Boo! Spooky season is here, and while ghosts and goblins might be fun, privacy and security scares are not. As we creep closer to the end of the year, it’s time to shine a flashlight on potential compliance gaps, lurking scams, and cybersecurity vulnerabilities that could haunt your business. Make sure your organization is ready to face the privacy and security challenges of the season—no tricks, just treats!
- Websites, apps, and privacy policies should meet Oregon Privacy Requirements by end of year. On January 1, 2026, the Oregon Consumer Privacy Act (OCPA) 30-day cure period expires. Today, the Oregon AG must give organizations 30 days to fix privacy violations before they face a penalty. Come January, compliance gaps, especially those that are in plain sight, will be even more risky. The Attorney General may bring an action to seek a civil penalty of up to $7,500 per violation. This means that if a website doesn’t display a privacy policy or have a cookie banner, the company could be fined for unlawfully collecting personal information from every Oregonian who visited the website. While AGs rarely use their maximum fining authority, the fines can add up quickly for those with popular websites.
- Be on the lookout for scams! Verify the accuracy of all payment details. Wire transfer fraud increases during the holidays as fraudsters exploit increased transaction volumes and holiday-related stress, often by changing wiring instructions, account information, or impersonating officials to pressure victims into sending money quickly. Always verify payment details and instructions through a separate, independent contact method before sending funds. For example, if a vendor calls from an unknown number saying, “We need $38,000 right away [so we can pay employees a holiday bonus / close our books / avoid tax implications]—here is the routing information,” verify the information using existing records or via known contact information. For example, send an email or text message to the usual contact: “Hi Bob, just checking you want me to wire this payment to a new bank account. The account number is different than the one we’ve used for prior transactions.” If the company receives an email with new wiring instructions or a link to an unfamiliar website to complete a payment transaction, stop to verify the information.
- Don’t have the kind of holiday season Krispy Kreme had last year! On Black Friday 2024, Krispy Kreme detected unauthorized activity on its network. The alert was the first indicator of a cyber-attack that would take the company’s online ordering system offline until December 30, 2024. In a required Securities and Exchange Commission filing, on December 11, 2024, the company reported: “The expected costs related to the incident, including the loss of revenues from digital sales during the recovery period, fees for our cybersecurity experts and other advisors, and costs to restore any impacted systems, are reasonably likely to have a material impact on the Company’s results of operations and financial condition.” After online ordering was restored, Krispy Kreme’s investigation continued for months. In May 2025, the company notified nearly 62,000 people that their information, including Social Security numbers, financial account information, passport numbers, and biometric data, was stolen as part of the holiday cyber-attack. Hackers strike around the holidays, believing security teams may be understaffed, IT monitoring may be relaxed, and incident responders may be out of reach. Now is the time to check the effectiveness of security measures, remind employees of security best practices, and review incident reporting and response protocols.
As the fog rolls in on 2025, don’t let privacy and security skeletons rattle your business. Whether it’s meeting Oregon’s privacy requirements, dodging holiday scams, or fortifying cybersecurity defenses, a little preparation now can help save you from a frightful future. Stay vigilant, stay compliant, and make this season a thriller for all the right reasons!
The opinions expressed herein are solely those of the authors. This article does not constitute legal advice. For legal advice for your situation, you should contact an attorney.