This paper studies firms' data privacy and cybersecurity choices. We emphasize the strategic interdependence between these decisions and demonstrate that security in both the market equilibrium and the social optimum tends to be higher when data is shared. We also identify important market failures in the sense that firms tend to under-invest in security and over-share data. Our welfare analysis of a minimum security standard, disclosure and consumer education policies, liability rules and consumer mitigation strategies highlights the need for a co-ordinated approach to regulation.