Domain 1: Security and Risk Management Module 4 of 84

Legal, Regulatory, and Compliance

CISSP Domain 1 — Security and Risk Management A — Governance and Legal 8–10 minutes

What the Exam Is Really Testing

Your company just expanded into the EU. Marketing launched a campaign collecting email addresses across 12 countries. Nobody consulted legal. Nobody reviewed data flows. And now someone in compliance is reading Article 83 of the GDPR and trying not to panic.

This is the scenario CISSP builds toward.

The exam does not expect you to memorize every statute. It expects you to know which category of law applies, which type of protection covers a given asset, and how jurisdictional differences change your obligations. The questions test pattern recognition across legal frameworks — not legal expertise itself.


Categories of Cyberlaw

Four categories show up repeatedly:

Criminal law — Offenses against society. Prosecution by the state. Penalties include fines and imprisonment. The Computer Fraud and Abuse Act (CFAA) in the United States is the most tested example. The standard of proof is beyond a reasonable doubt.

Civil law — Disputes between parties. The injured party sues for damages. Breach of contract, negligence, and tort claims fall here. The standard of proof is preponderance of the evidence — more likely than not.

Administrative/regulatory law — Rules created by government agencies under authority granted by legislation. HIPAA regulations enforced by HHS, FTC enforcement actions, and SEC cybersecurity disclosure rules are all administrative. Penalties typically include fines and mandatory corrective actions.

Regulatory compliance — Industry-specific mandates such as PCI DSS (payment cards), SOX (financial reporting), and GLBA (financial institutions). These are not all the same kind of obligation: SOX and GLBA are federal statutes enforced by regulators, while PCI DSS is a contractual standard imposed by the card brands. In every case, failure to comply triggers consequences, whether regulatory fines or contractual penalties.

The exam tests whether you can classify a scenario into the correct category. If a government agency issues a fine for noncompliance with its own rules, that is administrative law. If a hacker is prosecuted, that is criminal law. If a customer sues for a data breach, that is civil law.


Intellectual Property

Four protections, each covering different assets:

Copyright — Protects original expression. Software code, documentation, website content, and databases (as compilations: the selection and arrangement, not the underlying facts). Automatic upon creation in most jurisdictions. In the US, registration is required before suing over a US work and unlocks statutory damages. Duration: life of the author plus 70 years; for works made for hire, 95 years from publication or 120 years from creation, whichever expires first. Does not protect ideas — only the expression of ideas.

Trademark — Protects brand identifiers. Names, logos, slogans, and trade dress. Must be distinctive and used in commerce. Registration is not required but provides stronger protection. Duration: indefinite, as long as the mark remains in use.

Trade secret — Protects confidential business information that derives value from secrecy. Formulas, algorithms, customer lists, and processes. No registration — protection depends on the owner taking reasonable measures to maintain secrecy. Once the information becomes public, protection is lost (disclosure under an NDA does not destroy it; misappropriation does not destroy it either, but it does create a claim). The Defend Trade Secrets Act (DTSA) provides federal civil remedies in the US.

Patent — Protects inventions and novel processes. Requires formal application and examination. Duration: 20 years from filing date for utility patents. The trade-off is public disclosure in exchange for temporary exclusivity. Software patents remain contested territory in many jurisdictions.

Exam pattern: if the question describes something kept secret internally, think trade secret. If it describes original written or coded work, think copyright. If it describes a brand identifier, think trademark. If it describes a novel invention filed with a government office, think patent.


Privacy Laws and Regulations

Privacy regulations differ by jurisdiction, and the CISSP expects you to understand the distinctions.

GDPR (EU) — Applies to any organization processing data of EU residents, regardless of where the organization is located. Key principles: lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. Grants data subjects rights including access, rectification, erasure (right to be forgotten), portability, and objection. Requires a Data Protection Officer (DPO) in many cases. Maximum penalty: 4% of annual global turnover or 20 million euros, whichever is greater.

HIPAA (US) — Protects Protected Health Information (PHI). Applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates. The Privacy Rule governs use and disclosure. The Security Rule mandates administrative, physical, and technical safeguards. The Breach Notification Rule requires notification of affected individuals without unreasonable delay and no later than 60 days from discovery of the breach.

CCPA/CPRA (California) — Grants California consumers rights to know, delete, and opt out of the sale of personal information. CPRA expanded this with a right to correct, restrictions on sensitive personal information, and the California Privacy Protection Agency for enforcement.

PIPEDA (Canada) — Governs how private-sector organizations collect, use, and disclose personal information in commercial activities. Based on ten fair information principles including consent, purpose limitation, and accountability.

The exam tests jurisdiction awareness. If a scenario involves EU residents, GDPR applies regardless of where the company is headquartered. If it involves patient health records in the US, HIPAA applies.


Import/Export Controls and Transborder Data Flow

Encryption and security technologies are treated as controlled items in international trade:

EAR (Export Administration Regulations) — Administered by the US Bureau of Industry and Security. Covers dual-use items including encryption software and hardware. Most commercial encryption is exported under a license exception (such as License Exception ENC) or after a classification review rather than an individual license, but the exporter still has to classify the item and meet the exception's conditions.

ITAR (International Traffic in Arms Regulations) — Administered by the US State Department. Covers defense articles and services listed on the US Munitions List, including weapons systems and cryptographic equipment specially designed for military use. Violations carry severe criminal penalties.

