Let’s talk about the biggest lie CFOs keep telling themselves: “This compliance stuff doesn’t really apply to us.” I hear it all the time. “We’re too small.” 

“We don’t handle credit cards.” 

“We’re under the threshold.” 

“We only have 47 and a half clients, and we did the math.” 

Let me just stop you right there. 

You’re So Busy Looking for the Loophole, You’re Missing the Point 

Sure, maybe you can shave a requirement or two if you squint at the regs and keep your client count conveniently low. That’s cute. But here’s the problem: You’re treating compliance like a list of rules to dodge. When in reality, it’s your only shot at surviving a breach with your reputation—and your wallet—intact. 

Compliance Is a Shield. Not a Shackle. 

Here’s what actually happens when you get breached (and you will, eventually): Some lawyer—probably in a suit that costs more than your server room—will ask: “Did you do everything you could to prevent this?” 

If your answer is, “Yes, we tried,” that’s not enough. 

If your answer is, “We followed the PCI-DSS standard, documented our decisions, and trained our staff,” now we’re talking. Now you have evidence. Now you have a defense. Now you’re not the negligent one in the courtroom. 

Think You’re the Exception? The Trash Collector Thought So Too. 

Let me walk you through my thought process. I started listing out all the industries that definitely have liability: 

  • Dentist? PII. HIPAA. You’re toast.
  • Accountant? PII + financials. Certified lawsuit bait.
  • Insurance company? Oh boy.
  • Trash collector?

Trash collector. I actually thought, “Now that’s gotta be safe. They haul garbage.” Nope. Turns out a trash company had a breach. Now they’re the subject of a class action lawsuit. The legal brief reads like a horror novel: 

  • Failure to implement safeguards.
  • Failure to follow industry standards.
  • Failure to comply with federal and state law.
  • Failure to train employees.
  • Failure to notify.

Spoiler alert: they’ll settle for gobs of money. 

Standards Aren’t Optional. They’re Your Lifeline. 

When the breach happens—and the legal team shows up—not following a standard will be Exhibit A. You’re in business? You’re connected to the internet? You store anything about your clients? You have cyber liability. 

So Stop Dodging Requirements. Start Building Your Defense. 

Instead of asking, “How can we get around this?” start asking, “How can we use this to protect ourselves?” Because one day, the question won’t be, “Did you try?” It’ll be, “Can you prove it?”

And if your plan is to look surprised in a deposition and say, “We thought we were exempt,” you might as well start writing the settlement check now.

Bottom Line: 

If the trash company can get sued, so can you. Build your defense. Follow the standards. And for the love of financial statements—get the evidence.