Statutory vs Regulatory vs Contractual: Cybersecurity & Privacy Compliance
Compliance terms are pretty badly abused, even by professionals within the cybersecurity and privacy industries. Words have meaning and non-compliance can have negative ramifications. Cybersecurity, IT and privacy professionals routinely abuse the terms “law” and “regulation” as if they are synonymous, but those terms have unique meanings that need to be understood.
ComplianceForge compiled the information on this page to help get everyone on the same sheet of music, since words do have meanings and it is important to understand the risks associated with cybersecurity and privacy requirements, since not all compliance obligations have the same weight.
Why Should You Care: Prioritizing Controls & Risk Management
Understanding the “hierarchy of pain” with compliance leads to well-informed risk decisions that influence technology purchases, staffing resources and management involvement. That is why it serves both cybersecurity and IT professionals well to understand the compliance landscape for their benefit, since you can present issues of non-compliance in a compelling business context to get the resources you need to do your job.
Beyond just using terminology properly, understanding which of the three types of compliance is crucial in managing both cybersecurity and privacy risk within an organization. The difference between non-compliance penalties can be as stark as:
Going to jail;
Losing a contract (breach of contract); or
An unpleasant combination of the previous options.
Statutory, Regulatory and Contractual Obligations Define "Must Have" vs "Nice To Have" Requirements
When discussing cybersecurity and privacy requirements, the term "must" is often thrown around as an absolute. This is most often due to an applicable law, regulation or contract clause that is compelling the control to exist.
There is a need to understand and clarify the difference between "compliant" versus "secure" since that is necessary to have coherent risk management discussions. To assist in this process, it helps an organization to categorize its applicable controls according to “must have” vs “nice to have” requirements:
Minimum Compliance Criteria (MCC) are the absolute minimum requirements that must be addressed to comply with applicable laws, regulations and contracts.
Discretionary Security Requirements (DSR) are tied to the organization’s risk appetite since DSR are “above and beyond” MCC, where the organization self-identifies additional cybersecurity and data protection controls to address voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments.
Secure and compliant operations exist when both MCC and DSR are implemented and properly governed:
MCC are primarily externally-influenced, based on industry, government, state and local regulations. MCC should never imply adequacy for secure practices and data protection, since they are merely compliance-related.
DSR are primarily internally-influenced, based on the organization’s respective industry and risk tolerance. While MCC establish the foundational floor that must be adhered to, DSR are where organizations often achieve improved efficiency, automation and enhanced security.
Statutory Cybersecurity & Privacy Requirements
Statutory obligations are required by law and refer to current laws that were passed by a state or federal government. From a cybersecurity and privacy perspective, statutory compliance requirements include:
US - Federal Laws
Children's Online Privacy Protection Act (COPPA)
Fair and Accurate Credit Transactions Act (FACTA) - including "Red Flags" rule
Family Education Rights and Privacy Act (FERPA)
Federal Information Security Management Act (FISMA)
Federal Trade Commission (FTC) Act
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act (SOX)
US - State Laws
California SB 1386
Massachusetts 201 CMR 17.00
Oregon ORS 646A.622
Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
UK - Data Protection Act (DPA)
Other countries' variations of Personal Data Protect Acts (PDPA)
Regulatory Cybersecurity & Privacy Requirements
Regulatory obligations are required by law, but are different from statutory requirements in that these requirements refer to rules issued by a regulating body that is appointed by a state or federal government. These are legal requirements through proxy, where the regulating body is the source of the requirement. It is important to keep in mind that regulatory requirements tend to change more often than statutory requirements. From a cybersecurity and privacy perspective, regulatory compliance examples include:
Defense Federal Acquisition Regulation Supplement (DFARS)
Federal Acquisition Regulation (FAR)
Federal Risk and Authorization Management Program (FedRAMP)
DoD Information Assurance Risk Management Framework (DIARMF)
National Industrial Security Program Operating Manual (NISPOM)
New York Department of Financial Services (NY DFS) 23 NYCRR 500
European Union General Data Protection Regulation (EU GDPR)
Contractual Cybersecurity & Privacy Requirements
Contractual obligations are required by legal contract between private parties. This may be as simple as a cybersecurity or privacy addendum in a vendor contract that calls out unique requirements. It also includes broader requirements from an industry association that membership brings certain obligations. From a cybersecurity and privacy perspective, common contractual compliance requirements include:
Payment Card Industry Data Security Standard (PCI DSS)
Financial Industry Regulatory Authority (FINRA)
Service Organization Control (SOC)
Generally Accepted Privacy Principles (GAPP)
Center for Internet Security (CIS) Critical Security Controls (CSC)
Digital Security Program (DSP) - Enterprise-Class, Hybrid Framework For Cybersecurity & Privacy
The DSP is an enterprise-class solution for cybersecurity & privacy documentation consisting of thirty-two (32) domains that defines a modern,...