Cybersecurity & Privacy Compliance - Statutory vs Regulatory vs Contractual Obligations

Posted by ComplianceForge on Oct 5th 2017

Compliance terms are pretty badly abused, even by professionals within the cybersecurity and privacy industries. This is our attempt to help get everyone on the same sheet of music, since words do have meanings and it is important to understand cybersecurity and privacy requirements.


Statutory obligations are required by law and refer to current laws that were passed by a state or federal government. From a cybersecurity and privacy perspective, statutory compliance requirements include:

US - Federal Laws

  • Children's Online Privacy Protection Act (COPPA)
  • Fair and Accurate Credit Transactions Act (FACTA) - including "Red Flags" rule
  • Family Educational Rights and Privacy Act (FERPA)
  • Federal Information Security Management Act (FISMA)
  • Federal Trade Commission (FTC) Act
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Sarbanes-Oxley Act (SOX)

US - State Laws

  • California SB1386
  • Massachusetts 201 CMR 17.00
  • Oregon ORS 646A.622

International Laws

  • Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
  • UK - Data Protection Act (DPA)
  • Other countries' variations of Personal Data Protection Acts (PDPA)


Regulatory obligations are required by law, but are different from statutory requirements in that these requirements refer to rules issued by a regulating body that is appointed by a state or federal government. These are legal requirements through proxy, where the regulating body is the source of the requirement. It is important to keep in mind that regulatory requirements tend to change more often than statutory requirements. From a cybersecurity and privacy perspective, regulatory compliance examples include:

US Regulations

  • Defense Federal Acquisition Regulation Supplement (DFARS) - NIST 800-171
  • Federal Acquisition Regulation (FAR)
  • Federal Risk and Authorization Management Program (FedRAMP)
  • DoD Information Assurance Risk Management Framework (DIARMF)
  • National Industrial Security Program Operating Manual (NISPOM)
  • New York Department of Financial Services (NY DFS) 23 NYCRR 500

International Regulations

  • European Union General Data Protection Regulation (EU GDPR)


Contractual obligations are required by a legal contract between private parties. This may be as simple as a cybersecurity or privacy addendum in a vendor contract that calls out unique requirements. It also includes broader requirements from an industry association, where membership brings certain obligations. From a cybersecurity and privacy perspective, common contractual compliance requirements include:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Financial Industry Regulatory Authority (FINRA)
  • Service Organization Control (SOC)
  • Generally Accepted Privacy Principles (GAPP)
  • Center for Internet Security (CIS) Critical Security Controls (CSC)
  • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Questions? Please contact us for clarification so that we can help you find the right solution for your cybersecurity and privacy compliance needs.