Cost of Compliance
Data compliance means following the data protection and data management regulations that apply to an organization in order to keep sensitive data safe. Sensitive data takes many forms, but the most heavily scrutinized is customer PII (personally identifiable information). To operate, a business needs access to its customers' PII, such as name, email address and physical mailing address, so that it can do business with them. Problems arise when a company fails to store, protect and manage that PII properly and ends up exposing it, unintentionally, to malicious parties.
That is where compliance comes in. Regimes such as PCI DSS, GDPR, HIPAA and CCPA (to name a few) all mandate controls for securing sensitive data. They differ in the industries they regulate and in how, and by whom, they are enforced from country to country, but their primary objective is the same: to protect the data of the citizens or clients of the businesses they cover.
Notably, although the safety and well-being of the client or citizen is the stated concern, regulators and card brands now collect hundreds of millions of dollars per year in penalties from businesses of every size and in every sector. The stakes are high enough that, by a widely cited estimate, upwards of 60% of small businesses close within six months of a significant data breach.
PCI DSS (the Payment Card Industry Data Security Standard) governs the storage, processing and transmission of branded payment card data. The standard is mandated by the major card brands and administered by the PCI Security Standards Council (PCI SSC); it adds oversight of, and controls over, how a merchant handles customers' card data in order to reduce the risk of card fraud.
The cost of meeting and maintaining PCI DSS compliance ranges from roughly $1,000 to $70,000 USD, depending on the merchant's size and transaction volume. These costs cover the Self-Assessment Questionnaire (SAQ), an external Qualified Security Assessor (QSA), a firm-specific Internal Security Assessor (ISA), internal audits, storage remediation and other associated work.
Fines for a PCI DSS compliance failure range from $5,000 to $100,000 USD per month and continue until the merchant is back in compliance; the card brands levy them on the merchant's acquiring bank, which passes them on to the merchant. After a failed PCI DSS audit, the merchant can expect up to five years of added scrutiny from the card brands to confirm it remains compliant.
The General Data Protection Regulation (GDPR) is the EU's data protection law. It applies to any organization that stores, processes or transmits the personal data of people in the EU, regardless of where the organization itself is based: a US company that does business with EU residents must comply, whether it handles the data directly as a controller, on a controller's behalf as a processor, or through an EU-based affiliate. GDPR also regulates how organizations delete personal data at the data subject's request. When a data subject asks an organization to erase their personal data (the "right to erasure"), the organization must do so without undue delay and within one month, or it is in breach of the regulation.
The cost of meeting and maintaining GDPR compliance ranges from $10,000 to $400,000 USD depending on the organization's size, with Fortune 500 companies spending up to $16 million. These costs cover a dedicated Data Protection Officer, records of processing activities (covering data storage and transmission), storage remediation, training and procedures, a gap assessment, voluntary data audits and ongoing compliance monitoring.
Fines for a GDPR compliance failure can reach €20 million (about $22 million USD) or 4% of annual global turnover, whichever is higher. Fines are assessed per infringement, and supervisory authorities can also order an organization to stop processing until it remediates the failure and is found to be compliant.
The California Consumer Privacy Act (CCPA) is a state statute that regulates organizations storing, managing and transmitting the personal information of California residents. Like GDPR, CCPA requires organizations to delete a resident's personal information on request. The statute also gives residents the right to know what personal information is collected about them and whether it is sold, to opt out of its sale, to access it, and not to be discriminated against for exercising those rights.
The cost of meeting and maintaining CCPA compliance ranges from $50,000 to $450,000 USD depending on the organization's size. These costs cover legal fees, storage and technology remediation, internal training and procedures, a gap assessment, voluntary data audits and ongoing compliance monitoring.
A CCPA compliance failure that results in a breach exposes the organization to statutory damages of $100 to $750 USD per consumer per incident under the statute's private right of action, in addition to any civil penalties the Attorney General imposes. Because damages scale per record, the numbers grow quickly: at the $750 maximum, exposing 10,000 records (for example, 1,000 records in each of ten incidents) could cost $7,500,000.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress and signed into law by President Bill Clinton in 1996. HIPAA set out to modernize the transmission, storage and retrieval of individually identifiable health information and to stipulate how that information, known as protected health information (PHI), is protected. Because health information is so sensitive, it is heavily targeted by attackers and subject to the highest level of compliance scrutiny; that is one reason the average cost of a healthcare breach runs to $6.45 million USD. HIPAA is also unusual in its consequences: although the act itself provides no private right of action, affected patients routinely bring class-action lawsuits under state law following HIPAA-related breaches, and in extreme cases individuals who knowingly violate HIPAA can face jail time.
The cost of meeting and maintaining HIPAA compliance ranges from $10,000 to $100,000 USD depending on the organization's size. These costs cover legal fees, an updated Notice of Privacy Practices, breach-notification tooling and remediation, HIPAA-specific IT systems and services, internal training and procedures, a gap assessment, voluntary data audits and ongoing compliance monitoring.
Fines for a HIPAA compliance failure can reach $50,000 USD per violation, with an annual cap of $1,500,000 for repeated violations of the same provision. Note that penalties are assessed per violation, not per exposed record, and the tier applied depends on the level of culpability, from unknowing violations up to willful neglect that is left uncorrected.