
CHAPTER 3

Compliance Laws and Information Security Policy Requirements

IN RECENT YEARS, globalization has been driven by technology and the growth of the Internet. Internet usage statistics show that as of 2019, 57.3 percent of the world’s population, or 4.4 billion people, have Internet access.1 In North America and Europe, that number is above 85 percent. Several other sources report similar numbers.2,3

The expansion of Internet access continues to grow rapidly in developing countries. The Internet’s explosive reach has created global economic opportunity never seen before. You can see this in products you buy every day. Technology has helped create a global supply chain that delivers to consumers worldwide an array of low-cost goods that would have been unimaginable just a few years ago.

But the speed with which the Internet has expanded has come at a price. Privacy is an issue. People may feel, not unreasonably, that every action they take is being captured. Cellphones leave computer records of who called whom. Social media provides channels for cyberbullying in schools. Hackers have been able to steal massive amounts of credit card information through the Internet. Countries have used the Internet to launch attacks on other countries.

In February 2014, President Obama declared, “Cyberterrorism is [the] country’s biggest threat.”4 In general, cyberterrorism refers to an attempt to cause fear or major disruption in a society by attacking computer systems; when the attacker is a nation-state, the same activity is usually called cyberwarfare. The idea is to attack government computers, major companies, or key sectors of the economy. Such attacks can come from terrorist groups or individuals, as well as from nation-states (sovereign countries).

President Obama’s statements still ring true. In 2019, there was an attempt to attack U.S. power companies that many sources believe was sponsored by the Chinese government.5 The Center for Strategic and International Studies reported that in May 2019, Iran was using a network of websites to launch a disinformation campaign against several nations, including the United States, Israel, and Saudi Arabia.6 Clearly, these threats have not abated since 2014.

With so much at stake, governments cannot sit on the sidelines. In the United States, the federal and state governments establish laws that define how to control, handle, share, and process the sensitive information on which this new economy relies. Much of that information is about you: personal data about your finances, health, buying habits, and more. To these laws are added regulations, typically written by civil servants to implement the authority granted by the law. Regulators are the individuals or agencies who enforce these rules. Industry groups also try to self-regulate, which means they create standards their members must follow. Failure to follow regulations or industry standards can result in fines or limits placed on a company’s ability to operate. Gross violations of regulations can also be prosecuted as violations of criminal law, which can result in the arrest of company officers and possible jail time.

This chapter discusses major government laws and their compliance requirements. When the term regulation appears in this chapter, it relates to either U.S. laws or laws that are widespread around the globe. You will read about how requirements influence security policies. You will also learn about major drivers for the regulations and the importance of protecting personal privacy. You will see how to create compliant policies, standards, procedures, and guidelines. The chapter also examines industry standards that drive security policies. Any one of these laws or standards could take up the pages of an entire book. The focus here is on high-level principles that drive security policies and controls.

This chapter will focus primarily on U.S. laws and regulations; however, specific non-U.S. laws are also explored because of either their significance to U.S. businesses or their exemplary content. For example, the General Data Protection Regulation (GDPR), although a European Union (EU) law, applies to any organization that processes the personal data of people in the EU, regardless of where that organization is located. This includes e-commerce platforms with European customers. Thus, it is important for even U.S. businesses to be aware of this regulation.
