Information Technology and Ethics/Why compliance management?
Compliance Management
Compliance management is the process by which a company makes sure it is following the regulations that apply to its industry, that is, the set of rules and standards intended to keep data properly protected. It matters because companies today hold large pools of data, which obliges them to follow specific regulations; companies therefore spend heavily on lawyers and similar resources to make sure they are compliant. Some common regulations are CCPA, FERPA and CMMC. If the regulations that apply to a company's sector are not followed, it may be subject to large fines, such as:[1]
- The penalty for non-compliance with HIPAA can range from $100 to $50,000 per individual violation.
- The penalty for non-compliance with the PCI DSS ranges from $5,000 to $10,000 per month until compliance is achieved.
- The GDPR has a maximum violation of €20 million or 4% of the annual turnover, whichever is higher.
And if the company still does not follow, the compliance fines tend to multiply.
The types of data subject to cybersecurity compliance include:[2]
- PII data: date of birth, first/last name, address, Social Security number, mother's maiden name, etc.
- Financial information: credit card numbers, expiration dates, CVVs, bank account details, PINs, credit history, account summaries, etc.
- PHI data: medical history, insurance records, appointment history, prescription records, hospital admission records, etc.
Other types of information include race, religion, marital status, biometric data, email address, username, passwords, etc.
It is important to have a capable compliance team to save the company from data breaches, protect its reputation, avoid fines, maintain customer trust, etc. According to the compliance management lifecycle, the following are the pillars of compliance:[2]
- Attack surface monitoring: Looking for vulnerabilities in the system, or bugs that might open back doors.
- Risk prioritization: Once the vulnerabilities are known, they should be prioritized on the basis of the impact they might have on the data.
- Remediate risk: Once prioritization is complete, immediate steps should be taken to fix the issue or minimize its effect.
- Report compliance efforts: Documenting the efforts taken to minimize or fix the issue, in order to keep senior management and auditors in the loop.
Examples:
In 2012, the database of Anchorage Community Mental Health Services (ACMHS) was attacked, leaking the protected health information (PHI) of 2,743 individuals. The breach happened because ACMHS had failed to apply required security updates and patches, leaving its systems vulnerable to attack. An investigation by the U.S. Department of Health and Human Services (HHS) found that ACMHS had neglected to implement sufficient security measures and perform regular updates, violating the HIPAA Security Rule.
ACMHS received a $150,000 fine and had to adopt a plan to fix the problem. As part of this plan, a full risk analysis and the creation of a risk management strategy were carried out to prevent future leaks. The incident shows how important strict security practices such as patching are, and the serious consequences of not following HIPAA rules.
Cybersecurity Compliance vs. Cybersecurity Compliance Management
Cybersecurity compliance is often seen as an organization simply having to "follow rules" or be "up to standard", but it goes a lot deeper than that. Cybersecurity compliance refers to the standards, regulations and requirements created to protect important data and the systems that hold it. It consists of the specific steps organizations must take to meet industry standards and the applicable legal frameworks. In order to be cybersecurity compliant, organizations have to be:[3]
- Following specific technical requirements (like encryption standards)
- Implementing required security controls
- Meeting data protection standards
- Documenting security practices
- Passing audits and assessments
How does Cybersecurity Compliance Differ from Cybersecurity Compliance Management?
Cybersecurity compliance management is the process that makes sure an organization meets all of the cybersecurity compliance requirements that apply to it. The steps an organization may need to take include:[4]
- Identifying applicable regulations and requirements
- Developing and implementing policies and procedures
- Conducting regular risk assessments
- Monitoring systems for compliance issues
- Training employees on compliance requirements
- Responding to compliance violations
- Reporting to regulatory bodies
- Continuously improving compliance processes
Overall, the two concepts overlap a lot and build off one another. The main difference between the two concepts is that compliance is the goal or state but compliance management is the structured approach and the process that is taken to be compliant and to achieve the goal.
Different Types of Compliance Include
NIST
- Overview
The NIST Cybersecurity Framework (NIST CSF) was introduced in February 2014 by the National Institute of Standards and Technology (NIST) and considered one of the most widely adopted cybersecurity frameworks. NIST was originally founded by the U.S. Congress in 1901 to support the U.S. industrial competitiveness, but as of 2024 it has become a part of the U.S. Department of Commerce.[5]
The framework was established to guide organizations on how to safely access, manage, and store their data to prevent potential security risks. It helps organizations identify vulnerabilities, prioritize risk mitigation, and ensure regular monitoring practices. The framework is flexible, can be customized to an organization's needs, and applies to both critical and non-critical infrastructure; NIST CSF is adopted across multiple sectors, including healthcare, energy, finance, federal agencies, and private firms.
- Purpose
The NIST Cybersecurity Framework aims to provide organizations with a list of standards and requirements to effectively address cybersecurity challenges. It allows them to evaluate their security protocols, identify areas for improvement, and develop risk management plans. As stated by NIST Director Laurie E. Locascio "CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve."[6]
- Core Functions
The NIST CSF is organized around five core functions:
- Identify: identify assets, the environment and data in order to understand the organizational system before implementing any security measures.
- Protect: protect organizational resources by enforcing activities such as access control and controls on remote maintenance.
- Detect: detect unusual network and physical behavior, for example through regular vulnerability scans.
- Respond: respond effectively to incidents, including forensic analysis.
- Recover: restore systems and assets affected by cybersecurity incidents.
GDPR
The General Data Protection Regulation (GDPR) is a comprehensive privacy and security law. It was drafted by the European Union and took effect on May 25, 2018. It aims to protect the data of EU citizens by imposing obligations on organizations anywhere in the world that collect the data of EU citizens; violating the GDPR can lead to fines of up to 20 million euros. The regulation governs data protection and aims to enhance data privacy as well as strengthen data security, relying on principles such as confidentiality, accountability, and lawfulness.[7] GDPR applies to businesses that handle the personal data of EU citizens, and it requires a range of measures. The first is performing Data Protection Impact Assessments (DPIAs). The next is designating Data Protection Officers (DPOs) to monitor compliance; organizational and technical precautions are integrated with the DPO's oversight to guarantee the security and privacy of personal data. Obtaining the explicit consent of individuals before gathering and processing their personal data is one of the key principles of the GDPR, so organizations must acquire consent before any data processing. Any company that operates within the EU or EEA, and any business that processes the personal data of individuals within the EU or tracks the behavior of an individual within the EU, is bound by the GDPR. Organizations must also offer comprehensive privacy notices and accommodate individuals exercising their personal data rights, including the right to access, modify, or delete their data. Penalties for non-compliance with the GDPR may include fines of as much as €20 million or 4% of international annual turnover, whichever is larger.[8]
According to The New York Times, Google was fined 50 million euros for not properly disclosing to users how data is collected across its services, including Google Search, Maps and YouTube. This penalty is considered one of the largest under the EU privacy law, the GDPR. The following GDPR compliance checklist must be followed by every US company dealing with European citizens' data:
- Conduct an information audit for EU personal data.
- Inform customers of the reason their data is being processed.
- Assess data processing activities and improve the protection applied to them.
- Data controllers should make sure that they have a data processing agreement with their vendors.
- A designated data protection officer should be appointed, especially by larger organizations.
- Non-EU organizations are required to appoint a representative based in one of the EU member states.
- Know the duties that apply in the event of a data breach.
- Comply with cross-border transfer laws.
Top GDPR fines to date:
- Meta
Meta was fined a total of 405 million euros for violating children's privacy through the publication of their email addresses and phone numbers.
- Clearview AI Inc.
A fine of 20 million euros was imposed on this American AI company for collecting selfies and using them to expand its database of approximately 10 billion faces. The company then sold its identity verification services to various industries, including law enforcement.
- Google
Google was fined 10 million euros by the AEPD, Spain's data protection agency, after the search engine giant was found to be passing the personal data of EU citizens who were requesting erasure of their data to the Lumen Project. The AEPD also found that the content removal form Google provided to data subjects for exercising their right to be forgotten was confusing.
- Rewe
Rewe, a supermarket chain, was fined 8 million euros for breaching the GDPR in 2022.
COPPA
COPPA is an acronym for the Children’s Online Privacy and Protection Act. It was enacted in 1998. This act focuses on protecting the personal information of children who are 12 years old and younger. The personal information in question includes, but is not limited to, the child's name, the address of the home the child lives in, images of the child, phone number, and more. COPPA protects this information in several ways. One is by requiring a parent or guardian to consent to the collection of information about their children, so that parents and guardians are aware of what a company is collecting regarding their child. It is worth mentioning that teachers and schools can substitute for the parent’s or guardian’s consent if, “the tool is used for an educational purpose.”[9] Another way is by requiring companies to, “have a ‘clear and comprehensive’ privacy policy.”[9] By having, “‘a clear comprehensive’ privacy policy,”[9] parents and guardians of the child will have a strong understanding not only of what information the company is collecting but also of how it could affect them. Additionally, COPPA requires all companies that collect personal information about a child to keep it confidential and secure. Like any personal information, it can be used to identify someone and be misused for malicious purposes; keeping a child’s information confidential and secure ensures that a threat actor does not gain access to it, thus protecting the child from unauthorized third parties.
Recent COPPA Violations
- Microsoft
- One company that recently violated COPPA is Microsoft, in a case between the United States government and Microsoft. Microsoft violated the act by using its Xbox gaming system to collect, “personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents’ consent, and by illegally retaining children’s personal information.”[10] The case was closed with a settlement between Microsoft and the Federal Trade Commission (FTC) under which Microsoft paid twenty million USD to the FTC.
- Epic Games
- Another company that recently violated COPPA is Epic Games, which was found guilty of violating COPPA in 2022. This violation concerned one of Epic Games' products, Fortnite, a free-to-play video game with various in-game purchases, such as cosmetic items and in-game currency, that a user can buy with money. The FTC stated that Epic was in violation of COPPA for several reasons. The first was that it failed, “to notify parents, [in order to] obtain, [the parents’] consent.”[11] Because Epic Games did not obtain parental consent at the time, it was able to collect children's information, and when a parent wanted to request that the collected information be deleted from Epic’s systems, they had, “to jump through unreasonable hoops, and sometimes failed to honor such requests.”[11] Another violation the FTC cited was that Epic Games had default settings that could harm children, in reference to, “text and voice communications for users.”[11] Epic had these settings enabled by default, so users who did not change them were forced to communicate with strangers they played with online, exposing kids to consequences such as threats and harassment from strangers. On top of this, the FTC also stated that Epic Games, “used dark patterns to trick users into making unwanted purchases,”[11] and allowed kids to make unauthorized purchases without parental consent. These dark patterns refer to the various methods Epic Games used to lead anyone into making an unintentional in-game purchase. Additionally, anyone, “who disputed wrongful charges with their credit card companies,”[12] would lose access not only to the purchased content but also to any authorized purchases and their account.
This case was ended by a settlement in which Epic Games not only had to pay 245 million USD to the FTC but also had to provide an opportunity for those affected by the violations to receive a refund for their purchases.
CCPA
The California Consumer Privacy Act (CCPA) was enacted in 2018. This act gives consumers more authority over the personal data that businesses collect about them, and the CCPA regulations offer instructions on how to put the law into effect. Officially, this policy includes the “right to know about the personal information a business collects about them, and how it is used and shared.” Additionally, it includes the “right to delete personal information collected from them, the right to opt-out of the sale or sharing of their personal information,” and lastly, “the right to non-discrimination for exercising their CCPA rights” [13]. It is also important to note that there are some exceptions to the ‘right to delete’ portion of this act. For instance, if a business has legal obligations to retain sensitive data, this portion may not apply. Moreover, on January 1st, 2023, the CCPA was amended to include further privacy protections. These protections include the right to rectify incorrect personal information, as well as the right to restrict the use and disclosure of sensitive personal data [14].
HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. This act establishes nationwide standards to protect an individual’s medical and personal health information. The entities covered under HIPAA include, but are not limited to, healthcare providers, health plans, clearinghouses, and their business associates. A business associate is an organization that performs jobs that involve disclosing protected health information (PHI).[15]
As part of HIPAA compliance there are different sections, such as the Breach Notification Rule and the Security and Privacy Rules, which companies need to follow in order to give patients access to their data. According to the HIPAA guidelines, companies have about 45 days to process a request from the day the patient submits it. The request can concern either data access or data deletion and applies to both existing and new patients of a health system. Once the 45 days have passed without the request being processed, the company is held liable and can be sued.[16] HIPAA also gives a clear definition of what data is classified as PHI and as unsecured PHI. It further sets out how that data may be stored electronically and used by healthcare IT companies, extending the rules beyond the traditional healthcare sector, which was limited to offline records. Healthcare organizations must therefore take the necessary steps to adhere to HIPAA rules, including frequent risk assessments, the implementation of suitable security controls, employee training on HIPAA policies and procedures, and timely response to any PHI breaches.[17]
The following are some of the key requirements for HIPAA Compliance:
- Privacy Rule: The HIPAA Privacy Rule establishes federal requirements for safeguarding the privacy of people's health information, including the demand that covered businesses seek patients' written consent before revealing their data.
- Security Rule: According to the HIPAA Security Rule, covered organizations must put in place administrative, physical, and technical measures to protect the availability, confidentiality, and integrity of electronic protected health information (ePHI).
- Breach Notification Rule: The HIPAA Breach Notification Rule mandates that, in the event of an unprotected ePHI breach, covered entities notify impacted people, the Secretary of Health and Human Services, and, in some circumstances, the media.[18]
- Enforcement Rule: Procedures for investigations, hearings, and the enforcement of civil monetary penalties for HIPAA rule infractions are established under the HIPAA Enforcement Rule.
- Omnibus Rule: The HIPAA Omnibus Rule significantly altered the HIPAA rules, extending liability to business partners of covered businesses, stiffening fines for non-compliance, and enhancing people's access rights to their health information.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard for account data protection. It was an initiative of the Payment Card Industry Security Standards Council (PCI SSC), which was founded by American Express, Discover, JCB International, MasterCard and Visa Inc. in 2006 [19]. Before PCI DSS was created, each founder had its own security compliance program; they then created PCI DSS and adopted it as the foundation for the technical and operational requirements that protect cardholder account data and reduce threats in the payment ecosystem. PCI DSS compliance is organized into six groups and 12 requirements, with multiple sections under each requirement. The six groups are as follows:[20]
- Build and maintain a secure network and systems.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access-control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
Each group has multiple requirements, which are as follows:[20]
- Install and maintain network security controls.
- Apply secure configurations to all system components.
- Protect stored account data.
- Protect cardholder data with strong cryptography during transmission over open, public networks.
- Protect all systems and networks from malicious software.
- Develop and maintain secure systems and software.
- Restrict access to system components and cardholder data by business need to know.
- Identify users and authenticate access to system components.
- Restrict physical access to cardholder data.
- Log and monitor all access to system components and cardholder data.
- Test security of systems and networks regularly.
- Support information security with organizational policies and programs.
The first version according to the Payment Card Industry Security Standards Council (PCI SSC) is v1.1, available in their archives,[21] which was released in September 2006; the latest version is v4.0.1[20]. Both versions have the same categories and requirements, but the newer version includes additional sections under each requirement to address the gaps and challenges of today's digital world. The first evaluation of an entity against PCI DSS is called an initial PCI DSS assessment. This means that the entity has never gone through a prior assessment that resulted in the submission of a compliance validation document, such as an Attestation of Compliance (AOC), Self-Assessment Questionnaire (SAQ), or Report on Compliance (ROC)[20]. After the initial evaluation, annual evaluations are carried out according to the requirements of the payment card industry (PCI) companies. The PCI providers divide the compliance validation criteria into different levels, each with different requirements for merchants and service providers.
The penalties and fines for PCI DSS non-compliance are imposed by the PCI providers depending on the contract and the level of the merchant or service provider. PCI providers impose fines directly on the merchant; where payment providers are involved, the card brands fine the service provider, which then fines the merchant. Some of the companies that have faced penalties are mentioned below:
- British Airways
- In 2018, attackers compromised British Airways' website and mobile app, stealing the personal and financial information of around 400,000 customers[22]. "The attackers gained access to British Airways' network using compromised credentials from an employee of a third-party cargo handler, Swissport. Initially restricted to a Citrix environment, the hackers broke out and escalated their privileges after discovering an unsecured administrator password in plaintext. They then modified BA's systems to harvest customer details as they were input, redirecting users to a bogus website designed to skim payment information before sending them back to BA's" site[23]. The UK Information Commissioner's Office (ICO) initially fined British Airways £183 million under the General Data Protection Regulation (GDPR), but the fine was later reduced to £20 million in October 2020 due to the financial impact of the COVID-19 pandemic.[22]
- Home Depot
- Home Depot encountered one of the largest data breaches in retail history, in which hackers accessed the credit and debit card information of approximately 56 million customers. In April 2024, the attackers gained initial access to Home Depot’s network using a third-party vendor's credentials, then exploited a vulnerability in Microsoft’s Windows operating system to gain elevated privileges, through which they identified 7,500 self-checkout lanes. In June 2024, the attackers deployed custom-built malware on point-of-sale (POS) systems, which bypassed antivirus software and captured credit and debit card information along with email addresses. The card information was then sold on the dark web, and the email addresses were used for phishing scams in September 2024. The Secret Service later notified Home Depot about the breach[24]. Home Depot paid $17.5 million in a multistate settlement[25].
- Target
- In 2013, hackers stole 40 million credit and debit card records and 70 million customer records, a larger breach than Home Depot's. Fazio Mechanical Services, a third-party contractor for Target, fell victim to a phishing attack. This company remotely accessed Target’s network for billing purposes and general management. The emails sent to Fazio Mechanical Services contained malware that stole its employees’ credentials, enabling the hackers to access its systems, which they used as an entry point into Target's network. The malware was not identified until an investigation began in collaboration with government agencies, and it was finally removed from Target’s network by December 15, 2013[26]. The case, filed by multiple states, was settled in 2017, when Target agreed to a multi-jurisdictional resolution of $18.5 million[27].
SOC2 Compliance
As organizations continue to rely on technology to run their operations, the need for robust security measures becomes paramount. SOC 2 compliance has become one of the most important criteria for service providers and vendors to show that they have controls in place to protect their customers' data. Below we take a closer look at the five Trust Service Principles of SOC 2 and the benefits of achieving compliance.
- Security: This principle focuses on protecting data from unauthorized access, disclosure, and destruction. Controls based on this principle include access control, encryption, and auditing of security events.
- Availability: This principle focuses on ensuring that the system can be operated and used as agreed with the customer. Controls based on this principle include plans for redundancy, backup, and disaster recovery.
- Processing integrity: This principle focuses on ensuring that system processing is complete, accurate, timely and authorized. Controls based on this principle include input validation, data reconciliation, and error handling.
- Confidentiality: This principle focuses on ensuring that sensitive data is protected from unauthorized access or disclosure. Controls based on this principle include access control, encryption, and data classification.
- Privacy: This principle focuses on ensuring that personal information is collected, used, stored, and disclosed in accordance with the organization's privacy policy and relevant laws and regulations. Controls based on this principle include data minimization, consent management, and data subject rights.
The benefits of SOC 2 compliance include the following. It demonstrates an organization's commitment to security and privacy and can enhance its reputation and credibility with customers and partners. It can give a company a competitive advantage over competitors that have not gone through the same rigorous review process. It helps organizations identify and remediate potential security risks and vulnerabilities, thereby improving their overall security posture. It helps organizations meet the security and privacy requirements of industry-specific regulations such as HIPAA and PCI DSS. Finally, being SOC 2 compliant can increase customer confidence in an organization's data protection capabilities, which can lead to increased customer loyalty and retention.
Data Security Strategies in Compliance Management
Moving from the broad perspective of regulatory compliance to the specifics of data security, it is essential to see how these frameworks are applied in practice to protect sensitive information. This section explores the foundational mechanisms and technologies critical to compliance management. Data protection is central to compliance management and to the control and automation requirements of various industries. By examining specific strategies such as encryption, access control, and continuous monitoring, we aim to show how organizations can meet regulatory expectations and effectively safeguard critical data.
Security Infrastructure and Technologies
Encryption: Primarily used to protect data in transit and at rest, using algorithms that transform data so that it can be read only by those who hold the decryption keys.[28]
Firewalls and Intrusion Detection Systems (IDS): Firewalls serve as barriers between an organization's secure internal networks and potentially unsafe external networks. An IDS monitors network traffic to detect and respond to suspicious activity.[29]
Data Masking and Tokenization: These techniques ensure that sensitive data remains anonymized or obscured in environments such as testing or analytics, enhancing security while preserving functionality.[30]
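To make the distinction between masking and tokenization concrete, the following Python module is an added example written for this page; it is not code from any standard, vendor or project mentioned above. Masking is one-way: a receipt or log only ever sees the last four digits. Tokenization is reversible, but only through a vault that holds the real card number and hands out random tokens, so an analytics or test environment can join records on the token without ever receiving the number. The card number, the `TokenVault` class and the `tok_` token format are constructed for the example, and the in-memory dictionaries stand in for an encrypted, access-controlled store.

```python
import secrets
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects malformed card numbers before they can enter the vault."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    digits = [int(ch) for ch in pan]
    parity = len(digits) % 2
    total = 0
    for index, digit in enumerate(digits):
        if index % 2 == parity:  # every second digit counted from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str, visible: int = 4) -> str:
    """Irreversible masking for receipts, logs and screens: only the last digits survive."""
    if not 0 <= visible <= len(pan):
        raise ValueError("visible digits out of range")
    return "*" * (len(pan) - visible) + pan[len(pan) - visible:]


class TokenVault:
    """Reversible tokenization: callers keep a random token, only the vault knows the PAN.

    Constructed stand-in: a real vault persists the mapping in an encrypted,
    access-controlled store and logs every detokenize call. In-memory dictionaries
    keep this example runnable offline.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenize a malformed PAN")
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            return existing  # one PAN maps to one token so analytics can join on it
        # The token is random, not derived from the PAN, so it reveals nothing about it.
        token = "tok_" + secrets.token_hex(8)
        while token in self._token_to_pan:
            token = "tok_" + secrets.token_hex(8)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Returns the PAN, or None for an unknown token. Restrict who may call this."""
        return self._token_to_pan.get(token)


def record_for_analytics(vault: TokenVault, pan: str, amount_cents: int) -> Dict[str, object]:
    """What a downstream analytics or test environment receives: never the full PAN."""
    digits_only = pan.replace(" ", "").replace("-", "")
    return {
        "card_token": vault.tokenize(digits_only),
        "card_display": mask_pan(digits_only),
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111 1111 1111 1111"  # constructed test number, not a real card
    print(record_for_analytics(vault, sample_pan, 1999))
```

The point of the split is the trust boundary: `mask_pan` output can go anywhere, `record_for_analytics` output can go to lower-security environments, and `detokenize` is the single call that should be logged and restricted, because it is the only path back to the cardholder data.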
Access Controls and Authentication
Role-based Access Control (RBAC): This security methodology restricts access to information based on individuals' roles within an organization, ensuring access is limited to necessary information for their duties.[31]
Multi-factor Authentication (MFA): Enhances security by requiring multiple verification forms from users before access to systems or data is granted, significantly reducing unauthorized access risks.[31]
Monitoring and Auditing
Continuous Monitoring: Involves the constant observation of system activities to quickly identify and mitigate potential security threats.[32][30]
Regular Audits: Essential for evaluating the effectiveness of security measures and identifying potential improvements to enhance data protection.[32]
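Continuous monitoring and audits both depend on the audit trail actually being read. The following Python module, an added example written for this page rather than code from any monitoring product, runs two detection rules over a small constructed audit log: a burst of failed logins for one account inside a sliding window, and access to PHI outside business hours. The log format (UTC timestamp followed by key=value fields), the user names, the record identifiers and the 07:00 to 19:00 UTC business-hours window are all constructed assumptions. A line that cannot be parsed is reported as its own alert, because a collector that silently drops lines is exactly the gap an auditor will ask about.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional

# Constructed audit log for the example. Assumed line format: UTC ISO-8601 timestamp
# followed by key=value fields. No real system or user is represented.
SAMPLE_LOG = """\
2024-03-01T02:13:05Z user=carol action=phi:read result=ok record=MRN-1042
2024-03-01T08:59:40Z user=alice action=login result=fail
2024-03-01T08:59:55Z user=alice action=login result=ok
2024-03-01T09:00:00Z user=bob action=login result=fail
2024-03-01T09:00:10Z user=bob action=login result=fail
2024-03-01T09:00:20Z user=bob action=login result=fail
2024-03-01T09:00:30Z user=bob action=login result=fail
2024-03-01T09:00:40Z user=bob action=login result=fail
2024-03-01T10:15:00Z user=alice action=phi:read result=ok record=MRN-2210
garbage line that the collector must surface rather than drop
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<fields>(?:\w+=\S+\s*)+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parses one audit line into a dict, or returns None if it does not fit the format."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    event: Dict[str, object] = dict(kv.split("=", 1) for kv in match.group("fields").split())
    event["ts"] = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return event


def analyze(
    log_text: str,
    fail_threshold: int = 5,
    window_seconds: int = 300,
    business_hours: tuple = (7, 19),
) -> List[Dict[str, object]]:
    """Runs the detection rules over the log and returns one dict per alert."""
    alerts: List[Dict[str, object]] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    start_hour, end_hour = business_hours
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            alerts.append({"rule": "unparseable_log_line", "line": lineno, "user": None})
            continue
        user = str(event.get("user", "?"))
        ts = event["ts"]
        action = str(event.get("action", ""))
        # Rule 1: `fail_threshold` failed logins for one account inside a sliding window.
        if action == "login" and event.get("result") == "fail":
            recent = failures[user]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if len(recent) >= fail_threshold:
                alerts.append({"rule": "login_failure_burst", "user": user,
                               "at": ts.isoformat(), "count": len(recent)})
                recent.clear()  # one alert per burst, not one per additional failure
        # Rule 2: PHI touched outside the assumed business-hours window (UTC).
        if action.startswith("phi:") and not (start_hour <= ts.hour < end_hour):
            alerts.append({"rule": "after_hours_phi_access", "user": user,
                           "at": ts.isoformat(), "record": event.get("record")})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Thresholds and the business-hours window are parameters rather than constants so that an audit can show which values were in force on a given date; the same function run with a stricter `fail_threshold` produces a different, reproducible set of alerts.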
Policies and Training
Data Security Policies: Organizations create and enforce policies that dictate data handling, sharing, and protection. These policies are regularly updated to address new threats and compliance requirements.[33][30]
Employee Training Programs: Employees receive regular training on data security importance and specific protocols to protect sensitive information, ensuring widespread compliance.[34]
Incident Management and Recovery
Incident Response Plans: Detailed plans that outline immediate actions, mitigation strategies, and notification procedures for efficiently managing data breaches or security incidents.[35]
Backup and Disaster Recovery: Regular backups and comprehensive disaster recovery plans ensure data recovery and operational continuity in case of data loss or system failures.[36]
Third-party and Vendor Management
Vendor Security Assessments: Thorough security assessments of vendors and third parties that handle sensitive data, to ensure their compliance with data protection standards.[15]
Consequences of Non-Compliance and Why it is Ethically Important
Non-compliance can result in serious consequences for organizations such as fines, damaged reputations, and a lack of trust amongst consumers.
Financial Penalties
- HIPAA: Violations of HIPAA can result in fines from $100-$50,000 per violation
- PCI DSS: Violations of PCI DSS can result in $5,000-$10,000 per month until compliance is achieved
- GDPR: Violations of GDPR can result in fines up to €20,000,000 or 4% of global turnover (whichever is higher) for serious violations[37]
Reputation Damage and Loss of Organizational Trust
On top of financial losses, non-compliance damages an organization's reputation and credibility. In cases of data breaches, the leakage of a person's PII/PHI can result in a loss of customer trust and public credibility, since all of that person's data, including medical data, has been exposed. In one such case, at Anchorage Community Mental Health Services,[38] the PHI (Protected Health Information) of over 2,700 individuals was leaked as a result of unpatched security vulnerabilities. On top of paying a fine of $150,000, going through a data breach of this scale can, for a non-profit medical institute, result in a decline in customer acquisition and retention through the negative PR that follows, and a drop in contributions from donors.
Ethical Importance
Companies bear the responsibility to protect personal and sensitive data such as PII (Personally Identifiable Information), financial information, and PHI. If this sensitive data is mishandled and put at risk, it can expose individuals to serious harm. On top of the legal compliance that must be followed, companies must follow ethical compliance, such as:
- COPPA[39]: protecting the PII of children online
- Honoring the privacy and consent of individuals
- Actively participating in cybersecurity best practices to secure sensitive data
- Announcing any vulnerabilities and data breaches to customers as soon as possible
Damages to Reputation and User Trust
Being in violation of these regulatory frameworks can have serious consequences for companies. While the initial consequences may come in the form of fines or lawsuits that cause financial damage, one of the more permanent long-term consequences is the reputational damage an organization suffers after a cyber breach.
When organizations fall victim to cyberattacks, cybercriminals can steal a plethora of data from a company. This can include some of people's most sensitive information, such as addresses, payment data, and even Social Security numbers. Attackers often sell this information on dark markets for money, or use the credentials themselves to commit fraud. Because of the amount of damage that can be caused when users' information falls into the wrong hands, a leak can lead people to believe that their information is not safe with the organization going forward. The number of people who feel this way is quite large, with “75% of consumers expressing their readiness to sever ties with a brand in the aftermath of any cybersecurity issue”.[40] This means that a company could effectively lose the vast majority of its customer base in the aftermath of a single cyber attack, which could put it out of business permanently. Even an organization with years of reputation and a reliable customer base can lose all of the trust of its current and future users in a single day.
These attacks don't just impact user trust; they also impact the trust of members within the organization. Cyber breaches can make investors, board members, and partners feel that their money is not safe within the organization, and they may take their business elsewhere. This reality has further impacted businesses: “publicly traded companies experienced a 7.5% drop in their stock values and an average loss of USD 5.4 billion in market cap after a cyber breach”.[41] This severe drop in the value of a company comes from wavering trust in the company among users, investors, and shareholders, which ultimately results in an organization not only losing financially, but potentially losing its entire business. In this sense, the damage a company can suffer from a cyber breach extends far beyond financial repercussions, reinforcing how crucial it is for companies to adhere to these frameworks and policies to keep user data safe.
If the company has no cyber compliance program, how does it get started?[2]
Now that we have reviewed what cybersecurity compliance is, it is important to understand how to get started on building a cybersecurity compliance program within your organization. Every cybersecurity compliance program is specific to its organization because of the breadth and depth of what it covers. However, the steps below should be a good starting point for any organization to begin developing its compliance program and gain the benefits of meeting regulatory compliance requirements.
- Assemble a Designated Compliance Team: The main power behind cybersecurity compliance is your IT staff; however, when a comprehensive compliance program is put into place, a compliance team must be formed. For a business to have a strong cybersecurity posture and support compliance procedures, all departments must collaborate.
- Make a Risk Analysis Process: You should adhere to the four fundamental phases of the risk analysis process in order to identify and evaluate risks. These include determining which information systems, assets, or networks have access to data, determining the risk level associated with each type of data, applying a formula to analyze the risk, and establishing tolerance by selecting whether to reduce, transfer, reject, or accept any identified hazards.
- Enable Controls to Mitigate or Transfer Risk: Setting up security measures to reduce or transfer cybersecurity threats is the next stage. These measures include encryption, network firewalls, password restrictions, staff training, incident response plans, access control, and patch management schedules, among other technological and physical measures.
- Create and Implement Policies: Document any policies or instructions that IT teams, staff, and other stakeholders need to follow once controls have been put in place. These policies will also be helpful for future internal and external audits.
- Monitor and Respond Quickly: Maintain a constant eye on your compliance program as new laws or revised versions of old ones are passed. A compliance program's objective is to recognize and manage risks and stop cyber threats before they result in a significant data breach. Additionally, it's crucial to have business procedures in place that let you respond rapidly to threats.
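A worked example of the risk analysis phases above (inventory, per-data-type risk level, scoring formula, tolerance decision), added here as a constructed Python illustration rather than code from any source this page cites. The data categories (PII, financial, PHI) follow the page; the likelihood weights, impact values, tolerance thresholds and the sample inventory are assumptions.

```python
"""Risk analysis for a compliance program (constructed example).
Phases: (1) inventory systems that touch regulated data, (2) rate each data
type, (3) score risk = likelihood x impact, (4) pick a treatment against a
tolerance. Weights, thresholds and systems are assumptions, not a standard."""
from dataclasses import dataclass

# Phase 2: impact per data type, 1 (low) to 5 (severe); values are assumed,
# the categories (PII, financial, PHI) are the ones this page lists.
DATA_IMPACT = {"PII": 4, "FINANCIAL": 5, "PHI": 5, "PUBLIC": 1}

# Phase 4: tolerance bands over the 1-25 score range (assumed thresholds).
ACCEPT_MAX = 6     # within appetite: accept and record
REDUCE_MAX = 15    # apply controls (patching, MFA, encryption, ...)
TRANSFER_MAX = 20  # too costly to reduce alone: insure or outsource
# anything above TRANSFER_MAX is rejected: the activity is avoided or redesigned

@dataclass(frozen=True)
class System:
    """Phase 1 inventory record: one system, asset or network."""
    name: str
    data_types: tuple      # regulated data it stores or processes
    internet_facing: bool
    patched: bool          # patch management schedule is current
    mfa: bool              # access requires multi-factor authentication

def likelihood(system: System) -> int:
    """Likelihood 1-5 from exposure factors (assumed weights)."""
    score = 1 + (2 if system.internet_facing else 0)
    score += (0 if system.patched else 1) + (0 if system.mfa else 1)
    return min(score, 5)

def impact(system: System) -> int:
    """Impact follows the most sensitive data type the system touches."""
    return max((DATA_IMPACT.get(d, 1) for d in system.data_types), default=1)

def risk_score(system: System) -> int:
    """Phase 3 formula: likelihood x impact, range 1-25."""
    return likelihood(system) * impact(system)

def treatment(score: int) -> str:
    """Phase 4 decision: reduce, transfer, reject or accept."""
    if score <= ACCEPT_MAX:
        return "accept"
    if score <= REDUCE_MAX:
        return "reduce"
    if score <= TRANSFER_MAX:
        return "transfer"
    return "reject"

def analyze(inventory) -> list:
    """Build the risk register, highest risk first, for the compliance team."""
    rows = [{"name": s.name, "likelihood": likelihood(s), "impact": impact(s),
             "score": risk_score(s), "treatment": treatment(risk_score(s))}
            for s in inventory]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample inventory (hypothetical systems).
INVENTORY = (
    System("public-website", ("PUBLIC",), True, True, False),
    System("hr-portal", ("PII",), False, False, True),
    System("payments", ("FINANCIAL",), True, False, True),
    System("patient-records", ("PHI", "PII"), True, False, False),
)

if __name__ == "__main__":
    for r in analyze(INVENTORY):
        print(f"{r['name']:16} L={r['likelihood']} I={r['impact']} "
              f"score={r['score']:2} -> {r['treatment']}")
```

The band constants are the tolerance the compliance team sets in the last phase; moving a threshold is an explicit decision to accept more or less risk, and the register gives auditors the rationale for each treatment.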
Industry-Specific Compliance Challenges:
- Healthcare Industry:[42]
The healthcare sector faces stringent compliance requirements due to the sensitive nature of patient data and the criticality of healthcare services. Organizations in this industry must adhere to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States. HIPAA mandates strict standards for protecting patient privacy and securing electronic health records (EHRs). Additionally, healthcare organizations must comply with regulations specific to medical device manufacturing, pharmaceuticals, and clinical trials, such as the Food and Drug Administration (FDA) regulations in the U.S. Compliance challenges in healthcare include ensuring the security of EHR systems, safeguarding patient confidentiality, and navigating complex data sharing agreements while maintaining compliance with HIPAA and other industry-specific regulations.
- Manufacturing Industry:
The manufacturing sector faces unique compliance challenges related to product safety, environmental regulations, and supply chain management. Manufacturers must comply with regulations such as the Occupational Safety and Health Administration (OSHA) standards for workplace safety, the Environmental Protection Agency (EPA) regulations for waste management and emissions control, and industry-specific standards such as the International Traffic in Arms Regulations (ITAR) for defense-related manufacturing. Compliance challenges in manufacturing include ensuring product quality and safety, minimizing environmental impact, and managing regulatory requirements across global supply chains.
- Technology Industry:
The technology sector operates in a rapidly evolving landscape characterized by innovation, disruption, and intense competition. Technology companies must navigate a complex web of regulations that vary depending on their products, services, and geographical locations. Key regulations affecting the technology industry include the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the U.S., and industry-specific standards such as the International Organization for Standardization (ISO) 27001 for information security management. Compliance challenges in the technology industry include managing vast amounts of customer data, addressing privacy concerns, and ensuring the security of cloud-based services and Internet of Things (IoT) devices.
- Finance Industry:
The finance industry operates within a highly regulated environment to ensure the integrity and stability of financial markets and protect consumer interests. Financial institutions, including banks, insurance companies, and investment firms, must comply with regulations such as the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS). These regulations govern various aspects of financial operations, including data privacy, anti-money laundering (AML), and fraud prevention.
Incorporating Ethical Practices of Compliance
As they stand, compliance frameworks are still not enough to deter companies from acting with disregard. One potential remedy for noncompliance is increasing penalties: substantial penalties for those who knowingly violate or fall out of compliance with these laws. However, a proposed and potentially more effective solution is the implementation of ethical training and awareness within a company’s culture. By incorporating such practices, companies can reduce the distance between employees working on compliance and the data their workflows handle.
In a research model conducted by Rene Moquin and Robin L. Wakefield, the authors found that “empirical findings indicate that compliance attitudes result from both consequence and coping appraisals with ethical beliefs having a stronger influence on compliance attitudes compared to the threat of sanctions” [52]. This further strengthens the argument that when employees are made aware of the ethics they are bound to, they will consider compliance not just a legislative requirement but an ethical protection. Through the ethical alignment of employees, organizations may be able to proactively protect data and secure systems, because employees understand the human elements behind the data they deal with. Further reducing the distance between workers and the real lives their data concerns can lead to a culture where unethical practices are called out, prevented, and worked around to reach a fair solution.
Examples of such practices might include walkthroughs of relevant data. In such exercises, employees are given the time to think about and respond to the question, 'What could happen if this data was leaked?'. Through such practices, employees can think about the cascading effects of mishandled data and how a few lapses in compliance could lead to detrimental changes in a client's life. Employees may also be asked to think about the emotional toll when such data is exposed: how would a client feel after finding out that personal information has been compromised? One important point is not to rely on the abstract idea of a 'client'. Realistic, personal stories should be tied to faces within these trainings, which allows for a more emotionally motivated response to the questions. Another tool for consideration is issue identification, where a person writes out a potential implementation or feature and then thinks through all the potential ethical implications of that feature or decision [53].
For such a practice to be successful, a culture of ethical consideration surrounding all relevant company practices must be reinforced by those in higher-level positions. This ensures that a culture that engrains ethics into workflows exists consistently. Through practices and tools like these, we can ensure that ethical considerations are made with every implementation of technology, protecting user rights at the core rather than simply aiming for the minimum bar set by law. Instead, we can foster a community of security and protection of user rights from start to finish.
References
- [1] Kost, Edward. 2022. "What is Compliance Management in Cybersecurity?" Oct 10. https://www.upguard.com/blog/what-is-compliance-management.
- [2] CompTIA. n.d. "What Is Cybersecurity Compliance?" https://www.comptia.org/content/articles/what-is-cybersecurity-compliance.
- [3] "What Is Cybersecurity Compliance". CompTIA. Retrieved 2025-04-28.
- [4] "What is Compliance Management?". Check Point Software. Retrieved 2025-04-28.
- [5] "NIST History". NIST. 2019-02-23.
- [6] "NIST Releases Version 2.0 of Landmark Cybersecurity Framework". NIST. 2024-02-26.
- [7] "Data protection in the EU - European Commission". commission.europa.eu. 2023-07-04. Retrieved 2024-04-23.
- [8] "What is GDPR, the EU's new data protection law?". GDPR.eu. 2018-11-07. Retrieved 2024-04-23.
- [9] "What Is COPPA? | Common Sense Education". www.commonsense.org. Retrieved 2024-04-22.
- [10] "Microsoft Corporation, U.S. v." Federal Trade Commission. 2023-06-05. Retrieved 2024-04-22.
- [11] "Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges". Federal Trade Commission. 2022-12-16. Retrieved 2024-04-22.
- [12] "Fortnite Refunds". Federal Trade Commission. 2022-11-30. Retrieved 2024-04-22.
- [13] California Consumer Privacy Act (CCPA). (2024, March 13). State of California - Department of Justice - Office of the Attorney General. https://oag.ca.gov/privacy/ccpa
- [14] California Consumer Privacy Act (CCPA). (2024, March 13). State of California - Department of Justice - Office of the Attorney General. https://oag.ca.gov/privacy/ccpa
- [15] National Institute of Standards and Technology (NIST). (2020). Cybersecurity Framework. https://www.nist.gov/cyberframework
- [16] European Union Agency for Cybersecurity (ENISA). (2020). Cybersecurity Act. https://www.enisa.europa.eu/policy-and-law/cybersecurity-act
- [17] U.S. Department of Health & Human Services. (n.d.). HIPAA for Professionals. Retrieved April 24, 2023, from https://www.hhs.gov/hipaa/for-professionals/index.html
- [18] Federal Trade Commission. (2019). FTC Takes Action Against Cafe Press for Data Breach Cover-Up. https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover
- [19] "Founding Members". PCI Security Standards Council. Retrieved 2025-04-29.
- [20] PCI Security Standards Council (June 2024). "Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 4.0.1" (PDF). Retrieved April 28, 2025.
- [21] PCI Security Standards Council (September 1, 2006). "Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 1.1" (PDF). Retrieved April 28, 2025.
- [22] "British Airways fined £20m over data breach". 2020-10-16. https://www.bbc.com/news/technology-54568784.
- [23] "What happened in the British Airways data breach? | Twingate". www.twingate.com. Retrieved 2025-04-29.
- [24] National Counterintelligence and Security Center (NCSC) (April 28, 2025). "Cyber Aware: Case Study – Home Depot" (PDF). Office of the Director of National Intelligence. Retrieved April 28, 2025.
- [25] "Attorney General Becerra Announces $17.5 Million Settlement Against Home Depot Over Credit Card Data Breach". State of California - Department of Justice - Office of the Attorney General. 2020-11-24. Retrieved 2025-04-29.
- [26] Steinberg, Sean; Stepan, Adam; Neary, Kyle; Rattray, Greg; Healey, Jason (April 28, 2025). "Target Cyber Attack: A Columbia University Case Study" (PDF). Picker Center Digital Education Group at Columbia’s School of International and Public Affairs (SIPA). Retrieved April 28, 2025.
- [27] "Target settles 'Nightmare Before Xmas' data breach for $18.5 million". NBC News. 2017-05-24. Retrieved 2025-04-29.
- [28] Porcedda, Maria Grazia (2023). Cybersecurity, privacy and data protection in EU law: a law, policy and technology analysis. Hart studies in information law and regulation. Oxford; New York: Hart. ISBN 978-1-5099-3939-8.
- [29] Jacoby, G.A.; Marchany, R.; Davis, N.J. "Battery-based intrusion detection: a first line of defense". Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004. IEEE. doi:10.1109/iaw.2004.1437827.
- [30] Bougleux, Elena (2021-06-30). "A General Data Protection Regulation (GDPR) not really general". Archivio antropologico Mediterraneo. 23 (1). doi:10.4000/aam.4098. ISSN 2038-3215.
- [31] Rizvi, Syed; Imler, Jarrett; Ritchey, Luke; Tokar, Michael. "Securing PKES against Relay Attacks using Coordinate Tracing and Multi-Factor Authentication". 2019 53rd Annual Conference on Information Sciences and Systems (CISS). IEEE. doi:10.1109/ciss.2019.8692790.
- [32] "External Verification", Laboratory Auditing for Quality and Regulatory Compliance, CRC Press, pp. 222–236, 2005-07-25, ISBN 978-0-429-11950-7. Retrieved 2024-04-21.
- [33] Middleton, Rowan; Smith, Herbert. "Data protection: retention policies". Computer Law & Security Review. 19 (3): 216–221. doi:10.1016/S0267-3649(03)00305-4.
- [34] "Security Awareness and Training Menu", Information Security, Elsevier, pp. 63–64, 2013. Retrieved 2024-04-21.
- [35] "Incident Response", Combating Terrorism Strategies and Approaches, Washington, DC: CQ Press, pp. 199–231, 2008.
- [36] "Business Continuity and Disaster Recovery Response Checklist", Business Continuity and Disaster Recovery Planning for IT Professionals, Elsevier, pp. 417–418, 2007. Retrieved 2024-04-21.
- [37] "What are the GDPR Fines?". GDPR.eu. 2018-07-11. Retrieved 2025-04-28.
- [38] "Outdated software leads to $150K fine for HIPAA breach | Healthcare Dive". www.healthcaredive.com. Retrieved 2025-04-28.
- [39] "Children's Online Privacy Protection Rule ("COPPA")". Federal Trade Commission. 2013-07-25. Retrieved 2025-04-28.
- [40] "66% of consumers would not trust a company following a data breach | Security Magazine". www.securitymagazine.com. Retrieved 2025-04-28.
- [41] "How cyberattacks hurt business reputation". www.anapaya.net. Retrieved 2025-04-28.
- [42] Office for Civil Rights (OCR) (2021-06-09). "Health Information Privacy". www.hhs.gov. Retrieved 2024-04-13.
- [43] Occupational Safety and Health Administration (OSHA). "Occupational Safety and Health Administration".
- [44] US EPA (2013-01-31). "Laws & Regulations". www.epa.gov. Retrieved 2024-04-13.
- [45] U.S. Department of State Directorate of Defense Trade Controls. (n.d.). "International Traffic in Arms Regulations (ITAR)". www.pmddtc.state.gov. Retrieved 2024-04-13.
- [46] "GDPR Regulation Europe". eur-lex.europa.eu. Retrieved 2024-04-13.
- [47] "California Consumer Privacy Act (CCPA)". State of California - Department of Justice - Office of the Attorney General. 2018-10-15. Retrieved 2024-04-13.
- [48] "International Organization for Standardization". ISO. Retrieved 2024-04-13.
- [49] "Document Library". PCI Security Standards Council. Retrieved 2024-04-13.
- [50] "Gramm-Leach-Bliley Act". Federal Trade Commission. 2024-02-05. Retrieved 2024-04-13.
- [51] "Sarbanes-Oxley Act of 2002".
- [52] Moquin, Rene; Wakefield, Robin L. (2016-07-02). "The Roles of Awareness, Sanctions, and Ethics in Software Compliance". Journal of Computer Information Systems. 56 (3): 261–270. doi:10.1080/08874417.2016.1153922. ISSN 0887-4417.
- [53] Cotton, Matthew (2014). Ethics and Technology Assessment: A Participatory Approach. Studies in Applied Philosophy, Epistemology and Rational Ethics. Vol. 13. Berlin, Heidelberg: Springer Berlin Heidelberg. doi:10.1007/978-3-642-45088-4. ISBN 978-3-642-45087-7.
- [54] Payment Card Industry Security Standards Council. (2020). Payment Card Industry Data Security Standard. https://listings.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement?return=%2Fassessors_and_solutions%2Fpoint_to_point_encryption_solutions/
- [55] Marriott International. (2019). Marriott International Announces Data Breach Settlement. https://www.cbsnews.com/news/marriott-data-breach-class-action-lawsuits-seek-billions-with-more-to-come/
- [56] Maersk says global IT breakdown caused by cyber attack. (2017). https://www.reuters.com/article/us-cyber-attack-maersk-idUSKBN19I1NO
- [57] Target Corporation. (2018). Target Data Breach Settlement. https://topclassactions.com/lawsuit-settlements/closed-settlements/target-data-breach-class-action-settlement/
- [58] Health Information and Management Systems Society. (n.d.). HIPAA Resources. Retrieved April 24, 2023, from https://www.himss.org/news/himss-comments-hipaa-proposed-regulation-highlights-importance-alignment-and-access
- [59] GDPR. (2023, January). General Data Protection Regulation. Retrieved from gdpr-info.eu: https://gdpr-info.eu/
- [60] McCarthy, N. (2023, January 31). The Biggest GDPR Fines of 2022. Retrieved from EQS Group: https://www.eqs.com/compliance-blog/biggest-gdpr-fines/
- [61] California Consumer Privacy Act (CCPA). (2024, March 13). State of California - Department of Justice - Office of the Attorney General. https://oag.ca.gov/privacy/ccpa