Compliance – most of you already know what this means, but if not, it means adherence to some type of mandate. Audits are a form of measuring compliance.

Mandates come in many forms. Here are the types you’ll need to know for the exam:

Contractual mandates – above we talked briefly about what a contract is. A contract sets out expectations and demands on each party that can be both legally and financially enforceable. An example of a contractual mandate is the Payment Card Industry Data Security Standard (PCI-DSS). This set of standards requires businesses that accept credit or debit cards to adhere to specific security standards; failure to do so results in the revoking of the business’s ability to accept such payments.

Legal mandates – or legal standards – are decided by courts through case decisions that set a precedent: a common practice for how the law should be applied in similar future situations, or what the norm should be. Of particular interest are court decisions made in relation to due care. Due care legal standards help organizations understand what is expected of a “prudent person” in the industry, and how that person might behave.

For example, suppose a regulation says that paper documents containing personal information must be shredded effectively, and a court decision rules specifically that due care in complying with that shredding regulation means shredding to 5/16th of an inch rather than using a punch-tear method or any other method. The business should then adhere to the 5/16th legal standard.

Industry mandates/standards – industry standards have no inherent legal force, but they can be useful in court decisions for demonstrating due diligence. If, for example, a company is facing criminal charges for misuse of information, that company can demonstrate due diligence by showing that it was adhering to an industry standard.

Regulatory standards – these are requirements created by government bodies, overseen by regulators (typically the government body that established the regulation), and enforced with punitive measures, typically fines, court orders, or imprisonment. They usually have the word “Act” or “Law” in their name. Examples include:

  • Privacy Act
  • Sarbanes-Oxley Act
  • Health Insurance Portability and Accountability Act
  • Gramm-Leach-Bliley Act
  • Federal Information Security Management Act