Digital Safety
The Governance Problem Nobody Wants to Own
QUICK SUMMARY
We have built robust defenses inside our organizations while the data economy that surrounds them operates with almost no rules. Closing that gap requires governance at a scale that security frameworks alone were never designed to provide.
Digital Safety Series | Post 2B of 5: Digital Safety for the Modern Professional
The opt-out form for Findem’s data broker service exists. It is titled “Do not sell or share my personal information.” It contains a mechanism for requesting that your data be removed from the company’s database. You will not find it by searching Google, because Findem embedded code in the page instructing search engines to exclude it from results. When Senator Maggie Hassan’s office sent the company a letter asking it to remove that code and explain the practice, Findem did not respond. When committee staff followed up, Findem did not respond to that either. Its mandatory 2024 disclosures showed the company had failed to process 80 percent of the privacy requests it had received, citing, without elaboration, insufficient data.
This is the opt-out system for one of the most sensitive categories of commercial data in America. A hidden form, at a company that does not answer letters from the United States Senate.
The Opt-Out Illusion
Senator Hassan’s investigation, released in February 2026, examined five data brokers that had been identified in an August 2025 Wired report for hiding their opt-out pages from search engines: Comscore, Findem, IQVIA Digital, Telesign, and 6sense. All five had embedded “no index” code on their opt-out pages, effectively rendering them invisible to anyone who did not already know the exact URL.
Four of the five made changes after receiving the senator’s letter. Comscore removed the code, attributing its presence to a 2003 page version it could not explain. Telesign said it had been unaware that its own third-party SEO tool excluded the page by default until the Wired story ran. 6sense disputed parts of the characterization but removed the code anyway. IQVIA replaced its opt-out page with a version hosted by a vendor, which also lacked the exclusion code.
Findem did nothing and said nothing.
The FTC described this pattern in a 2014 report that has not been superseded by any federal legislation in the twelve years since. Data broker opt-out options, the agency wrote, are “largely invisible and incomplete,” making it difficult for consumers to understand or exercise them. In May 2025, the Trump Administration rescinded a proposed CFPB rule that would have imposed new restrictions on broker activity under the Fair Credit Reporting Act. The regulatory posture remains what it has been for decades: deference.
“Opt-out options are largely invisible and incomplete.” — Federal Trade Commission
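As an added illustration (not part of the original post or any broker's code), a small Python audit check for the "no index" pattern the investigation describes: it flags a page that carries a robots noindex directive in either the in-page meta tag or the X-Robots-Tag response header, so an organization can verify that its own opt-out page is actually reachable through search. The sample HTML and headers are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample: an opt-out page carrying the robots "noindex" directive,
# the kind of exclusion code the senator's letter asked the brokers to remove.
HIDDEN_PAGE = """<html><head>
<title>Do not sell or share my personal information</title>
<meta name="robots" content="noindex, nofollow">
</head><body><form>...</form></body></html>"""

# Constructed sample: the same page after the directive is removed.
VISIBLE_PAGE = HIDDEN_PAGE.replace(
    '<meta name="robots" content="noindex, nofollow">', "")


class _RobotsMetaParser(HTMLParser):
    """Collects the content of <meta name="robots"> and "googlebot" tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives.append(a.get("content", ""))


def find_exclusion_directives(html, headers=None):
    """Return the reasons a page would be kept out of search results.

    Both the meta tag and the X-Robots-Tag header are checked, because a
    third-party SEO tool can set either one without the page owner noticing
    (Telesign's explanation in the report).
    """
    reasons = []
    parser = _RobotsMetaParser()
    parser.feed(html)
    for content in parser.directives:
        tokens = {t.strip().lower() for t in content.split(",")}
        if tokens & {"noindex", "none"}:
            reasons.append(f"meta robots: {content.strip()}")
    for name, value in (headers or {}).items():
        if name.lower() == "x-robots-tag" and re.search(r"\b(noindex|none)\b", value, re.I):
            reasons.append(f"header {name}: {value}")
    return reasons


def is_hidden_from_search(html, headers=None):
    """True when any exclusion directive is present."""
    return bool(find_exclusion_directives(html, headers))
```

Run it against the HTML and response headers of your own "Do not sell or share" page; a non-empty result means the page is invisible to anyone who does not already know its URL.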
The Supply Chain Security Frameworks Were Not Built For
The security profession has spent twenty years building perimeter defenses. Firewalls, endpoint detection, zero-trust architecture, identity and access management. These tools work for what they were designed to do: protect what sits inside an organization’s boundary.
The data broker problem sits outside that boundary, by design. An employee’s home address may exist in hundreds of databases your security team has never audited, governed by policies your organization has no role in setting, sold to buyers whose intentions you cannot vet. The same is true of their financial history, their inferred health data, their location patterns, their family members’ names. None of it is on your network. All of it is available to anyone with a credit card and a data broker account, or to anyone patient enough to wait for the next breach.
“This is the uncomfortable truth: we have built an economy where data is both an asset and an attack surface.”
The aggregation pipelines that power commercial targeting also power criminal profiling. We have enterprise-grade controls protecting organizational perimeters while the data supply chain that surrounds those perimeters operates under rules written before anyone grasped what modern aggregation at scale would produce.
Generative AI has accelerated the timeline. Building a detailed, actionable profile of a specific individual once required significant time and resources. It can now be automated in seconds. The cost of targeted fraud drops as the cost of profiling drops. The attack surface expands without any change to the underlying data. As Justin Sherman, a Senior Fellow at Duke University’s Sanford School of Public Policy, told the House Committee on Energy and Commerce: bad actors do not need to hack American databases when so much can be legally purchased from brokers that do very little customer vetting.
The question this raises is one that security frameworks were not designed to answer. Governing data flows across ecosystems that span thousands of companies, most of them outside any single organization’s visibility or control, is a regulatory problem. Security teams can harden their own perimeters. They cannot, by themselves, govern what happens to data after it leaves.
So ask yourself: when did you last treat the data supply chain as part of your organization’s threat model? If the answer is never, that is the gap worth closing first.
Who Is Actually Getting Hit
An assumption persists in security awareness culture that the typical scam victim is older, less educated, or less digitally fluent. The data suggests otherwise. Research from the Global Anti-Scam Alliance, surveying 46,000 adults across 42 countries, found Gen Z and Millennials to be the age groups most likely to lose money to scams. Among U.S. respondents specifically, the survey estimated roughly 59.6 million American adults lost money to scams over the survey period, averaging $1,086 per victim (Feedzai / GASA Global State of Scams Report, 2025).
Thirty-five percent of U.S. parents surveyed reported that at least one of their children between 7 and 17 had been scammed. Seventy-three percent of adults globally said they were confident they could recognize a scam. Twenty-three percent lost money anyway. The confidence gap is not a knowledge problem. The verification methods most people rely on (checking for typos, looking for a social media presence, confirming a website uses HTTPS) are inadequate against fraud that is built on accurate personal data and AI-assisted personalization.
The FBI’s 2024 Internet Crime Report, covered in Post 2A, recorded $16.6 billion in total cybercrime losses. The vast majority of those losses were not technical exploits. They were fraud built on personalized data and social engineering.
What Practitioners Can Actually Do
The structural problem requires structural solutions, meaning regulation, enforcement, and governance frameworks that do not currently exist at the federal level. That does not make individual and organizational action irrelevant. It means being clear-eyed about what those actions can and cannot accomplish.
- Search your own name across major data brokers. Tools like DeleteMe, Privacy Bee, and Kanary will show you what is currently being sold about you. Running this exercise with a leadership team, and showing them the results with their names on it, moves the conversation in ways that abstract threat briefings do not.
- Submit opt-out requests to the major aggregators. Start with Spokeo, Whitepages, BeenVerified, Intelius, Acxiom, LexisNexis, and Epsilon. Automated services like DeleteMe handle this across hundreds of brokers for a modest annual fee. For senior executives whose profiles represent elevated targeting risk, this is worth treating as a baseline security hygiene measure rather than an optional personal choice.
- Place a credit freeze at all three bureaus. Equifax, Experian, and TransUnion all offer free credit freezes. A freeze prevents new accounts from being opened in your name without your explicit authorization. It is one of the most effective individual-level defenses available and costs nothing.
- Audit your organization’s public exposure. Job postings, LinkedIn profiles, executive bios, and press releases create a detailed map of your organization’s structure, personnel, and operational patterns. Review this material through the lens of social engineering. Adjust what you can.
- Incorporate data broker risk into vendor assessments. Data brokers are embedded in the supply chains of HR platforms, identity verification services, marketing analytics tools, and background check providers. Ask vendors directly what data they share downstream, with whom, and under what contractual constraints. Most have not been asked.
- Engage the policy conversation with specifics. The regulatory vacuum that has allowed this industry to operate without meaningful federal oversight is not permanent, but it will not close on its own. Senator Hassan’s investigation is one pressure point. The California Delete Act, which took effect in 2024 and created a single opt-out mechanism for all registered brokers in the state, is a model being watched by other legislatures. The International Association of Privacy Professionals maintains active working groups on data broker regulation where practitioners can contribute technical expertise directly to policy development. Security leaders who engage through these channels are doing work that no technical control can accomplish.
The Actual Bottom Line
The Joint Economic Committee’s finding that four data broker breaches cost Americans $20.9 billion is remarkable not because the number is surprising but because it is the first time anyone has done the math and published it. The industry has operated at this scale, with this kind of consequence, under this level of regulatory inattention, for the better part of thirty years.
The security profession built excellent tools for protecting what sits inside organizational boundaries. The data supply chain surrounding those boundaries has not received commensurate attention, from industry or from regulators. Closing that gap requires governance at a scale that security frameworks alone were never designed to provide. That means building technical defenses and making the case for structural change at the same time.
Your data is already out there. The question is what we do about the system that put it there.
About This Series: Digital Safety for the Modern Professional is a five-part content series from The Cyber Guild, a community dedicated to cybersecurity leadership, cross-sector collaboration, and building an inclusive workforce prepared for the challenges ahead. Follow SaferShift for more insights on Digital Safety from Tiziana Barrow.
Key Sources: JEC Senate Minority Report, February 27, 2026. FBI IC3 2024 Internet Crime Report, April 2025. Feedzai / GASA Global State of Scams 2025. FTC Data Brokers Report, May 2014. CFPB Protecting Americans from Harmful Data Broker Practices, December 2024. Privacy Rights Clearinghouse, 2024.