As the records and digital assets created in an organization grow at a 50-80% rate each year, so do enterprise risks. In a recent survey, about 80% of respondents reported that they create new documents in their jobs at least several times a week, and almost 60% of them create documents daily or continuously. More files, more pain.
Public and private companies, and public sector entities, must understand and meet the daunting and vitally important challenge of operating in accordance with the applicable laws and regulations. As such, they must lower the legal, regulatory, and business risks involved in the capture, archival, management and reproduction of their digital records. Why store and retain authentic data? In the modern data economy, data records live in a trustless society and must serve many purposes:
- To foster transparency, participation, and trust with the entity,
- To retain the “immutable memory” of activities, events, contracts, and assets,
- To provide irrefutable evidence in the event of an investigation, dispute, or lawsuit in both regulated and non-regulated industries,
- To extract rent from digital assets,
- To preserve and share knowledge,
- To improve enterprise efficiency and sustainability
However, failure to treat data records and files as immutable (authentic, reliable, trustworthy) digital assets may have consequences that put individuals and organizations at serious risk of penalties and, more severely, out of business. Multiple regulators across the globe require firms to record and store digital files such as phone conversations and electronic communications in order to ‘prove’ adherence to codes of conduct. In FY2022 the U.S. Securities and Exchange Commission (SEC) imposed $4.2 billion in regulatory fines, of which $1.1 billion were for failures in record-keeping and record storage. The U.S. Commodity Futures Trading Commission (CFTC) imposed further fines totaling more than $710 million for related conduct.
| Compliance Areas | Description | Civil penalty | Criminal penalty |
|---|---|---|---|
| HIPAA – Health Insurance Portability and Accountability Act | Medical records and information privacy | $100 – $50,000 per violation, or a total of $25,000 or $1.5M per requirement in a calendar year | Up to 10 years imprisonment in certain cases |
| HITECH – Health Information Technology for Economic and Clinical Health | Electronic record keeping, HIPAA enhancement | Tier 1: $100 per violation, max annual penalty $25,000. Tier 2: $1,000 per violation, max annual penalty $100,000. Tier 3: $10,000 per violation, max annual penalty $250,000. Tier 4: $10,000 per violation, max annual penalty $1,500,000. | |
| SEC – Securities and Exchange Commission | Payback, wrongdoing in handling securities, misleading acts, or record omission | Tier 1: $7,500 – $80,000 per violation. Tier 2: $80K – $400K. Tier 3: $160K – $775K. Average fine in 2022 was $9.1M, for a total of $6.4Bn levied. | Up to 5 or 20 years in federal prison, barring from participation |
| Federal Trade Commission Act | Consumer privacy, deceptive trade practices | Up to $40,000 per violation of the FTC Act | |
| Sarbanes-Oxley | Policies and protection of investors against falsification, destruction, or alteration of records | Delisting, $5M per executive | 20-year imprisonment for CEO/CFO and up to 10-year imprisonment for accountants and auditors for not maintaining financial documents for the required period |
| GLBA – Gramm-Leach-Bliley Act, Safeguards Rule | Financial institutions' treatment of customer private information | $5,000 to $1M per day of knowingly being in violation | |
| U.S. Customs and Border Protection Record Keeping, Export Control Regulations | Record keeping and document maintenance requirements and procedures; prevention of unintended export of goods, information or services | $10K to $500K per violation/transaction depending on the authorizing legislation; failure to produce a demanded record results in a penalty not to exceed $10K or 40% of appraised value | Individuals up to $1M and up to 20 years imprisonment |
| CCPA – California Consumer Privacy Act, Virginia Consumer Data Protection Act (VCDPA) | Opt-in/opt-out policy, information privacy, selling of personal information | $2,500 to $7,500 per intentional violation – no cap | Statutory damages up to $750 per consumer per incident |
| California Insurance Information and Privacy Protection Act | Protection of personally identifiable information and privacy | Max $10,000 for each act | |
| CPA (Federal) | Consumer privacy | $20,000 per violation | |
| EU GDPR – General Data Protection Regulation | Consumer privacy | Up to €20M or 4% of worldwide turnover of the preceding financial year | |
| FACTA – Fair and Accurate Credit Transactions Act | Reporting and disclosure | $2,500 per federal violation and $1,000 per state violation | $1M for 1K consumers – plus court decisions |
| FTC Red Flags Rule | Identity theft protection | $3,500 per non-compliance violation | |
The severity of fines covers a wide spectrum. When records are not properly stored, replicated, and organized on immutable storage media, they can be lost or destroyed, and important information and data go with them. Poorly managed records or loss of data make it difficult for companies to comply with regulatory requirements and other legal obligations.
How do you know you’re at risk?
- Your organization lacks regular training, communications, audits, and policy handbooks, and has immature data lifecycle management and enforcement practices.
- Your IT storage team spends more than 8% of its storage TCO (CAPEX and OPEX) budget each year migrating cold data onto new hard drives or servers.
- Your cloud service provider limits its liability or SLA guarantees in the case of data loss and breaches.
- Storage for non-changing master data assets is connected to, or accessible over, a network.
- You over-rely on outsourcing and software-based controls for data immutability.