Organizations must follow the laws and regulations that apply to the work they do, and law always takes precedence over standards.
Implementing an ISO standard can help, but it is not a legal requirement. ISO 27001 (whose Annex A requires identifying the legal, statutory, regulatory and contractual requirements that apply) is a useful starting point if an organization wants an idea of the types of laws and regulations that apply to it.
Here are categories of laws to be familiar with.
Criminal Law – Laws that protect society as a whole; violations are prosecuted by the government and enforced by law enforcement.
Civil Law – Disputes that are not crimes but where one party has been wronged by another, such as lawsuits over contracts, negligence, or damages.
Administrative Law – Ensures government functions effectively. Executive-branch agencies issue policies and regulations under authority granted by statute, and these regulations are enforced through both civil and criminal proceedings.
Religious Law – Based on religious principles.
An organization’s management must understand its risks and act on them. Doing so helps protect the organization from legal liability. Two ways to demonstrate this are practicing Due Care and Due Diligence.
Due Care – The organization responds to known risks and follows accepted best practices; acting as a reasonable, prudent person would in the same situation.
Due Diligence – The investigation and ongoing review (risk assessments, audits, monitoring) the organization performs to understand its risks and to verify that the security measures it has implemented remain appropriate.
But which laws does an organization need to follow to mitigate legal liability, you may ask. Here is a list of the most commonly cited laws and standards with a short description of each.
Sarbanes-Oxley – Public company accounting reform and investor protection act.
HIPAA – Protection of information in storage, use, and transmission in the health industry.
GLBA – Protection of information in the finance industry, making the board of directors responsible for security issues.
FISMA – Requires federal agencies to implement information system protection measures, and requires an annual review and report on each agency’s security program, including an independent evaluation.
SB 1386 – California law explaining disclosure obligation in the case of a breach of security affecting customer data.
Computer Fraud and Abuse Act – Broad 1986 law focused on protecting computer systems involved in interstate commerce and federal interest computers; its scope was extended by the National Information Infrastructure Protection Act of 1996.
Federal Sentencing Guidelines – Provide guidance on sentencing and help in the interpretation of computer crime law. They apply the prudent man rule to negligence, holding senior management responsible for failing to exercise the care a prudent person would.
Federal Cybersecurity Laws – Centralizes cyber security responsibility for the Federal government and charges NIST with the responsibility for coordinating Federal security standards.
PCI-DSS – Not a law but an industry standard, enforced contractually by the card brands, to reduce the risk of payment card fraud. It applies to all organizations that process, transmit, or store cardholder data.
General Data Protection Regulation – EU regulation that addresses issues such as globalization and the use of social media, and protects the personal data of people in the EU regardless of where the processing organization is located. Data controllers must notify the supervisory authority (DPA) of a personal data breach within 72 hours of becoming aware of it, where feasible, unless the breach is unlikely to result in a risk to individuals.
Information Security Law – Provides guidance on U.S. encryption export controls: vendors submit encryption products for review by the Commerce Department (Bureau of Industry and Security), with the review to be completed within 30 days.
Digital Millennium Copyright Act – Brings the U.S. into compliance with the World Intellectual Property Organization (WIPO) copyright treaties, and makes it illegal to circumvent technical measures that control access to copyrighted works.
USA PATRIOT Act – Loosens restrictions on authorities investigating and gathering information (including electronic surveillance), and allows the detention and deportation of people suspected of terrorism.
Now let’s go over Intellectual Property laws.
Copyright – Exclusive rights regulating the use of a particular expression of an idea or information (not the idea itself). In the U.S. it lasts for the life of the author plus 70 years (for joint works, 70 years after the death of the last surviving author); works made for hire have different terms.
Patent – A set of exclusive rights over an invention for a limited duration in a given territory. The invention must be novel, non-obvious, and useful. Protection is granted for 20 years from the filing date.
Trade Secret – Intellectual property (a formula, process, design, customer list, etc.) that makes your product unique and requires protection to maintain competitive advantage. There is no registration and no fixed term: protection lasts as long as the information is kept secret, and depends on the organization taking reasonable measures to protect it.
Trademark – A word, symbol, logo, etc. used to identify a firm’s products or services. Registration is granted for 10 years and can be renewed indefinitely for successive 10-year periods as long as the mark stays in use.