2018 Cybersecurity Year in Review: The Privacy Era Begins
2018 was less explosive than 2017 in terms of headline-grabbing attacks. But it was far more significant in terms of structural change. GDPR took effect. Privacy regulation advanced worldwide. The conversation about data rights, corporate responsibility, and the true cost of "free" services fundamentally shifted.
The Big Events
May: GDPR Takes Effect
The European Union's General Data Protection Regulation went live. Companies scrambled. Privacy policies flooded inboxes. And for the first time, there was a comprehensive, enforceable framework for data protection that actually had teeth (4% of global revenue in fines).
September: Marriott Confirms the M&A Problem
Marriott disclosed a 500-million-record breach that started in 2014 in Starwood systems. The compromise persisted for four years, undetected, and continued after Marriott acquired the company. It's the clearest demonstration yet that acquirers inherit the security problems of the companies they buy.
Throughout: Privacy Consciousness
California pushed the CCPA toward passage. The UK's ICO started enforcing GDPR. US Congress held hearings on data privacy. States drafted their own privacy laws. The regulatory momentum is undeniable.
By the Numbers
- 1,244 data breaches reported in 2018 (down from 1,579 in 2017, possibly due to better security or better underreporting)
- 446.5 million records compromised (down from previous years, but still enormous)
- 4% GDPR fines as a percentage of global revenue (creating actual teeth for privacy enforcement)
- 500 million records lost in the Marriott breach alone
What This Means
1. The Privacy Conversation Is Mainstream
Privacy went from a niche compliance issue to something every organization thinks about. Boards discuss it. Customers ask about it. Regulators enforce it.
2. Regulation Is Coming
GDPR set the template. The US will follow with similar frameworks. The California Consumer Privacy Act will likely pass. Other states are drafting laws. Practices need to prepare for a privacy-regulated future.
3. Data Is Liability
For years, companies treated data collection as purely beneficial: more data = better targeting = more revenue. Now, data is understood as liability. It needs to be protected, disclosed, and in some cases, deleted.
4. M&A Due Diligence Must Include IT
Marriott learned the hard way that inherited security problems are real problems. Any organization acquiring another business needs IT security assessment as part of due diligence.
Heading Into 2019
Cloud adoption accelerating. AI and machine learning being weaponized. The supply chain remaining a critical attack vector. Ransomware evolving. Healthcare remaining a top target. And privacy regulation setting the stage for how organizations manage data.
2018 was about privacy awakening. 2019 will be about adaptation.