Match the regulation in three steps: Who is the organization? What type of data? What is the context?
- SOX: Publicly TRADED company (stock exchange listed) + FINANCIAL REPORTING + IT controls. Any scenario mentioning: CEO/CFO certification, audit logs for financial systems, public company, financial statement integrity → SOX.
- HIPAA: HEALTHCARE entity (hospital, clinic, health insurer, pharmacy) or BUSINESS ASSOCIATE + PHI (patient medical records, health data, treatment information) → HIPAA.
- GLBA: FINANCIAL INSTITUTION (bank, credit union, insurance company, mortgage company, investment firm, tax preparer) + CUSTOMER FINANCIAL DATA (account numbers, loans, investments) → GLBA.
Watch for overlap: a publicly traded hospital must comply with BOTH SOX (for its financial reporting IT systems) AND HIPAA (for its patient data). A bank that accepts health insurance payments may face BOTH GLBA (banking data) AND HIPAA (health payment data). Multiple regulations applying simultaneously is a common exam trap.
Quick elimination: if the scenario says "publicly traded" = SOX in scope. "Hospital / patient records / PHI" = HIPAA. "Bank / financial institution / customer financial data" = GLBA.
Three HIPAA criminal penalty tiers, memorized by intent and dollar amount:
- $50,000 / 1 year: Did not KNOW they were violating HIPAA (unknowing). "Accident, ignorance." Accidental disclosure without awareness of the violation.
- $100,000 / 5 years: Knew it was wrong but did it anyway under FALSE PRETENSES. "Knew it was wrong." Deliberate unauthorized access or disclosure without commercial motive.
- $250,000 / 10 years: Intent to SELL, transfer, or use for commercial advantage or personal gain. "Selling or profiting from PHI." The highest tier applies when money changes hands or there is deliberate exploitation of PHI for gain or harm.
Memory aid: the penalty doubles from 50K to 100K to 250K as intent increases. The years follow: 1, 5, 10. If you know the dollar amounts in order, the years are 1-5-10.
Exam trap: "An employee accidentally emailed patient records to the wrong patient." This is unknowing ($50K/1yr tier), not the higher tiers. Intent matters for classification. "An employee sold patient records to an insurance fraud company" = $250K/10yr tier (selling for commercial gain).
The distinction is directional. Both start with "due" but they point in opposite directions:
- Due CARE: INTERNAL. The organization caring for its own security house. Training employees, applying patches, reviewing access, monitoring systems. "We take care of our own obligations."
- Due DILIGENCE: EXTERNAL. The organization being diligent about who it works with. Vetting vendors, reviewing SOC 2 reports, conducting background checks, exercising right-to-audit. "We are diligent in choosing and monitoring our partners."
Memory trick: Care (internal) = "Caring for YOUR house." Diligence (external) = "Being Diligent about WHO you invite in."
Exam scenarios describing internal activities (access reviews, training, patching, SIEM, internal audit) = due care. Scenarios describing vendor evaluation activities (SOC 2 review, vendor questionnaire, right-to-audit, background checks on vendor personnel) = due diligence.
Both are required. An organization that has excellent internal controls (due care) but does zero vendor vetting (no due diligence) has a compliance gap. The Uber case: Uber arguably had weak due care (paying attackers off rather than reporting) and violated its duty to exercise due care in managing the incident.
Attestation elevates compliance documentation from paperwork to a legal commitment. The exam will present scenarios where an executive signs something and ask what the legal significance is.
Simple rule: when an executive signs a compliance certification, they are personally stating under legal penalty that the content is true. If it is later discovered to be false, the signatory faces personal legal liability — not just organizational fines.
- SOX Section 302: CEO and CFO personally certify financial statements. False certification = up to 20 years imprisonment.
- HIPAA compliance attestations: executives certifying compliance status bear personal responsibility for the accuracy.
- Any compliance certification signed by an individual creates personal accountability for that individual.
The Uber connection: the former CSO actively concealed the breach from regulators and boards. This concealment was an implicit misrepresentation of the company's security status — effectively false attestation. The result: criminal conviction and imprisonment for the individual, not just organizational fines.
Exam trap: "The organization's CISO signed the annual security compliance report." If the report contained false information, who is liable? The signatory (CISO) bears personal legal accountability. The organization also faces liability, but attestation creates individual liability for the person who signed.
Practice Scenarios
Acme Financial Corporation is a publicly traded insurance company that accepts health insurance premiums from customers. It maintains customer financial records (premium payments, investment accounts), health insurance policy data (covered conditions, claim histories), and employee records. A data breach exposes all three categories. Which regulations apply to each data category, and what are the notification obligations for each?
