Data is a lot like currency in business today, and you wouldn’t leave wads of cash lying around, right? Think about this: Do you collect data efficiently? How do you apply it wisely? How do you use it to improve or validate your business case decisions? How do you store it? Who has access? All good questions, but we’re going to home in on another point that touches on all of these aspects. How do you make sure your company’s data processes—all that information gathering, generating, analyzing and utilizing—are compliant?
More important, what happens if you don’t do an adequate job? It’s tempting to just go through the compliance motions, but that’s entering dangerous territory. Put simply, there are risks of playing fast and loose with information security compliance. Big risks. Let’s break down what you need to know.
Depending on your industry, you could be subject to a number of privacy and security mandates. Each set of regulations comes with its own set of penalties for noncompliance. There are a ton of regulatory standards in place, so let’s take a closer look at the big two:
PCI DSS. The Payment Card Industry Data Security Standard (PCI DSS) aims to ensure companies that take payments, or otherwise process transactions, do so on a constantly monitored, secure network that protects cardholder information. Organizations that fail to meet the standards must pay significant penalties and, in severe cases, can be banned from future participation in any credit card transactions. Talk about a real bummer for any company that enjoys making a profit!
HIPAA. The Health Insurance Portability and Accountability Act (HIPAA), a multi-faceted body of regulations within the health sector aimed at protecting patient health information (PHI), has some serious consequences for non-compliance. (If you need help with HIPAA compliance and security in the cloud, I wrote about that here.) There are four tiers of offenses, and fines range from financial slaps on the wrist to a maximum of $1.5 million per calendar year for each identical violation. In severe and willful cases, noncompliance can mean criminal prosecution with the potential of up to 10 years of jail time. In addition, civil actions can now be brought on behalf of residents who are affected by HIPAA violations. In short, consequences for HIPAA noncompliance are nothing to sneeze at.
There are a number of compliance rules and regulatory bodies that govern other industries as well. While I cited only two examples above, you can bet they all involve hefty fines, potential prosecution, and the stripping of operational privileges.
If you’re tasked with managing compliance for your business (I’m looking at you, Chief Information Security Officers!), odds are you touch this subject multiple times per day. So what is the best way to ensure compliance and not stretch yourself too thin? Try a few of these suggestions:
I’ve spent a good deal of time in this post writing about why compliance is so important and how you might consider approaching it. However, one thing that deserves stressing is that security and compliance are not the same. Don’t get so wrapped up in forming a compliance committee or wading through stacks of regulatory requirements that you neglect the overall security of your data.
Your company can be compliant and still have insecure data. Just think of all the Thanksgivings ruined a few Novembers ago when Target’s catastrophic security breach occurred: 70 million customers had their credit or debit card numbers stolen. A mere two months before that incident, the retail giant had been validated as PCI-compliant.
The Target example shows that to elevate your business, you need to treat compliance and security as separate but equally necessary components of a well-rounded growth strategy. Compliance provides a baseline of protection; the rest should come from a robust, multilayered security program (one that begins with thorough information protection training for every employee).
In short, it might seem like a burden to jump through all the compliance hoops relevant to your industry. At times, these required actions may not appear to contribute much to the security of your company. Any IT officer or C-level exec worth his/her salt knows that completely ignoring these rules is not only bad business but also illegal. I can see, however, how it could seem easy to gloss over particular compliance regulations, especially those that seem particularly prickly, redundant, and time-consuming.
At the end of the day, though, putting compliance on the back burner will result in future fires. Ask yourself honestly—are you doing enough? What information security compliance measures have you put in place? If you’ve appointed dedicated compliance personnel, has that been a worthwhile move? I’m curious about your experiences with compliance and how you’ve approached compliance from a resource allocation perspective. I’d love to hear your thoughts.
Additional Resources on this Topic:
What Happens if you Ignore Information Security Compliance?
HIPAA and PCI Compliance Are Not Interchangeable
How Big Data Use in Healthcare Prevents Scams and Fraud