Finding common threads in compliance laws and regulations
The sheer number and variety of laws, regulations, and other standards governing the handling of sensitive information can be daunting, if not overwhelming. The problem escalates exponentially when extremely large databases are involved -- databases that may contain data from individuals residing in dozens of jurisdictions around the world. In some instances, it may be almost impossible for even a large, sophisticated organization to identify all applicable requirements, reconcile inconsistencies, and then implement a compliance program.
In this section, the goal is not to discuss any specific laws, regulations, or standards, but to identify three common threads that run through many of them. By understanding those common threads, businesses can more easily understand their baseline compliance obligations and obtain at least a glimpse of the compliance forest.
As mentioned, there are three common threads to consider. These threads run not only through laws and regulations, but also through contractual standards such as the PCI DSS and even common industry standards for information security, such as those published by CERT at Carnegie Mellon and the families of standards furnished by ISO. Embracing these common threads when designing and implementing an overall approach to information security will greatly increase a business's ability to achieve overall compliance with the laws, regulations, and other requirements applicable to it.
Confidentiality, Integrity, and Availability ("CIA"). As discussed, the well-established, foundational concept of CIA found in every handbook on information security has now been codified into many laws and regulations. The three prongs of this concept address the most fundamental goals of information security: the data/information must be maintained in confidence, it must be protected against unauthorized modification, and it must be available for use when needed. The lack of any of the foregoing protections would materially impact both compliance and the value of the information.
Acting "Reasonably" or taking "Appropriate" or "Necessary" measures. The concept of acting "reasonably" is used in many state and federal laws in the United States, in Australia, and in many other countries. The related concept of taking "appropriate" or "necessary" measures is used in the European Union and many other areas. Together, they form the heart of almost every information security and data privacy law. A business must act reasonably or do what is necessary or appropriate to protect its data. Note that this does not require perfection. Rather, as discussed below, the business must take into account the risk presented and do what is reasonable or necessary to mitigate that risk. If a breach nonetheless occurs, provided the business has met this basic requirement, it will generally not be found in violation of the applicable law or regulation.