Compliance is not a choice. Compliance is mandatory. Non-compliance attracts the penal provisions under different applicable acts.
The Sarbanes-Oxley Act was enacted in reaction to a number of corporate accounting scandals. Companies that are not compliant with the provisions of the act can expect to lose their exchange listing, lose their D&O insurance, or face heavy fines and imprisonment. Investors will have little or no confidence in non-compliant business entities. CEOs or CFOs who provide wrong certifications can be fined up to a million dollars for unwillful wrongdoing and up to 5 million for willful wrongdoing. They can be imprisoned for a period of ten years or twenty years, depending on the "mens rea" (guilty intent) proved.
The Health Insurance Portability and Accountability Act (HIPAA) is applicable to all health care service providers and their associates. Failure to comply with the provisions of the Act can attract a variety of penalties. Service providers can be penalized for failure to comply with the requirements and standards of the Act. The Secretary can impose a penalty of not more than $100 for each general violation of the act, and the total value of penalties imposed during a calendar year can reach $25,000.
Wrongful disclosure of individually identifiable health information can attract a penalty. If the violation is committed willfully, a penalty of up to $50,000 can be imposed, with imprisonment for one year, or both. If the offense is committed under false pretenses, a fine of $100,000 can be imposed, with imprisonment of up to 5 years, or both. If the information is disclosed for commercial advantage, a fine of $250,000 can be imposed, with imprisonment of up to 10 years, or both.
The Data Protection Act and the PCI-DSS establish penalties of up to $500,000 for security breaches by non-compliant merchants. The merchants will also face increased audit requirements, a campus-wide shutdown of credit card activity, the cost of printing and postage for customer notification mailings, the cost of staff time during security recovery, loss of business, and loss of customer confidence.
The Data Protection Act penalizes non-compliant data controllers. They must be registered under the Act in order to be eligible to process personal information, and failure to register can attract prosecution. If the data controller or their agents handle personal information in ways that have not been specified in their registration, they can be penalized under the criminal or civil sanctions of the Act.
Failure to comply can be expensive.