
Non-Compliance Fines and Sanctions: Why It’s More Expensive Not to Comply with Regulations

  • April 10, 2025
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

According to a landmark study by GlobalSCAPE, Inc. and Ponemon, non-compliance costs 2.71 times the cost of maintaining or meeting compliance requirements. 

That’s because non-compliance can result in business disruption, productivity losses, fines, penalties, and settlement costs, among other factors that come with a hefty price tag. Even data breaches are more expensive if an organization is non-compliant. According to IBM, breaches cost almost $220,000 more on average when noncompliance with regulations was indicated as a factor in the event.

In this article, we’ll focus on the financial risk of non-compliance, highlighting notable examples of compliance fines and sanctions and provide tips for how businesses can proactively mitigate these risks.

What are non-compliance fines and sanctions?

Non-compliance fines and sanctions are penalties imposed on businesses or individuals who fail to adhere to regulatory requirements. These penalties can vary depending on the industry, governing body, and severity of the violation. They often include:

Monetary fines

Regulatory non-compliance can result in financial penalties ranging from thousands to millions of dollars. For example, the EU’s General Data Protection Regulation (GDPR) can impose fines of up to 4% of a company’s annual global revenue for violations. This was the case for Meta, which was fined €1.2 billion in 2023 for having an insufficient legal basis for data processing. This remains the largest GDPR fine to date. 

Legal action

Regulatory bodies may take legal action, leading to lawsuits or criminal charges. For instance, companies that commit financial fraud under the Sarbanes-Oxley Act (SOX) may face criminal prosecution, and executives can be personally held liable. 

Recently, in June 2024, the Securities and Exchange Commission (SEC) issued more than $500,000 in SOX penalties and fines to the former chief financial officer at Synchronoss Technologies for allegedly falsifying financial statements and lying to the company’s auditor. This came after Synchronoss reached a $12.5 million settlement with the SEC for engaging in “long-running accounting improprieties” in June 2022. 

Operational restrictions

Businesses may face restrictions, such as losing the ability to process transactions or operate in certain markets. For example, a payment processor found in violation of PCI DSS requirements may be prohibited from handling credit card transactions, impacting revenue and customer trust.

Take Heartland Payment Systems for example. After a data breach in 2008 that compromised as many as 130 million debit and credit cards, the company was found in violation of PCI DSS and faced a 14-month ban from processing credit card payments.

Reputational damage

Public exposure of non-compliance can erode customer trust and negatively impact brand reputation. Data breaches or regulatory violations can lead to loss of customers and difficulty in securing business partnerships. For example, when Sephora was fined $1.2 million in 2022 under the CCPA for failing to properly disclose its data-sharing practices and honor consumer opt-out requests, it faced significant negative press and loss of consumer trust as the subject of the first public CCPA enforcement action.

Loss of government contracts and funding

Organizations that fail to comply with government regulations may lose contracts or funding opportunities. For example, in February 2025, the military health benefits administrator Health Net Federal Services (HNFS) agreed to pay $11.2 million to settle allegations that the company falsely certified compliance with cybersecurity requirements for three years in a contract with the U.S. Department of Defense to administer the TRICARE program. In addition to paying that fine, they also lost their TRICARE West Region contract.

Lost deals

Many businesses require their partners and vendors to maintain strict compliance standards, and these often go beyond regulatory requirements to include commercial frameworks like SOC 2. Enterprises that have strong security and privacy standards may refuse to work with vendors who fail to meet those standards, resulting in lost revenue and missed growth opportunities. This was the case for India-based fintech company Refyne, which lost several deals before getting a SOC 2 report to prove their strong security posture. 

Recommended reading

How Fintech Company Refyne Closed Multiple Deals and Achieved SOC 2 Compliance in 3 months with Secureframe

Common causes of non-compliance

Organizations can face compliance fines and sanctions for various reasons, including:

