Management, compliance & auditing

How foundations of U.S. law apply to information security

May 31, 2022 by John Bandler

The following info is important if you are one of the following: 

  • Live in the U.S.
  • Citizen of the U.S.
  • Work in information security
  • Aspire to any of the above
  • Are interested in law
  • Have no interest in law (yet)

The word “law” instills fear or dread in some, but that needn’t be the case. Sometimes law evokes strong feelings and debates. Let’s face it, there are plenty of imperfections in the law. Our legal system is made up of people, and people are not perfect.

Law should not be the exclusive province of lawyers, and there are principles we can and should learn. Law is important for us as individuals and information security professionals, as I’ve covered in an earlier article, Why information security professionals should learn about law. Here we will explore the important fundamentals of U.S. law, which is also part of a privacy certification body of knowledge I wrote about in my article, CIPP/US: 5 things to know about privacy and cybersecurity law.

Law is for fairness and justice

The underlying purpose of the law is fairness and justice. To have a system of rules to protect society and individuals and a peaceful process to resolve disputes and address behavior that violates our rules. 

Our country is a nation of laws

We built our country to escape the tyranny of monarchs and dictators wielding absolute power. We, the people, should peacefully choose our government. We built guardrails for that system of government to protect individual rights and because some people might not want to relinquish their power.

The U.S. Constitution is our highest law that establishes our government, sets forth its powers and limitations, a system of checks and balances and protects from excessive government intrusion and interference with certain rights.

Citizens have important roles in government. First is the duty to vote and select the executive (president, governor, mayor etc.), legislators and sometimes judges. Second is the duty to serve on juries, an essential component of our legal system — our legal system explicitly relies upon non-lawyers.

Our laws have evolved and multiplied

Societies’ rules and laws have existed for thousands of years, and our Constitution is over 200 years old. Law continually evolves by creating new statutes via the legislative process and through legal precedent established in judicial decisions.

Federal statutes are found in the U.S. Code, a huge body of laws organized by topic (called “titles”), including criminal, financial, health and so on. Some of these statutes create regulatory bodies, such as the Federal Trade Commission (FTC) or Federal Deposit Insurance Corporation (FDIC), and give them powers, including the ability to make more detailed rules or regulations. Those regulations might be found in the Code of Federal Regulations (CFR), which is also organized by topic.

Then we have 50 states, each with its own powers, statutes and regulations.

The internet caused more legal change

Laws have evolved continually, but the Internet caused an explosion in several areas. We still apply traditional legal principles but now have new considerations.

Before the internet, disputes and legal issues were more local. Now the internet puts more people in contact across borders, which means the potential for more disputes and then figuring out which laws to apply. 

The internet brought incredible opportunities for both criminals and businesses. Criminals now steal data and money electronically. Businesses use consumer data to make money. All of this means cybercrime, identity theft and privacy are important issues and growing areas of law and regulation.

We can figure out the legal complexities

This mix of legal authorities with laws and regulations from varying sources and different scopes and definitions could seem overwhelming. But information security professionals are well suited to understand this. 

Consider the different information security frameworks we encounter, such as NIST CSF, NIST 800-53, ISO 27001, COBIT and other frameworks. Each has different categories, subcategories, controls, definitions, and terminologies, but all seek to accomplish similar overall goals. 

Just as we can synthesize all these frameworks, we can do so for the many laws and regulations that apply to information governance. I generally put them into four main categories:

  • Privacy (which includes the below categories)
  • Security (which generally includes the below)
  • Data breach reporting and notification
  • Data disposal rules.

Information security requires knowledge of law

Information security is subject to specific laws and regulations at the federal and state levels, including privacy, security and breach notification. It is also subject to more traditional legal principles of negligence and contract.

We want to protect our organizations from nasty cyber incidents and prevent regulatory actions or lawsuits that allege deficiencies. No information security professional wants their organization or personal actions to be called negligent. Ignorance of legal requirements is never a defense. We should learn about laws to align our information security programs, policies, and practices.

Small steps move us forward

Small steps get us where we need to go, and this article is a start. To move you even further, we’ve got a Certified Information Privacy Practitioner US (CIPP/US) course that covers these foundations of law plus an in-depth review of privacy and cybersecurity laws, all within the body of knowledge for the CIPP/US certification exam. CIPP/US stands for Certified Information Privacy Professional, United States. 

If you didn’t know, now you know — you don’t have to become a lawyer to improve your understanding of the law. The concepts are within your reach and relevant for work and your personal life as a consumer, resident and citizen.

Posted: May 31, 2022
Author
John Bandler
View Profile

John Bandler is a lawyer, consultant, speaker, teacher and author in the areas of cybersecurity, cybercrime, privacy, investigations and more. He is the founder of Bandler Law Firm PLLC and Bandler Group LLC, legal and consulting practices that help organizations and individuals with cybersecurity, the prevention and investigation of cybercrime, privacy, compliance, risk management and governance. John has expertise in many subjects, holds a number of certifications, and is a prolific writer and speaker. His first book is Cybersecurity for the Home and Office, his second book is Cybercrime Investigations, an extensive resource regarding the law, technology, process and skills regarding the investigation of cybercrime. John has authored articles on a range of topics and teaches professionals and students at the undergraduate, graduate and law school levels. Before entering private practice, John served in government as an assistant district attorney in the New York County District Attorney's Office where he investigated and prosecuted criminal offenses ranging from cybercrime, virtual currency money laundering and traditional street crimes and frauds. Prior to that, he served as a state trooper in the New York State Police providing full police services to the local community.

Leave a Reply

Your email address will not be published.