With the increasing dependence on digital systems, cybersecurity is in high demand to secure resources, information, platforms, and identities across an organization's entire technical stack, including online and on-premises systems. Public awareness of the need for security and privacy is on the rise, but companies and government regulations are not keeping pace with the fast-changing threat ecosystem. The goal of this project is to enumerate and explore the concrete ways in which companies' security practices can be aligned with current best practices for consumer data protection. Drawing on the expectations implied by U.S. state, federal and international law (such as the California Privacy Act, HIPAA and the EU GDPR), industry standards, and the current understanding of effective IT security practice, the guideline developed in this research sets out the actions that companies should follow in order to secure their customers' data and, by extension, to achieve an ethical business practice as well as the grounds on which they can be held accountable for their actions and mistakes. The whole treatment is framed from a business perspective: security is approached in terms of a 'calculated risk' and the acceptance of its consequences, rather than the traditional technical-only analysis, which is often incomprehensible to management.