Do we remember?

Do you remember any of these organizations: TJX, AOL, Sony, the State of South Carolina, Adobe, LinkedIn, Target, Yahoo, OPM, Home Depot, JP Morgan, Anthem, Ashley Madison, Yahoo (again), and Equifax? These guys all made huge headlines because they were victims of massive data breaches.

Notice they all “take your privacy very seriously” in their sad, apologetic press releases explaining what went wrong. Most resulted in management shakeups and ended some C-level executives’ careers due to their lack of action. At the end of the day, the CEO is responsible for the company, and blaming anyone else is no longer effective. This sends a crystal clear message that data breaches can and do carry personal liability for executives. Let’s save the conversation about golden parachutes and the token offering of a year of credit monitoring for another time.

In the short term, all of these organizations incurred huge market share hits, loss of trust, regulatory fines, and slews of lawsuits. The Target breach came at an especially bad time, right before the 2014 holiday shopping season. This resulted in a 50 percent loss in profit vs. their prior year. Surveys taken after the fact say there is a certain percentage (which varies wildly) of customers who won’t shop at a retailer, or do business with a company, that has been breached. That doesn’t seem to play out in reality. Plenty of people are still shopping at Target, Home Depot, and the others. The breached organizations, for the most part, have since fully recovered financially and regained our trust. The financial recovery was inevitably carried by the consumer. We pay for these things with higher prices and more fees paid to the retailers, banks, and others involved.

At least we as customers can choose whether or not to do business with a retailer. This isn’t the case with organizations such as the State of South Carolina Department of Revenue or the US Office of Personnel Management. Nor can we choose to opt out of our information being collected, repackaged, resold, and profited from by data brokers such as Equifax. That last one will take some time for us to discover all of the details. When that happens, we’ll talk about Equifax as well.

We’ve created an incentive structure which holds true in some cases: it can be less costly to deal with a breach than to invest the required effort and resources to prevent it in the first place. Adding insult to injury, it can be more profitable to capitalize on the breach by selling products and services to the victims! Quick history lesson: the Ford Pinto debacle. This thinking is short-sighted because when that breach occurs, organizations are gambling on whether legislation or regulation will force them to implement the security measures that should have been in place from the beginning.

Do we think about these things when we swipe a card or log into any website? These organizations were either lazy, shortsighted, inconsistent, or negligent, and they failed to invest in adequate security to protect their important information… your important information. Did these organizations learn from their mistakes? I’m sure some improved. What about the others out there; are they learning? Unfortunately, they’re not. The breaches keep occurring, so what does that tell you? Actions speak, and these companies apparently don’t all “take your privacy very seriously.”