5.4 Compliance Flashcards

1
Q

Compliance

A

* Compliance
  – Meeting the standards of laws, policies, and regulations
* A healthy catalog of rules
  – Across many aspects of business and life
  – Many are industry-specific or situational
* Penalties
  – Fines, loss of employment, incarceration
* Scope
  – Domestic and international requirements

2
Q

Compliance reporting

A

* Internal
  – Monitor and report on organizational compliance efforts
  – Large organizations have a Central Compliance Officer (CCO)
  – Also used to provide details to customers or potential investors
* External
  – Documentation required by external or industry regulators
  – May require annual or ongoing reporting
  – Missing or invalid reporting could result in fines and/or sanctions

3
Q

Regulatory compliance

A

* Sarbanes-Oxley Act (SOX)
  – The Public Company Accounting Reform and Investor Protection Act of 2002
* The Health Insurance Portability and Accountability Act (HIPAA)
  – Extensive healthcare standards for storage, use, and transmission of health care information
* The Gramm-Leach-Bliley Act of 1999 (GLBA)
  – Disclosure of privacy information from financial institutions

4
Q

HIPAA non-compliance fines and sanctions

A

* Fine of up to $50,000, or up to 1 year in prison, or both (Class 6 Felony)
* Under false pretenses: a fine of up to $100,000, or up to 5 years in prison, or both (Class 5 Felony)
* Intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm: a fine of up to $250,000, or up to 10 years in prison, or both (Class 4 Felony)
* Civil fines: a maximum of $100 for each violation, with the total amount not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year (Class 3 Felony)

5
Q

Reputational damage

A

* Getting hacked isn’t a great look
  – Organizations are often required to disclose
  – Stock prices drop, at least for the short term
* October 2016 - Uber breach
  – 25.6 million names, email addresses, mobile phone numbers
* Didn’t publicly announce it until November 2017
  – Allegedly paid the hackers $100,000 and had them sign an NDA
  – 2018 - Uber paid $148 million in fines
* Hackers pleaded guilty in October 2019
  – May 2023 - Uber’s former Chief Security Officer sentenced
  – Three years’ probation and a $50,000 fine

6
Q

Other consequences

A

* Loss of license
  – Significant economic sanction
  – Organization cannot sell products
  – Others cannot purchase from a sanctioned company
  – May be expensive to re-license
* Contractual impacts
  – Some business deals may require a minimum compliance level
  – Without compliance, the contract may be in breach
  – May be resolved with or without a court of law

7
Q

Compliance monitoring

A

* Compliance monitoring
  – Ensure compliance in day-to-day operations
* Due diligence/care
  – A duty to act honestly and in good faith
  – Investigate and verify
  – Due care tends to refer to internal activities
  – Due diligence is often associated with third-party activities
* Attestation and acknowledgment
  – Someone must “sign off” on formal compliance documentation
  – Ultimately responsible if the documentation is incorrect
* Internal and external
  – Monitor compliance with internal tools
  – Provide access or information to third-party participants
  – May require ongoing monitoring of third-party operations
* Automation
  – A must-have for large organizations
  – Can be quite different across vertical markets
  – Many third-party monitoring systems
  – Collect data from people and systems
  – Compile the data and report

8
Q

Privacy legal implications

A

* A constantly evolving set of guidelines
  – We’re all concerned about privacy
* Local/regional
  – State and local governments set privacy limits
  – Legal information, vehicle registration details, medical licensing
* National
  – Privacy laws for everyone in a country
  – HIPAA, online privacy for children under 13, etc.
* Global
  – Many countries are working together for privacy

9
Q

GDPR - General Data Protection Regulation

A

* European Union regulation
  – Data protection and privacy for individuals in the EU
  – Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer’s IP address, etc.
* Controls export of personal data
  – Users can decide where their data goes
  – Can request removal of data from search engines
* Gives “data subjects” control of their personal data
  – A right to be forgotten

10
Q

Data subject

A

* Any information relating to an identified or identifiable natural person
  – An individual with personal data
* This includes everyone
  – Name, ID number, address information, genetic makeup, physical characteristics, location data, etc.
  – You are the data subject
* Laws and regulations
  – Privacy is ideally defined from the perspective of the data subject

11
Q

Data responsibilities

A

* High-level data relationships
  – Organizational responsibilities, not always technical
* Data owner
  – Accountable for specific data, often a senior officer
  – VP of Sales owns the customer relationship data
  – Treasurer owns the financial information

12
Q

Data roles

A

* Data controller
  – Manages the purposes and means by which personal data is processed
* Data processor
  – Processes data on behalf of the data controller
  – Often a third party or a different group
* Payroll controller and processor
  – Payroll department (data controller) defines payroll amounts and timeframes
  – Payroll company (data processor) processes payroll and stores employee information

13
Q

Data inventory and retention

A

* What data does your organization store?
  – You should document your data inventory
* Data inventory
  – A listing of all managed data
  – Owner, update frequency, format of the data
* Internal use
  – Project collaboration, IT security, data quality checks
* External use
  – Select data to share publicly
  – Follow existing laws and regulations
