The risks and costs associated with disregarding regulations can be tremendously damaging.
Privacy regulations
California Senate Bill 1386
- Requirement: Protection of any confidential information about California residents. This includes driver’s license, Social Security, bank account and credit/debit card account numbers.
- Applies to: Every public or private organization conducting business with California residents.
- Penalty for noncompliance: Fines from potential class-action lawsuits are determined on a case-by-case basis.
The 2002 Sarbanes-Oxley Act
- Requirement: To ensure that the information each corporation makes available to current and potential shareholders provides a true and accurate picture of the financial state of the company.
- Applies to: All publicly traded corporations.
- Penalty for noncompliance: Fines by the Security Exchange Commission and imprisoned for up to 20 years.
FACTA (Fair Trade and Credit Transaction Act of 2003)
- Requirement: Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
- Applies to: Any person who maintains or otherwise possesses consumer information for a business purpose.
- Penalty for noncompliance: Civil liability in which an employee can recover actual damages from his/her employer for all damages incurred from identity theft.
Gramm-Leach-Biley Act
- Requirement: Protection of a customer or consumer’s personal financial data, including name, address, Social Security number, account numbers or nonpublic personal data.
- Applies to: Financial institutions, banks, investment companies, credit unions or any of their partners that collect and retain nonpublic personal data.
- Penalty for noncompliance: Regulatory fines can be levied. CEOs and board members can be held personally liable.
HIPAA, Health Insurance Portability and Accountability Act
- Requirement: Protection of a patient’s medical records and other personal healthcare information.
- Applies to: All companies that transmit healthcare information, including healthcare providers and healthcare benefit plans.
- Penalty for noncompliance: Fines of $250,000 can be levied; criminal prosecution can occur and can result in jail time of up to 10 years.
PCI, The Payment Card Industry Data Security Standard
- Requirement: To protect the privacy and confidentiality of the data specific to payment card information.
- Applies to: Any organization that accepts, acquires, transmits, processes, or stores data that contains payment card information.
- Penalty for noncompliance: Fines range from $5,000 to $500,000, which is levied by banks and credit card institutions. Banks may fine based on forensic research they must perform to remediate noncompliance. Credit card institutions may levy fines as a punishment for noncompliance and propose a timeline of increasing fines.
Environmental regulations
Risks associates with environmental protection and hazardous waste arise primarily from two regulations:
- RCRA (The Resource Conservation and Recovery Act): Regulates the use, transportation and disposal of hazardous wastes.
- CERCLA (The Comprehensive Environmental Recovery, Compensation and Liability Act): Assigns liability for the cleanup of hazardous materials disposed of improperly.