The Price for Non-Compliance

The homepage of the Catholic Archdiocese of Seattle is the last place one might expect to see the phrase “IRS TAX FRAUD SCAM” in a bright red box.  The conspicuous red box, which links to a legal notice in four languages and a letter straight from the Archbishop himself, is just one of many painful steps the Archdiocese has had to take in the week following the discovery of a data breach.  The breach exposed social security numbers and other sensitive personal information of some of the Archdiocese’s 90,000 employees and volunteers.

As the bright red notice demonstrates, the Archdiocese must now fulfil mandates from the scary side of legal compliance: what to do after sensitive data has already been compromised.  In some circumstances, the notice and reporting requirements, invasive legal investigations, fines, penalties, and sanctions have driven organizations into bankruptcy.

State and Federal agencies, like the IRS, are on the lookout for signs of data breaches such as the fraudulent tax returns that resulted from the Archdiocese breach.  However, organizations that control sensitive data like identity, financial, or health information are often subject to stringent requirements, like a duty to discover and report data breaches as early as possible.  Some of these requirements vary by state, but they generally involve massive fines that increase with the scale of the breach and any delays in discovering and reporting the breach.  The legal requirements also vary by industry.  For example, financial institutions subject to GLBA must provide their customers with notice every time their privacy policy changes, while schools subject to FERPA stand to lose all Federal funding if they divulge confidential student records to the wrong person.

The costly effects of a data breach do not end there.  Notification requirements can lead to negative media exposure and customer outrage.  Expenses, both voluntary and mandatory, often include legal fees, public relations costs, extra security, and programs aimed at restoring customer goodwill (like Target’s credit monitoring program).  If the Target breach is any example, blaming your organization’s contractors or service providers will do nothing to stem the tide of expenses after your sensitive data is compromised.

In data privacy compliance, an ounce of prevention is often worth a pound of cure.  If your organization deals with sensitive personal data, make sure you are aware of the compliance requirements for your industry and jurisdiction.  Having the right technological solutions in place to protect your data might just make the difference between profit and bankruptcy.

 By Harris Buller, J.D.

This article contains a general discussion and does not constitute legal advice.  If you encounter any of the issues discussed in this article, consult with an attorney.