Breaking news of a massive customer breach or blatant privacy abuse dominates the headlines for days. However, months and even years later, affected customers still struggle with the aftermath and firms are still absorbing the costs. By reflecting on these incidents, we glean long-term lessons that help security and risk (S&R) pros improve their firm's overall security posture, its breach response, and its appreciation of privacy law and customer trust. To do this, each year we select and analyze notable incidents from the past 12 months to provide these critical lessons.