The Cost of Noncompliance

Level 11

When it comes to the technical aspects of PCI DSS, HIPAA, SOX, and other regulatory frameworks, the goals are often the same: to protect the privacy and security of sensitive data. But the motivators for businesses to comply with these regulatory schemes vary greatly.

Penalties for Noncompliance

Each entry below lists the framework, its industry scope, the year it was established, its governing body, and the penalties for noncompliance.

PCI DSS (Payment Card Industry Data Security Standards)
  Industry Scope: Applies to any organization that accepts credit cards for payment
  Year Established: 2004
  Governing Body: Payment Card Industry Security Standards Council (PCI SSC)[1]
  Penalties:
  • Fines up to $200,000/violation
  • Censure from credit card transactions

HIPAA (Health Insurance Portability and Accountability Act)[2]
  Industry Scope: Applies to healthcare-related businesses deemed either covered entities or business associates by law
  Year Established: 1996
  Governing Body: The Department of Health and Human Services (HHS) Office for Civil Rights (OCR)
  Penalties:
  • Up to $50,000 per record
  • Maximum of $1.5M/year

SOX (Sarbanes–Oxley Act)
  Industry Scope: Applies to any publicly traded company
  Year Established: 2002
  Governing Body: The Securities and Exchange Commission (SEC)
  Penalties:
  • Fines up to $5M
  • Up to 20 years in prison

NCUA (National Credit Union Association)
  Industry Scope: Applies to credit unions
  Year Established: 1934 (r. 2013)
  Governing Body: NCUA is the federal agency assigned to enforce a broad range of consumer regulations that apply to federally chartered credit unions and, to a lesser degree, federally insured state chartered credit unions.[3]
  Penalties:
  • Dissolve your credit union
  • Civil money penalties

GLBA (Gramm-Leach-Bliley Act)
  Industry Scope: Applies to financial institutions that offer products or services to individuals, like loans, financial or investment advice, or insurance
  Year Established: 1999
  Governing Body: Federal Trade Commission (FTC)
  Penalties:
  • $100,000 per violation
  • Up to 5 years in prison

FISMA (Federal Information Security Management Act)
  Industry Scope: Applies to the federal government and companies with government contracts
  Year Established: 2002
  Governing Body: Office of Management and Budget (OMB), a child agency of the Executive Office of the President of the United States
  Penalties:
  • Loss of federal funding
  • Censure from future contracts

This list represents only a fraction of the regulatory compliance structures that govern the use of information technology and the processes involved in maintaining the confidentiality, integrity, and availability of sensitive data of all types.

Yes, there are monetary fines for noncompliance or unlawful uses or disclosures of sensitive information – the chart above provides an overview of that – and for most, that alone offers plenty of incentive to comply. But beyond this, businesses should be aware of the many other consequences that can result from noncompliance or any other form of negligence that results in a breach.

Indirect Consequences of Noncompliance

Noncompliance, whether validated by audits or discovered as the result of a breach, can be devastating for a business. When a breach occurs, its impact often extends well beyond the fines and penalties levied by enforcement agencies. It can include the cost of detecting the root cause of the breach, remediating it, and notifying those affected. Further, the cost balloons when you factor in legal expenditures, business-related expenses, and the loss of revenue caused by a damaged brand reputation.

As if IT pros did not have enough to worry about these days, compliance too falls into their laps. But depending on the industries they serve and the types of data their business interacts with, what compliance actually entails can differ considerably.

Regulatory Compliance and the Intersection with IT

Without a doubt, there are many aspects of data security standards and compliance regulations that influence everything from IT decision-making and purchasing, to configurations, to the policies and procedures a company must create and enforce to uphold this important task.

Organizations looking to comply with a particular regulatory framework must understand that no one solution, and no one vendor, can prepare them for all aspects of compliance. It is important that IT professionals understand the objectives of every compliance framework they are subject to, and plan accordingly.


[1] The PCI SSC was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Participating organizations include merchants, payment card-issuing banks, processors, developers, and other vendors.

[2] The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, prompted the adoption of Health Information Technology. This act is recognized as giving “teeth” to HIPAA as it established stricter requirements by establishing the Privacy, Security, and Breach Notification Rules, as well as stiffer penalties for violations. The HIPAA Omnibus Rule, which went into effect in 2013, further strengthened the OCR’s ability to enforce compliance, and clearly defined the responsibility of compliance for all parties that interact with electronic protected health information (ePHI).

[3] It is important to note that in the financial world, guidance from the Federal Financial Institute of Examiners Council (FFIEC) to a bank is mandatory because the guidance specifies the standards that the examiner will use to evaluate the bank. Credit unions technically fall under a different regulator than banks, however, the National Credit Union Association closely follows the FFIEC guidance.


37 Comments
Level 12

It's all black and white, except for the parts that are gray.  Thankfully professional auditors can handle those gray areas, right?

For those DoD folks that are bound by the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)

Regulatory Compliance Framework = DISA STIGs

Industry Scope = Federal Government

Year Established = ~2005

Governing Body = DISA

Penalties = Various, pending severity and connection status.

Handy information that! Shame I can't download the white paper, my address isn't in the US

MVP

silverbacksays, send me your email address and I'll email it to you.

Level 11

Thanks for contributing this info!

I just replied to your PM mate. Thanks

MVP

On its way...

The above list seems to cover not only everything at my job, but most things outside my job, too.

I think the fear of PCI fines may be less than fear of "Censure from credit card transactions."  It's one thing to pay a fine, but it's another much larger issue to be prevented from participating in credit card payments.

MVP

exactly...

Level 11

Absolutely, being essentially cut-off from using one or more credit card brands to collect payment can be a major detriment to a business - even more so than a one-off fine.

