Compliance – CompTIA Security+ SY0-701 – 5.4

Many organizations must meet a specific standard of laws, policies, and regulations. In this video, you’ll learn about regulatory compliance, reputational damage, compliance monitoring, and more.


Compliance is the process of meeting a series of standards. These standards may be created by regulations or laws, or they might be an agreement that you make with a third party. There may be extensive amounts of compliance that are required by your organization, and many of these may be based upon your type of business or laws associated with your area of the country.

One of the most important considerations, though, when dealing with compliance is there are often penalties if you are not in compliance. These penalties could be fines. They could be loss of employment for yourself or others, and in worst cases, it may involve incarceration. There may be compliance based on the laws of your particular country, or this compliance may be international.

Many organizations will perform their own internal compliance checks. Often, this is associated with a Central Compliance Officer, or CCO. This is an individual responsible for making sure that the entire organization is complying with state, local, federal, and any other requirements. This is also the office that is responsible for informing others of the compliance status of the organization.

You might also have external compliance requirements, especially when working with a third party that has set requirements for your company. This may also require ongoing reporting, so you may have to create a compliance report every year or in an interval determined by the compliance itself. If the reporting is incorrect, or you miss one of those reporting periods, there could be penalties or sanctions associated with that mistake.

A good example of regulatory compliance would be the Sarbanes-Oxley Act, or SOX. This is formally known as the Public Company Accounting Reform and Investor Protection Act of 2002. If you’re in the health care field, you’re probably familiar with the compliance associated with HIPAA. This is the Health Insurance Portability and Accountability Act. This compliance ensures that everyone’s medical information in the United States remains private.

And another regulatory compliance would be the Gramm-Leach-Bliley Act of 1999, or GLBA. If you’re in the United States, you’ll occasionally get a note from your financial institution that describes their privacy information, and that is due to the Gramm-Leach-Bliley Act.

We mentioned earlier that there can be significant penalties for being out of compliance. A good example of this is the set of HIPAA noncompliance fines and sanctions. It’s important to understand what the results might be for not being in compliance. It could be a fine of up to $50,000 (US), up to one year in prison, or both, because that would be a Class 6 Felony.

If the violation is committed under false pretenses, the fine goes up to $100,000, up to five years in prison, or both, and that would be a Class 5 Felony. If there is an intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the fine goes up to $250,000 or up to 10 years in prison. For other civil fines, the maximum would be $100 for each violation, with the total amount not to exceed $25,000 for all violations of an identical requirement. This is a good example of why we spend so much time and money making sure that our organizations are in compliance with everything that’s expected of us.

There’s also reputational damage that might occur if you fall out of compliance. For example, many states have disclosure requirements if an organization is hacked or breached, and the reputational damage of disclosing that hack could cause the organization’s stock price to drop, at least in the short term. A good example of how reputational damage could harm a company started in October of 2016. The company Uber was breached, and 25.6 million names, email addresses, and phone numbers were exfiltrated from their systems. However, Uber didn’t announce this breach until November of 2017, over a year later, and in the meantime, they allegedly paid the hackers $100,000 to keep quiet under a non-disclosure agreement.

This caught up with the company in 2018, and Uber had to pay $148 million in fines. The hackers owned up to this and pled guilty in October of 2019. In May 2023, Uber’s former chief security officer was sentenced to three years’ probation and a $50,000 fine. The company would have been in compliance had it announced the breach when it happened, instead of trying to keep the breach quiet and hoping it would go away. This ultimately affected the company both financially and reputationally.

These aren’t the only things that could happen if you’re not in compliance. You could lose a particular license that is associated with that compliance. This could be a significant economic hit to the company, especially if that license is required to sell the company’s product. Other organizations may also be prohibited from purchasing from a company that has been sanctioned, and it might be very expensive to regain that license in the future.

Some compliance is done at a contractual level, where there is an agreement between two organizations to stay in compliance, and if a company doesn’t maintain that compliance, the contract is breached. Since this is between two private organizations, it is possible to resolve this out-of-compliance issue between the two organizations without any type of legal proceeding. You can see how being out of compliance might affect an organization negatively, and that’s why many organizations will have individuals who are specifically tasked with compliance monitoring.

You might often hear the terms “due diligence” and “due care” associated with compliance monitoring. These describe how the companies are acting in good faith and honestly about the terms of the compliance. Normally, the activities that you’re doing internally are referred to as due care, and any activities that you perform with a third party would be based on due diligence. It’s very common for the executive who’s in charge of this compliance process to be the one who signs off, stating that the compliance is indeed in good standing. We refer to this as “attestation” and “acknowledgment,” and ultimately, it’s the executive who is responsible for making sure that all of that information is provided in good faith.

As you can imagine, a large company with many types of products may have a significant number of compliance requirements, and that’s why it’s important to provide ongoing monitoring of the compliance. Normally, you would use internal tools in the organization to keep track of the status of all of the compliance tasks. This may be something that is completely internal, or you may have to interact with third parties to gather more information to determine if you’re truly in compliance. That’s why many organizations will find ways to automate this process as much as possible.

Compliance requirements differ a great deal between different types of companies, so this automation will also vary from one company to another. Fortunately, there is a large market of automated compliance monitoring systems that collect data from people, from third parties, and from other parts of the organization. A company can use these automated processes to collect as much compliance information as possible, compile reports, and make sure that it is always up to date with all of its compliance details.