The email can arrive in your inbox cleverly disguised, appearing to come from your boss, a co-worker or some other person, business or organization you trust.

But click on a link or attachment as instructed and you could be in for a headache. You’ve just given cybercriminals access to your company’s data – and potentially put the business out of compliance with federal laws and regulations about protecting that data.

Phishing attacks are one of the most common security challenges individuals and businesses face when it comes to keeping information secure, says Beth Haddock author of Triple Bottom-Line Compliance: How to Deliver Protection, Productivity and Impact.

“The phisher’s goal is to steal sensitive and confidential information,” says Haddock. That information could include Social Security numbers, credit card and bank account numbers, medical or educational records, dates of birth and mailing/email addresses.

That’s problematic because federal regulations may require that your business keep certain information secure. Just as an example, health providers are expected to safeguard the medical records of patients under the Health Insurance Portability and Accountability Act.

Such compliance issues can create unwelcome complications for businesses, which is why they need to be proactive in addressing phishing. Haddock says there are a few steps they can take to protect themselves, including:

Educate employees.The first line of defense against phishing is employees, because they are the ones likely to be targeted. “Make them aware of the concerns and tell them to be suspicious of emails that offer them links with little explanation, or that ask for sensitive data, even if it appears to be coming from a trusted source,” Haddock says.

Reassess who has access to data.Because employee mistakes are the most likely cause of a breach, retraining alone may not get the job done. A business or organization may want to take another look at who should have access to all that sensitive data and make adjustments where possible.

If a breach happens, take action.You can’t just ignore the data breach, Haddock says. Right away, your IT team needs to be notified so they can get to work handling the breach. At the same time, she says, it’s important to immediately contact your compliance officer or attorney so they can take appropriate steps for reporting the breach to the proper regulatory agencies. 

“These ‘phishing expeditions’ from cybercriminals represent a serious challenge for businesses and for their compliance officers,” Haddock says. “It’s critical to be aware of the threat and to know that there are steps you can take to reduce your risk and avoid finding yourself out of compliance with regulations that govern your sensitive data.”