Faces lit by computers, the hackers’ objectives were clear — attack and defend. At this year’s DEF CON, the largest hacker convention in the United States, pre-qualified teams of hackers from around the globe faced-off in a network-security simulation that combined network sniffing, cryptanalysis, programming, reverse-engineering, and other tactics that would make Lisbeth Salander blush. Back in 1993, the first DEF CON had roughly 100 participants. This year, badges dangled from the necks of nearly 20,000 attendees, including hackers, lawyers, academics, journalists, and government officials.

DEF CON has an edgy narrative — it’s notorious for criminal exploits, wild parties, and Mohawk-fitted outcasts. But that story line is much too simple. And “too simple” is what security researchers—or hackers, depending on your sensibilities—proclaim after they expose the vulnerabilities in products and infrastructure we rely on daily.

Below are highlights and insights from presentations at DEF CON 23 that illustrate the evolving cyber risks and policy dilemmas facing governments, individuals, and the private sector.

“Sorry.” Music service Spotify joins the club as the latest company to apologize to its customers for proposed privacy policy changes. When it comes to bad press, it would be tough to beat Minecraft-founder Markus Persson’s tweet about Spotify: “Hello. As a consumer, I’ve always loved your service. You’re the reason I stopped pirating music. Please consider not being evil.” Spotify promptly threw itself on the mercy of its customers in a short written apology.

While the scope of Spotify’s policy exceeds the scope of data that most companies seek to obtain, it’s a good reminder for all companies to review their own privacy policies. As a company reviews its privacy policy, it should consider these key questions:

Folks of a certain age, and fans of “Guardians of the Galaxy’s” Awesome Mix vol. 1, have a hard time forgetting that late ‘70s song by Rupert Holmes, “Escape” (“If you like piña coladas, getting caught in the rain….”). But for millions of subscribers to infidelity website AshleyMadison, there’s no easy escape from hackers’ public disclosure of subscribers’ personal information. In the ensuing schadenfreude-field-day, and amidst early reports of extortion attempts and even suicides, there’s an important lesson to remember. Whether or not a company’s business model is broken vows, broken promises in a privacy policy can have severe repercussions.

Months. Actually, years. That’s how long the notion has been brewing that the Federal Trade Commission has no authority to enforce reasonable data security under the unfairness prong of FTC Act Section 5. The stakes are high – the FTC can pursue essentially any commercial company under the FTC Act for unfair or deceptive trade practices in interstate commerce. And if the FTC indeed has the authority to take any such company to court for “unfair” data security practices under Section 5, without any FTC regulations under Section 5 setting standards for exactly what constitutes adequate data security… well, one can appreciate why many in the general business community are uneasy.

When the FTC sued Wyndham in federal court for inadequate data security, Wyndham raised every argument its lawyers could think of to dismiss the FTC’s unfairness claims.  After failing to convince the trial court, Wyndham next took an interlocutory appeal to the Third Circuit Court of Appeals, the first appellate court to ever consider this issue, and asked that the FTC be stopped. But instead of a red light (a ruling of no FTC authority) or a yellow light (a ruling on other grounds), the Third Circuit Court of Appeal’s decision, handed down this week, gives the FTC a clear green light to pursue its claims against Wyndham for alleged unreasonable data security as an unfair business practice.

Costs continue to mount for Target as the company works to put its massive 2013 data breach behind it. Target and Visa recently announced an agreement for Target to reimburse Visa card issuers as much as $67 million for costs associated with the historic breach. The settlement is considerably larger, and more likely to succeed, than the proposed $19 million deal between Target and MasterCard that issuers previously rejected as too low.

With a click of a button, a former employee can communicate to a large audience of connections made during his career. Such communications often involve the former employee enticing co-workers or customers to follow them to the new employer. If left unrestricted, a former employee’s social media use can damage the former employer’s customer and employee relationships. To protect relationships with employees and customers, employers should include a social media provision in their non-solicitation agreements.

Do you often feel that despite best efforts to circle the wagons your information security team is fighting a losing battle with broken down tools? Even though information security budgets have increased in the last couple of years—likely in response to the very visible increase in high-profile data breaches—discretionary budget dollars are scarce. I recently heard the poker term “dead money”  used to describe that large portion of every IT budget that has been committed long before it is received, much like the money we all must dedicate to mortgages, utilities, food, and transportation. Thus, for every $100 of total IT spend, we may be left with just $0.60 for new baubles and geegaws, as my grandmother used to say.

It’s tempting to “gild the lily” when applying for cyber insurance. Insurers are still getting their arms around how to underwrite cyber risks, and so applications commonly feature a lengthy questionnaire about security controls and safeguards. Often folks in the insured’s Finance or Risk departments handle the application process, with minimal involvement by IT Security and Legal. The result can be questionnaire responses that are, well, “aspirational.”

The problem is that the insured’s representations in the application usually become part of the policy, with coverage conditioned on the representations being accurate when made, and also on an ongoing basis. If the questionnaire responses are later deemed to be material misrepresentations, or if what was represented changes materially, then coverage may be lost. With cyber insurance applications, gilding the lily can result in gelding of coverage.

Last Friday, when Amazon’s market cap pushed past Walmart’s, the headlines almost wrote themselves – “Internet Retailer Amazon Topples Traditional Retailer Walmart,” or the like. The lead angle? Amazon’s information-based business model had surpassed Walmart’s old-school, bricks and mortar business concept. Just one problem – totally wrong lead, with the totally wrong point.

For years, federal district courts have reliably dismissed data breach consumer class actions at the outset, citing the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International. Defendants’ tried-and-true argument goes like this:  (1) under Clapper, plaintiffs must allege at least an imminent risk of a concrete injury to have standing under Article III of the U.S. Constitution; (2) the data breach plaintiffs haven’t alleged such an injury, and any future alleged injuries are too speculative; (3) so no standing, and no case.  But last week, in Remijas v. Neiman Marcus Group, the Seventh Circuit disagreed. The Neiman Marcus decision pumps new life into consumer data breach claims, and plaintiffs will undoubtedly argue that it sounds a death knell for Clapper in data breach litigation.