Statutory vs Regulatory vs Contractual Compliance
Compliance terms are often misused, even by professionals within the cybersecurity and privacy industries. Words have specific meanings, and non-compliance can lead to significant consequences. Cybersecurity, IT, and privacy professionals frequently use the terms "law" and "regulation" interchangeably, though these terms have distinct meanings that must be understood.
ComplianceForge compiled the information on this page to ensure everyone is on the same page, as understanding the nuances of compliance terminology is crucial for managing cybersecurity and privacy risks effectively.
Why Should You Care: Prioritizing Controls & Risk Management
Understanding the "hierarchy of pain" in compliance helps in making well-informed risk decisions that influence technology purchases, resource allocation, and management involvement. Cybersecurity and IT professionals benefit from understanding the compliance landscape, since it lets them present non-compliance issues in a compelling business context and secure the necessary resources.
Beyond correct terminology usage, understanding the three types of compliance is vital for managing cybersecurity and privacy risks. Penalties for non-compliance can include:
Jail time
Fines
Lawsuits
Loss of contracts (breach of contract)
An unpleasant combination of the above
Statutory, Regulatory, and Contractual Obligations Define "Must Have" vs "Nice To Have" Requirements
In discussions about cybersecurity and privacy requirements, "must" is often used as an absolute because an applicable law, regulation, or contract clause compels the control to exist. It is essential to distinguish "compliant" from "secure" in order to have coherent risk management discussions. Organizations should categorize controls into "must have" vs "nice to have" requirements:
Minimum Compliance Requirements (MCR): The absolute minimum requirements to comply with applicable laws, regulations, and contracts.
Discretionary Security Requirements (DSR): Additional controls based on the organization’s risk appetite, often addressing voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments.
Secure and compliant operations exist when both MCR and DSR are implemented and properly governed:
MCR are primarily externally influenced, based on industry, government, state, and local regulations. Because MCR are compliance-driven, meeting them does not by itself imply adequate security practices or data protection.
DSR are primarily internally influenced, based on the organization's industry and risk tolerance. While MCR establish the foundational floor, DSR often lead to improved efficiency, automation, and enhanced security.
Statutory Cybersecurity & Privacy Requirements
Statutory obligations are mandated by law and refer to current laws passed by a state or federal government. Examples of statutory compliance requirements in cybersecurity and privacy include:
US Federal Laws:
Children’s Online Privacy Protection Act (COPPA)
Fair and Accurate Credit Transactions Act (FACTA) - including "Red Flags" rule
Family Educational Rights and Privacy Act (FERPA)
Federal Information Security Management Act (FISMA)
Federal Trade Commission (FTC) Act
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act (SOX)
US State Laws:
California SB 1386
Massachusetts 201 CMR 17.00
Oregon ORS 646A.622
International Laws:
Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
UK - Data Protection Act (DPA)
Other countries' variations of Personal Data Protection Acts (PDPA)
Regulatory Cybersecurity & Privacy Requirements
Regulatory obligations are required by law but differ from statutory requirements in that they refer to rules issued by a regulating body appointed by a state or federal government. Regulatory requirements tend to change more often than statutory requirements. Examples of regulatory compliance requirements include:
US Regulatory Requirements:
Defense Federal Acquisition Regulation Supplement (DFARS)
Cybersecurity Maturity Model Certification (CMMC)
Federal Acquisition Regulation (FAR)
Federal Risk and Authorization Management Program (FedRAMP)
DoD Information Assurance Risk Management Framework (DIARMF)
National Industrial Security Program Operating Manual (NISPOM)
Financial Industry Regulatory Authority (FINRA)
New York Department of Financial Services (NY DFS) 23 NYCRR 500
International Regulatory Requirements:
European Union General Data Protection Regulation (EU GDPR)
Contractual Cybersecurity & Privacy Requirements
Contractual obligations are required by legal contracts between private parties. These may include a cybersecurity or privacy addendum in a vendor contract that specifies unique requirements or broader requirements from an industry association. Examples of contractual compliance requirements include:
Payment Card Industry Data Security Standard (PCI DSS)
ISO 27001 certification
Service Organization Control (SOC) audits
Generally Accepted Privacy Principles (GAPP)
Center for Internet Security (CIS) Critical Security Controls (CSC)
Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)