
What happens if you ignore information security compliance?

If an enterprise decides to ignore its information security compliance obligations, what happens? Expert Mike Chapple explains what willful noncompliance means.

What are the penalties for willful noncompliance - a.k.a. when enterprises decide regulatory compliance isn't worth the headache so they just don't do it? Does this happen often? Are there any positives to willful noncompliance, or does the cost in potential fines and reputation damage outweigh the cost of investing in information security compliance?

There's no doubt that compliance is a burden and that some of the activities required to demonstrate compliance with laws and regulations don't directly contribute to the security of an organization. That said, I don't know of many enterprises who have decided that they just won't do information security compliance. I do know that different organizations take different approaches to their security and compliance obligations. Some choose to play it by the book and completely document their compliance with every single provision of every regulation. Others take a much looser approach to information security compliance, seeking to generally operate within the spirit of various regulations.

My suspicion is that most organizations lie somewhere in the middle of this spectrum and do engage in a good faith effort to maintain compliant IT operations. Those that fail to comply face a variety of expensive penalties, ranging from civil fines to criminal prosecutions. Merchants that fail to comply with PCI DSS face significant financial penalties and, in the worst case, may jeopardize their ability to participate in future credit card transactions. Organizations and individuals who commit willful breaches of HIPAA may even face jail time for their negligence.

The bottom line is that information security compliance is not optional. Organizations subject to laws and regulations should invest the time and energy required to comply with those obligations.

This was last published in December 2015