Blog Post

Privacy Compliance for Small and Mid-Sized Businesses; It’s Not One Size Fits All

Read any survey of the challenges small and mid-sized business leaders face, and you’ll see an array of worries over managing cash, retaining customers, competing and keeping up with technological change. Chances are that regulatory compliance and data privacy aren’t making those lists of issues keeping SMB owners up at night. In fact, the majority of SMBs (80% according to one survey) know very little about whether and how data protection laws affect their business. Nevertheless, many data protection regulations are indiscriminate when it comes to organization size, and with consumers paying increasing attention to data privacy, the issue has become very real in the SMB arena.

Today, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are two of the most pressing privacy regulations that introduce implications for SMBs. The CCPA and CPRA both include annual revenue thresholds of $25 million, but companies under that figure may still be impacted if they have more than 50,000 consumers, earn 50% of their revenues from selling or sharing consumers’ personal data or buy, sell or share data of more than 100,000 consumers/households. Also of note is that a business may be subject to the law even if it does not have a physical presence (but is conducting business) in California. The California Department of Justice estimates that 75% of businesses in the state will be subject to its privacy laws, including between 50-75% of those generating less than $25 million.

The General Data Protection Regulation (GDPR) in Europe, HIPAA, the NYDFS Cybersecurity Regulation, and dozens of pending state legislations are also in play. Contrary to popular belief, these laws do not apply only to large corporations. HIPAA, for example, does not offer any carve-outs based on organization size or revenue, and some pending state regulations are drafted to govern all businesses that transact with consumer data, regardless of volume.

CCPA penalties can reach $7,500 per violation—so a single breach impacting 50,000 consumers could cost up to $375 million.

The cost of compliance with these laws may overwhelm some businesses to the point of turning a blind eye. Indeed, the initial expense of complying with CCPA is estimated at $50,000 for businesses with 50 or fewer employees and $450,000 for those with between 100-500 employees (per the standard regulatory impact assessment (SRIA) issued by the California DOJ). A HIPAA impact assessment may cost upwards of $75,000. Still, when compared to the costs of penalties for non-compliance, or brand damage incurred for failing to adequately protect consumer data, the cost of compliance may be the lesser of two ‘evils’.

An up-front investment of $100,000 for privacy compliance may be a difficult commitment, but in the long run, it could save the organization significant financial hardship. CCPA penalties can reach $7,500 per violation—so a single breach impacting 50,000 consumers could cost up to $375 million. While it’s not likely that an SMB would face such a severe penalty, even a lesser fine could easily exceed the cost of compliance. In 2019, the average HIPAA fine was more than $1.2 million. Under HIPAA, in addition to fines, companies that are found in violation are required to take remedial actions, which incur costs for hiring legal counsel, making policy and technological adjustments and submitting to mandatory third-party auditing.

Several recent HIPAA enforcements serve as stark examples of the impact these laws can have on small and mid-sized businesses. A private neurology practice in New York paid $100,000 for a single right of access violation, and a gastroenterologist in Utah paid $100,000 for a data breach and failure to “conduct a risk analysis.”

At FTI Consulting, our teams have encountered numerous clients in the mid-sized range that have unknowingly overlooked data privacy risks—processing or collecting personal information, but unaware of their regulatory requirements around those activities. Moreover, data breaches are quite common among SMBs. The Verizon Business 2020 Data Breach Investigations Report found that 28% of data breaches in 2020 involved small businesses. SMBs are so intensely focused on growing (and through 2020, merely surviving the current crisis), that they often feel they can’t make the time or find the resources to deal with their data. This has to change. To protect brand integrity and avoid regulatory fallout, data privacy must be added to the list of top SMB considerations.

The regulatory environment around data privacy will continue to ramp up on a state and federal level in the coming years. A strong position on data protection and consumer trust will continue to be viewed as a brand strength. SMBs will be increasingly impacted by the resulting challenges and opportunities. Privacy is an issue that can no longer be ignored—businesses can either build programs now, or face penalties down the road (and still have to invest in a program).

Related topics:

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.