After a lengthy process of “putting things to rights” in 17 states, Zenefits is paying up to US$7 million in penalties. As with other digital health companies penalized for non-compliance, the fast-growing benefits company has discovered the hard truth: compliance should not be an afterthought.
As I wrote about earlier this year, meteoric growth, while very exciting, doesn’t encourage the safest path. Cybersecurity and risk management can too easily take a back seat during initial operational planning when they should be front and center. A risk that looks small at the start can grow as fast as the company.
In the Zenefits case, because compliance was clearly not included in the business model at the beginning, there was no visibility into the very activities (and lack thereof) that have cost them so much. They had no means to track what was going on. A little forward planning could have saved this company a lot of money.
Other start-ups will feel the aftershock. Investors who previously took a founder/CEO’s word for it that their compliance was in order will likely ask more questions and want proof of a robust compliance program. Vendors need to show that they are taking privacy and information security compliance seriously to even start a business discussion. Security compliance is not just a check in the box; a failure to implement it can have real consequences.
The Zenefits lesson is a clear example of why organizations must ensure that information security and compliance are a top priority. They should plan for it on day one and ensure they have a way to track progress. This will allow a culture of compliance to be developed, which will make it easier to maintain as the company grows. As Zenefits is realizing, it would have been easier and less expensive to do things correctly right from the start.