The Cost of Non-Compliance: Putting a Price on Privacy

With the invalidation of the EU-US Safe Harbor agreement in October 2015, privacy compliance has been top of mind for businesses and consumers alike. Focus on privacy can only be expected to intensify with constantly evolving policies being put into place by various lawmakers, social networks and agencies.

But a recent survey shows that 95% of large enterprises are only “somewhat aware” of their legal obligations when it comes to complying with today’s privacy regulations. Let’s take a look at how non-compliance can cost businesses, as well as the price of manually managing these policies in-house. Finally, we will illustrate how leading businesses are saving time, money and resources by using customer identity management (CIM) to help automatically manage many of these regulations.

Non-Compliance

With just 5% of large enterprises claiming to be fully aware of their legal privacy obligations, it’s easy to see why businesses are often faced with the consequences of non-compliance, which can result in significant fines and even imprisonment. Financial services and healthcare brands in particular face a laundry list of legislation.

Based on survey results from Protiviti and North Carolina State University’s ERM Initiative, the combination of regulatory change and heightened regulatory scrutiny is the number one risk for corporate executives. Some key privacy laws and the costs for violation include:

  • HIPAA & HITECH: Protect the privacy and security of Protected Health Information (PHI). Fines for violation can reach up to $1.5 million (ShredIt).
  • Russian Data Localization: This legislation maintains that 1) all Russian citizens’ personal data must be stored on Russian soil; 2) all server locations must be made known to Russia’s communication authorities; 3) infringing websites will be blocked by the Russian government; and 4) all violators and details around their violations will be added to a roster. Violators will also be fined (Morrison & Foerster).
  • PCI Standard: Designed to ensure that all merchants that process, store or transmit credit card information maintain a secure environment. Penalties for non-compliance include fines from $5,000 – $100,000 per month, increased transaction fees and terminated bank relationships (PCIComplianceGuide.org).
  • GLBA (Gramm-Leach-Bliley Act): A set of rules designed to protect consumer financial privacy. Violations can result in imprisonment and individual fines of up to $1 million (ShredIt).

But lawmakers and institutions are not the only ones holding businesses accountable when it comes to data privacy – companies must also answer to their customers. As data becomes the linchpin of business success, consumers are growing increasingly wary of how their personal information is being used.

A recent survey reveals that 90% of consumers are at least somewhat concerned about their privacy. What’s more, the number one thing that would make them feel more comfortable about providing their personal information is knowing that it would be used only by the company that they are sharing it with. Fines and fees aside, the most significant cost of non-compliance is losing customer trust and relationships.

Compliance Management

Although the cost of maintaining privacy compliance is not nearly as high as non-compliance, according to the most recent compliance report from Ponemon Institute, it still costs businesses a pretty penny.

Figure: Compliance Blog 1 (Source: Ponemon Institute)

Survey results from Financial Executives International’s 2014 benchmarking survey reveal that 58% of US execs from companies with revenues between $1 billion and $5 billion feel that the cost of compliance is rising. This is related not just to direct costs such as compliance audits and consulting, but also largely to indirect costs like the headcount required to manage regulations, as illustrated in the chart below.

Figure: Compliance Blog 2 (Source: Ponemon Institute)

Financial Executives Research Foundation senior research associate Tom Thompson confirms that companies are feeling the pressure of compliance maintenance not just in dollars, but also in resources. “The time they’re spending responding to and monitoring these regulations is increasing,” he says.

So, how can businesses today mitigate the fiscal costs of privacy compliance, as well as minimize the resources needed to monitor and manage evolving regulations?

Automating Compliance with CIM

Best-of-breed, cloud-based customer identity management (CIM) solutions can offload much of the cost, resources and risk from businesses when it comes to maintaining privacy compliance.

For example, a multi-billion dollar media company recently adopted a CIM platform to help manage customer authentication, identities and data for its portfolio of more than 60 websites across 10+ countries. With data centers located across the globe, this platform has saved the brand significant development time and resources that would otherwise be spent managing regional privacy regulations.

For brands looking to implement social login, a means of authentication that grew by more than 35% from 2012 to 2015, CIM manages the privacy policies of global third-party identity providers like Facebook, LinkedIn, PayPal and Sina – all through a single API. Harvard Business Review claims to have saved approximately four weeks of development time each year after offloading social login functionality and compliance to its CIM solution.

Finally, when it comes to traditional authentication, CIM also gives businesses the flexibility to structure registration forms and flows in keeping with regulations like the Children’s Online Privacy Protection Act (COPPA).

All of this can be done at a fraction of the cost needed to retrofit legacy technology and identity and access management (IAM) solutions to keep pace with modern privacy needs. According to the figure below, support and maintenance costs for legacy technology, of which privacy compliance makes up a sizeable portion, are approximately 25% of licensing costs. In contrast, privacy maintenance is included at no extra cost by purpose-built CIM providers.

Figure: Compliance Blog 3 (Source: Gigya. Cost analysis assumes 1 million customers and five third-party integrations.)

There’s no doubt about it: privacy can be pricey, whether your business is keeping up with compliance or facing the consequences of violation. To learn more about how CIM can help your business mitigate these costs, download our white paper, CIAM In The Cloud: What’s In It For You?

By Tobias Meyer-Grunow