Introduction to Regulatory Requirements

Governments are concerned with consumer protection, promoting a stable economy, and maintaining a reliable source of tax revenue. All three of these drivers are linked. If people feel safe using the Internet to buy goods and services, a stable sector of the economy emerges. When a sector of the economy is stable, the government has a reliable source of tax revenue from it. This is not to imply that any one of these drivers is the primary goal of government regulation. However, government regulations do exist, and the question is what to regulate and how much.

When you implement security policies, remember that there are pressures and trade-offs. For example, you may have to place restrictive controls on data to comply with a regulation, and those controls may limit how your business operates. As you balance these competing interests, you must be in regular conversation with the business. Security policies reflect how the business wishes to balance competing interests.

Before writing such policies, it is important to understand why these requirements exist. Equally important is to understand how the regulator for your industry interprets these regulations. It is the regulator's interpretation that sets expectations for which controls the organization must deploy.

An example is the General Data Protection Regulation (GDPR), which the European Union (EU) adopted in 2016 and began enforcing in May 2018. GDPR places greater obligations on companies that process and handle the personal data of individuals in the EU. Why is this important to U.S. companies? GDPR's territorial scope reaches organizations outside the EU that offer goods or services to individuals in the EU, including over the Internet, or that monitor the behavior of individuals in the EU; a U.S. company with no European office can therefore still be subject to it. While this chapter focuses only on U.S. laws, an organization doing business internationally needs a broader view of regulations.

Regulatory compliance is nothing new. However, government oversight and strong compliance regulations greatly increased with the expansion of the Internet. Consider how quickly the Internet has become part of our daily lives. It is not just the browser we use to surf the Internet that affects us daily. Our doorbell may have an Internet-connected camera, we may carry an Internet-connected phone (smartphone), and those unwanted robocalls are usually driven by data collected through the Internet.

Regulatory Acts of Congress

Congress enacts major legislation known as statutes. The president of the United States signs these acts of Congress into law. Examples of such acts include the Cybersecurity Information Sharing Act (CISA) of 2015, the E-Government Act of 2002, the Sarbanes-Oxley (SOX) Act of 2002, and the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

After such acts become law, various government agencies create and enforce the federal regulations authorized by those acts. Some examples of these government agencies are the Food and Drug Administration (FDA), Environmental Protection Agency (EPA), U.S. Securities and Exchange Commission (SEC), Federal Trade Commission (FTC), and Federal Communications Commission (FCC), to name a few.

Congress typically first passes a statute to address a problem, such as a social or economic issue. Such a statute is considered enabling legislation because it authorizes regulatory agencies to create the regulations needed to implement the law. (A regulatory agency is a public or government agency that has authority over some area of activity in a regulatory or supervisory capacity.) For example, the FCC creates regulations under the Children's Internet Protection Act (CIPA), and the SEC creates regulations under SOX. The statute sets the goal; the agency's regulations spell out the specific requirements an organization must meet, and it is those requirements that an auditor or examiner will test against.
