Regulations on the local, state and federal levels are on the rise and this is putting a lot of pressure on compliance efforts of Small and Medium-sized businesses (SMBs) and exposing the fact that these organizations can only avoid costly fines and/or lawsuits by maintaining strict compliance throughout their information management processes.
I found the recent fines levied by the NBA on two players, Kobe Bryant and Joakim Noah, to be a good lesson on the cost of non-compliance.
The NBA has consistently fined players who were in non-compliance with its rules, and these violations range from the serious to what one could argue is the absurd – like kicking a ball in frustration, or throwing a basketball into the stands in celebration of a win.
Here is a sample of violations that could get an NBA entity in trouble:
- derogatory slurs, flagrant fouls, speaking out against or complaining about poor officiating, altercations during a game, making comments about the collective bargaining negotiations, violating team rules;
- contact between NBA personnel and underclassmen, receiving 16, 18 and 20 technical fouls in one season [a player is automatically suspended for one game for his 16th, 18th, 20th, etc. technical foul in the regular season];
- shoving another player in the face during a game, escalating an altercation, throwing a ball at a referee during a game, missing a shoot-around, fighting with a teammate, verbally abusing a referee;
- leaving the court during a game, improper conduct toward a referee (whatever that means), conducting illegal draft workouts, failing to leave the court in a timely manner following an ejection;
- removing a jersey on the court, asking publicly to be traded or released, throwing a basketball into the stands during a game.
Article 35(c) of the NBA Constitution gives the commissioner broad discretion to fine players whose “act or conduct […] has been prejudicial to or against the best interests of the Association or the game of basketball.”
Notable NBA fines include:
- $100,000 on Kobe Bryant of the Los Angeles Lakers for using a derogatory slur on a referee during a basketball game;
- $50,000 on Joakim Noah of the Chicago Bulls for directing a derogatory slur at a fan during a game in Miami;
- $500,000 on Dallas Mavericks owner Mark Cuban for repeatedly criticizing the league’s officiating;
- $75,000 on Lakers coach Phil Jackson after he spoke to reporters about ongoing collective-bargaining negotiations;
- $3.5 million on the Minnesota Timberwolves (in addition to five first-round draft picks) for making an under-the-table deal with forward Joe Smith;
- $5 million on Ron Artest, who served an 86-game suspension because of his role in the mega-brawl among players and fans at an Indiana Pacers-Detroit Pistons game;
- $100,000 on Cleveland Cavaliers owner Dan Gilbert for calling LeBron James’ decision to play for the Miami Heat a “cowardly betrayal” and a “shocking act of disloyalty.”
The latest in this round of fines were the $100,000 levied on Kobe Bryant of the Los Angeles Lakers for using a derogatory slur on a referee and $50,000 on Joakim Noah of the Chicago Bulls for directing a derogatory slur at a fan.
The fines on Noah and Bryant generated a lot of debate because they happened “in the heat of the game”, where the players were either reacting to what they felt were bad calls or were being heckled by a fan of the opposing team. Joakim Noah, for example, said he was “just caught up”.
And as a fan commented, “The … slur is probably uttered a dozen or more times on the court during a game and nothing happens. These two incidents were simply caught on camera. A couple of fines are not going to change a culture that was years in the making. Get real.”
What does this teach us about non-compliance? A lot of pain and suffering. But the critical factor here is that they were fined because they got “audited”, if you will. Can anyone deny that players use very raw language all the time? Even during the course of a game, I have heard people say “oh, he used a bad word” when a player misses a shot or a team loses a game. The X-factor here is that Kobe and Noah had TV cameras on them when the “violations” happened.
If we take Kobe and Joakim as small business owners and the TV cameras as auditors, a fine resulting from non-compliance can be devastating and can lead to a lot of hurt. Granted, Kobe, Joakim Noah and Coach Phil will hardly miss the “chicken change” called fines, but I bet you Ron Artest missed his five million when he had to sit out an entire season due to suspension, as will a small business that may be forced to cough up millions of dollars due to a violation.
These are the laws that lay down rules or regulations that could lead to fines:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) – enacted to improve efficiency in healthcare information delivery by standardizing electronic data interchange.
- Health Information Technology for Economic and Clinical Health Act (HITECH) – which imposes data breach notification requirements for unauthorized uses and disclosures of unencrypted Protected Health Information (PHI), among other things.
- Stored Communications Act (SCA) – addresses voluntary and compelled disclosure of email and other digital communications stored on the internet by third-party internet service providers.
