Compliance gets treated like security’s annoying sibling — the one who shows up with a checklist and makes everyone fill out paperwork. But here’s the thing: every major compliance regulation exists because something went terribly wrong. HIPAA exists because health records were being handled like junk mail. PCI-DSS exists because credit card numbers were being stored in plain text on web servers. SOX exists because Enron. Regulations are the scar tissue of catastrophic failures, and understanding them means understanding what went wrong badly enough for governments to intervene.

The TLDR

The major compliance frameworks — GDPR, HIPAA, PCI-DSS, SOX, and CCPA/CPRA — each protect different types of data for different reasons with different enforcement mechanisms. GDPR covers personal data of EU residents and has the sharpest teeth (fines up to 4% of global annual revenue). HIPAA protects health information in the US. PCI-DSS governs credit card data. SOX covers financial reporting integrity. CCPA/CPRA gives California residents data privacy rights. Being compliant with one doesn’t make you compliant with the others, and being compliant with any of them doesn’t make you secure. It makes you minimally defensible.

The Reality

The compliance-versus-security gap is one of the most dangerous misconceptions in the industry. Target was PCI-DSS compliant when 40 million credit card numbers were stolen in 2013. Equifax had security frameworks in place when 147 million records walked out the door. Anthem was HIPAA compliant on paper when 78.8 million health records were exfiltrated.

Compliance audits are point-in-time snapshots. An auditor validates that controls exist and are functioning during the audit window. What happens the other 50 weeks of the year is between you and the threat landscape. The usual suspects don’t check whether you’ve passed your audit before they come knocking.

Enforcement, however, is very real. The EU’s GDPR enforcement tracker shows that fines levied since 2018 total several billion euros. The HHS Office for Civil Rights has collected hundreds of millions of dollars in HIPAA settlements. These aren’t theoretical penalties — they’re checks that organizations have written.

How It Works

GDPR (General Data Protection Regulation)

Scope: Any organization that processes personal data of EU/EEA residents, regardless of where the organization is based. If you’re a startup in Texas with a single EU customer, GDPR applies to you.

Key requirements:

Penalties: Up to 20 million euros or 4% of global annual turnover, whichever is higher. Meta was fined 1.2 billion euros in 2023 for data transfer violations. Amazon took a 746 million euro hit in 2021.

HIPAA (Health Insurance Portability and Accountability Act)

Scope: Covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. If you handle Protected Health Information (PHI) in the United States, HIPAA applies.

Key rules:

Penalties: Tiered based on knowledge — from $100 per violation (didn’t know) up to $50,000 per violation (willful neglect), with annual caps per category. Criminal penalties include up to 10 years imprisonment for wrongful disclosure with intent to sell.

PCI-DSS (Payment Card Industry Data Security Standard)

Scope: Any organization that stores, processes, or transmits cardholder data. This isn’t a government regulation — it’s an industry standard enforced by the card brands (Visa, Mastercard, etc.) through acquiring banks.

The 12 requirements:

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organizational policies and programs

Validation levels: Merchants are classified into levels 1-4 based on transaction volume. Level 1 (over 6 million transactions annually) requires an on-site audit by a Qualified Security Assessor (QSA). Smaller merchants can self-assess using Self-Assessment Questionnaires (SAQs).

Penalties: Fines from $5,000 to $100,000 per month from the card brands. More critically, repeated non-compliance can result in losing the ability to accept card payments entirely — which for most businesses is existential.

SOX (Sarbanes-Oxley Act)

Scope: Publicly traded companies in the United States and their auditors.

The security angle: SOX Section 404 requires management to assess and report on internal controls over financial reporting. Since financial reporting systems are IT systems, this means IT controls — access management, change management, audit trails, data integrity, and backup procedures for financial systems.

SOX doesn’t prescribe specific security controls like PCI-DSS does. Instead, it requires that whatever controls you have are documented, tested, and effective. Frameworks like COBIT and the COSO Internal Control Framework provide the structure most organizations use to meet Section 404 requirements.

Penalties: Personal liability for executives. CEOs and CFOs personally certify financial reports. False certification carries fines up to $5 million and imprisonment up to 20 years. This one has teeth.

CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)

Scope: For-profit businesses that collect personal information of California residents and meet certain thresholds (annual gross revenue over $25 million, buy/sell/share 100,000+ consumers’ personal information, or derive 50%+ of revenue from selling personal information).

Key rights: Right to know what’s collected, right to delete, right to opt out of sale/sharing, right to correct, right to limit use of sensitive personal information. CPRA (effective 2023) expanded CCPA significantly and created the California Privacy Protection Agency for enforcement.

Penalties: $2,500 per unintentional violation, $7,500 per intentional violation. Private right of action for data breaches involving unencrypted/unredacted personal information ($100-$750 per consumer per incident).

How It Gets Exploited

The compliance gap. Attackers don’t care about your compliance status. They care about your actual security posture. Organizations that treat compliance as the finish line leave exploitable gaps — because compliance frameworks are inherently backward-looking. They codify yesterday’s best practices. The MITRE ATT&CK framework catalogs what attackers actually do today, and it moves faster than any regulatory body.

Regulatory arbitrage. Organizations structure their operations to minimize regulatory exposure: processing data in jurisdictions with weaker protections, or classifying data so that it never triggers a compliance requirement. The data harvesters have entire legal teams dedicated to finding the gaps between regulations.

Business associate chains. HIPAA’s business associate agreement (BAA) requirement creates a chain of trust. You’re only as secure as your weakest business associate. The same applies to any shared compliance obligation — your vendor’s breach becomes your breach notification obligation.

What You Can Do

For Organizations

Map your data. Know what you collect, where it lives, who has access, and what regulations apply. You can’t be compliant with regulations you don’t know apply to you. Use the NIST Privacy Framework as a starting point for understanding your data processing activities.

Treat compliance as the starting line, not the finish line. Meet the requirements, then keep going. The controls that regulations require are minimum standards. Your actual security program should exceed them.

For Individuals

Know your rights. If you’re in the EU, GDPR gives you the right to request your data and demand its deletion. If you’re in California, CCPA/CPRA gives similar protections. These rights are enforceable — companies must respond to valid requests. Exercise them. The EFF’s surveillance self-defense guide covers how to leverage your legal privacy rights.

Sources & Further Reading