What you can learn from 3 recent corporate compliance failures

Chris Dunne, Digital Marketing Manager

Just when you thought things were getting better, two recent statistics underscore why being proactive with online compliance training remains so important to today’s organizations

The U.S. Equal Opportunity Employment Commission reported a 13.6 percent increase in sexual harassment claims for FY 2018 over the previous year, even as overall workplace harassment claims dropped.
Cybersecurity breaches have jumped 67 percent over the past five years, according to a report by Accenture and the Ponemon Institute.

The stats are frightening, but headlines and news articles detailing compliance failures truly hit home, with organizations wondering, “What if we’re next?” Here are three such compliance mishaps and the lessons you can learn from each.

1. Redtail Technology data leak

The situation: California-based Redtail Technology, a software company specializing in customer relationship management (CRM) solutions for financial advisors, discovered in March a technical error that possibly exposed the personal information of users’ clients. Logging systems captured investor data—including names, Social Security numbers, physical addresses, and dates of birth—and made the file accessible by anyone online.

The compliance failure: Investment News, which originally broke the story, also reported that Redtail did not start informing affected investors until May 17, more than two months after the breach was discovered. Every state requires that affected individuals be notified after the discovery of a data breach—and many of these notification deadlines are shorter than two months.

The lesson: Technical errors that lead to data breaches are unfortunate, but they happen, sometimes despite due diligence and full compliance. The response to the data breach is what possibly threw Redtail out of compliance. Florida and Colorado require companies to notify affected individuals within 30 days for companies to notify users, and at least a dozen more cap deadlines at 45 days. Investment News reported that Redtail said it required more time to investigate the incident, but that’s a tough excuse to sell in 2019. Know your state’s and industry’s compliance regulations so you know you’ll avoid violations, and don’t drag your heels after a discovered incident.

2. Cancer Treatment Centers of America phishing intrusions

The situation: A Cancer Treatment Centers of America (CTCA) employee in Atlanta fell victim to a phishing attack in March and gave a hacker their login credentials. Upon discovery, CTCA changed the credentials. However, the organization announced in May that, upon wrapping up its investigation, it couldn’t rule out that protected health information (PHI) and other personal data of 16,819 patients had been accessed during the two days before the breach was resolved.

The compliance failure: This was the second successful phishing attack against CTCA in less than a year. In 2018, the PHI of more than 41,000 patients was exposed in a one-day breach that wasn’t discovered for several months.

The lesson: In both events, employees gave up login credentials to the bad guys, potentially risking personal data of cancer patients, who, frankly, already have enough to worry about. Even with increased employee awareness about phishing attacks, these incidents still occur, partly because cybercriminals have become awfully good at deceiving smart people. Employee compliance training that includes real-world scenarios and adaptive learning can minimize the risk. Gamification and follow-up measures such as microlearning and job aids can also strengthen employees’ compliance knowledge, thus creating muscle memory so that users don’t fall for phishing, no matter how convincing the email is.

3. California organizations not meeting harassment training requirements

The situation: Until recently, California law required any business of more than 50 employees and all state agencies to provide two hours of harassment training to their supervisors within six months of hire/promotion; all supervisors must undergo training every two years—and the requirements are set to expand Jan. 1. This is an important mandate for businesses in California, but state agencies aren’t setting the best example for their private counterparts.

The compliance failure: An investigation by Capital Public Radio discovered that 60 percent of California state agencies did not provide sexual harassment training to all their supervisors as required by law. Some possibly failed to do so because they were unaware of the requirement.

The lesson: California’s law had been in place since before the #MeToo movement and, come 2020, will expand to requiring sexual harassment training for supervisors at businesses with five or more employees as well as an hour of training for nonsupervisory employees. The fact that the state’s own agencies weren’t complying with the requirements is embarrassing—and given California’s history of expensive payouts to state employees who have been harassed, it’s risky as well.

Whether your organization is required to provide sexual harassment training or simply see the value in it to minimize risk and better educate employees, comprehensive, no-fuss, and impactful online compliance courses are available. Be proactive so that your company isn’t the next splashed across an embarrassing headline.