Not complying with data privacy laws can jeopardize an organization’s cybersecurity,
finances, reputation, and more
This article was originally published on the Delphix website here December 1, 2022.
On Dec. 9, 2022, an important data privacy compliance deadline will pass for organizations that process U.S. consumers’ financial data. Under the Gramm-Leach-Bliley Act (GLBA)’s updated Safeguards Rule, organizations have until that day to comply with a series of data security practices that the landmark U.S. financial data privacy law has mandated, which include:
Releasing periodic reports to boards of directors and governing bodies
Instituting secure software development practices
Identifying and managing data based on risk
Implementing and reviewing data access controls
Encrypting data both in transit and at rest
Establishing secure procedures for disposing data
The GLBA is just one of many regulations across the globe with substantial privacy protections— a group that includes the European Union’s General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law (LGPD), and the United States’ Health Insurance Portability and Accountability Act (HIPAA). These laws mandate that organizations within their jurisdiction employ effective data privacy practices to protect personally identifiable information (PII), or what the Safeguards Rule calls nonpublic personal information (NPI).
The stakes for data privacy compliance are high, as non-compliance can result in devastating consequences. Organizations can expect to face four major risks for non-compliance with data privacy laws: inadequate cybersecurity, expensive fines, high individual penalties, and reputational damage.
The Compliance (Cyber)Security Blanket
Compliance and data security go hand-in-hand— if an organization’s systems don’t comply with data privacy standards, there’s a good chance that its data security could be lacking. After all, a major component of data privacy on your compliance is ensuring that consumers’ data is safe from the hands of bad actors who could use the data nefariously.
For instance, the GLBA requires financial institutions to, “protect against any reasonably anticipated threats or hazards” as well as “unauthorized access to, or use of,” customers’ data. The Federal Financial Institutions Examination Council, which audits financial institutions, dictates that these institutions should use strong encryption and key management practices. These practices, of course, improve compliance and security alike. So, even if your organization doesn’t get slapped with a data privacy lawsuit, non-compliance with data privacy regulations reflects poor data controls, a significant liability for your organization.
Non-Compliance Fines Aren’t Fine
If your organization violates a data privacy law, a punitive fine is almost guaranteed. The severity of fines cover a wide spectrum. For instance, every GLBA violation carries a fine of up to $100,000, while LGPD infractions carry a financial penalty of up to 2 percent of the sanctioned organization’s gross revenue, with a maximum fine of 50 million Brazilian Reals (about $9.7 million).
GDPR fines are even more grave— every GDPR violation can cost up to 4 percent of a company’s annual global revenues or €20 million (about $22 million)— whichever is highest. So far, Amazon Europe Core S.a.r.l. incurred the largest-ever GDPR fine when the Luxembourg National Commission for Data Protection levied a whopping $746 million fine on the technology giant for infringements related to Amazon’s advertising targeting system. Even moderate GDPR fines can exceed $10 million.
The Big House Awaits
When a data privacy law is broken, the organization may not be the only party held liable (if at all). While it varies case-by-case, employees within an infringing organization are sometimes penalized, as well.
These penalties can include individual fines and jail time— and like fines, they encompass a wide spectrum of severity. For instance, one individual who violated the U.K.’s Data Protection Act (DPA) in 2018 by stealing and selling customer records to rogue organizations incurred a 6-month prison sentence. Individual penalties under GLBA, meanwhile, are much higher—each violation of the Act can result in fines of up to $10,000 for directors and officers, license revocations, and up to five years of imprisonment.
The new Safeguards Rule requires covered entities to report annually to their boards of directors, effectively putting the protection of PII/NPI directly onto board agendas. So, while prison sentences for GLBA non-compliance are rare, accountable organizations’ board members in particular should be concerned with upholding the interests of their stakeholders via compliance.
Your Reputation Precedes You
The penalties and gravity of a cybersecurity breach that a noncompliant organization experiences can, of course, be measured. Less quantifiable though, is the reputational harm that a non-compliance lawsuit can inflict on organizations. Today’s omnipresent digital media presence ensures that word travels far and fast when organizations break the law— and as Warren Buffett famously said, “it takes 20 years to build a reputation and five minutes to ruin it.”
Reputational damage that an organization suffers as a result of any kind of lawsuit can manifest in two ways, as one business and commercial law firm notes. On the one hand, a lawsuit can hurt the organization’s reputation with the public— yet on the other hand, it can also dissuade companies from doing business with the defendant organization. A data privacy lawsuit naturally implies that an organization is either inept or apathetic in handling consumers’ data, so it could easily inflict both kinds of reputational damage.
Alliance With Compliance
The updated GLBA Safeguards Rule confirms two truths for accountable organizations. First, data privacy is a constantly evolving practice. And second, organizations cannot rest on their laurels when bringing their practices into compliance with these laws due to their evolving nature.
Carrying out the necessary due diligence to ensure compliance with updated regulations is far less severe than risking penalties for noncompliance. The December 9 deadline is fast approaching. Delphix helps many banks and other covered organizations ensure compliance with a variety of data privacy-related regulations, including the GLBA Safeguards Rule, while also bolstering data security.
Learn more about the new GLBA Safeguards Rule and how Delphix can help your organization achieve GLBA compliance.