13 Apr 2017

Data Privacy Compliance Audits Target Small Businesses


As consumer awareness of data privacy issues increases, companies that don’t take their clients’ data privacy seriously are being hit harder and harder. In healthcare, a Florida healthcare provider paid a $5.5 million fine (a HIPAA record) earlier this year for allowing more than 115,000 patient records to be improperly accessed and disclosed. Last year, Ashley Madison paid almost $1.6 million to settle charges brought under Federal Trade Commission (FTC) enforcement of data privacy laws, after the online “cheating” site’s virtually non-existent cybersecurity practices allowed the data of all 36 million of its users worldwide to be compromised.

Regulatory bodies such as the Consumer Financial Protection Bureau (CFPB) have been charged, in many cases, with enforcing data privacy laws such as the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act. Those covered by this rule include registered investment advisors, real estate settlement agents, lenders, collection agents, and other small businesses. Most states have additional state-based consumer privacy laws and enforcement agents.

Trends show that these government oversight bodies have now started to crack down on practitioners that don’t adequately protect client information, signaling a new area of focus and concern for smaller businesses that hadn’t seen much data privacy enforcement action to date.

As big as some of these financial penalties may be, they are a pittance compared to the reputational loss and client cancellations that follow in the aftermath of such audits and news of culpability. After all, who would want to engage in financial transactions with a company that isn’t working hard to safeguard their most private personal and financial details?

High-profile data breaches like the Ashley Madison example (and including Target, LinkedIn, and Anthem Blue Cross in recent years) might lead some to think regulators are too preoccupied with the “whales” to care about the hundreds of thousands of “fish” – the small businesses and sole practitioners. That doesn’t appear to be the case, however.

A registered investment advisor (RIA) in California recently shared his story with us, debunking the idea that government enforcement agencies don’t have the resources to audit small or new businesses.


A Three-Day Audit of a New Registered Investment Advisory Business

Tech Essentials reader “Joe” had recently started a financial planning and investment advisory practice. In business for just over a year, “Joe” was surprised to receive a notice from the “California Department of Business Oversight” saying that it would be spending three days at his office to perform a routine compliance audit. While the SEC is responsible for enforcing regulations for financial services companies with more than $100M in assets under management, most states have their own agencies that audit and enforce compliance among companies with less than $100M in assets under management.

A three-day investigation? That might seem like an eternity for businesses that don’t have a staff to support the auditor. But as it turns out, a three-day onsite audit is the minimum this particular regulator requires to properly investigate a business’s practices.

The auditing team literally came into “Joe’s” place of business and spent three days poring over documents, accounting records, and even email records.

Because “Joe” transacts much of his business electronically through email, he reports that he was extremely fortunate to have Registered Receipt™ proof records for all of his critical email messages. These records proved that he had complied with his legal obligations to ensure delivery of key disclosures and to protect his clients’ personal and financial information.

Three elements of the Registered Receipt™ email record were important for “Joe”: (1) visibility for the recipient that the information was transmitted privately and with a record, conveying that important communications were treated with proper care; (2) timestamped, auditable proof of delivery, in case of a later claim that an investment disclosure or risk factor was never communicated; and (3) audit-ready forensic evidence certifying that certain communications were sent encrypted. With these Registered Receipt™ email records auto-filed in a dedicated email folder within Microsoft Outlook, “Joe” had an automatically organized compliance record for the government auditor to review.

Thanks to “Joe’s” diligence in complying with the regulations and the technology that made compliance easy, the audit was concluded without issue.


Don’t Wait for the Auditors to Come

Whether you’re a Fortune 500 company, a sole practitioner, or something in between, one or more regulatory agencies have a mandate to make sure you’re following the rules, and they will do exactly that. Five years from now, next month, or even tomorrow, prompted by a customer or competitor complaint – or not – they will come knocking on your door.

When they do, they’ll assess your documented past, not just check what your practices are today. Get compliant now: you will reduce the risk of compliance-related penalties in the event of a future audit, and you’ll also keep your customers confident and happy about the way you do business, which helps you avoid a nerve-wracking audit altogether.

RMail’s Registered Email™ certified proof of email delivery provides legally-admissible proof of email delivery, time of delivery, and exact message content. RMail includes an email encryption option to protect sensitive email messages and attachments for privacy compliance with a certified evidentiary record to prove compliance in case of an audit or allegation of data privacy breach.