Plaintext in Review: On Data Privacy, Where Do We Go Next?
Source: Marija Zaric (@simplicity) via Unsplash


Welcome to Dark Reading in Plaintext, brought to your inbox this week by Bitsight. In this issue of Plaintext, we look at new statistics around data privacy. We also note that with five new state data privacy laws going into effect, organizations have to revisit their data protection processes to ensure compliance. If you enjoy Plaintext, please share with friends and colleagues!

States at the Forefront of Privacy Regulation. We live in a time where data is constantly collected, shared, and monetized. Social media platforms, AI chatbots, and connected devices have expanded individual digital footprints, creating more opportunities to abuse personal information. For most organizations, data privacy can no longer be an afterthought: 94% of organizations say their customers won’t buy from them if data is not properly protected (Cisco 2024 Data Privacy Benchmark Study).

Five new state data privacy laws are going into effect this month (Delaware, Iowa, Nebraska, New Hampshire and New Jersey), bringing the number of states with some version of comprehensive consumer data privacy legislation up to 20. Delaware will be focused on the abuse of geolocational data and the data security of emerging artificial intelligence (AI) technologies, Delaware's deputy attorney general John Eakins says.

What new privacy legislation has done for regulators isn't so much putting rules on the books as allocating more money toward enforcement against lax data privacy among organizations, including money to hire in-house expertise.

Navigating this patchwork of state regulations is not easy. The 2025 State of Privacy report from ISACA found that only 44% of respondents are confident that their organization’s privacy team can ensure data privacy and achieve compliance with new privacy laws and regulations. Only 33% of organizations find it easy to understand privacy obligations, with 23% considering it difficult.

ISACA’s research suggests enterprises are taking compliance seriously, with 82% of respondents indicating they use a framework or law/regulation to manage privacy, and 68% saying it is mandatory to address privacy with documented policies and procedures.




More Data Is Not Better. Organizations need to be transparent about what data is collected, how it is used, and with whom it is shared. But more importantly, organizations should look at what As Omdia's Adam Strange notes, there is a strong "the more data, the better" mentality, but organizations are wrestling with what to do with all the data and how to address compliance with data privacy regulations. In a recent Omdia survey, only 11% of respondents said they would be able to identify their entire data estate when asked what percentage of their data they would be confident their organizations could account for. Organizations should explore minimizing data collection and removing data when they don’t need it.

Can organizations put a hand on heart and claim they even know where all of their data is or that they know what it is?

“User Activity” Is Sensitive Data. Researchers from data privacy provider Incogni analyzed the permissions of 238 AI-powered Google Chrome browser extensions and found that 67% collected user data. It may not sound like a big deal that 22% of extensions collect user activity, but Incogni warned that it is “one of the most sensitive types of data, as it reflects everything from highly personal data, sensitive company information, and keystrokes to passwords, timestamps, and even behavioral patterns.”


What We Heard On-Air

Tune in to our on-demand webinar Tips on Managing Cloud Security in a Hybrid Environment.

"Unlike most on-prem environments, your cloud infrastructure is one configuration mistake away from being exposed to the Internet." - Jake Williams, vice-president of R&D at Hunter Security


On That Note

Passwords, They’re A-Changing. NIST no longer recommends changing passwords every 60, 90, or some arbitrary number of days. But that doesn’t mean it’s okay to leave passwords unchanged for years on end, either. Cybercrime forums are flush with lists of stolen/breached passwords, so changing them every so often helps ensure those lists are out of date.

A woman sitting at a table with a fortune-teller looking into a crystal ball. The caption is, "Your identity will be stolen, your passwords hacked, and all of your financial assets drained. But you still owe me $100."

Many password managers now offer a security audit feature to check to see if there are any weak or already-compromised passwords. Change any that are short or easily guessable. Think about long and complex passwords or passphrases. Enable multi-factor authentication where you can, and consider using passkeys where possible.




