What are the penalties for willful noncompliance - a.k.a. when enterprises decide regulatory compliance isn't worth...
the headache so they just don't do it? Does this happen often? Are there any positives to willful noncompliance, or do the cost in potential fines and reputation damage outweigh the cost of investing in information security compliance?
There's no doubt that compliance is a burden and that some of the activities required to demonstrate compliance with laws and regulations don't directly contribute to the security of an organization. That said, I don't know of many enterprises who have decided that they just won't do information security compliance. I do know that different organizations take different approaches to their security and compliance obligations. Some choose to play it by the book and completely document their compliance with every single provision of every regulation. Others take a much looser approach to information security compliance, seeking to generally operate within the spirit of various regulations.
My suspicion is that most organizations lie somewhere in the middle of this spectrum and do engage in a good faith effort to maintain compliant IT operations. Those that fail to comply face a variety of expensive penalties, ranging from civil fines to criminal prosecutions. Merchants that fail to comply with PCI DSS face significant financial penalties and, in the worst case, may jeopardize their ability to participate in future credit card transactions. Organizations and individuals who commit willful breaches of HIPAA may even face jail time for their negligence.
The bottom line is that information security compliance is not optional. Organizations subject to laws and regulations should invest the time and energy required to comply with those obligations.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Find out how tokenization affects PCI DSS compliance
Learn who should perform the HIPAA and HITECH compliance assessments at your organization
Find out how the new HHS Web portal affects HIPAA data breach reporting
Dig Deeper on Data privacy issues and compliance
Related Q&A from Mike Chapple
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading