Important
Disclaimer: This IS NOT legal advice.
Until the mid-2010s the "technology industry" was widely considered to be unregulated, resulting in tremendous harm. The colloquialism "move fast and break things" dates from those times and, despite being a proven travesty, continues to influence leadership across the industry.
Fortunately, today, both data and related business operations are regulated.
Unfortunately, there are many in leadership roles who see the compliance-related fines and penalties as acceptable business risks -- especially as their expected tenure ostensibly limits personal exposure to said risks.
According to a Gartner study in 2024, only 14% of security leaders reported being able to both secure data assets and use them to achieve business objectives. Notably, only 35% of respondents reported securing data assets at all.
Note
I avoid having AI write for me like the plague, as aside from being distracting, it deviates from my values, perspective, and identity -- but in this instance I will leverage it (Gemini) to add any and all possible credence to this subject matter.
PROMPT
What are some of the consequences of now considered "protected data"
and related business operations having been unregulated? Is there any
relation to the colloquialism "move fast and break things"?
RESPONSE
begin --------------
That's an excellent and insightful question. There is a very direct relationship between the "move fast and break things" philosophy and the consequences of the previously unregulated landscape of protected data.
The colloquialism "move fast and break things" perfectly encapsulates the tech industry's growth-at-all-costs mindset of the 2000s and 2010s. In an environment with no data protection laws, this philosophy meant that user privacy, data security, and consent were some of the primary "things" that were broken in the pursuit of rapid innovation, user acquisition, and market dominance.
Here are the direct consequences of that unregulated era:
- Massive, Uncontrolled Data Collection: Companies treated personal data as a free resource to be harvested. Every click, search, location, and interaction was collected and stored indefinitely, often without clear user knowledge or meaningful consent. This created vast, centralized troves of sensitive information.
- Erosion of Privacy as a Norm: The concept of a private life was fundamentally undermined. The line between public and private blurred, leading to a "surveillance economy" where profiling and tracking became the default business model of the internet.
- Manipulation and Algorithmic Influence: The collected data was used to build sophisticated profiles for micro-targeting. While often used for advertising, this capability was famously abused in cases like the Cambridge Analytica scandal, where personal data was used to influence political outcomes.
- Lack of Recourse or Control: Before regulations like GDPR, individuals had virtually no rights over their data. There was no "right to be forgotten," no "right to access," and no legal mechanism to stop a company from selling or misusing your information.
- Pervasive Security Risks: With no legal requirement to secure data, security was often treated as a cost center rather than a necessity. This led to an epidemic of data breaches where sensitive personal and financial information was stolen from poorly protected systems, with little to no consequence for the breached company.
- The Creation of "Privacy Debt": This is the most direct business consequence of "moving fast." Companies built entire products and business models on a foundation of unregulated data practices. They are now facing the enormous technical and financial cost of refactoring those systems to comply with new laws—a debt that has come due. They have to re-engineer how they collect, process, store, and delete data.
- Sudden Regulatory Whiplash and Financial Risk: The shift from a "Wild West" environment to a highly regulated one has been abrupt. Business operations that were once standard practice are now illegal and carry the risk of billion-dollar fines. This represents an existential threat to companies whose models were built entirely on the old paradigm.
- Loss of Public Trust: The constant cycle of data scandals, breaches, and revelations about surveillance has severely damaged public trust in the tech industry. This has led to user skepticism, increased use of privacy-enhancing tools, and greater public support for even stricter regulation.
- Monopolistic "Data Moats": The first movers who "moved fast" and collected the most data created powerful competitive advantages (or "moats"). They amassed datasets so large that new competitors could not possibly replicate them, stifling innovation and leading to the market dominance of a few large players.
In essence, the regulations we see today (GDPR, CCPA, etc.) are a direct reaction to the consequences of the "move fast and break things" era. The "things" that were broken—privacy, security, and user autonomy—are now protected by law, and the "breaking" now comes with severe financial and reputational penalties.
The industry is being forced to shift from "move fast and break things" to a new mantra: "move carefully and build trust."
end ----------------
There are primarily three sources of InfoSec and Compliance mandates -- THE LAW, industry-standard governance frameworks, and common sense.
Important
If you wouldn't want your friends or family using your product, then you shouldn't be making it. 😃
These are some of the more commonly applicable frameworks and laws.
Note specifically that compliance coverage is largely dictated by the scale and type of business operations, as well as the regions in which they take place.
| Framework | Full Name | Region(s) | Applicability & Scenario | Fines & Penalties |
|---|---|---|---|---|
| CIS Controls | Center for Internet Security Controls | Global | A prioritized, practical set of cyber defense best practices. | None directly. This is a voluntary, best-practice framework. Penalties may arise under other laws (e.g., GDPR, HIPAA) if a breach occurs due to negligence. |
| COBIT | Control Objectives for Information and Related Technologies | Global | An IT governance and management framework. | None directly. This is a governance framework. Failure to implement it may lead to operational inefficiencies and risks that result in fines under other regulations. |
| ISO/IEC 27001 | Information Security Management System (ISMS) Standard | Global | An international standard for managing information security. | None directly. The "penalty" is typically loss of certification, reputational damage, and potential loss of contracts. Non-compliance could also lead to fines under other laws. |
| PCI DSS | Payment Card Industry Data Security Standard | Global | Not a law, but a contractual requirement. | Contractual fines: Levied by card brands to acquiring banks and passed to the merchant. Typically $5,000-$100,000 per month, plus card re-issuance costs and forensic audit fees. Can result in loss of ability to process payments. |
| SOC 2 | Service Organization Control 2 | Global (Primarily US-driven) | A report based on an audit of trust service criteria. | None directly. The penalty for a failed audit is business-related: loss of customer trust and contracts, as many companies require a clean SOC 2 report from their vendors. |
| NIST CSF | NIST Cybersecurity Framework | Global (Primarily US-driven) | A voluntary framework of standards and best practices. | None directly. This is a voluntary framework. However, adherence can be cited as evidence of due care, potentially reducing fines in post-breach litigation. |
| NIST 800-53 | Security and Privacy Controls for Information Systems | USA (Influence is Global) | A comprehensive catalog of security and privacy controls. | None directly for private sector. For federal agencies, penalties are disciplinary. For contractors, the penalty is typically suspension or loss of the government contract. |
| FedRAMP | Federal Risk and Authorization Management Program | USA | A mandatory framework for cloud service providers selling to U.S. federal agencies. | No direct fines. The primary penalty is the suspension or complete revocation of a company's "Authority to Operate" (ATO), resulting in the immediate loss of all U.S. government contracts. |
| HIPAA | Health Insurance Portability and Accountability Act | USA | A law governing the use and protection of Protected Health Information (PHI). | Civil & Criminal: Civil penalties up to $1.5 million per year, per violation type. Criminal penalties (for intentional misuse) up to $250,000 and 10 years in prison. |
| CCPA/CPRA | California Consumer Privacy Act / California Privacy Rights Act | USA (California) | State laws granting California consumers rights over their personal data. | Civil Penalties: Up to $2,500 per unintentional violation and $7,500 per intentional violation. Private Right of Action: Consumers can sue for $100-$750 per incident in a data breach. |
| GDPR | General Data Protection Regulation | European Union (EU) | A comprehensive data protection law. | Up to €20 million or 4% of global annual turnover, whichever is higher. Fines are tiered based on the severity of the infringement. |
| BDSG | Bundesdatenschutzgesetz | Germany | The German Federal Data Protection Act. | Aligned with GDPR penalties (up to 4% of global turnover). Some specific national violations can carry fines up to €300,000. |
| PIPEDA | Personal Information Protection and Electronic Documents Act | Canada | Canada's federal privacy law for the private sector. | Fines of up to $100,000 CAD per violation for non-compliance with specific provisions, such as breach reporting. |
| CASL | Canadian Anti-Spam Legislation | Canada | A law that regulates the sending of Commercial Electronic Messages (CEMs). | Administrative Monetary Penalties (AMPs) of up to $1 million CAD for individuals and $10 million CAD for corporations per violation. |
| RPAA | Regulations Prescribing Privacy and Access | Canada | These are not a standalone framework but are specific regulations. | Penalties would be defined by the parent act under which the regulations are issued (e.g., PIPEDA's penalties would apply). |
| PCMLTFA | Proceeds of Crime (Money Laundering) and Terrorist Financing Act | Canada | Canada's anti-money laundering (AML) law. | AMPs: Up to $500,000 for entities. Criminal Penalties: For severe non-compliance, up to $2 million CAD in fines and/or 5 years imprisonment. |
| BSA | Bank Secrecy Act | USA | The core U.S. legislation for Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF). Applies to financial institutions, casinos, money services businesses, etc., requiring the reporting of suspicious activities (SARs) and currency transactions (CTRs). | * Civil Penalties: Can range from $25,000 to $100,000 per violation, or even per day, depending on the severity and nature of the violation. * Criminal Penalties: For willful violations, fines can be up to $500,000 or more, and imprisonment up to 20 years for individuals. |
| EU AMLDs | EU Anti-Money Laundering Directives | EU | A framework of directives requiring EU member states to implement national laws for AML/CTF. Applies to financial institutions, crypto service providers, real estate agents, etc., focusing on customer due diligence, beneficial ownership registers, and suspicious transaction reporting. | Penalties are imposed by individual member states, but the directives require them to be effective, proportionate, and dissuasive. Fines can include up to €5 million or 10% of the total annual turnover for corporate entities (whichever is higher), and imprisonment for individuals. |
Important
Also observe the absolute requirement of being compliant with all relevant accessibility laws, such as the ADA, ACA, EAA, etc. Note that many accessibility regulations refer to WCAG as guidance.
Important
Carefully note that this table DOES NOT cover material such as the Export Administration Regulations (EAR) or the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
This is an expansive and continually developing field (as laws change), which makes it challenging for international businesses to achieve and maintain a strong compliance posture. Fortunately, internationally recognized InfoSec frameworks such as SOC2 and ISO27001 ensure that (with a strong report from a reputable audit partner) businesses can demonstrate due diligence and due care. These terms are common when dealing with this subject matter, and are directly impactful when fines and penalties are being considered by Data Protection Authorities (or other prosecutors).
Compliance is achieved by satisfying various controls. There are two primary categories of controls: organizational and technical. A control is a demonstrable action which enhances an organization's overall InfoSec/Compliance posture. Examples include: employees complete security training annually; software security patches are applied to servers and laptops; etc. There are thousands.
Business executives should note that regulatory bodies, business partners, customers, and even end-user consumers highly value, and in the case of B2B relations often require, strong compliance audit reports.
Tip
Not all frameworks carry the potential of certification. SOC2, for example, has two types of report that can be issued by an audit partner -- Type I and Type II. The former is a point-in-time attestation, while the latter covers a period of time and should ideally be maintained without lapse.
Such reports will often come in both a full and limited version, with the redacted version being intended for delivery to partners and customers.
Tip
Because this material is exceedingly complex it is strongly recommended that businesses contract with a compliance partner, such as OneTrust (who acquired Tugboat software). The Unified Control Framework (UCF) has some good resources, regardless.
Because of this complexity, some regions dictate the hiring of a Chief Compliance Officer -- which is itself a compliance control.
Organizational controls are the policies, procedures, and processes that manage and govern an organization's security program.
| Control Category | Description |
|---|---|
| Security Governance and Risk Management | Establishing a formal program to manage security risk. This includes defining roles and responsibilities, getting management buy-in, and performing regular risk assessments. |
| Information Security Policies | Creating and maintaining a comprehensive suite of policies that define the organization's stance on security. This includes an Acceptable Use Policy, an Information Security Policy, a Data Classification Policy, and others. |
| Human Resources Security | Controls that are applied before, during, and after employment. This includes background checks, security awareness training, confidentiality agreements, and formal termination processes. |
| Asset Management | Maintaining an inventory of all information assets (hardware, software, data) and classifying them based on their sensitivity and criticality. |
| Vendor/Third-Party Risk Management | A process for assessing the security posture of all third-party vendors and service providers who have access to your data or systems. This is a major focus of SOC2 and HIPAA (Business Associate Agreements). |
| Incident Response and Management | Having a documented plan to detect, respond to, and recover from security incidents. This includes a designated incident response team, communication plans, and regular testing of the plan. |
| Business Continuity and Disaster Recovery | Ensuring that the business can continue to operate in the event of a major disruption. This involves business impact analysis, creating recovery plans, and testing those plans. |
| Compliance and Auditing | Regularly auditing your controls against your chosen frameworks to ensure they are implemented and operating effectively. This includes both internal and external audits. |
Technical controls are the mechanisms implemented in systems, networks, and applications to enforce those policies.
| Control Category | Description |
|---|---|
| Access Control | Ensuring that users only have access to the information and systems that are necessary for their job roles (Principle of Least Privilege). This includes strong password policies, multi-factor authentication (MFA), and regular access reviews. |
| Cryptography and Encryption | Protecting data both at rest (in storage) and in transit (over the network). The level of encryption required often depends on the data type (e.g., PCI DSS has very specific requirements for cryptographic key management). |
| Network Security | Securing the network perimeter and internal network segments. This includes firewalls, intrusion detection/prevention systems (IDS/IPS), and network segmentation (e.g., isolating the cardholder data environment in PCI DSS). |
| Endpoint Security | Securing all endpoints (workstations, servers, mobile devices). This includes antivirus/antimalware, host-based firewalls, and configuration management to ensure systems are hardened against attack. |
| Application Security | Building security into the software development lifecycle (SDLC). This includes secure coding training for developers, static and dynamic application security testing (SAST/DAST), and vulnerability scanning of third-party libraries. |
| Data Loss Prevention (DLP) | Technologies and processes that prevent sensitive data from leaving the organization's control. This can include monitoring email and removable media for sensitive data patterns. |
| Security Information and Event Management (SIEM) | Centralized logging and monitoring of all systems and applications. This is critical for detecting security incidents in real-time and for forensic analysis after an incident. |
| Vulnerability Management | A continuous process of identifying, assessing, and remediating vulnerabilities in your systems and applications. This includes regular vulnerability scanning and a defined process for patching systems. |
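The Data Loss Prevention row above describes monitoring outbound channels for sensitive data patterns, and the SIEM row describes centralized logging of what is found. As an added illustration (this is not code from the original page or from any vendor named on it), the script below scans constructed sample lines for cardholder PANs and US SSNs, uses the Luhn check to discard long numeric identifiers that merely look like card numbers, and masks every finding so the alert record itself does not re-expose the data. The sample lines, the regexes, and the function names are all assumptions made for this example.

```python
import re

# Constructed sample lines (not real data): text a DLP filter might inspect
# before it leaves the organization, e.g. outbound email bodies or a file
# copied to removable media.
SAMPLE_LINES = [
    "Order 1187 confirmed, last four 4242",
    "Customer pasted full PAN into the ticket: 4111 1111 1111 1111 exp 12/27",
    "Tracking id 4111111111111112 is a parcel number, not a card",
    "Applicant SSN on file: 123-45-6789",
    "Nothing sensitive here",
]

# 13-19 digits, optionally separated by single spaces or dashes (typical PAN formatting).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number in the common dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_digits(digits: str) -> str:
    """Keep only the last four digits so findings can be logged without re-exposing the data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_line(line: str) -> list[dict]:
    """Return the sensitive-data findings in one line of text.

    A PAN candidate is reported only if it passes Luhn, which filters out most
    long numeric identifiers (tracking numbers, ticket ids) that merely look
    like card numbers and would otherwise flood the SIEM with false positives.
    """
    findings = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append({"kind": "PAN", "masked": mask_digits(digits)})
    for m in SSN_RE.finditer(line):
        findings.append({"kind": "SSN", "masked": "***-**-" + m.group()[-4:]})
    return findings


def scan_lines(lines: list[str]) -> list[dict]:
    """Scan a batch of lines and tag each finding with its zero-based line number."""
    results = []
    for idx, line in enumerate(lines):
        for f in scan_line(line):
            results.append({"line": idx, **f})
    return results


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        # A real DLP control would block or quarantine the message and raise an
        # alert in the SIEM; here we only report the masked finding.
        print(f"line {f['line']}: {f['kind']} detected ({f['masked']})")
```

Run as-is, the script reports the Luhn-valid PAN on the second line and the SSN on the fourth, and stays silent on the parcel number, which fails Luhn. The masking is the part auditors tend to ask about: a DLP alert that copies the full card number into a log has simply moved the cardholder data into another system that is now in PCI scope.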
The implementation of these controls will vary based on the type of data you are handling:
- No Protected Data: Even with no "protected" data, a baseline set of controls from a framework like CIS Controls or NIST CSF is recommended to protect the business from common cyber threats.
- PII Only: GDPR, CCPA, and other privacy laws come into play. You will need to focus on controls related to data subject rights (e.g., the right to be forgotten), consent management, and data minimization.
- SPI (Sensitive Personal Information): This requires a higher level of protection than standard PII. Encryption, stricter access controls, and more granular auditing will be necessary.
- Health Data (HIPAA): HIPAA has very specific administrative, physical, and technical safeguards. Key additions include the requirement for Business Associate Agreements (BAAs) with all vendors who handle PHI, and controls to ensure the integrity and availability of health information.
- PCI Data (PCI DSS): This is the most prescriptive framework. It requires strict network segmentation, file integrity monitoring, quarterly vulnerability scans by an Approved Scanning Vendor (ASV), and an annual Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ).
This is an exceedingly high-level summary. Refer additionally to your vendor documentation on best practices, such as AWS's Well-Architected Framework.
Tip
Engage with audit partners early, as they can assist in discovering compliance mandates/coverage, and will supply a detailed checklist of controls which will be audited. Ensure that these controls are satisfied to the best of your ability prior to having them execute the audit. Their engagements often include only two additional reviews after the initial audit.
- Owner & Scope: Documented owner (CISO/Head of Compliance) and explicit scope for the audit.
- Policies: Latest versions of InfoSec, Data Classification, Retention, Incident Response, Acceptable Use — signed/dated.
- Data Inventory & RoPA: Up-to-date data inventory and RoPA (where applicable).
- DPIAs: Completed DPIAs for high-risk processing with remediation evidence.
- Third-Party Contracts: Signed DPAs/BAAs/DSAs for all vendors handling sensitive data.
- Evidence of Controls: Training records, access review logs, change control logs, vulnerability scan reports, pentest reports.
- Logging & Monitoring: Centralized logs, SIEM alerts, and retention evidence for the audit period.
- Encryption & Key Mgmt: Encryption policy, KMS ownership, and evidence of key lifecycle management.
- Incident Response: Recent tabletop exercise report, IR plan, and at least one incident post-mortem (redacted if needed).
- Business Continuity: Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), and latest DR test results.
- Vulnerability Management: Patch management policy and proof of remediation for critical/high findings within SLA.
- Access Controls: Evidence of MFA, privileged access reviews, and role-based access control (RBAC) census.
- Privacy Rights: Process and sample records for data subject access requests (DSARs) and deletion requests.
- Certificates & Reports: ISO27001 cert, SOC2 report, PCI attestation (if applicable) or remediation plans.
- Regulatory Notifications: Template communications for breach notifications and regulator contact list.
- Executive Summary: One-page risk summary for auditors and executives (top 5 risks, remediation plan, status).
Security is everyone's responsibility.