  • Intentional violations: Willful non-compliance with regulations such as GDPR, HIPAA, SOX, DPDPA, and DORA can lead to more severe penalties. For example, when calculating GDPR fines, data protection regulators use a range of criteria, including intention. If the infringement was intentional, then that is likely to make the fine higher than if the infringement was the result of negligence.
  • Lack of awareness: Rather than willfully ignoring regulatory requirements, organizations may be unaware of regulatory requirements that are specific to their industry, location, or the type of data they process. This is particularly true in industries with constantly evolving compliance standards, like critical infrastructure sectors, where compliance and risk professionals may struggle to keep abreast of upcoming regulatory and legislative changes.
  • Misunderstanding or misinterpretation: Even when aware of regulations, companies may still fail to comply by misinterpreting the requirements and implementing controls ineffectively to meet them. Typically, framework requirements are either very specific and complex or so broad and general that it is hard to know exactly what needs to be implemented without prior audit or compliance experience. This lack of knowledge and expertise can lead to compliance issues.
  • Inadequate data protection measures: As a result of negligence or other reasons, organizations may put inadequate security measures in place. Mishandling or exposing sensitive customer data as a result of inadequate safeguards can lead to violations of GDPR, CCPA, HIPAA, PCI DSS, and other regulations, resulting in significant fines and sanctions.
  • Failure to implement required security controls: Organizations may fail to implement effective security controls for a variety of reasons. In addition to the lack of skilled personnel and human error mentioned above, budget and time constraints, inadequate documentation, unenforced policies, and technical issues may lead to failure. Not following mandated regulatory requirements such as HIPAA or CMMC can respectively result in fines or other financial consequences like lost contracts.
  • Lack of executive buy-in: Compliance initiatives require leadership support to be effective. When executives do not prioritize compliance, organizations may struggle to allocate resources, enforce policies, and build a culture of security, ultimately leading to compliance risks.
  • Lack of internal policies and training: Employees who are unaware of compliance requirements may unintentionally violate regulations. For example, mishandling patient data due to a lack of training can lead to HIPAA fines.
  • Failure to conduct audits and assessments: Not performing required compliance audits or risk assessments can lead to regulatory action. For example, organizations that fail to conduct HIPAA risk assessments may be fined for negligence.
  • Insufficient incident response planning: Organizations that do not have a proper incident response plan may fail to report breaches in a timely manner, resulting in fines. For example, under GDPR, businesses must report breaches within 72 hours, or they may face penalties.
  • Use of outdated security technology: Legacy systems and outdated security tools often lack the necessary features to meet modern compliance requirements. Organizations that fail to update their technology may be more vulnerable to security breaches and compliance violations, increasing their risk of regulatory penalties.
  • Reliance on manual processes: Manual processes are inefficient and prone to error, which can leave your organization vulnerable to compliance risk. For example, relying on manual evidence collection requires gathering screenshots, tickets, and other types of evidence, compiling spreadsheets, working with disparate tools and sources of data, and chasing different team members for evidence. Not only is this process time- and resource-intensive, but it is also plagued by issues like incorrect data entry, overlooked information, inconsistency, and lack of standardization and scalability, which can lead to inaccuracies in compliance reporting and other issues.

Recommended reading

5 Hardest Things About Security Compliance and How Technology Can Help

Biggest non-compliance fines and sanctions in the last two years

In recent years, organizations across various sectors have faced significant fines for non-compliance with regulations such as HIPAA, GDPR, and CCPA. Below are notable examples categorized by the regulatory framework. Each section is organized in descending order of the fine. 

HIPAA non-compliance fines

According to the US Department of Health and Human Services’ (HHS) Enforcement Highlights, they have received nearly 375,000 complaints since the compliance date of the Privacy Rule in April 2003. As of October 2024, OCR settled or imposed a civil money penalty in 152 cases resulting in a total dollar amount of $144,878,972.00. Let’s take a look at some of the biggest penalties below.

1. Montefiore Medical Center - $4.75 Million

Year issued: 2024

Cause: Lack of safeguards to secure and protect ePHI

In February 2024, Montefiore Medical Center reached a settlement with the HHS over potential HIPAA Security Rule violations, agreeing to pay $4.75 million and submit to a corrective action plan. This first HHS settlement of 2024 came after the NYPD informed Montefiore Medical Center that there was evidence that patient information had been stolen from the hospital’s database and an HHS investigation discovered that a malicious insider had been stealing patient data and selling it to an identity theft ring for six months.

Key takeaways:
  • Develop a written risk management plan to address and mitigate security risks.
  • Develop a plan to implement hardware, software, and/or other procedural mechanisms that record and examine activity in all information systems that contain or use ePHI.

2. Solara Medical Supplies, LLC - $3 Million

Year issued: 2025

Cause: Multiple breaches of unsecured electronic protected health information​ (ePHI)

In January 2025, Solara agreed to pay $3 million to settle potential violations of the HIPAA Security and Breach Notification Rules after a breach exposed the electronic protected health information of over 114,000 individuals and then a second breach occurred when Solara sent 1,531 breach notification letters to the wrong mailing addresses. 

