It's hard for businesses to keep up with changing regulatory requirements, and as a leading IT consulting company we know that many of our clients struggle with priorities. But ignoring security basics that are outlined by these regulations is not a good idea, from many important perspectives.
In certain industry sectors, such as government, healthcare, education and finance, there are very stringent rules around the protection of sensitive data, along with industry specific regulations.
But be aware that it's not only specific industries that fall under compliance requirements for data security.
When it comes to the protection of sensitive customer data, ALL private and public companies need to comply.
The challenge is - comply with what? There is no single data protection law in the U.S.
In fact, there are hundreds of laws at both the federal and state level that are intended to protect the data of U.S. citizens.
It's no surprise that requests for regulatory compliance consulting are often at the top of the list when we are on-boarding new clients, from every type of industry.
Regulatory compliance is a very big deal and the cost of non-compliance can be huge, as we illustrate in the following story!
Why Regulatory Compliance Is Important
A local health care practice was on a high growth path, acquiring other private practices and integrating them into their environment.
As they continued to add organizations, people and computers, it was becoming clear to us that their risk was increasing when it came to IT security and data protection.
They were risking non-compliance with industry requirements, which in this case was HIPAA.
As part of a security audit, we recommended that basic data encryption software be installed across all laptops and workstations to protect the data on them from compromise in the event of theft or loss.
In this case, we recommended Microsoft BitLocker, which is included in Windows Enterprise, at a price point of about $60 per device for 300 devices.
Regulatory Docs Say "What" But Not "How"
However, with so many expenses coming in the door from recent acquisitions, the healthcare clinic had a hard time justifying this expense.
They didn't see how it would directly add to their bottom line.
Additionally, when they took a look at their specific industry requirements, nowhere did it specifically say that they needed to encrypt devices such as workstations and laptops.
Regulatory requirements such as HIPAA typically do not document exactly what you should or should not do from a technical perspective.
They simply outline the security requirements; how you implement them is up to you!
An Ounce of Prevention Is Worth A Pound Of Cure
Our recommendation was put on the back burner.
As luck would have it, just a few weeks later one of the staff left a laptop in the back of their car. They weren't gone long, but long enough for someone to do a smash and grab.
And because there was a possibility that there would be customer data on it, legally they had to report the incident to both the governing body and their entire customer base.
The costs mounted up from the PR campaign to legal fees, not to mention the huge fines from HIPAA violations. Harder to account for, but still an important consideration, is loss of business from patients who then chose to deal with a different provider.
The clinic did try to file an insurance claim to recoup these costs, but it was rejected. It was deemed that it was not "commercially reasonable" that they had neglected to implement data encryption on their workstations and laptops.
Regulatory Compliance Matters!
The moral of the story?
The roughly $18,000 investment in data encryption software that was deferred ended up costing the company hundreds of thousands of dollars.
And of course, we ended up installing the software anyway.
Horse. Barn. Door.
Consult with us BEFORE you run into trouble!