Non-compliance refers to the failure of an individual or an organization to comply with the applicable laws, regulations, or ethical standards that govern their industry or profession. It may lead to financial and non-financial penalties, reputational damage, and financial losses.
In the current era of digitization, organizations are required to comply with rapidly changing laws and regulations related to privacy and data security. The handling of data and information is one of the primary concerns, as these areas are exposed to increasing and emerging risks.
In this blog, we discuss some important audits and certifications that mitigate the risk arising from the technology infrastructure of the organization, as well as from any outsourcing service provider engaged by the organization.
- PCI-DSS Audit & Certification: Compliance is essential/mandatory for any organization storing, processing, or transmitting cardholder data.
- HIPAA Audit & Certification: Compliance is essential/mandatory for organizations in the health industry storing, processing, or transmitting PHI data, to ensure the privacy, confidentiality, and controlled access of patients' health data/records.
- GDPR Audit & Certification: A global standard for evaluating data privacy and security in a changing technology world, including the use of cloud.
These indicative audits and certifications give the organization comfort that it has mitigated some of the types of risk mentioned below.
Regulatory Risk: Impacts the organization financially and reputationally, and sometimes invites lawsuits. The risk is more prominent in today's world of increasing digitization, which has prompted increased control and surveillance over data and information security. For example, non-compliance with PCI-DSS can invite fines or penalties, or even the cancellation of a license, depending on the severity of the breach; these amounts can range from $5,000 to $100,000 per month, depending on the organization's size, transaction volume, and the seriousness of the breach.
Reputational Risk: Non-compliance can damage an organization's reputation, leading to devaluation of the brand, reduced profits, difficulty in securing investment, increased cost of capital, and the inability to recruit or retain talent. The impact of reputational damage can be long-lasting, and it can take years to rebuild a positive image, as 70% to 80% of market value comes from intangible assets such as brand equity, intellectual capital, and goodwill. A Forbes Insight report found that 46% of companies had suffered reputational damage after being involved in a data breach, and 19% of them suffered brand damage because of a third-party security breach.
Legal Risk: Arises from legal or criminal action for non-compliance with laws and regulations. Some common non-compliances relate to money laundering and data security/privacy. Violations that result in lawsuits can lead to fines, imprisonment, and the refunding of any money received through the theft, access, or disclosure of personal data/information.
Other Risks: Even after paying fines and penalties, businesses can be subjected to costly regulatory audits for years to come. Further costs include legal expenses to defend lawsuits brought by clients and affected parties, compensation to be paid to customers for compromised data, and the cost of card replacement. Security breaches resulting from non-compliance might lead to the loss of critical business data, an inability to deliver sustained earnings and future growth, loss of higher PE multiples and of the ability to raise capital at a lower cost, thereby impacting the overall performance or even the existence of the organization.
Some examples of organizations that have faced regulatory action under PCI-DSS, HIPAA, or GDPR over recent years include:
- 2023: Banner Health was fined $1,250,000 for a HIPAA Security Rule violation that impacted 2.81 million individuals.
- 2022: The Data Protection Commission (DPC) issued a fine of €405m to Meta Platforms Ireland Ltd. (Instagram), including a fine of €20m for the infringement of Article 6(1).
- 2022: Oklahoma State University – Center for Health Sciences was fined $875,000 for violating HIPAA norms (risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, and an unauthorized disclosure) involving 279,865 individuals.
- 2021: Amazon Europe was fined €746 million by Luxembourg's National Commission for Data Protection (CNPD) for using customer data for targeted advertising purposes.
- 2019: The ICO announced its intention to issue a fine of €204.6 million (£183.39 million) to British Airways for violation of GDPR (Article 32 and Article 5(1)(f)), for processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack in which hackers stole the personal data of more than 400,000 customers.
- 2019: Capital One Bank suffered one of the biggest data breaches, exposing the personal and payment information of more than 106 million customers, for which it was directed to pay $190 million in settlement, apart from a penalty of $80 million levied by the Office of the Comptroller of the Currency, Washington.
Some requirements/goals of data security standards like PCI-DSS, HIPAA, and GDPR are listed below:
PCI-DSS
- Build and maintain a secure network,
- Protect cardholder data,
- Maintain a vulnerability management program,
- Implement strong access control measures,
- Regularly monitor and test networks, and
- Maintain an information security policy.
HIPAA
- HIPAA Privacy rules
- HIPAA Data Security rules
- HIPAA Notification rules
GDPR
- Data collection, storage, transmission, analysis, and processing,
- Privacy and security of personal data, which can be any information that relates to a person, such as names, email addresses, IP addresses, eye colour, political affiliation, etc.,
- Building GDPR-related checks and balances on accessing data/information related to the EU, and
- Conducting regular information audits.
Conclusion
Cyber, information security, and information technology risks are emerging as the most prominent risks in today's drive for digitization by most organizations, prompting increased regulatory scrutiny and surveillance of the data and security measures, management, and governance of organizations and their service providers.
The consequences of non-compliance extend beyond the direct offender, making caution essential when dealing with third-party service providers and supply chain participants. Organizations need to constantly review the regulatory standards governing their business for adherence to compliance, by conducting compliance self-assessments and by engaging a specialized independent service provider to evaluate the status of the compliance framework and to strengthen systems and procedures.
QRC Support & Offerings
- "QRC Assist" addresses all compliance-related requirements across various jurisdictions, covering various regulatory bodies (viz. central banks and insurance regulatory authorities) under a single window.
- The QRC platform also provides a self-assessment tool for organizations to know their current level of compliance with various data-security-related compliance requirements.
- Detailed assessment/audit services and certifications for compliance requirements such as PCI-DSS, HIPAA, GDPR, and SOC/SSAE assessments, and security-related services like VA and PT, web application security testing, API security and configuration audits, ISO requirements, etc.