Key takeaways:
  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in its systems.
  • Implement sufficient security measures to reduce those risks and vulnerabilities to a reasonable and appropriate level. 
  • Provide timely breach notification to individuals, HHS, and the media.

3. L.A. Care Health Plan - $1.3 Million

Year issued: 2023

Cause: Data breaches exposing ePHI

In September 2023, L.A. Care, the nation’s largest publicly operated health plan that provides coverage for approximately three million people, reached a $1.3 million settlement with HHS to settle potential HIPAA violations linked to data breaches. One breach occurred due to a mailing error that caused member identification cards to be mailed to wrong addresses, which affected 1,498 members.

Key takeaways:
  • Tell HHS about any failure among employees to comply with HIPAA rules within 30 days.
  • Create policies and procedures for risk analysis and distribute them to employees. 

4. Banner Health - $1.25 Million

Year issued: 2023

Cause: Data breach exposing 2.8 million consumers

In February 2023, Banner Health paid $1.25 million to settle an HHS investigation into a 2016 data breach from a hacking incident that disclosed the protected health information of roughly 2.8 million consumers. The investigation revealed “long-term, pervasive noncompliance” with the HIPAA Security Rule. 

Key takeaways:
  • Implement an authentication process to safeguard its electronic protected health information.
  • Have security measures in place to protect electronic protected health information from unauthorized access when it is being transmitted electronically.

5. Gulf Coast Pain Consultants, LLC - $1.19 Million

Year issued: 2024

Cause: Workforce access violation

In December 2024, Gulf Coast agreed to pay $1.19 million to settle potential HIPAA violations after a terminated contractor accessed the ePHI of over 34,000 individuals and then filed medical claims for services that were not actually rendered, resulting in approximately 6,500 false Medicare claims. This case underscores the importance of securing servers containing sensitive data.

Key takeaways:
  • Implement regular reviews of information system activities to detect unauthorized access, threats or vulnerabilities.
  • Maintain and adhere to procedures for terminating access to ePHI when a workforce member’s employment or contract ends.
  • Implement policies and procedures for modifying a user’s right of access to a workstation, transaction, program or process, or an alternative equivalent measure. 

GDPR non-compliance fines

Since the General Data Protection Regulation (GDPR) went into effect in May 2018, organizations across the EU and beyond have faced substantial fines for failing to protect consumer data. As of March 2024, regulatory authorities have issued 2,086 fines totalling 4.48 billion euros.

Below are some of the largest GDPR fines in recent years. Please note that, aside from the largest fine to date imposed on Meta, we focused on more recent examples in 2024 and 2025 rather than the largest ones to date. 

6. Meta - €1.2 Billion ($1.3 Billion)

Year issued: 2023

Cause: Insufficient legal basis for data processing

In May 2023, the Irish Data Protection Commission (DPC) fined Meta €1.2 billion for its transfers of personal European Union data to the U.S. on the basis of standard contractual clauses (SCCs) since 2020. Back in 2020, the European Court of Justice delivered a judgment that the personal EU data transferred to the US required robust protection but Meta continued to transfer EU user data to the US without proper safeguards in place. Since these transfers are systematic, repetitive, and continuous, this infringement of GDPR was considered very serious and resulted in the largest GDPR fine to date.

Key takeaways:
  • Review your organization’s practices and agreements regarding the processing and transfer of personal data outside the EU to countries that have not been recognized as providing “equivalent safeguards” under Article 46 of GDPR.
  • Assess the legal basis on which your business transfers personal data from the EU. 

7. LinkedIn - €310 Million ($335 Million)

Year issued: 2024

Cause: Insufficient legal basis for data processing

In October 2024, the Irish DPC fined LinkedIn Ireland Unlimited Company €310 million for processing users' personal data without a valid legal basis. The DPC’s investigation found LinkedIn did not have a lawful basis to gather data so it could target users with online ads. Because it violated the principles of lawfulness, fairness, and transparency when processing personal data for advertising purposes, this was considered a clear and serious violation.

Key takeaways:
  • Provide clear, transparent information to users about the use of their personal data so that users are properly informed of how their data will be processed and the specific legal grounds for doing so.

8. Uber - €290 Million ($312 Million)

Year issued: 2024

Cause: Non-compliance with general data processing principles

In August 2024, the Dutch Data Protection Authority (DPA) fined Uber €290 million related to the transfer of drivers’ personal data to the US. Its investigation found that Uber had been unlawfully transferring sensitive personal data of European drivers to the United States for over two years and had failed to appropriately safeguard this data. To date, this is the third time Uber has been fined by the Dutch DPA.

Key takeaways:
  • Establish a valid transfer instrument for the international transfer of personal data.

9. Meta - €251 Million ($263.5 Million)

Year issued: 2024

Cause: Insufficient technical and organisational measures to ensure information security

In December 2024, the DPC fined Meta €251 million for a 2018 security breach that affected 29 million Facebook users. Attackers exploited a vulnerability in the "View As" feature, exposing personal information such as names, contact details, locations, workplaces, dates of birth, religions, genders, and children's data. Approximately 3 million of the affected accounts were based in the EU and European Economic Area. The DPC highlighted the grave risk of misuse of these data types as a result of the breach.

Key takeaways:
  • Ensure that data protection principles are protected in the design of processing systems.
  • Ensure that only personal data that are necessary for specific purposes are processed.

10. Orange Espagne - €1.2 Million ($1.3 Million)

Year issued: 2025

Cause: Insufficient technical and organisational measures to ensure information security

In February 2025, the Spanish Data Protection Authority (AEPD) fined Orange Espagne €1.2 million for multiple GDPR violations, including failure to implement necessary technical and organizational measures for data protection by design, as required by Article 25 of the GDPR, and infringing Article 6(1). The latter was related to a complaint about Orange Espagne issuing a duplicate SIM card without proper identity verification, leading to a €9,000 theft from the complainant's bank accounts and the complainant left without service. 

Key takeaways:
  • Integrate privacy into your systems and processes from the outset in order to meet data protection by design and default requirements. 

CCPA non-compliance fines

Since taking effect in 2020, the California Consumer Privacy Act (CCPA) has empowered consumers with greater control over their personal data and imposed strict requirements on businesses handling Californian residents' information. The California Attorney General and California Privacy Protection Agency (CPPA) have enforced fines on companies that fail to disclose data practices, honor consumer privacy rights, or properly secure sensitive information, starting with the landmark $1.2 million settlement with Sephora for failing to disclose that it was selling consumers' personal information and not honoring their requests to opt out of such sales.

While there is no enforcement tracker for CCPA as amended by CPRA similar to the one for GDPR, the CPPA has continued to make announcements about fines and settlements on its website on an ongoing basis. 

Here are some of the largest CCPA non-compliance penalties in the last two years.

11. American Honda Motor Co., Inc. - $632,500

Year issued: 2025

Cause: Mishandling customer data and obstructing privacy rights

In March 2025, the California Privacy Protection Agency fined Honda $632,500 for making it unnecessarily difficult for consumers to exercise their privacy rights, such as opting out of data sharing. Honda required excessive personal information for such requests and shared data with advertising companies without proper contracts. This was the first settlement not involving data brokers. 

Key takeaways:
  • Do not require consumers to verify Requests to Opt-Out of Sale/Sharing and Requests to Limit Sensitive Personal Information.
  • Only require a consumer to provide the minimum information needed to initiate and verify (if permitted) a rights request, like Right to Limit.
  • Train personnel handling CCPA requests on the proper ways to intake and respond to them.

12. Key Marketing Advantage, LLC – $55,800

Year issued: 2024

Cause: Failure to comply with Delete Act

The Enforcement Division of the CPPA reached a settlement with Key Marketing Advantage, LLC, fining the data broker $55,800 for failing to register and pay an annual fee as required by the Delete Act. Part of the CPPA’s investigative sweep of data broker registration compliance under the Delete Act, this was the fifth administrative fine against an unregistered data broker in 2024.

Key takeaways:
  • Data brokers must register and pay an annual fee to comply with California’s Delete Act, or face fines of $200 per day.

How to avoid non-compliance fines and sanctions

Below are key tips and best practices for avoiding fines and other consequences of non-compliance.

1. Implement robust security measures

Organizations should use encryption, access controls, intrusion detection systems, and other security measures to protect critical assets. A security framework helps define policies and procedures for establishing and maintaining security controls. Consider widely-recognized security frameworks like ISO 27001, NIST 800-53, and CIS Critical Security Controls® to implement best practices for securing sensitive data.


