If your business stores credit card information (PCI), works with sensitive health care documents (HIPAA), or works with personal financial information (GLBA), you have business compliance regulations to abide by. These can be tricky to navigate, especially when you’re running a small-to-medium business while wearing multiple hats. Even more complicated – compliance isn’t simply a “one and done” deal. You have to regularly ensure you’re up to standards.
If you’re trying to do this all on your own, we recommend reaching out to a third-party provider, like your IT team, for help.
Why Is Compliance So Complicated
Rules around each regulatory compliance entity differ vastly. Some have clear guidelines for what a violation looks like and the penalty. Others take a more “loosey goosey” approach, which means a lot of reading between the lines and crossing your fingers. Not exactly the place you want to be with your livelihood. Because of these “guidelines/rules,” it’s incredibly easy to not know when you’re not compliant. This introduces a higher possibility for large fines, litigation, and even loss of business.
Many of these regulatory rules have clauses involving cybersecurity, which further complicates the matter. If you’re not compliant, you’re also likely at higher risk for a data breach, and that’s the last thing any business needs.
Repercussions for Regulatory Compliance Failure
Whether you fall under HIPAA, PCI, GBLA, or another form of compliance, failure to meet the requirements can result in hefty fines.
When you’re non-compliant for HIPAA, financial ramifications can range from up to 100k per year to 1.5 million per year. More troubling is that you and your business can be charged for violations, resulting in both criminal and civil penalties.
Example: Failing to perform an organization-wide risk analysis that measures the potential for protected health information (PHI) to be vulnerable to exposure.
Fines for failing to meet PCI regulations range from 5k to 10k, with the possibility of lawsuits and damage to your business reputation.
Example: Failing to implement access control protocols and changing default settings. These are just two examples. A full list can be found here.
Grahm-Leech-Blighly Act penalties are two-fold: the organization faces up to 100k and officers/directors can be charged up to 10k each, in addition to lawsuits and damaged business reputation.
Example: Failing to provide consumers with prior notice of information-sharing policies or failing to allow for an opt-out of private information sharing with non-affiliated entities.
The financial damage is immense, but it doesn’t begin to scratch the surface in regards to the cost of downtime your business faces if non-compliant. So how can you determine where you fall before it’s too late?
How to Determine Your Regulatory Compliance Risk
First, you need to know where your gaps are, how many you have, and how to fix them. There are a few different types of cybersecurity tests, but we highly recommend a Vulnerability Scan. You can learn about the three different ways to test your cybersecurity here.
Once you’ve determined where you have holes (nearly every business does), your IT provider or your Vulnerability Scan team can close those gaps.
Once you’ve scanned and repaired, it doesn’t stop there. You need to keep a wary, watchful eye on your data. Hackers target businesses of all sizes and revenues. We recommend talking to your provider about setting up a schedule to be tested.
Who Should I Use for Compliance Monitoring?
- See if your current provider offers these services. If not, give us a call.
- If you’re on the hunt for a new provider, look for a fully managed service that can proactively monitor your network and see if they also do vulnerability scans.
Not sure where you fall on the regulatory compliance responsibilities list? Take our questionnaire to find out.