Privacy Breach Fines: How Much Would Non-Compliance Cost Your Business?
Why would a non-profit healthcare services organization leave 71 cardboard boxes containing several thousand patient records unattended in a doctor’s driveway when the doctor wasn’t even home?
“Deficiencies in its HIPAA compliance program” is how the U.S. Department of Health and Human Services Office for Civil Rights (OCR) described the 2009 incident. Those deficiencies ended up costing the organization $800,000 in a settlement of potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Of course, HIPAA (and HITECH) aren't the only privacy laws that can result in privacy breach fines and other penalties.
A summary of privacy act legislation shows that the Fair and Accurate Credit Transactions Act (FACTA), which governs the rights of consumers to access their credit information, can result in privacy fines of up to $1,000 in damages plus punitive damages and costs of action.
Financial reporting companies that do not comply with the Sarbanes-Oxley Act (SOX) risk multi-million dollar fines and imprisonment.
Violators of the Gramm-Leach-Bliley Act (GLBA), which protects consumers’ financial privacy, can receive individual fines of up to $1,000,000 and imprisonment.
The Economic Espionage Act (EEA) protects ‘trade secrets’, and organizations that don’t comply can face fines of $5 million to $10 million, while individuals can be fined from $250,000 to $5 million and imprisoned.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) protects personal information during all commercial activities, and there is no limit on monetary damages.
Despite all of the hefty fines, Shred-it's U.S. Privacy Legislation infographic says that 95% of large organizations and 76% of small businesses are only somewhat aware of their legal obligations.
Furthermore, our Fourth Annual Security Tracker showed that one in five C-suite executives has never performed a security audit, down 13% from 2013. Almost half of the small business owners surveyed do not conduct regular audits of their security protocols, while three in 10 have never performed an audit at all.
The following best practices support compliance – and help companies avoid privacy breach fines.
- Implement privacy policies and procedures, and create a culture of security in the company from the top down.
- Appoint a designated privacy officer who has a comprehensive understanding of the company’s legal obligations and internal privacy policies.
- Provide on-going employee training, and make security an integral part of office procedures. For example, implement a Clean Desk policy.
- Make the most of compliance spending by identifying areas in the business that need to be addressed. “The better you understand the risks your organization is facing, the better you can target and allocate your resources,” said an industry expert in this article.
- Partner with a reliable shredding company for secure information destruction. Whether confidential information is collected and stored in digital or paper formats or both, it must be securely destroyed when it is no longer needed. A reliable document destruction company provides locked consoles for the workplace, on-site or off-site shredding, and a certificate of destruction after every shred.
What is the level of document security in your workplace? Fill out this information security risk assessment to find out.