In the late 1500s, privateer and explorer Martin Frobisher embarked upon a journey that would net him fame—Frobisher Bay is named for him—but not much fortune. His travels took him to what is now Canada, where he claimed Baffin Island for the Crown because of the vast amounts of gold he found there. He was so convinced he had found great riches that he continued to make multiple trips with increasingly more ships to mine and send the ore home for safekeeping. Queen Elizabeth I even ordered quadruple locks in the Tower of London to guard the trove.

Unfortunately for all, however, what Frobisher had so diligently worked to procure, transport, and store was nothing but iron pyrite—fool’s gold. Once it was discovered that his cache was not real gold, an Italian alchemist was engaged to work his magic and transform the worthless rocks into the gold everyone desired. Needless to say, he was unsuccessful.

I was reminded of this story while attending the Information Governance Conference recently in Connecticut.

You’ve no doubt heard that on Tuesday the European Court of Justice declared the U.S.- EU Safe Harbor invalid. Under European law, the transfer of EU citizens’ personal data to a third country may only occur if the third country ensures adequate protection of that data. A European Commission decision in 2000 declared the United States’ laws and policies provided such adequate protection, through the vehicle of the U.S.- EU Safe Harbor FrameworkNearly 4,500 U.S. companies partake of Safe Harbor protected status – at least until this week’s European Court of Justice’s ruling pulled the plug.

As a result of this ruling, each of the European Union’s 28 national data protection authorities (“DPAs”) now has the power to establish its own rules and regulations for data transfers. Although the U.S. and the European Commission are engaged in continuing negotiations for “Safe Harbor 2.0,” there is no certainty about when the new framework will be established, or even what the framework will be. In the meantime, the question looms – what will the national DPAs do?

 will be missed, but his wisdom will endure. Who else could have observed “No one goes there nowadays. It’s too crowded”? The information governance equivalent is “No one has information anymore. There’s too much of it.” In the last decade we have witnessed the systemic utilitization of computing power. Data used to be housed predominantly within a company’s own systems, but now, through remote storage, SaaS, PaaS, and other cloud solutions, more and more information is hosted by third-party providers. Also, as marketplace forces compel organizations to leverage or outsource functions that used to reside internally, operational service providers increasingly create, receive, maintain, and process information on the organization’s behalf.

It follows that information governance (the organization’s approach to satisfying information compliance and controlling information risk while maximizing information value) can no longer simply be an internally-focused exercise. IG “has come to a fork in the road, and must take it.” Service provider selection, contracting, and oversight are now primary vehicles of information governance – because when it comes to governing your organization’s information, “the future ain’t what it used to be.”

It may still be September, but to countless retailers, Halloween is already here. Passing by displays of spooky items while shopping, the ’80s haunted-house music video “Somebody’s Watching Me” comes to mind: “I always feel like somebody’s watching me, and I have no privacy” (yes, Rockwell has attribution, but Michael rocks the chorus).

The paranoid fellow in the video was worried about the IRS and the mailman – how quaint. In today’s world, high on many consumers’ “creepy stuff” lists is the use of mobile technologies by a growing number of retailers to track customers’ movements in their stores.

Do data breaches cause lasting reputational damage for organizations? We all know breach response is expensive –  just ask Target, which posted data breach-related costs of $162 million through fiscal year 2014, plus another $129 million for the first half of FY2015, all net of $90 million in cyber insurance. That’s a lot of zeros, and it’s not over yet. According to Ponemon’s 2015 Cost of Data Breach study, the average U.S. cost of a “malicious or criminal breach” is $230 per compromised record, $210 per record for a “system glitch” breach, and $198 per record for “human error” breaches. The U.S. breaches in the study averaged more than 28,000 compromised records and an average total cost of over $6.5 million.

But beyond response hard costs, the X factor for many companies is a fear of crippling reputational damage in the wake of a large-scale data breach. As it turns out, such fears may be unfounded, and may also be unhelpful.

At DEF CON you’ll often hear that “every company is receiving penetration testing, but some companies pay for the pleasure.” My take is that every company pays for penetration testing – some companies pay in planned expenditures, but others pay in response costs, reputation loss, business interruption, legal liability, and increased insurance premiums. Or as Claus Moser observed, “Education costs money, but then so does ignorance.”

Last week’s DEF CON post shared insights from DEF CON 23 presenters on the fast-moving threat environment. Below are post-DEF CON observations on strengthening an organization’s cyber risk management strategy.

Cancer Care Group, P.C. settled alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules on September 2 with the U.S. Department of Health & Human Services Office for Civil Rights (OCR) for $750,000. Cancer Care, a radiation oncology private physician practice located in Indiana, also agreed to adopt a corrective action plan to remedy defects in its HIPAA compliance program.

Faces lit by computers, the hackers’ objectives were clear — attack and defend. At this year’s DEF CON, the largest hacker convention in the United States, pre-qualified teams of hackers from around the globe faced-off in a network-security simulation that combined network sniffing, cryptanalysis, programming, reverse-engineering, and other tactics that would make Lisbeth Salander blush. Back in 1993, the first DEF CON had roughly 100 participants. This year, badges dangled from the necks of nearly 20,000 attendees, including hackers, lawyers, academics, journalists, and government officials.

DEF CON has an edgy narrative — it’s notorious for criminal exploits, wild parties, and Mohawk-fitted outcasts. But that story line is much too simple. And “too simple” is what security researchers—or hackers, depending on your sensibilities—proclaim after they expose the vulnerabilities in products and infrastructure we rely on daily.

Below are highlights and insights from presentations at DEF CON 23 that illustrate the evolving cyber risks and policy dilemmas facing governments, individuals, and the private sector.

“Sorry.” Music service Spotify joins the club as the latest company to apologize to its customers for proposed privacy policy changes. When it comes to bad press, it would be tough to beat Minecraft-founder Markus Persson’s tweet about Spotify: “Hello. As a consumer, I’ve always loved your service. You’re the reason I stopped pirating music. Please consider not being evil.” Spotify promptly threw itself on the mercy of its customers in a short written apology.

While the scope of Spotify’s policy exceeds the scope of data that most companies seek to obtain, it’s a good reminder for all companies to review their own privacy policies. As a company reviews its privacy policy, it should consider these key questions: