On June 1st, the Department of Justice (DoJ) released further guidance about compliance programs, which could affect the way PCI and HIPAA compliance breaches are handled in court.
https://www.justice.gov/criminal-fraud/page/file/937501/download
They state that compliance programs aren’t merely one-and-done snapshots in time, but are instead dynamic programs that get updated regularly to fit changing circumstances.
An article about it states, “the latest guidance issued by DOJ is premised almost entirely on the adequacy of the organization’s risk assessment efforts, an approach well-known and particularly applicable to cybersecurity professionals. Prosecutors are urged to evaluate the quality and effectiveness of an organization’s risk assessment program by examining:
- The risk management process, particularly the methodology used to identify, analyze and address the risks an organization faces
- Risk-tailored resource allocation, namely whether the organization devotes enough resources to managing risks
- Updates and revisions, specifically whether the risk assessment is subject to periodic dynamic reviews
- Lessons learned, determining whether the company has a process for tracking and coordinating changes in its risk management program based on its experience
The DOJ also stressed the importance of risk-based training and communications about misconduct as essential parts of how it determines whether the organization’s compliance programs are up to snuff. Finally, the guidance highlights the importance of management support of the organization’s compliance initiatives and the value of extending compliance due diligence to third-party providers.”
If your company is unsure about its compliance program or risk assessment process, contact us for assistance.