Top privacy issues for 2010: 6. Cost of failures - Ernst & Young - Global

Top privacy issues for 2010

Privacy risk 6: The cost of compliance failures

Crime and fraud related to personal information are on the rise.

In light of the identity theft, financial fraud and even medical identity theft scenarios being perpetrated, regulators are seeking and often receiving greater enforcement powers.

In the US, the HITECH Act has drastically changed the cost of compliance failures related to protected health information. The US Department of Health and Human Services (HHS) has shown a clear course for conducting more audits of companies after it was criticized in an inspector general report for not doing enough.

The HITECH Act also brought business associates under the HHS enforcement umbrella — a significant number of organizations, many of which were previously far from the HHS reach. Furthermore, the HITECH Act calls for the Federal Trade Commission (FTC) and state attorneys general to take an active role in enforcing health information privacy and security.

In other countries, regulators such as national data protection authorities and financial and telecommunications regulators have become more active with inquiries, audits and enforcement activities — sometimes in response to employee and customer complaints, other times as part of proactive initiatives.

Many have been seeking stronger enforcement powers and sanctions. For example, in the United Kingdom, the Information Commissioner has increased the level of vigilance for pursuing cases and has been granted authority to impose fines of up to US$800,000 for serious privacy breaches.

The year 2010 will bring about an increased number of regulatory audits and fines paid by organizations that do not implement privacy controls effectively.

The growing number of industries and jurisdictions subject to breach notification requirements is likely to drive much of that activity. Note that the HITECH Act requires organizations to report incidents directly to the HHS or the FTC, and some breach notification law models likewise make notification to the regulator a key requirement.

Ask yourself

With the expectation of more vigilant enforcement and higher fines for noncompliance, have you:

  • Reviewed your compliance with the regulations affecting your operations across different jurisdictions?
  • Updated your processes and controls to adequately meet your compliance requirements?