Answer: Three data categories, three regulatory frameworks: (1) Customer financial records (premium payments, investment accounts): GLBA applies. Acme is a financial institution (insurance company). GLBA requires Acme to have implemented a security program under the Safeguards Rule. GLBA does not specify breach notification timelines at the federal level (as of current regulations, though the FTC Safeguards Rule was updated to require notification for financial institutions). State data breach notification laws also apply and typically require notification to affected individuals within 30-90 days. Because Acme is publicly traded, SOX also applies to IT systems supporting financial reporting; the breach may require disclosure to the SEC if material to investors. (2) Health insurance policy data (covered conditions, claim histories, PHI): HIPAA applies. Acme, as a health insurance plan, is a covered entity under HIPAA. PHI breach notification requirements: notify affected individuals within 60 days of discovery, notify HHS within 60 days, if more than 500 individuals in a state are affected, notify prominent media in that state. Acme must investigate whether PHI was actually accessed or just potentially exposed (risk assessment). (3) Employee records: varies. HIPAA applies to employee health insurance data managed by Acme as a health plan. Employment records (payroll, performance) are not subject to HIPAA but are subject to state employment data protection laws and potentially GLBA if they include financial account data. Additional considerations: because Acme is publicly traded, the breach may be material and require SEC Form 8-K disclosure if it has a material impact on the company's operations or financial results. The SOX compliance team must assess whether the breach affects the integrity of financial reporting systems. Summary: this single breach triggers HIPAA, GLBA, state breach notification laws, and potentially SEC disclosure obligations simultaneously.
Classify each of the following HIPAA violations into the correct criminal penalty tier and explain your reasoning: (A) A hospital nurse accidentally sends a patient's discharge summary to a neighboring patient's email address instead of the correct patient, due to autofill selecting the wrong address. She realizes immediately and reports it. (B) A medical billing coder is curious about a celebrity patient's diagnosis after reading about them in a news article. She accesses the patient's records using her legitimate credentials, which she is not authorized to use for this patient. She does not share or copy the information. (C) A data analyst at a health insurance company extracts the personal and medical histories of 50,000 members and sells the data to a pharmaceutical company for $500,000. He uses his legitimate data access credentials to export the data.
Answer: (A) Class 6 tier: up to $50,000 and 1 year imprisonment. This is an unknowing violation: the nurse did not know she was sending to the wrong address (autofill selected incorrectly), she acted without any intent to improperly disclose PHI, and she reported the incident immediately. Unknowing violations occur when the person was unaware they were violating HIPAA. The accidental nature, the self-reporting, and the lack of intent all point to the lowest tier. In practice, this incident would likely result in administrative remediation (training, process improvement) rather than criminal prosecution given the circumstances. (B) Class 5 tier: up to $100,000 and 5 years imprisonment. This is a violation under false pretenses: the coder knew she was not authorized to access this patient's records (she accessed them out of curiosity, not as part of her job duties). She used her legitimate credentials in a manner she knew was improper. The "under false pretenses" tier applies when the person knows their access or disclosure is unauthorized, even if there is no commercial motive. The fact that she did not share the information is mitigating but does not change the tier classification for HIPAA criminal purposes — unauthorized access to PHI is itself a violation regardless of what is done with it afterward. (C) Class 4 tier: up to $250,000 and 10 years imprisonment. This is the highest criminal tier: intent to sell PHI for commercial advantage. The analyst deliberately extracted 50,000 members' data and sold it for $500,000. This is a clear case of using PHI for commercial advantage and personal financial gain. The fact that he used legitimate credentials does not diminish the severity — insider threats using authorized access for criminal purposes are still criminal. Additional civil penalties would apply on top of criminal liability, and the pharmaceutical company that purchased the data may also face regulatory action for knowingly receiving improperly obtained PHI.
A mid-size healthcare company undergoes a compliance review. The review finds: (1) The company has strong internal security controls including access reviews, patch management, and a SIEM. (2) There is no formal vendor assessment process — third-party vendors with access to PHI are engaged based on cost and reputation alone. (3) The annual HIPAA compliance report is drafted by the compliance team and submitted to regulators without any executive signature. (4) Compliance checks are performed manually by a team of 3 analysts monitoring 800 servers quarterly. What compliance gaps exist, and how should each be remediated?
Answer: Four gaps identified: (1) Strong due care, but no due diligence. The company has excellent internal security controls (due care) but no formal vendor assessment process. Vendors with access to PHI are engaged based on cost and reputation without verifying their actual security posture. This is a significant HIPAA gap: HIPAA requires covered entities to have Business Associate Agreements (BAAs) with all business associates and to conduct due diligence on their security practices. Remediation: implement a vendor risk management program including security questionnaires for all vendors accessing PHI, BAA execution before any PHI access, and annual vendor security reviews. Consider requiring SOC 2 reports from higher-risk vendors. (2) Missing attestation. The compliance report is submitted without executive signature, meaning no individual is personally accountable for its accuracy. If the report contains errors (intentional or not), there is no legal accountability for the inaccuracy. Remediation: require the CEO or CCO to sign the annual HIPAA compliance report, formally attesting to its accuracy. Establish a process for the signatory to review and confirm key compliance assertions before signing. Implement internal audit support to verify the report's accuracy prior to attestation. (3) Compliance monitoring is insufficient for scale. Three analysts performing quarterly manual checks on 800 servers is inadequate. At this scale, manual quarterly checks mean each server is checked only 4 times per year, and any compliance drift that occurs between quarterly reviews goes undetected. A server that goes out of compliance in January may not be detected until the April check. Remediation: implement automated compliance monitoring tools (SIEM with compliance-mapped rules, configuration management databases, automated vulnerability scanning against compliance benchmarks). Human analysts should focus on exception review and trend analysis, not manual per-server checking. (4) Overall: the company has due care (internal controls) but lacks due diligence (vendor vetting), attestation (executive accountability), and adequate compliance monitoring at scale. All three gaps represent HIPAA compliance risks that could result in OCR enforcement action if a breach or complaint triggers investigation.