2026 Outlook: Data Security Trends

Beth Osborne
February 3, 2026

Keeping a pulse on regulatory changes and emerging risks shapes how PKWARE supports organizations. Additionally, data security trends inform the entire ecosystem, regardless of industry or compliance mandates. In our first webinar of the year, our experts, EJ Pappas, Field CTO, and Glennon Andrews, Divisional VP Business Development, discussed what to expect in 2026. 

Here’s a quick summary of those points. To get all the insights, watch the on-demand webinar, “2026 Outlook: Trends, Regulatory Change, and What’s Ahead for Data Security.”

Check-the-Box Compliance vs. Audit Protection

There’s a significant difference between checking the box for compliance and truly being audit-ready. Expanding your compliance strategy is a smart business approach. Here’s how you can accomplish this:

  • Automated data discovery: Locate all sensitive information for complete visibility. You can’t protect data you don’t know about. Once you have a full picture, you can identify any compliance gaps. You can avoid fines and boost efficiency. 
  • Compliance at scale: Ensure protections are consistent across the enterprise. This is also a time-saver, eliminating manual tasks.  
  • Centralized enforcement and reporting: Simplify compliance with one source to enforce and report.  

What’s New with HIPAA?

Another data security trend ties directly to expected HIPAA rule changes. These could be finalized by May 2026 and include: 

  • Mandatory encryption for all ePHI  
  • AES-256 at rest, TLS 1.3 in transit  
  • RSA-2048+ for key exchanges  
  • Hardware security modules  
  • Cybersecurity provisions: Mandatory MFA and anti-malware, vulnerability management, incident response, network segmentation, penetration testing, and access termination 

Preparing for these now is essential. At the crux of this is security that follows data wherever it goes. Pappas also noted that all these rules now apply to the mainframe and that the key to handling risk is through visibility.  

The FISMA Comprehensive Review 

Another regulatory change involves FISMA. In September of 2026, annual assessments will become mandatory. FISMA is a mechanism to audit government agencies and private contractors. Andrews explained the fallout from the CrowdStrike outage, where there was a manipulation of an update which caused significant damage. 

CIRCIA: Cyber Incident Reporting

In May of 2026, a final rule could become law regarding cyber incident reporting. It impacts around 300,000 entities. Critical infrastructure organizations must notify CISA within 72 hours of discovering a “covered cybersecurity incident” and within 24 hours of making a ransomware payment.

Proactive cybersecurity activities, like vulnerability scanning, network segmentation, and pen testing, could prevent a breach. However, you can never eliminate all risk. If your organization falls under this rule, there are some other things to have in place to reduce the impact.

Reducing Data Breach Risk 

The first step in reducing the impact of a breach is ensuring you secure all sensitive information at the data level with encryption, redaction, or masking. Second, you can decrease your risk footprint by identifying older files and enforcing retention policies. Third, you can use masking in non-production and AI environments. Masking allows you to de-identify data without losing contextual value. 

New State-Specific Data Privacy Regulations 

Currently, the U.S. does not have a national privacy regulation. Instead, many states have their own. A few updates of note: 

  • CCPA: California’s law introduced new cybersecurity audit requirements (due in April of 2028) and automated decision-making.
  • Kentucky and Indiana (effective January 1, 2026): Both are similar to the VA Consumer Data Protection Act and don’t add much new under the provisions the state already has about consumer data.  
  • Rhode Island (effective January 1, 2026): This state’s privacy laws regulate how businesses handle consumer data. Of note, the law requires opt-in consent and privacy protections for children, defined as those under 13. 

AI and Its Impact on Data Security and Compliance 

No data security trends discussion could leave out AI. The technology has pros and cons. On the risk side, AI is a threat actor. These orchestrated attacks have become more sophisticated through social engineering, spear phishing, and deepfakes.

Andrews pointed out how these tactics have evolved, as more data about each of us is available online. He mentioned how easy it is to create a bot, and we should have concerns about how those can be used against us.  

On the other side, AI has become a pivotal part of data analytics. Companies are adopting it increasingly as a way to gain more value from their information. However, it does come with risk.  

That’s why de-identifying data through masking must be a step before loading it into large language models (LLMs) or other AI environments.  

Identity Access Control Limitations 

While Identity and Access Control (IAC) plays a vital role in data security, it should not be your last line of defense. During the webinar, Pappas shared a metaphor to illustrate this. When users are granted access, they essentially hold the “keys” to the front door of your data. But what happens when someone steals those keys? Because credentials can be compromised, you need safeguards to prevent anyone from exfiltrating what’s in your “data rooms.” That’s where data-centric security comes in. Persistent encryption, masking, and redaction protect data at the asset level to ensure what’s in your “data rooms” remains secure.

More Insights on Data Security Trends 

The year ahead includes challenges and opportunities. As regulations and risks evolve, we’ll be monitoring them to keep you informed.  

For the full conversation between Pappas and Andrews, we invite you to tune into the webinar on demand.
