Data‑privacy hits a tipping point

HIPAA enforcement “moved into 2026 with sharper edges, wider apertures, and higher stakes,” legal analysts at Foley Hoag reported, highlighting tighter expectations around vendor oversight and cyber hygiene. foleyhoag.com State-level action accelerated after 2025: Bloomberg Law noted that California, Texas and Virginia are leading 2026 enforcement activity, and roughly 100 state privacy measures were enacted or advanced through 2025. news.bloomberglaw.com Big‑Four and audit‑advisor playbooks put privacy on the ARC agenda: KPMG listed cybersecurity and controls among “eight issues for audit committees in 2026,” and PwC’s 2026 mini‑guide instructs audit and risk committees to treat privacy as enterprise risk rather than a silo. kpmg.com BDO’s 2026 audit‑committee priorities and multiple law‑firm previews warn boards about cross‑jurisdictional liability and coordinated enforcement, raising potential director and corporate exposure if privacy governance is weak. bdo.com Heidrick & Struggles’ 2026 Board Monitor found 45% of new director appointments focused on audit or finance expertise, underscoring demand for candidates who can translate privacy strategy into board‑level oversight; Freshfields’ 2026 data‑law review likewise flagged “more aggressive” enforcement and eroding regulatory silos. heidrick.com California’s new regulator infrastructure — including the California Privacy Protection Agency’s board materials and handbook stemming from the CPRA framework — ratchets regional expectations for Bay Area boards to add directors with privacy or data‑strategy credentials. privacy.ca.gov Recruitment and talent signals show demand: privacy hiring portals list recurring senior roles in San Francisco tech employers, and board marketplaces such as BoardProspects and the Private Directors Association are being cited by search firms as go‑to channels for placing directors with privacy‑and‑risk backgrounds. privacyjobboard.com