2. Provide employee training programs

Educating employees about security and privacy best practices related to their job and/or organization is crucial to defending your organization and meeting compliance requirements. Most compliance frameworks, including SOC 2, ISO 27001, NIST 800-53, and others, require security awareness training to be conducted regularly. Some of these frameworks require additional topics to be covered in the training, like insider threats. 

Frameworks like PCI DSS, CMMC, NIST 800-171, and NIST 800-53, also require specific training on secure coding practices. HIPAA, PCI DSS, GDPR, and CCPA require framework-specific training. HIPAA training must cover the different rules to safeguard PHI whereas PCI DSS covers payment account data. GDPR and CCPA are specialized privacy training with content specific to those laws.

Secureframe training modules for each framework

3. Conduct regular audits

Regular audits, including internal and external audits, penetration tests, and vulnerability scans, help businesses proactively identify and address compliance gaps before they result in penalties. By assessing security controls, reviewing policies, and ensuring alignment with regulatory requirements, organizations can stay ahead of compliance risks.

4. Engage compliance experts

Consulting with compliance managers ensures businesses comply and stay up to date with evolving regulations. These experts can help with a variety of responsibilities, including:

  • identifying compliance requirements
  • designing policies
  • conducting risk assessments
  • monitoring and reviewing internal processes
  • liaising with audit firms and regulatory bodies
  • training and educating employees
  • navigating complex regulatory landscapes

5. Leverage automation

Using compliance automation tools helps organizations manage, scale, and continuously monitor their compliance program over time. These tools not only integrate with your technology stack and provide control mapping to dozens of frameworks to tell you exactly what tasks you need to complete — they also help automate these tasks required to get and stay compliant, including evidence collection, continuous monitoring, policy management, risk assessments, and task management. They can also help detect and flag non-compliance issues so you can fix them quickly and proactively rather than scrambling to put out fires right before an assessment or before they escalate into an incident. 

This mitigates many of the common causes of non-compliance like negligence, misinterpretation, inadequate or missing controls, and more.

Recommended reading

Why Compliance Automation is a Strategic Advantage for Modern Organizations

How Secureframe can help you avoid fines for non-compliance

Achieving and maintaining compliance can be complex and time-consuming, but Secureframe simplifies the process. Our platform helps businesses automate compliance workflows and continuously monitor security controls to help ensure adherence to over 40 regulatory and commercial frameworks like CMMC, HIPAA, PCI DSS, GDPR, SOC 2, ISO 27001, and more.

With Secureframe, you get:

  • A compliance source of truth: See all of your policies and documentation in one place and automatically collect evidence for internal review.
  • Automated evidence collection: Automate manual evidence collection utilizing 300+ out-of-the-box integrations with tests that are mapped directly to framework requirements and controls.
  • Dashboards: Use our dashboards to see exactly how close you are to satisfying the requirements of the frameworks you’re pursuing and get actionable advice for closing any gaps.
  • Task management: Assign tasks to employees within your organization and set notifications to ensure they are completed so you stay audit-ready and compliant.
  • Trusted audit partners: Work with one of our recommended auditors to make the audit process as seamless as possible.
  • Continuous monitoring: Continuously monitor your controls and systems to maintain a strong security and compliance posture 24/7.
  • Control mapping: Controls are mapped across frameworks to speed up time-to-compliance and avoid duplicate work when complying with multiple frameworks.
  • Expert support from our in-house compliance team: Get guidance and answers to any questions you may have from compliance managers.

Learn how you can reduce the risk of fines and sanctions while maintaining a strong security and compliance posture with Secureframe — request a demo today.


FAQs

What are the consequences of non-compliance?

Non-compliance can lead to monetary fines, legal action, operational restrictions, reputational damage, and loss of business opportunities, including government contracts and funding and other deals that hinge on meeting security and compliance standards.

How can businesses stay compliant?

Regular audits, employee training, automated continuous monitoring, and expert guidance can help businesses stay compliant.

Which industries face the highest compliance risks?

Healthcare, finance, ecommerce, and technology companies face significant compliance risks due to stringent data protection regulations, the global nature of their operations, and increasing regulatory scrutiny.

What are the most common causes of HIPAA non-compliance?

According to the HHS, the compliance issues most often alleged in these complaints are:

  1. Impermissible uses and disclosures of protected health information
  2. Lack of safeguards of protected health information
  3. Lack of patient access to their protected health information
  4. Lack of administrative safeguards of electronic protected health information
  5. Use or disclosure of more than the minimum necessary protected health information