card data. Regulators responded with new requirements for encryption to protect sensitive information. 

The expectation was clear. Once encryption became mandatory, large-scale exposure of personal data would decline. We thought the problem was essentially solved. But it wasn’t. 

Nearly twenty years later, breaches are larger, faster, and more automated. The targets have spread far beyond credit cards to include health records, payroll systems, intellectual property, and critical infrastructure.

The problem is not a lack of cybersecurity tools. It is that we treated encryption as a compliance task instead of a necessary safeguard.

Compliance Became the Goal

Early data protection laws established an important baseline: encrypt sensitive information.

However, over time, compliance became an exercise of checking boxes, where the barest minimum implementation – if any – was acceptable. Compliance may have been a goal, but was left unenforced and unmonitored. Often a solution was purchased to satisfy an audit, but once the auditor left the building, attention to compliance lost its focus.  

Inevitable fines became part of financial strategy. Cyber insurance helped cushion the impact. Exposure became a risk to manage, not a failure to prevent. If implementing encryption was difficult or costly, the impact of a breach became just a cost of doing business.

For consumers whose Social Security numbers and medical histories are repeatedly exposed, the response often looks the same: a notification letter and an offer of “one year of free credit monitoring.” I have a pile of these on my desk. That is not meaningful protection. It is damage control and an acknowledgment that stronger safeguards were not in place from the start.

AI Has Changed the Economics

The threat landscape today is not what regulators imagined in 2007.

Artificial intelligence allows for automated vulnerability scanning, highly targeted phishing, and rapid credential theft. Attack timelines that once took weeks now unfold in hours.

We have created faster alarms, while attackers have developed quicker break-ins. Public discussions still focus on detection: how quickly breaches are found, how effectively response teams act.

Those metrics are important, but they only describe what happens after a compromise. 

The more crucial question is this: if attackers gain access, can they use the data?

Encryption, when integrated into system architecture and managed centrally, determines that outcome. Stolen data can either be read and sold, or it cannot. That is not a matter of probability. It is definitive.

Enforcement Has Not Kept Pace

Many laws require encryption. However, enforcement often focuses on disclosure timelines and reporting requirements rather than on system design.

Regulators should shift focus from post-breach paperwork to whether encryption is designed into systems. Corporate boards should also see encryption not as a technical detail but as an essential consumer protection measure.

When encryption is fragmented or seen as optional, the public pays the price.

The Lesson, Twenty Years Later

Two decades after “Oops, Darn It, We Lost Your PIN,” the headline could run again, only with much larger figures attached. 

We have more spending, more tools, and more rules. Still, personal data continues to be exposed widely.

The lesson is not that regulation was misguided. It is that compliance without a strong focus on system design is not enough, especially in an age of AI-driven attacks. 

Breaches may be unavoidable. Widespread exposure of usable data is not. 

Encryption is not optional. It never was.