What happens if you ignore information security compliance?
If an enterprise decides to ignore its information security compliance obligations, what happens? Expert Mike Chapple explains what willful noncompliance means.
What are the penalties for willful noncompliance, a.k.a. when enterprises decide regulatory compliance isn't worth the headache so they just don't do it? Does this happen often? Are there any positives to willful noncompliance, or does the cost in potential fines and reputation damage outweigh the cost of investing in information security compliance?
There's no doubt that compliance is a burden and that some of the activities required to demonstrate compliance with laws and regulations don't directly contribute to the security of an organization. That said, I don't know of many enterprises that have decided they just won't do information security compliance. I do know that different organizations take different approaches to their security and compliance obligations. Some choose to play it by the book and completely document their compliance with every single provision of every regulation. Others take a much looser approach to information security compliance, seeking to operate generally within the spirit of the various regulations.
My suspicion is that most organizations lie somewhere in the middle of this spectrum and do engage in a good faith effort to maintain compliant IT operations. Those that fail to comply face a variety of expensive penalties, ranging from civil fines to criminal prosecutions. Merchants that fail to comply with PCI DSS face significant financial penalties and, in the worst case, may jeopardize their ability to participate in future credit card transactions. Organizations and individuals who commit willful breaches of HIPAA may even face jail time for their negligence.
The bottom line is that information security compliance is not optional. Organizations subject to laws and regulations should invest the time and energy required to comply with those obligations.