Wherever organizations are in the digital transformation process or security compliance scale, the cost of doing nothing can be devastating. If in a regulated industry, breach fees and fines are not only subject to the cost of data recovery and reputation repair, but also the cost of regulatory fines for lack of due diligence and protection of data. Personal information protection and data regulations exist in healthcare (HIPAA), financial (SEC), and firearms (CMMC, ITAR) to name a few sectors. Organizations with operations in the European Union are subject to GDPR for protection of identifiable data.
Examples of Regulatory Consequences and Fines
- HHS may assess civil penalties when it discovers a HIPAA violation. The penalty amount depends on the facts of the case:
- For violations where the covered entity does not know about the violation (and by exercising reasonable diligence, would not have known about the violation), the penalty amount is between $119 and $59,522 for each violation.
- If the violation is due to reasonable cause, the penalty amount is between $1,191 and $59,522 for each violation.
- For corrected violations that are caused by willful neglect, the penalty amount is between $11,904 and $59,522 for each violation.
- For violations caused by willful neglect that are not corrected, the penalty amount is $59,522 per violation, with an annual cap of $1,785,651 for all violations of an identical requirement.
- Specific case penalties and settlement amounts for 2020 can be referenced here: https://www.hipaajournal.com/2020-hipaa-violation-cases-and-penalties/
- In 2020, the SEC issued penalties resulting from judgments and orders totaling about $4.68 billion, an increase of 8% over 2019 that was fueled by major awards against companies including Telegram Group ($1.2 billion) and Wells Fargo ($500 million). 1
- Firearms manufacturers are subject to ITAR (International Traffic in Arms Regulations) compliance, where violators could be fined up to $1 million per violation. The Secretary of State could also choose to impose civil penalties up to $500,000. These civil penalties can be reduced if organizations take action to correct the violations. 2
- In April of 2018, the State Department fined FLIR Systems, Inc. $30 million in civil penalties for transferring USML data to dual-national employees. Part of the penalty requires that FLIR implement better compliance measures and hire an outside official to oversee its agreement with the State Department.
- In 2007, ITT was fined $100 million for illegally exporting night-vision technology. ITT thought it could work around the restrictions; the Government did not agree with its interpretation of the rules. 3
Businesses across all industries felt an adverse impact from COVID-19, which was by far the greatest external challenge in 2020. To cope with the pandemic, businesses had to reconsider many of their operating assumptions, including a remote workforce and new technology and automation investments.
LBMC’s Business Outlook Report noted that high-growth firms have recognized one of the key lessons from the global pandemic—IT and cybersecurity facilitate business. That is why high-growth firms are prioritizing both IT and cybersecurity investments. What is equally interesting is looking at no-growth firms: they are trying to emulate the high-growth firms by investing in IT but are missing the equally important investment in cybersecurity.
If your organization is looking to invest in technology in 2021, now is the time to get your digital transformation plan right. Strategic thinking now about where you may need to level up for enhanced efficiencies and a clear understanding of which technology tools to invest in will help you reach your growth goals. Let us know what you need to succeed this year.
Sources:
1 https://www.cfo.com/risk-compliance/2020/11/sec-fines-from-enforcement-hit-record-4-68b/
2 https://www.ftptoday.com/blog/itar-requirements-the-consequences-of-non-compliance