The risks and costs associated with disregarding regulations can be tremendously damaging.

Privacy regulations

California Senate Bill 1386

  • Requirement: Protection of any confidential information about California residents. This includes driver’s license, Social Security, bank account and credit/debit card account numbers.
  • Applies to: Every public or private organization conducting business with California residents.
  • Penalty for noncompliance: Fines from potential class-action lawsuits are determined on a case-by-case basis.

The 2002 Sarbanes-Oxley Act

  • Requirement: To ensure that the information each corporation makes available to current and potential shareholders provides a true and accurate picture of the financial state of the company.
  • Applies to: All publicly traded corporations.
  • Penalty for noncompliance: Fines by the Securities and Exchange Commission and imprisonment for up to 20 years.

FACTA (Fair Trade and Credit Transaction Act of 2003)

  • Requirement: Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
  • Applies to: Any person who maintains or otherwise possesses consumer information for a business purpose.
  • Penalty for noncompliance: Civil liability in which an employee can recover actual damages from his/her employer for all damages incurred from identity theft.

Gramm-Leach-Bliley Act

  • Requirement: Protection of a customer or consumer’s personal financial data, including name, address, Social Security number, account numbers or nonpublic personal data.
  • Applies to: Financial institutions, banks, investment companies, credit unions or any of their partners that collect and retain nonpublic personal data.
  • Penalty for noncompliance: Regulatory fines can be levied. CEOs and board members can be held personally liable.

HIPAA, Health Insurance Portability and Accountability Act

  • Requirement: Protection of a patient’s medical records and other personal healthcare information.
  • Applies to: All companies that transmit healthcare information, including healthcare providers and healthcare benefit plans.
  • Penalty for noncompliance: Fines of $250,000 can be levied; criminal prosecution can occur and can result in jail time of up to 10 years.

PCI, The Payment Card Industry Data Security Standard

  • Requirement: To protect the privacy and confidentiality of the data specific to payment card information.
  • Applies to: Any organization that accepts, acquires, transmits, processes, or stores data that contains payment card information.
  • Penalty for noncompliance: Fines range from $5,000 to $500,000 and are levied by banks and credit card institutions. Banks may fine based on the forensic research they must perform to remediate noncompliance. Credit card institutions may levy fines as a punishment for noncompliance and propose a timeline of increasing fines.

Environmental regulations

Risks associated with environmental protection and hazardous waste arise primarily from two regulations:

  • RCRA (The Resource Conservation and Recovery Act): Regulates the use, transportation and disposal of hazardous wastes.
  • CERCLA (The Comprehensive Environmental Recovery, Compensation and Liability Act): Assigns liability for the cleanup of hazardous materials disposed of improperly.