Uber’s former CSO has been in the headlines lately, facing five felony charges over a now widely publicized breach that happened six years ago. The 2016 hack exposed the personal information of 57 million Uber users, and the payment to the attackers was passed off as a bug bounty payout, with non-disclosure agreements attached, rather than reported as the breach it was. The two men behind the hack were later indicted for breaching a subsidiary of LinkedIn.
No one likes to admit to a data breach, and start-ups and SMBs face particular pressure given their hand-to-mouth dependence on customer loyalty and the fact that one round of bad press could put them under. Those sound like good reasons to stay quiet, so why should SMBs do the right thing when it comes to breach reporting (beyond the obvious answer), and what are the legal ramifications if they don’t?
Let’s talk compliance standards
Cybersecurity compliance standards are the requirements, most of them legal, that govern how companies secure their networks, systems and applications. Increasingly this is treated as synonymous with data privacy protection, but the two are not the same thing: privacy law governs what you may collect and do with personal data, while security standards govern how you protect it. Since the penalties for violating either overlap heavily, we’ll go over both (and yes, violating either can land you in jail).
Data Privacy Compliance
While many privately held small businesses assume they are exempt from compliance standards and regulations relating to data privacy, it’s not that simple, and it hasn’t been for a while. A few examples:
- Anyone who accepts credit or debit cards must follow the PCI DSS, no matter how small or infrequent the transactions. PCI DSS is a contractual obligation imposed through your acquiring bank and the card brands rather than a statute, but non-compliance still means fines and, ultimately, losing the ability to process cards.
- Any medical organization that is a Covered Entity under HIPAA is (perhaps obviously) subject to HIPAA requirements, and so is any Business Associate that handles protected health information on a Covered Entity’s behalf, which pulls in plenty of small IT, billing and cloud vendors.
- All 50 states have breach notification laws on the books, and they apply to small, private companies just as much as to big, public ones.
While the Sarbanes-Oxley Act and the Federal Information Security Management Act (FISMA) apply only to public companies and federal agencies respectively, every business is still held to state privacy law and to the FTC, which enforces consumer privacy and data security as unfair or deceptive practices under Section 5 of the FTC Act.
President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028) was a lightning rod for new processes, policies and pitfalls. There is a fair worry that technologies or methodologies it does not specifically enumerate will fall by the wayside, but let’s look at what it does include, and what is on the books now.
Key points of the Executive Order include:
- IT service providers to the government are required to share certain breach and incident information
- The Federal Government must deploy MFA and encryption within a set timeframe
- Baseline security standards for software sold to the government, including supply-chain requirements such as a software bill of materials (SBOM)
- Developers are required to make certain security information about their products publicly available
- Federal agencies are required to log cybersecurity events and retain those logs
The EO applies to the federal government and its contractors alone, but don’t feel left out. There are cybersecurity requirements specific to your industry (and government niche) as well, plus some privacy laws:
- Healthcare [HIPAA]
- Insurance [Ex. New York’s NYDFS Cybersecurity Regulation, 23 NYCRR 500]
- Energy [NERC CIP]
- Payment Card Industry [PCI DSS]
- Food and Drug [FDA medical device cybersecurity guidance]
- Securities and Exchange Commission [SEC]
- Department of Defense [DoD CMMC]
- Consumer Data Privacy [Ex. California’s CCPA]
There’s something for everybody, and as long as an SMB touches any of the above industries, there’s something for it, too. I’ll illustrate the point. Since we don’t need to go through each of the above compliance standards in depth, let’s make a case study out of one: HIPAA.
Case Study: HIPAA
HIPAA is a useful case because it is a data privacy law that cannot be satisfied without cybersecurity controls (the Privacy Rule and the Security Rule work together), so it covers both ends of the spectrum. As with most punitive measures, the consequences scale with the infraction, but the penalties for failing to comply with HIPAA requirements (cybersecurity-related or not) include:
- Termination. You’ll be looking for a new desk, if you’re lucky enough not to be tied up in legal knots.
- Sanctions from professional boards. You could lose your license and be blacklisted from professional organizations.
- Fines. Civil penalties start at $100 per violation for infractions the organization could not reasonably have known about, with an annual cap of $25,000 for repeated violations of the same provision, and climb to $50,000 per violation for uncorrected willful neglect, capped at $1.5 million per year. Criminal fines run from $50,000 for knowingly obtaining or disclosing protected health information to $250,000 for doing so with intent to sell it or cause malicious harm, and courts may add restitution to the victims.
- Criminal charges and imprisonment. For criminal HIPAA violations, jail is of course in the cards. Knowingly obtaining or disclosing protected health information carries up to one year; doing so under false pretenses carries up to five; doing so with intent to sell the data, or for commercial advantage, personal gain or malicious harm, carries up to ten.
For context, fines under China’s Data Security Law range from roughly $15,000 to $1.55 million USD, and GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher. And remember, behind every regulation are regulators eager to audit and enforce, and lawyers who need only one whistleblower to take up the task if the regulators fall short. It’s not worth the risk: prevention costs far less than the cure.
An SMB’s most important asset: Their Reputation.
Then there are the plain bad consequences, legal or not, of hiding a breach or otherwise failing to adhere to mandated cybersecurity regulations. You lose customer trust. You spend thousands (or hundreds of thousands) on PR patch-up. You tarnish your reputation, which curtails your ability to win new customers. You lose business partnerships, funding and future investment until your name is cleared (and who knows how long that takes). Ultimately you pay a higher price than you would have by coming clean, or better still, by allocating budget to comply with security standards in the first place.
While data privacy and cybersecurity are distinct disciplines, security compliance standards are what protect that data in the first place, making it nearly impossible to do one without the other.
Put Us In Your Corner.
We back you up with managed threat protection, visibility, and support, 24/7.