All too often, the approach that organizations take to compliance is “out of sight, out of mind,” and it’s not hard to see why. Compliance can be overwhelming. There is no one-size-fits-all solution, with different frameworks, standards and regulations covering different industries or only covering businesses at a certain growth stage. Compliance also consists of a sea of acronyms that can be difficult to understand, and most companies don’t have the time or resources to fully understand what may or may not be required of them. Most companies — especially those just getting off the ground — have a long list of things to address, such as developing products, growing their customer base, and securing funding. Many simply choose to ignore compliance issues that may not even apply to them — until it’s too late.
The truth is that kicking the compliance can down the road can have serious negative repercussions for today’s businesses. As data breaches become more common (and more costly, as IBM’s annual Cost of a Data Breach report makes clear), government regulators have begun taking a closer look at the missteps that lead to those breaches. What’s more, individual companies and even entire industries are conducting more thorough due diligence before agreeing to work with new partners and vendors. Modern compliance frameworks, standards and regulations play a significant role in showing proof of that due diligence, and organizations unaware of the expectations that those new standards and regulations have created may find themselves at a serious disadvantage.
The High Cost of Ignorance
One of the interesting things about many of today’s government regulations is that they tend to differentiate between intentional noncompliance and unintentional noncompliance — but this simply drives home how steep the penalties for even an unintentional violation can be. The California Consumer Privacy Act (CCPA) is a good example. Designed to improve consumer data, the measure stipulates that the state can seek civil penalties of $2,500 for each violation, or $7,500 per intentional violation if the culprit fails to correct the problem within 30 days of being notified. The Health Insurance Portability and Accountability Act of 1996 — better known as HIPAA — operates similarly, with four different violations ranging from lack of knowledge to willful neglect. At the lowest tier, the maximum penalty is about $60,000 per violation, while the highest tier carries a maximum penalty of about $1.8 million per violation.
Both CCPA and HIPAA consider each individual record involved in a data breach to be a “violation.” This means that even an unintentional HIPAA violation can add up quickly if a significant number of patient records are involved — though there is an annual penalty cap. There is no such cap for CCPA violations, and given that modern data breaches tend to involve tens (if not hundreds) of thousands of records, even an unintentional violation can incur a sizable fine. Ask any lawyer, and they will say the same thing: ignorance of the law is not an excuse. Today’s businesses must be aware of the regulations that govern them or risk incurring significant, potentially crippling penalties.
Putting Off Compliance Is Dangerously Shortsighted
There is no blanket approach to compliance, at least not in specific terms. HIPAA, for example, only applies to organizations in the healthcare sector, while CCPA only applies to businesses operating in California and which have a gross annual revenue of more than $25 million or which buy, receive, or sell the personal information of California residents beyond certain thresholds. It makes sense that a business just getting off the ground in Ohio might not prioritize CCPA compliance at a time when $25 million in revenue feels a long way off.
But this approach is shortsighted. California boasts the largest economy of any state in the U.S. — in fact, were it a country, it would have the fifth-largest economy in the world. Any business operating in the U.S. will almost certainly have customers in California, which means they will inevitably need to fall in line with CCPA eventually. What’s more, California is hardly the only jurisdiction with data privacy laws. The European Union paved the way for CCPA with the General Data Protection Regulation (GDPR), a regulation with similarly steep penalties for companies unable or unwilling to effectively protect their data. Want to eventually operate in Europe? Start planning now.
It’s important to bear in mind the impact compliance has on the business itself — an impact that often goes beyond fees and other official penalties. SOC 2 compliance, while not mandated by any government or regulatory body, has become almost mandatory for any organization operating in the cloud. As Software as a Service (SaaS) providers become both more numerous and more popular, organizations want to be sure they can trust their vendors to secure their data effectively. Without a clean SOC 2 report, any organization operating in the cloud will face a serious uphill battle when it comes to generating business. It’s also important to note that potential partners and customers want to see companies maintaining continuous compliance over time, not simply checking it off as a “one and done.” That makes compliance a year-round concern and one that demands considerable attention as the business evolves. Failing to acknowledge the weight of SOC 2 compliance on scalability can be particularly costly, both in terms of lost business and reputational damage.
Compliance is a critical fork in the road. If an organization waits until the moment it needs to comply with GDPR, CCPA, HIPAA, SOC 2, or any one of a host of other compliance frameworks, standards, or regulations, they are already dangerously behind. There is no magic wand that an organization can wave to achieve compliance. It takes time to build and integrate data security tools and policies. It takes time to establish cloud security practices, and to demonstrate their effectiveness. Simply throwing money and bodies at the problem will not help. The best way organizations can help themselves is to become as familiar as possible with the compliance frameworks they fall under — or will eventually fall under — as early as possible.
What You Don’t Know Can Hurt You
When it comes to compliance, ignorance is not bliss. Avoiding compliance will inevitably lead to problems, whether it’s in the form of a growth blocker, costly fine, or just being overwhelmed with rules and requirements to follow. In all cases, the answer is the same: do not kick the can down the road. The sooner an organization identifies and understands the compliance frameworks, standards, and regulations relevant to its operations, the sooner they can begin to plan. Knowledge is just the first step in the compliance world — and what you don’t know can hurt you.