Very nice breakdown. My company lives under the false sense of security that since it is privately held it does not need to adhere to any of these standards. (Granted, we are a wine & spirits distributor so HIPAA and many of the others do not apply.)

I've spent many years trying to convince them that we should be working towards those standards so that we have something to measure our security level and risk mitigation against. It's been an uphill battle to say the least.

Level 11

Thanks for this feedback and for sharing a bit about your experience battling to bring compliance into focus for your organization. I'm sure others can identify with this struggle. I would like to note that when we cover the topic of compliance we often revert back to a common theme: compliant does not equal secure. With this in mind, I believe that if IT security comes first, you'll be in great shape regardless of your company's stance on compliance.

I'd go a step further in defining your idea of compliances versus secure:  If you are in compliance with external auditors' standards, you still should have an internal corporate Security standard with which your equipment and processes should comply.

First complying with the external agency's standards helps keep you out of legal scrutiny, and then securing your systems further, based on your own internal Security Team's recommendations and audits/discoveries, can fill in the holes missed by exceptions, one-offs, and whatever the external agency's standards fail to cover for your business.

I want to be both secure AND compliant, but folks will argue which one is more important.  If you're secure but you don't meet the compliance standards, you're in for a world of scrutiny when the compliance audit occurs--or when a vulnerability you missed is exploited.

But if you're compliant, you at least have that official recognition behind you in the event of a security event occurring and you get audited or sued as a result.

You're correct--being compliant doesn't mean you're secure.  But being secure doesn't mean you're compliant, and compliance violations can result in fines or inconveniences perhaps as bad--or worse--than being found insecure.

Oh what a tangled web our language and intents are!

Level 13

Compliance with everything can be expensive, difficult, and so time consuming... at least with legislation behind us, we have more leverage to petition and gather the funds required.

Level 21

Companies that plan to be compliant need to plan to make resources available to focus on the compliance aspect of the business; otherwise they will likely fail.  Compliance isn't something you do once and then are done; it's something that needs to be managed and maintained in perpetuity.  It's a common mistake to pass an audit and then get lazy, which will ultimately cause you to fail subsequent audits.

Security and compliance is people resource intensive, make sure to plan accordingly!

Companies that DON'T plan to be compliant need to plan to be hacked, pay big fines, lose customers, lose lawsuits . . .

Not moving towards compliance is not a viable plan for survival.  We must all adapt and change to accommodate increasing security demands, or we'll be victims, dragging our companies and their clients down with us.


Level 14

Great chart for comparing penalties.

Level 11

Thanks! I owe a great deal of credit to curtisi for his help and guidance.

Level 17

Great Write up, and break down of the legal consequences of not being compliant. You've got to be good at IT and stay on top of your systems and network!

You only need to select a valid State when you are in the US. I guess the wording is just not clear enough. Just type any other Country in the World into the Field and you can download the paper.

Level 20

And DSS.

Level 20

All that's missing is DISA, DSS, NISPOM, CCRI, and soon RMF.  I always twinge a little when I see DSS in respect to PCI... it has a WHOLE different meaning to us!

Level 14

So true, and RMF is coming...finally!

Level 12

lovely, this is very enlightening

MVP

Peter Monaghan, CBCP, SCP, ITIL ver.3 wrote:

   Granted, we are a wine & spirits distributor

Do you distribute microbrews?  Hiring?

Level 11

Just wanted to share two articles which highlight some pertinent information regarding both PCI DSS and HIPAA. Check them out on THWACK!

PCI DSS 3.2 is Coming!

HIPAA Phase 2 Audits Are Coming!!

Level 20

Comply or face the music!

Level 14

Something we must all deal with.  Cover your backside.

MVP

This is one of those areas where you can see it as either a carrot or a stick. If you see it as the stick - which most do - you try to comply to prevent a punishment/penalty/embarrassment etc. However, I prefer to look at it as a carrot - I see audits as opportunities for someone outside of my organization and set of eyes to look at what we are doing and how we can improve. Security is part of the equation but I also want to provide the best level of service to my customer.

Level 11

Great mentality, and approach! Have you heard about tomorrow's Security Kung Fu webinar? This event seems like it's right up your alley... I hope you can join me there.

Security Kung Fu: Security vs. Compliance Webcast on 5/4

Level 14

More than familiar with the NCUA.... and for those on the Banking side... we have the FDIC....

network defender, well said.....

Level 11

Yes but do you answer a question where all the individual items are correct and the Final - all of the above.  This would normally be a bubbled answer...

MVP

Yes, I did attend, love the Security Kung Fu series.

MVP

I'm still pondering my response for similar reasons.

Level 9

That's an awesome way to look at it. I spent quite a bit of time supporting and training LEM and I can say most people I talked to then saw compliance as a stick. It's sometimes a pain to deal with an audit, yes, but at the same time there are some good principles of network security that are met, by default, when you ensure compliance.

Level 15

Funny, when I was in manufacturing eons ago and SOX was just introduced, those exact words were told to me by our Internal Auditors.    Great Minds!!!!

Level 11

Glad you enjoyed it! Just a heads up, we have made all the Security Kung Fu Sessions available for on-demand access. Check them out here: Security Kung Fu Webcast Series

About the Author
While serving as Product Marketing Manager at SolarWinds, I led the messaging and strategic marketing direction for over 13 products from the Security and Tools Portfolios. My introduction to the IT space came in the five years I spent working for an Austin-based colocation, managed hosting, and private cloud provider that assisted businesses in the healthcare, financial services, education and various other industries with high security needs and sensitive data. In that time, I learned a lot about the hosting industry, IT service management, physical and technical security, and of course... regulatory compliance.