Compliance: No longer just policy guidelines for organizations
![Scales of justice on a circuit board, representing digital law and cyber justice.](https://image-optimizer.cyberriskalliance.com/unsafe/1920x0/https://files.cyberriskalliance.com/wp-content/uploads/2025/01/012825_digital_law_cyber_justice.jpg)
(Adobe Stock)
Compliance is no longer a theoretical or strategic area of coverage, but rather a clear-and-present threat for businesses.

Shifts in government policy and law enforcement have made compliance standards and regulations into existential threats instead of policy guidelines.

Several landmark pieces of legislation and cases in the U.S. alone have signaled to organizations that becoming compliant with data security standards is no longer a way to placate the boardroom, but rather a means of providing cover in the case of a data breach incident. For starters, there is the 2024 enforcement of the SEC’s disclosure regulations for data disclosure incidents.

The rules are designed to serve as a deterrent to companies that would seek to suppress or deny the occurrence of an incident in which a company lost sensitive data to an attacker. Such suppression would potentially result in long-term damage to the company’s bottom line and a loss to shareholders who were left in the dark about the network infiltration.

Under the new rules, companies are required to investigate reports of data breaches and preserve records. They are also required to promptly report those incidents to the SEC and make the public aware that customer data may have been accessed by a threat actor.

While the law was enacted in the early weeks of 2024, enforcement of the regulations did not begin until the last weeks of the year. Organizations were given something of a grace period, as data breaches were not prosecuted and penalized in full until the later months of the year.

At this point, however, companies are set to face the full brunt of the wrath of regulators, as the U.S. sets up to call out organizations that are playing fast and loose when it comes to data security compliance.

The result is increasingly severe penalties and settlement agreements that will bring significant consequences for companies that do not maintain sufficient security policies and protections for their networks and their customer databases.

One such example is the case of URL registrar and site hosting cloud specialist GoDaddy.

The company fell victim to a series of data breaches that resulted in the loss of millions of personal details from customers of the hosting firm. It was later found that GoDaddy had long been neglecting some basic security protections regarding customer data.

As a result, the company was bound to a series of legal requirements, including the implementation of a comprehensive security logging and reporting system. To enforce this, a third-party recorder will also be brought in to oversee matters.

In addition to the federal government, states are taking compliance matters into their own hands. New York has been among the leaders in the movement, in no small part because of its position in the global financial market.

Law enforcement officials in New York have brought the hammer down on insurance providers Geico and Travelers Insurance for their failures to properly secure customer data and report a data breach.

The result was a fine of $11.3 million and a series of strict compliance requirements that will carry a significant penalty should the companies not meet requirements.

The Empire State was not done there. In January, state authorities similarly fined PayPal to the tune of $2 million for its own failings in data security and reporting. While the cash amounts are little more than pocket change for the corporations charged, the message sent is loud and clear: secure your customer data or face significant consequences.

Other compliance laws are a bit more vague and controversial. In the state of Texas, a controversial law on adult content and age verification threatens to upend the way companies handle and serve their data, particularly in the media space.

Though they are single states, the population density of Texas, New York and other states with large populations makes local legislation a national concern for organizations when it comes to compliance, and many will have to implement state laws into their long-term compliance plans.

The state of compliance is in a turmoil rarely seen, as the Trump administration is being paired with increasingly strict state laws and a newfound emphasis on prosecuting violators.

Executives and boards will need to grasp the importance of compliance and make it a priority both for security and organizational policy going forward.