Statutory vs Regulatory vs Contractual Compliance

Compliance terms are pretty badly abused, even by professionals within the cybersecurity and privacy industries. Words have meaning and non-compliance can have negative ramifications. Cybersecurity, IT and privacy professionals routinely abuse the terms “law” and “regulation” as if they are synonymous, but those terms have unique meanings that need to be understood.

ComplianceForge compiled the information on this page to help get everyone on the same sheet of music, since words do have meanings and it is important to understand the risks associated with cybersecurity and privacy requirements, since not all compliance obligations have the same weight.

Why Should You Care: Prioritizing Controls & Risk Management

Understanding the “hierarchy of pain” with compliance leads to well-informed risk decisions that influence technology purchases, staffing resources and management involvement. That is why it serves both cybersecurity and IT professionals well to understand the compliance landscape for their benefit, since you can present issues of non-compliance in a compelling business context to get the resources you need to do your job.

Beyond just using terminology properly, understanding which of the three types of compliance is crucial in managing both cybersecurity and privacy risk within an organization. The difference between non-compliance penalties can be as stark as:

• Going to jail;
• Getting fined;
• Getting sued;
• Losing a contract (breach of contract); or
• An unpleasant combination of the previous options.

Statutory, Regulatory and Contractual Obligations Define "Must Have" vs "Nice To Have" Requirements

When discussing cybersecurity and privacy requirements, the term "must" is often thrown around as an absolute. This is most often due to an applicable law, regulation or contract clause that is compelling the control to exist.

Secure and compliant operations exist when both MCR and DSR are implemented and properly governed :

• MCR are primarily externally-influenced, based on industry, government, state and local regulations. MCR should never imply adequacy for secure practices and data protection, since they are merely compliance-related.
• DSR are primarily internally-influenced, based on the organization’s respective industry and risk tolerance. While MCR establish the foundational floor that must be adhered to, DSR are where organizations often achieve improved efficiency, automation and enhanced security.

Statutory Cybersecurity & Privacy Requirements

Statutory obligations are required by law and refer to current laws that were passed by a state or federal government. From a cybersecurity and privacy perspective, statutory compliance requirements include:

US - Federal Laws

• Children's Online Privacy Protection Act (COPPA)
• Fair and Accurate Credit Transactions Act (FACTA) - including "Red Flags" rule
• Family Education Rights and Privacy Act (FERPA)
• Federal Information Security Management Act (FISMA)
• Federal Trade Commission (FTC) Act
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act (SOX)

US - State Laws

• California SB 1386
• Massachusetts 201 CMR 17.00
• Oregon ORS 646A.622

International Laws

• Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
• UK - Data Protection Act (DPA)
• Other countries' variations of Personal Data Protect Acts (PDPA)

Regulatory Cybersecurity & Privacy Requirements

Regulatory obligations are required by law, but are different from statutory requirements in that these requirements refer to rules issued by a regulating body that is appointed by a state or federal government. These are legal requirements through proxy, where the regulating body is the source of the requirement. It is important to keep in mind that regulatory requirements tend to change more often than statutory requirements. From a cybersecurity and privacy perspective, regulatory compliance examples include:

US Regulatory Requirements

• Defense Federal Acquisition Regulation Supplement (DFARS)
• Cybersecurity Maturity Model Certification (CMMC)
• Federal Acquisition Regulation (FAR)
• Federal Risk and Authorization Management Program (FedRAMP)
• DoD Information Assurance Risk Management Framework (DIARMF)
• National Industrial Security Program Operating Manual (NISPOM)
• Financial Industry Regulatory Authority (FINRA)
• New York Department of Financial Services (NY DFS) 23 NYCRR 500

International Regulatory Requirements

• European Union General Data Protection Regulation (EU GDPR)

Contractual Cybersecurity & Privacy Requirements

Contractual obligations are required by legal contract between private parties . This may be as simple as a cybersecurity or privacy addendum in a vendor contract that calls out unique requirements. It also includes broader requirements from an industry association that membership brings certain obligations. From a cybersecurity and privacy perspective, common contractual compliance requirements include:

• Payment Card Industry Data Security Standard (PCI DSS)
• ISO 27001 certification
• Service Organization Control (SOC) audits
• Generally Accepted Privacy Principles (GAPP)
• Center for Internet Security (CIS) Critical Security Controls (CSC)
• Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Questions? Please contact us for clarification so that we can help you find the right solution for your cybersecurity and privacy compliance needs.

Browse Our Products

Digital Security Program (DSP) - SCF Policy Template

Secure Controls Framework (SCF) Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about.

Learn More About Cybersecurity & Data Privacy

NIST 800-171 R2 to R3 Transition Guide

NIST 800-171 R3 Kill Chain

NIST 800-171 R3 In A Nutshell

NIST 800-171 R3

VISIT OUR FAQS

Questions about our products?

CUSTOMER SERVICE

Our customer service is here to help you get answers quickly!

WHY CYBERSECURITY?

Find out the importance of these documents for your business.

BLOG

Read exclusive information about cybersecurity from Compliance Forge.

Footer Start

Navigation

Information

Veteran-Owned Small Business (VOSB) | DUNS: 080724402 | CAGE Code: 7XAZ4 | NAICS Codes: 541690, 541519, & 541611

© Compliance Forge, LLC (ComplianceForge). All Rights Reserved.

This website does not render professional services advice and is not a substitute for dedicated professional services. If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. Compliance Forge, LLC (ComplianceForge) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. ComplianceForge does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user.

ComplianceForge reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.