Information Security Legal Environment

---

Due diligence is a legal term meaning that responsible persons have not been negligent in discharging their duties.

• Negligence may create criminal and civil liabilities
• Sarbanes–Oxley Act (SOX)
• The Computer Security Act of 1987
• Federal Information Security Management Act (FISMA)

Global Law

As information systems become more interconnected globally, many countries have enacted laws with broader, international reach:

• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)

Regulations and National, Local, Regional and Industry Laws

National Law

• United States
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Federal Information Security Management Act (FISMA)
• United Kingdom
  • Data Protection Act 2018
  • Network and Information Systems (NIS) Regulations 2018
• Canada
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
• India
  • Information Technology Act 2000
• Australia
  • Privacy Act 1988

Regional Laws

• New York Department of Financial Services (DFS) Part 500 Cybersecurity Regulation
• Massachusetts 201 CMR 17.00

Industry Laws and Regulations

• Healthcare
  • Health Insurance Portability and Accountability Act (HIPAA) (United States)
  • The General Data Protection Regulation (GDPR) (European Union)
• Financial Services
  • Gramm-Leach-Bliley Act (GLBA) (United States)
  • Payment Card Industry Data Security Standard (PCI DSS ) (Contractual obligation)
• Telecommunications
  • Communications Assistance for Law Enforcement Act (CALEA ) (United States )
• Energy
  • North American Electric Reliability Corporation (NERC) (United States and Canada)
• Education & Children
  • Family Educational Rights and Privacy Act (FERPA) (United States)
  • Children’s Internet Protection Act (CIPA) (United States)
  • Children’s Online Privacy Protection Act (COPPA) (United States )
• Government
  • Federal Information Security Modernization Act (FISMA) (United States )
  • Criminal Justice Information Services (CJIS ) Security Policy (United States )
  • The Government Security Classifications (GSC) (United Kingdom)

Cybersecurity Regulations

Cybersecurity regulations are legal rules and guidelines formulated by governments and regulatory bodies to safeguard digital information and systems from cyber threats.

• set standards for protecting data confidentiality, integrity, and availability, particularly sensitive and personal information
• e.g.,
  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Federal Information Security Management Act (FISMA)
  • Network and Information Systems (NIS) Directive
  • Cybersecurity Maturity Model Certification (CMMC)