It may still be September, but to countless retailers, Halloween is already here. Passing by displays of spooky items while shopping, the ’80s haunted-house music video “Somebody’s Watching Me” comes to mind: “I always feel like somebody’s watching me, and I have no privacy” (yes, Rockwell has attribution, but Michael rocks the chorus).

The paranoid fellow in the video was worried about the IRS and the mailman – how quaint. In today’s world, high on many consumers’ “creepy stuff” lists is the use of mobile technologies by a growing number of retailers to track customers’ movements in their stores.

Do data breaches cause lasting reputational damage for organizations? We all know breach response is expensive – just ask Target, which posted data breach-related costs of $162 million through fiscal year 2014, plus another $129 million for the first half of FY2015, all net of $90 million in cyber insurance. That’s a lot of zeros, and it’s not over yet. According to Ponemon’s 2015 Cost of Data Breach study, the average U.S. cost of a “malicious or criminal breach” is $230 per compromised record, $210 per record for a “system glitch” breach, and $198 per record for “human error” breaches. The U.S. breaches in the study averaged more than 28,000 compromised records and an average total cost of over $6.5 million.

But beyond response hard costs, the X factor for many companies is a fear of crippling reputational damage in the wake of a large-scale data breach. As it turns out, such fears may be unfounded, and may also be unhelpful.

At DEF CON you’ll often hear that “every company is receiving penetration testing, but some companies pay for the pleasure.” My take is that every company pays for penetration testing – some companies pay in planned expenditures, but others pay in response costs, reputation loss, business interruption, legal liability, and increased insurance premiums. Or as Claus Moser observed, “Education costs money, but then so does ignorance.”

Last week’s DEF CON post shared insights from DEF CON 23 presenters on the fast-moving threat environment. Below are post-DEF CON observations on strengthening an organization’s cyber risk management strategy.

Cancer Care Group, P.C. settled alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules on September 2 with the U.S. Department of Health & Human Services Office for Civil Rights (OCR) for $750,000. Cancer Care, a radiation oncology private physician practice located in Indiana, also agreed to adopt a corrective action plan to remedy defects in its HIPAA compliance program.

Faces lit by computers, the hackers’ objectives were clear — attack and defend. At this year’s DEF CON, the largest hacker convention in the United States, pre-qualified teams of hackers from around the globe faced off in a network-security simulation that combined network sniffing, cryptanalysis, programming, reverse-engineering, and other tactics that would make Lisbeth Salander blush. Back in 1993, the first DEF CON had roughly 100 participants. This year, badges dangled from the necks of nearly 20,000 attendees, including hackers, lawyers, academics, journalists, and government officials.

DEF CON has an edgy narrative — it’s notorious for criminal exploits, wild parties, and Mohawk-fitted outcasts. But that story line is much too simple. And “too simple” is what security researchers—or hackers, depending on your sensibilities—proclaim after they expose the vulnerabilities in products and infrastructure we rely on daily.

Below are highlights and insights from presentations at DEF CON 23 that illustrate the evolving cyber risks and policy dilemmas facing governments, individuals, and the private sector.

“Sorry.” Music service Spotify joins the club as the latest company to apologize to its customers for proposed privacy policy changes. When it comes to bad press, it would be tough to beat Minecraft-founder Markus Persson’s tweet about Spotify: “Hello. As a consumer, I’ve always loved your service. You’re the reason I stopped pirating music. Please consider not being evil.” Spotify promptly threw itself on the mercy of its customers in a short written apology.

While the scope of Spotify’s policy exceeds the scope of data that most companies seek to obtain, it’s a good reminder for all companies to review their own privacy policies. As a company reviews its privacy policy, it should consider these key questions:

Folks of a certain age, and fans of “Guardians of the Galaxy’s” Awesome Mix vol. 1, have a hard time forgetting that late ’70s song by Rupert Holmes, “Escape” (“If you like piña coladas, getting caught in the rain….”). But for millions of subscribers to infidelity website AshleyMadison, there’s no easy escape from hackers’ public disclosure of subscribers’ personal information. In the ensuing schadenfreude field day, and amidst early reports of extortion attempts and even suicides, there’s an important lesson to remember. Whether or not a company’s business model is broken vows, broken promises in a privacy policy can have severe repercussions.

Months. Actually, years. That’s how long the notion has been brewing that the Federal Trade Commission has no authority to enforce reasonable data security under the unfairness prong of FTC Act Section 5. The stakes are high – the FTC can pursue essentially any commercial company under the FTC Act for unfair or deceptive trade practices in interstate commerce. And if the FTC indeed has the authority to take any such company to court for “unfair” data security practices under Section 5, without any FTC regulations under Section 5 setting standards for exactly what constitutes adequate data security… well, one can appreciate why many in the general business community are uneasy.

When the FTC sued Wyndham in federal court for inadequate data security, Wyndham raised every argument its lawyers could think of to dismiss the FTC’s unfairness claims. After failing to convince the trial court, Wyndham next took an interlocutory appeal to the Third Circuit Court of Appeals, the first appellate court to ever consider this issue, and asked that the FTC be stopped. But instead of a red light (a ruling of no FTC authority) or a yellow light (a ruling on other grounds), the Third Circuit Court of Appeals’ decision, handed down this week, gives the FTC a clear green light to pursue its claims against Wyndham for alleged unreasonable data security as an unfair business practice.

Costs continue to mount for Target as the company works to put its massive 2013 data breach behind it. Target and Visa recently announced an agreement for Target to reimburse Visa card issuers as much as $67 million for costs associated with the historic breach. The settlement is considerably larger, and more likely to succeed, than the proposed $19 million deal between Target and MasterCard that issuers previously rejected as too low.

With a click of a button, a former employee can communicate to a large audience of connections made during his career. Such communications often involve the former employee enticing co-workers or customers to follow him to the new employer. If left unrestricted, a former employee’s social media use can damage the former employer’s customer and employee relationships. To protect relationships with employees and customers, employers should include a social media provision in their non-solicitation agreements.