# 6.2: Laws and Regulations

Information technology law (also called cyberlaw) concerns the law of information technology, including computing and the internet. It is related to legal informatics and governs the digital dissemination of both (digitized) information and software, as well as information security and electronic commerce; it has been described as "paper laws" for a "paperless environment". It raises specific issues of intellectual property in computing and online, contract law, privacy, freedom of expression, and jurisdiction.

Information technology regulation, also referred to as cybersecurity regulation, is made up of any directive that safeguards information technology and computer systems, with the purpose of requiring companies and organizations to protect their systems and information from cyber attacks such as viruses, worms, Trojan horses, phishing, denial of service (DoS) attacks, unauthorized access (stealing intellectual property or confidential information), and control system attacks.

Specifically, within the context of information security, the body of laws and regulations with which information security professionals might need to concern themselves is massive. In the physical world the same issues, although still potentially complex, are much more straightforward and more easily enforceable.

For example, consider a physical storefront that is vandalized. The attacker walks up to the front of the store, spray paints graffiti all over it, throws the can of paint on the sidewalk, and runs off. Because of the cost of repairing the damage, the police investigate the crime. The police are able to get the culprit's fingerprint from the spray-paint can, track him down, and discover that he is a serial vandal. In the course of the investigation, it is also discovered that the perpetrator is on a foreign student visa. Given his record of offenses, his visa is revoked and he is deported from the country.

Now let's look at the same example from a slightly different angle. In this case, we have an online storefront, that is, a web page, which is defaced. Investigators who are part of the victim company's information security department are able to trace back through their logs and discover that the attack that compromised their web server originated from a Chinese IP address (the IP address serving much the same role as the fingerprint did). Unfortunately, the defacement itself came from a different IP address, one belonging to Microsoft's Azure hosting service. Additionally, traffic from Amazon's hosting service, Rackspace, and a number of others is found in the logs as well, all originating from different countries. At this point, the company has patched the vulnerability that they think allowed the attacker in and has repaired the web site. They have a number of potential leads that they could follow up on, but no authority to pursue them. The incident is then reported to the FBI, which generally will not pursue it as an active investigation because it does not cross the loss threshold the FBI applies due to the high volume of cases.

Such scenarios are all too common in the information security industry. Laws in the world today follow geographic boundaries, boundaries that the Internet ignores, making enforcement complex at best and impossible in some cases because the countries involved have few, if any, laws governing Internet use.

A brief, non-exhaustive list of laws and regulations is shown below.

### Broadly applicable laws and regulations

- Sarbanes-Oxley Act (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
- Payment Service Directive, revised (PSD2)
- Gramm-Leach-Bliley Act (GLBA)
- Free and Secure Trade Program (FAST)
- Children's Online Privacy Protection Act (COPPA)
- Fair and Accurate Credit Transaction Act (FACTA), including the Red Flags Rule
- Federal Rules of Civil Procedure (FRCP)

### Industry-specific guidelines and requirements

- Federal Information Security Management Act (FISMA)
- North American Electric Reliability Corp. (NERC) standards
- Title 21 of the Code of Federal Regulations (21 CFR Part 11), Electronic Records
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)
- H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation

### US state laws

- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- Connecticut Data Privacy Act (CTDPA)
- Maine Act to Protect the Privacy of Online Consumer Information
- Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (House Bill 1154)
- Massachusetts 201 CMR 17 (aka Mass Data Protection Law)
- Massachusetts Bill H.4806 – An Act relative to consumer protection from security breaches
- Nevada Personal Information Data Privacy Encryption Law (NRS 603A)
- New Jersey – An Act concerning disclosure of breaches of security and amending P.L.2005, c.226 (S. 51)
- New York State Department of Financial Services, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
- New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
- Oregon Consumer Information Protection Act (OCIPA), SB 684
- Texas – An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council
- Utah Consumer Privacy Act
- Virginia – Consumer Data Protection Act (CDPA)
- Washington – An Act Relating to breach of security systems protecting personal information (SHB 1071)

### International laws

- Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA) – Canada
- Personal Information Protection Law (PIPL) – China
- Law on the Protection of Personal Data Held by Private Parties – Mexico
- General Data Protection Regulation (GDPR)