How foundations of U.S. law apply to information security
The following information is important if you:
- Live in the U.S.
- Are a citizen of the U.S.
- Work in information security
- Aspire to any of the above
- Are interested in law
- Have no interest in law (yet)
The word “law” instills fear or dread in some, but that needn’t be the case. Sometimes law evokes strong feelings and debates. Let’s face it, there are plenty of imperfections in the law. Our legal system is made up of people, and people are not perfect.
Law should not be the exclusive province of lawyers, and there are principles we can and should learn. Law is important for us as individuals and information security professionals, as I’ve covered in an earlier article, Why information security professionals should learn about law. Here we will explore the important fundamentals of U.S. law, which is also part of a privacy certification body of knowledge I wrote about in my article, CIPP/US: 5 things to know about privacy and cybersecurity law.
Law is for fairness and justice
The underlying purpose of the law is fairness and justice: to have a system of rules that protects society and individuals, and a peaceful process to resolve disputes and address behavior that violates those rules.
Our country is a nation of laws
We built our country to escape the tyranny of monarchs and dictators wielding absolute power. We, the people, should peacefully choose our government. We built guardrails for that system of government to protect individual rights and because some people might not want to relinquish their power.
The U.S. Constitution is our highest law. It establishes our government, sets forth its powers and limitations, creates a system of checks and balances, and protects certain rights from excessive government intrusion and interference.
Citizens have important roles in government. First is the duty to vote and select the executive (president, governor, mayor etc.), legislators and sometimes judges. Second is the duty to serve on juries, an essential component of our legal system — our legal system explicitly relies upon non-lawyers.
Our laws have evolved and multiplied
Societies’ rules and laws have existed for thousands of years, and our Constitution is over 200 years old. Law continually evolves by creating new statutes via the legislative process and through legal precedent established in judicial decisions.
Federal statutes are found in the U.S. Code, a huge body of laws organized by topic (called “titles”), including criminal, financial, health and so on. Some of these statutes create regulatory bodies, such as the Federal Trade Commission (FTC) or Federal Deposit Insurance Corporation (FDIC), and give them powers, including the ability to make more detailed rules or regulations. Those regulations can be found in the Code of Federal Regulations (CFR), which is also organized by topic.
Then we have 50 states, each with its own powers, statutes and regulations.
The internet caused more legal change
Laws have evolved continually, but the internet caused an explosion in several areas. We still apply traditional legal principles but now have new considerations.
Before the internet, disputes and legal issues were more local. Now the internet puts more people in contact across borders, which means the potential for more disputes and the added problem of figuring out which laws apply.
The internet brought incredible opportunities for both criminals and businesses. Criminals now steal data and money electronically. Businesses use consumer data to make money. All of this means cybercrime, identity theft and privacy are important issues and growing areas of law and regulation.
We can figure out the legal complexities
This mix of legal authorities, with laws and regulations from varying sources and with different scopes and definitions, could seem overwhelming. But information security professionals are well suited to understand it.
Consider the different information security frameworks we encounter, such as NIST CSF, NIST SP 800-53, ISO 27001 and COBIT. Each has different categories, subcategories, controls, definitions and terminology, but all seek to accomplish similar overall goals.
Just as we can synthesize all these frameworks, we can do so for the many laws and regulations that apply to information governance. I generally put them into four main categories:
- Privacy (which includes the categories below)
- Security (which generally includes the categories below)
- Data breach reporting and notification
- Data disposal rules
Information security requires knowledge of law
Information security is subject to specific laws and regulations at the federal and state levels, including privacy, security and breach notification. It is also subject to more traditional legal principles of negligence and contract.
We want to protect our organizations from nasty cyber incidents and prevent regulatory actions or lawsuits that allege deficiencies. No information security professional wants their organization or personal actions to be called negligent. Ignorance of legal requirements is never a defense. We should learn about laws so we can align our information security programs, policies and practices with them.
Small steps move us forward
Small steps get us where we need to go, and this article is a start. To move you even further, we’ve got a Certified Information Privacy Professional US (CIPP/US) course that covers these foundations of law plus an in-depth review of privacy and cybersecurity laws, all within the body of knowledge for the CIPP/US certification exam. CIPP/US stands for Certified Information Privacy Professional, United States.
If you didn’t know, now you know — you don’t have to become a lawyer to improve your understanding of the law. The concepts are within your reach and relevant for work and your personal life as a consumer, resident and citizen.