1.4 Determine compliance requirements

  • Contractual, legal, industry standards, and regulatory requirements
  • Privacy requirements

What kinds of policies should we implement to protect our organization?  Compliance requirements come from several places:

  • Contractual – our customers or vendors may impose specific requirements on us, especially for the protection of data we store about them or on their behalf.

  • Legal – the government may impose specific requirements for the protection of data belonging to their citizens.  Different levels of government may have different rules.

  • Industry Standards – industry standards are created by industry organizations and represent best practices.  They are not legally binding on their own, but if our organization does not comply with an applicable industry standard and there is a data leak or other breach, we may be considered negligent. 

    A court or regulator will say that we should have known about the industry standard.  If we are a member of an industry organization, we may also be required to follow its policies as a condition of membership, which turns the standard into a contractual requirement.

  • Regulatory Requirements – an applicable regulatory body may impose specific regulations on our industry.  For example, banks must follow regulatory requirements imposed by agencies such as the FDIC or the OCC (financial institutions that are not banks fall under the FTC’s rules instead).

  • Privacy Requirements – a privacy commissioner or regulatory body may impose specific requirements for customer data.

We should understand the requirements for our organization.  If we operate in more than one jurisdiction, we may be subject to requirements from more than one government.  We may be subject to requirements from the jurisdictions where we store the data and from the jurisdictions where we collect it, even if we aren’t physically present there.

For example, if we are based in California, and collect data from people in Florida, but store it in Oregon, we might be subject to the laws of three different states.

There are three types of laws:

  • Criminal Law – the criminal law is the basis of society.  A violation of a criminal law could lead to a fine, a prison sentence, and/or a criminal record.  The most serious wrongs are prohibited by criminal law.  Criminal law usually requires intent (mens rea).  That means that in order to be found guilty, the government must prove that you committed the prohibited act and that you had the required state of mind when you did it (for most offences, that you acted intentionally, knowingly, or recklessly).  Ignorance of the law is generally not a defence: the question is whether you meant to do the act, not whether you knew it was illegal.

    The police and other investigative agencies investigate violations of criminal law, and government prosecutors bring the charges.  In most countries, a private individual does not have the right to initiate a criminal prosecution.

    Criminal laws are created by the federal government, the state/provincial governments, and local governments.  In Canada, only the federal government creates criminal laws (the provinces create regulatory offences, which are not crimes in the strict sense). 

    In the United States, only specific crimes fall under the jurisdiction of the federal government (each state has its own criminal laws).  They include:

    • Acts that take place on federal government property such as a government building, a national park, etc.

    • Acts that are federal in nature such as copyright or trademark violations, bank robbery (because banks are federally insured), or immigration.

    • Acts that occur in the “Special Aircraft Jurisdiction of the United States”.  If you commit a crime on an airplane that took off from the United States, is scheduled to land in the United States, belongs to a United States company or the United States government, or is flying in United States airspace, then that crime can be prosecuted federally.

    • Acts that occur in the “Special Maritime Jurisdiction of the United States”.  If you commit a crime on a ship that is sailing with the flag of the United States, then you are subject to United States federal jurisdiction while on board that ship.

    • Certain acts that occur in foreign countries against United States citizens.  For example, federal statutes make the murder of an American citizen abroad a federal crime in defined circumstances.

    • Acts that cross state or national borders, such as smuggling, computer hacking, or transporting drugs across state lines.  Almost all computer crimes can be brought under federal jurisdiction because internet communications almost always cross state lines; the Computer Fraud and Abuse Act applies to any “protected computer”, which includes any computer used in or affecting interstate commerce or communication.

    In the United States, all other crimes fall under state law.  A single act can violate both state and federal law and be prosecuted by both (the dual sovereignty doctrine).

  • Civil Law – civil laws regulate disputes between private parties.  Civil liability does not always require intent.  That means you can be found liable even if you did not intend to break the law; this is known as strict liability.  For example, copyright infringement is a strict liability tort.  If you violate somebody’s copyright, they can sue you for damages and win even if you can prove that you didn’t know your actions infringed their copyright (lack of knowledge may reduce the damages, but not the liability).

    The standard of proof in civil law is lower than in criminal law.  In criminal law, the government must prove guilt beyond a reasonable doubt.  In civil law, the person filing the lawsuit must only prove their case by a preponderance of the evidence (more likely than not that they are right).

    The police do not usually investigate violations of civil law.  If you violate a civil law, the person who is harmed must file a lawsuit against you to recover damages.  In the United States, the federal government also enforces some laws through civil actions rather than criminal prosecution, such as unfair competition (FTC) or insider trading (SEC).

    Some conduct is both a civil wrong and a crime.  For example, copyright and trademark infringement can be prosecuted by the federal government under criminal law and can also be sued over by the respective rights holders under civil law.

    When you file a lawsuit in the United States, you must decide whether to file it in federal court or in state court.  The federal courts have jurisdiction only in specific cases.  For a suit to proceed, the court must have subject matter jurisdiction (power over the type of case), personal jurisdiction (power over the defendant), and proper venue (the right court within the system; these notes call this territorial jurisdiction).

    • When the case arises under federal law (federal question jurisdiction), the federal courts have subject matter jurisdiction.  Some of these subjects, such as copyright and patent, can only be heard in federal court; others, such as trademark, can be heard in either federal or state court.

    • When the case does not involve a federal question, the federal courts still have subject matter jurisdiction if there is complete diversity and the amount in controversy exceeds $75,000.  Diversity means that no plaintiff is a citizen of the same state as any defendant.

      • Multiple people can get together as Plaintiffs and sue one or more people as Defendants

      • Corporations are people too (for the purposes of a lawsuit)

      • A corporation is considered a resident of the state that it was incorporated in and the state with its principal place of business

      • An LLC or partnership is considered a resident of the state or states that each of its members are from

      Federal courts won’t hear divorce or estate (probate) cases even if there is diversity and the amount exceeds $75,000.

      In a diversity case, the federal court applies the substantive law of the state in which it sits (including that state’s choice-of-law rules) together with federal procedural rules, not federal substantive law.  Diversity jurisdiction exists because of the concern that state courts might not treat out-of-state parties fairly.

    • If you are suing the federal government, or the federal government is suing you, then the federal court has subject matter jurisdiction.

    • There are 94 federal judicial districts, each with a district court.  Each district covers a specific geographic area, either an entire state or territory or part of one; no district spans two states.  Choosing the right district is a question of venue, which these notes call territorial jurisdiction.  When you file a lawsuit in federal court, you must choose the correct district.  28 U.S.C. § 1391 sets the general rules.  Venue is proper in a district where:

      • A substantial portion of the events or omissions took place in the physical jurisdiction of the court

      • The property in dispute is located in the physical jurisdiction of the court

      • Any Defendant resides, provided all the Defendants reside in the same state.  Notice that the residency of the Plaintiff does not apply.

        • If the Defendant is a human, he resides in the district where he is domiciled (his principal, permanent residence)

        • A Defendant who does not reside in the United States, whether or not a citizen, can be sued in any district

        • A corporation (or other entity) is a resident of any district in which it is subject to the court’s personal jurisdiction for that case.  If the state has multiple districts, the corporation resides in any district within that state where its contacts would be enough for personal jurisdiction if that district were its own state; if there is no such district, it resides in the district with which it has the “most significant contacts”

      • If the Defendant is the federal government (or one of its agencies or officers acting in an official capacity), venue is proper where any Defendant resides, where a substantial part of the events took place, or, if no real property is involved, where the Plaintiff resides.

      • If the Defendant is a foreign state, the suit can be filed in the United States District Court for the District of Columbia, in addition to any district where a substantial part of the events took place or the property at issue is located, or, for an agency or instrumentality of the foreign state, any district where it is licensed to do business or is doing business.

        In general, you cannot sue a foreign government, and that protection extends to its agencies and instrumentalities, including corporations it owns.  This is the doctrine of foreign sovereign immunity.  The Foreign Sovereign Immunities Act (FSIA) allows you to sue a foreign state only in specific circumstances, including:

        • The foreign government is carrying out a commercial activity with a connection to the United States and you are suing them on the basis of that activity

        • The foreign government waived its immunity

        • Rights in immovable property located in the United States are at stake (the Act also covers rights in property taken in violation of international law)

        • The suit seeks monetary damages for personal injury, death, or property damage caused by a tortious act of the foreign state that occurred in the United States

      • If the events took place overseas, or in the special aircraft or special maritime jurisdiction, so that no district is proper under the rules above, venue falls back to any district in which any Defendant is subject to the court’s personal jurisdiction. 

        In general, few civil laws apply to acts that take place outside the physical territory of the United States; courts presume that a statute does not apply extraterritorially unless Congress clearly says so.

        The Alien Tort Statute (also called the Alien Tort Claims Act, ATCA) gives the federal courts jurisdiction over civil suits by foreign nationals for torts committed in violation of international law, such as torture, genocide, war crimes, and prolonged arbitrary detention.  It is one route by which a foreign national can sue in federal court, not the only one: foreign nationals can also rely on alienage diversity or federal question jurisdiction.  Suits against a foreign government itself remain subject to the FSIA.

    • In addition to the 94 district courts, there are specialized federal courts that only hear specific types of cases.

      • The United States Tax Court only hears federal tax disputes.

      • The United States Bankruptcy Courts (units of the district courts) only hear bankruptcy cases.

      • The United States Court of International Trade only hears cases regarding international trade.

      • The United States Court of Federal Claims hears monetary claims against the federal government, including contract disputes between the government and its contractors.

  • Administrative Law – administrative law consists of the regulations written by executive agencies under authority that Congress delegates to them by statute.  Federal regulations are published in the Federal Register and codified in the Code of Federal Regulations (CFR).  An agency does not need a separate vote of Congress for each regulation, but it must stay within the authority its enabling statute grants and must normally follow the notice-and-comment process of the Administrative Procedure Act.  Agencies also enforce their regulations through their own administrative procedures.  Many of the rules a security team must follow, such as the HIPAA Security Rule, are administrative regulations of this kind.

    For example, Congress gives the Food and Drug Administration (FDA) the power to regulate food labeling and medications by statute.  The FDA then writes regulations about food and drug labelling, including a regulation on the nutritional information that must appear on each package of food sold in the United States. 

    The FDA regulates the meaning of words like “low in fat”, “low sodium”, “a good source of calcium”, etc.  If you go to the store and see a can of soup that says “low sodium”, that means that it contains 140 mg or less of sodium in each serving.  A food manufacturer can’t arbitrarily write those words on the can thanks to the FDA.

In the United States, some important laws and standards are:

  • US Computer Security Act of 1987

    • Assigned NIST (at the time still the National Bureau of Standards) responsibility for developing security standards and guidelines for unclassified federal computer systems

    • Requires federal agencies to write security plans for systems holding sensitive information and to give security awareness training to the employees who use them

  • US Federal Information Security Management Act of 2002 (FISMA)

    • Replaced the Computer Security Act of 1987

    • Requires each federal agency, and those who provide IT to the federal government, to run an information security program and to conduct security assessments in accordance with NIST standards (FIPS 199/200 and the NIST SP 800 series, notably SP 800-53).  Amended by the Federal Information Security Modernization Act of 2014.

  • Sarbanes-Oxley Act of 2002 (also known as the Corporate and Auditing Accountability, Responsibility, and Transparency Act, Sarbox, or SOX)

    • Public corporations and their auditors have a legal obligation to preserve certain types of records (including audit workpapers) for at least seven years.  Section 404 also requires management to assess and report on internal controls over financial reporting, which is why IT general controls (access control, change management, logging) are examined in SOX audits. 

  • SSAE SOC 1 and SOC 2, Type I/II.  Statement on Standards for Attestation Engagements (SSAE) is an attestation standard put out by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board.  The current version is SSAE 18.  It is an auditing/attestation standard, not an accounting standard.

    The standard provides a framework for an independent auditor to examine and report on a service organization’s controls.  The result is a System and Organization Controls (SOC) report.  A SOC 1 report covers controls relevant to the customer’s financial reporting.  A SOC 2 report covers controls against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) and is the report usually requested from cloud and SaaS providers.  Either way, the audit asks whether the organization has internal controls to prevent fraud and bad behavior, and whether we can trust what they say.

    • A Type 1 report assesses whether the organization’s internal controls are suitably designed at a point in time.

    • A Type 2 report assesses the operating effectiveness of the organization’s internal controls over a period (typically six to twelve months).  If the controls are designed well but people bend the rules, then the controls are meaningless, and only a Type 2 report would reveal that.

  • Payment Card Industry Data Security Standard (PCI DSS).  PCI DSS governs the way cardholder data is stored, processed, and transmitted.  It is not a law; it is a contractual standard issued by the PCI Security Standards Council and imposed by the card brands and acquiring banks on merchants and service providers that handle card data.  Some of the things that it covers:

    • Firewall to protect credit card data

    • OS hardening

    • Changing default passwords

    • Protecting stored cardholder data (the PAN must be rendered unreadable anywhere it is stored, by encryption, truncation, tokenization, or one-way hashing)

    • Limitations on what type of credit card data can be stored (sensitive authentication data such as the full magnetic stripe, CVV2, and PIN must never be stored after authorization)

    • Encryption

    • Encrypted transmission of data

    • Antivirus

    • Vulnerability management programs

    • Authentication of authorized users

    • Audit trails

    • Information security policy
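The following is an added example, not code from these notes or from the PCI Security Standards Council, showing three of the PCI DSS points above in working form: dropping sensitive authentication data before a transaction record is written, rendering the PAN unreadable (masked for display, keyed HMAC token for lookups), and checking audit trails for full PANs using the Luhn checksum so that order numbers and timestamps are not mistaken for cards.  The field names, the demo key, the transaction record, and the log lines are all constructed for illustration; 4111111111111111 and 5555555555554444 are widely used test card numbers, not real accounts.

```python
"""Cardholder-data handling helpers illustrating three PCI DSS themes:
(1) do not store sensitive authentication data after authorization,
(2) render the PAN unreadable wherever it is stored, and
(3) keep audit trails free of full PANs.
Added example for these notes; not official PCI SSC code.  Field names,
the demo key, the record, and the log lines are constructed for illustration.
"""
import hashlib
import hmac
import re

# Sensitive authentication data (SAD): PCI DSS forbids storing these after
# authorization, even encrypted.  Field names are assumed for this example.
SENSITIVE_AUTH_FIELDS = ("cvv2", "track1", "track2", "pin_block")

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run.  Candidates are confirmed with the Luhn check below.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed demo key; a real deployment pulls the key from an HSM or KMS.
DEMO_KEY = b"demo-key-do-not-use-in-production"


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip the separators people type into card numbers."""
    return re.sub(r"[ -]", "", raw)


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits only, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256) so records can be matched without the PAN."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Build the version of an authorized transaction that may be written to disk."""
    stored = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    pan = normalize_pan(stored.pop("pan"))
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    stored["pan_masked"] = mask_pan(pan)       # safe to display on receipts/UI
    stored["pan_token"] = pan_token(pan, key)  # safe to index and search on
    return stored


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN in a line of text (e.g., an audit log entry)."""
    return [normalize_pan(m.group(0)) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(normalize_pan(m.group(0)))]


def redact_pans(text: str) -> str:
    """Replace Luhn-valid PANs with their masked form; leave other numbers alone."""
    def _sub(m):
        pan = normalize_pan(m.group(0))
        return mask_pan(pan) if luhn_valid(pan) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def scan_log(lines) -> dict:
    """Map line index -> PANs found, for every line that leaks a full PAN."""
    return {i: pans for i, line in enumerate(lines) if (pans := find_pans(line))}


# Constructed sample data.  The order id is a 16-digit number that fails Luhn,
# so a naive "16 digits" rule would flag it while the Luhn check does not.
SAMPLE_RECORD = {
    "order_id": "1234567890123456",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv2": "123",
    "track2": "4111111111111111=29121011000012345678",
    "amount": "19.99",
}
LOG_LINES = [
    "2024-05-01T10:00:00Z INFO auth ok order=1234567890123456 pan=4111111111111111",
    "2024-05-01T10:00:01Z DEBUG card 5555-5555-5555-4444 exp 12/29",
    "2024-05-01T10:00:02Z INFO settlement batch 9900112233 ok",
]

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD, DEMO_KEY))
    for idx, pans in scan_log(LOG_LINES).items():
        print(f"line {idx} leaks {pans} -> {redact_pans(LOG_LINES[idx])}")
```

Running the block shows the stored record with no cvv2 or track2 fields and the PAN replaced by a masked form plus a token, and flags the first two log lines as leaking a full PAN while ignoring the order number and batch id.  The Luhn check is a filter against false positives, not proof that a number is a live card; in a real deployment the redaction runs in the logging pipeline before the line reaches disk, since a full PAN in an audit trail puts the whole log store in PCI scope.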