- Sarbanes-Oxley Act (SOX) – holds the CEO and CFO accountable for maintaining effective internal controls over financial and operational processes. Failure to comply can result in significant fines and even criminal penalties.
- Payment Card Industry Data Security Standard (PCI DSS) – a worldwide standard that includes specific technical requirements, such as data encryption, user access controls, activity monitoring and event logging systems for the protection of cardholder information. Non-compliant companies risk losing their ability to process credit card payments and being audited and/or fined.
- Gramm-Leach-Bliley Act (GLBA) – made up of several components related to the collection, disclosure, and protection of consumers’ nonpublic personal information, including the Financial Privacy Rule, the Safeguards Rule, and Pretexting Protection.
- UK Data Protection Act of 1998 – organizations that do business in the United Kingdom must comply with the broad-sweeping Data Protection Act of 1998. This legislation governs the security of personal data, defined as any data about a living and identifiable individual.
And many others.
The lesson for small and medium businesses is that while they may think they are “too small” to worry about compliance issues, when the auditors (TV cameras) put the spotlight on them, it won’t matter whether the cat made off with the compliance policy or that the security team “planned” on encrypting PII data “soon”.
It does not make a difference whether your violation was due to the dog eating your paperwork, or whether your kid used your laptop as a Frisbee; you are going to be fined. Did Kobe or Noah mean any harm by what they said? I believe it is safe to say “No”. But they knew the rules and agreed to be bound by the rules and regulations of the “Association”.
For example, here’s what HIPAA violations can do to you:
- a fine of up to $50,000, or up to 1 year in prison, or both; (Class 6 Felony)
- if the offense is committed under false pretenses, a fine of up to $100,000, up to 5 years in prison, or both; (Class 5 Felony)
- if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine up to $250,000, or up to 10 years in prison, or both. (Class 4 Felony)
- HIPAA also provides for civil fines to be imposed by the Secretary of DHHS “on any person” who violates a provision of it. The maximum is $100 for each violation, with the total amount not to exceed $250,000 for all violations of an identical requirement or prohibition during a calendar year. (Class 3 Felony)
An argument can also be made that the biggest consequence of non-compliance with the law is lawsuits. They are expensive, time-consuming, and morale killers.
For example, a group of pipe-fitters refused to install a weaker and cheaper valve in a line for a nuclear power plant. One of the pipe-fitters got some more expensive and stronger valves that would hold the pressure, and these were installed. Instead of receiving praise for their work, they were laid off by the management of the company. The employees sued, claiming retaliation for blowing the whistle on the company and management for the use of the weaker and cheaper valve. The jury of 12 awarded the pipe-fitters $4.7 million.
Another example is the Health Information Technology for Economic and Clinical Health (HITECH) Act that was enacted in 2010 which among other things improved and expanded current Federal privacy and security protections for health information. The new law ensures that new entities that were not contemplated when the Federal privacy rules were written, as well as those entities that do work on behalf of providers and insurers, also known as “business associates”, are subject to the same privacy and security rules as providers and health insurers.
One sector that will face non-compliance challenges under the HITECH Act is the legal sector. Whereas the focus of HIPAA privacy compliance in law had previously been limited, or quasi-restricted, to those in legal entities who handle health-related information (typically HR), lawyers are now bound by the same HIPAA security and privacy guidelines as healthcare providers, including penalties for data security breaches and/or non-compliance with Federal regulations. They are now required to implement all of the HIPAA Security Rule requirements for all client-related electronic protected health information (ePHI).
So while many of us may understand that Kobe and Joakim committed their non-compliance violations in the heat of the moment and that they did not mean any harm, they agreed to abide by the rules and policies of the NBA, just like a health care provider agrees to abide by the rules of HIPAA. They were well aware of the consequences of any violations.
If you are a small or medium business out there without a boatload of cash to handle a case of non-compliance, the best bet is to start now. Review the regulations that impact your organization and make sure your organization stays up-to-date with constantly changing rules to help stay compliant.
According to an Iron Mountain report on “Best Practices for Records Management” which encompassed a diverse, broad-based sample of nearly 3,500 organizations across almost every vertical market:
- 13% of all organizations surveyed managed electronic records in compliance with a records retention schedule.
- 29% of all respondents said they had no written employee notification procedure should there be a need to cease disposal of records related to actual or anticipated legal actions, investigations, or audits.
- 63% of all respondents did not have a records training program.
If you own a small business in the Austin area and have less than 20 employees, see how you can get started with compliance risk assessment without upfront or out-of-pocket cost here. Tech Prognosis can review your current environment to see where you may need help.