What If an Organization Does Not Comply with Compliance Laws?

Of course you wouldn’t break a law, right? But asking what would happen if your organization doesn’t comply with compliance laws is a fair question. Let’s look at an example of an individual compliance issue to understand why.

It is a law to come to a complete stop at a stop sign, yet many people ignore it. This scenario is a form of risk management. Many people consider it an acceptable risk to approach slowly and, if there is no traffic, continue without coming to a complete stop. The threat of another car exists, yet many people feel safe enough with the slow approach and rolling stop. There is always the threat of a police officer pulling you over and issuing a ticket. Yet how often is this enforced? If it were, what is the punishment? Given the likelihood of being pulled over by law enforcement, combined with what is likely a bearable fine, many people decide the risk is low and the benefit of noncompliance outweighs the risk.

Organizations have spent and continue to spend large sums of money to achieve and maintain regulatory and industry compliance. This is especially true as regulations have placed greater accountability on individuals within an organization. Noncompliance can result in huge fines as well as jail time. Some regulations are subject to strict liability. Strict liability means even if there wasn’t intent, government agencies can levy huge fines on organizations and some individuals can spend years in prison. Even greater punishments are in store where intent can be proven!

In addition to the financial and reputational consequences of noncompliance, organizations can also experience operational consequences. This can happen, for example, in the case of compliance standards imposed by the payment card industry. Potential consequences include payment card–imposed operational restrictions and even loss of card-processing privileges.

The Payment Card Industry Data Security Standard (PCI DSS) is an industry-created standard that applies to organizations that process credit cards. Companies that meet a specific threshold for large volumes of credit card transactions are required to achieve compliance.

Regulators are typically charged with performing their own audits of an organization to ensure compliance with applicable laws. It is not surprising that regulators may perform such an exam following the publicity of a major data breach. This may seem unfair: a company has just gone through a major information security breach, and then a regulator performs an exam. But consider the regulator’s intent. Regulators need to understand the type and nature of a breach so that other organizations can benefit. New laws or regulations may be needed to keep pace with hacker innovations. Additionally, companies that have been hacked may not be fully transparent about the incident. Consequently, a regulator may be seen as “getting to the truth” to restore public confidence.

Regardless of the regulator's motivation, when violations of laws and industry norms are found the penalties can be significant. Consider the article published on March 5, 2021, entitled “The biggest data breach fines, penalties, and settlements so far” (Swinhoe 2022). The article included $1.3 billion in regulator fines. The article identified some of the biggest companies in the United States, including the top five fines, as follows:

  • Equifax: Fined (at least) $575 million

    • The result of a 2017 breach of the personal and financial information of nearly 150 million people due to unpatched databases.

  • Home Depot: Fined ~$200 million

    • The result of a 2014 breach of 50 million customers’ credit card and personal information from its payment system.

  • Uber: Fined $148 million

    • The result of a 2016 breach of 57 million user accounts in its web app and failure to report it. In fact, the company reportedly paid the hacker $100,000 to keep the breach under wraps.

  • Yahoo: Fined $85 million

    • The result of a 2013 breach of 3 billion accounts. Additionally, Yahoo settled a class-action lawsuit from its customers for $50 million.

  • Capital One: Fined $80 million

    • The result of a 2019 breach affecting 100 million customers in the United States and 6 million in Canada through a configuration vulnerability in a web application firewall.

The complete list of companies fined is too large to enumerate and includes many household names such as Morgan Stanley (fined $60 million in 2020), British Airways (fined $26.2 million related to a 2018 breach), Marriott International (fined $23.7 million in 2020), Target (fined $18.5 million in 2017), Ticketmaster (fined $10 million in 2021), and Google (fined $7.5 million in 2020).

While many of these companies have deep pockets, many small companies do not. A recent study suggests that 60% of small businesses fold within 6 months of a cyberbreach (Galvin 2018). Small businesses may lack the expertise to protect their IT infrastructure or the resources to survive the aftermath.
