Word Crimes: Understanding Cybersecurity & Privacy Compliance Requirements
Compliance terms are pretty badly abused, even by professionals within the cybersecurity and privacy industries. The information below is meant to help get everyone on the same sheet of music, since words do have meanings and it is important to understand cybersecurity and privacy requirements.
Why Should You Care?
Words have meaning. Cybersecurity and IT professionals routinely abuse the terms “law” and “regulation” as if they are synonymous, but those terms have unique meanings that need to be understood.
Understanding the “hierarchy of pain” with compliance leads to well-informed risk decisions that influence technology purchases, staffing resources and management involvement. That is why it serves both cybersecurity and IT professionals well to understand the compliance landscape for their benefit, since you can present issues of non-compliance in a compelling business context to get the resources you need to do your job.
Beyond just using terminology properly, understanding which of the three types of compliance is crucial in managing both cybersecurity and privacy risk within an organization. The difference between non-compliance can be as stark as (1) going to jail, (2) getting fined, (3) getting sued, (4) losing your contract and (5) an unpleasant combination of the previous options.
Statutory Cybersecurity & Privacy Requirements
Statutory obligations are required by law and refer to current laws that were passed by a state or federal government. From a cybersecurity and privacy perspective, statutory compliance requirements include:
US - Federal Laws
- Children's Online Privacy Protection Act (COPPA)
- Fair and Accurate Credit Transactions Act (FACTA) - including "Red Flags" rule
- Family Education Rights and Privacy Act (FERPA)
- Federal Information Security Management Act (FISMA)
- Federal Trade Commission (FTC) Act
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley Act (SOX)
US - State Laws
- California SB 1386
- Massachusetts 201 CMR 17.00
- Oregon ORS 646A.622
- Canada - Personal Information Protecion and Electronic Documents Act (PIPEDA)
- UK - Data Protection Act (DPA)
- Other countries' variations of Personal Data Protect Acts (PDPA)
Regulatory Cybersecurity & Privacy Requirements
Regulatory obligations are required by law, but are different from statutory requirements in that these requirements refer to rules issued by a regulating body that is appointed by a state or federal government. These are legal requirements through proxy, where the regulating body is the source of the requirement. It is important to keep in mind that regulatory requirements tend to change more often than statutory requirements. From a cybersecurity and privacy perspective, regulatory compliance examples include:
- Defense Federal Acquisition Regulation Supplement (DFARS)
- Federal Acquisition Regulation (FAR)
- Federal Risk and Authorization Management Program (FedRAMP)
- DoD Information Assurance Risk Management Framework (DIARMF)
- National Industrial Security Program Operating Manual (NISPOM)
- New York Department of Financial Services (NY DFS) 23 NYCRR 500
- European Union General Data Protection Regulation (EU GDPR)
Contractual Cybersecurity & Privacy Requirements
Contractual obligations are required by legal contract between private parties. This may be as simple as a cybersecurity or privacy addendum in a vendor contract that calls out unique requirements. It also includes broader requirements from an industry association that membership brings certain obligations. From a cybersecurity and privacy perspective, common contractual compliance requirements include:
- Payment Card Industry Data Security Standard (PCI DSS)
- Financial Industry Regulatory Authority (FINRA)
- Service Organization Control (SOC)
- Generally Accepted Privacy Principles (GAPP)
- Center for Internet Security (CIS) Critical Security Controls (CSC)
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
Questions? Please contact us for clarification so that we can help you find the right solution for your cybersecurity and privacy compliance needs.