
In some cases, yes, they are held responsible. When I was trained on HIPAA compliance, lawyers made it clear that individual employees could be held responsible for some violations. And yes, we restricted service availability based on region until we achieved compliance with GDPR and various regional PII/PHI data export laws.

I work in another regulated industry today, and throughout the year I sign off on understanding various regulations and trainings of three-letter agencies, which are essentially in place to indemnify the company in case of a violation. I'd expect financial services follow similar steps.