Wassenaar Arrangement — A multilateral export control regime with 42 participating states. Establishes common standards for controlling exports of conventional arms and dual-use goods, including intrusion software and cryptographic technology.

Transborder data flow — The movement of personal data across national borders. GDPR restricts transfers to countries without adequate data protection. Mechanisms for lawful transfer include:

  • Adequacy decisions (the European Commission determines the destination country provides adequate protection)
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs) for intra-group transfers
  • EU-US Data Privacy Framework (DPF) — the successor to Privacy Shield, which replaced Safe Harbor

The history matters for the exam: Safe Harbor was invalidated by the Schrems I decision. Privacy Shield was invalidated by Schrems II. The Data Privacy Framework is the current mechanism, but the pattern of legal challenge continues.


Contractual and Compliance Obligations

Beyond statutory law, organizations face obligations from contracts, industry standards, and professional requirements:

  • Service Level Agreements (SLAs) defining security performance requirements
  • Data Processing Agreements (DPAs) required by GDPR when using third-party processors
  • Right-to-audit clauses allowing customers or regulators to inspect controls
  • Industry frameworks like PCI DSS, which are contractual through card brand agreements even though they feel regulatory

For the CISSP, the distinction matters: PCI DSS is not a law. It is a contractual obligation enforced through the payment card ecosystem. Violating it does not result in criminal prosecution — it results in fines from acquirers and potential loss of card processing privileges.


Pattern Recognition

When a legal or compliance question appears:

  1. Identify the jurisdiction — where are the data subjects located?
  2. Identify the data type — health, financial, personal, classified?
  3. Identify the obligation type — statutory, regulatory, or contractual?
  4. Match the protection type — which law or framework applies?
  5. Consider cross-border implications — does data cross jurisdictional boundaries?

If the question mentions EU residents, start with GDPR. If it mentions patient records, start with HIPAA. If it mentions exporting encryption, think EAR or ITAR. If it mentions a vendor contract, look for contractual obligations first.


Trap Patterns

  • Confusing criminal and civil standards of proof — Beyond a reasonable doubt is criminal. Preponderance of the evidence is civil. The exam uses these phrases deliberately.
  • Treating PCI DSS as a law — It is a contractual obligation, not legislation. Noncompliance creates contractual liability, not criminal.
  • Assuming US law applies everywhere — GDPR applies to organizations worldwide when they process EU resident data. PIPEDA applies to commercial activities in Canada regardless of where the company is based.
  • Confusing copyright and trade secret — Copyright protects the expression of the work whether it is published or not; trade secret protects only information that is actually kept secret. Published source code can only be a copyright question. A proprietary algorithm kept under access controls is a trade secret question, even if the code that implements it is also copyrighted.
  • Forgetting that Safe Harbor and Privacy Shield are dead — The current EU-US mechanism is the Data Privacy Framework. Questions that reference these older frameworks are testing whether you know the timeline.

Scenario Practice


Question 1

A US-based SaaS company discovers it has been collecting personal data from EU residents without a lawful transfer mechanism. The company has no EU presence.

What is the MOST significant regulatory exposure?

A. HIPAA violation for processing health data without authorization
B. GDPR violation for transferring EU personal data without adequate safeguards
C. CCPA violation for collecting California consumer data
D. SOX noncompliance for inadequate data governance controls

Answer & reasoning

Correct: B

GDPR applies to any organization processing EU resident data, regardless of where the organization is located. The absence of a lawful transfer mechanism (adequacy decision, SCCs, BCRs, or DPF) creates direct GDPR exposure.

HIPAA applies only to covered entities and business associates handling PHI. Nothing in the scenario indicates health data. CCPA applies to California residents specifically. SOX addresses financial reporting controls.


Question 2

A software company discovers a competitor has independently developed a nearly identical algorithm. The company never filed a patent but has maintained strict internal access controls over the algorithm.

What intellectual property protection, if any, is available?

A. Copyright, because the algorithm was original work
B. Patent, because algorithms are automatically protected
C. Trade secret, as long as the company maintained reasonable secrecy measures
D. No protection, because independent development defeats all IP claims

Answer & reasoning

Correct: C

Trade secret protection does not prevent independent discovery. However, it remains valid as long as the owner maintained reasonable measures to protect secrecy. The competitor's independent development is lawful, but if they obtained the algorithm through misappropriation (theft, breach of NDA), trade secret remedies would apply.

Copyright protects expression, not algorithms. Patents require formal application. Independent development is a valid defense against trade secret claims but does not eliminate the original protection.


Question 3

An organization subject to HIPAA experiences a breach affecting 600 patient records. The breach is confirmed on March 1.

What is the organization's notification obligation?

A. Notify affected individuals within 30 days and HHS within 60 days
B. Notify affected individuals within 60 days; HHS notification can wait until the annual report
C. Notify affected individuals without unreasonable delay, no later than 60 days; notify HHS based on breach size
D. Notify HHS immediately and wait for guidance before contacting individuals

Answer & reasoning

Correct: C

The HIPAA Breach Notification Rule requires notification to affected individuals without unreasonable delay, and no later than 60 calendar days from discovery. For breaches affecting fewer than 500 individuals, HHS notification can be submitted annually, within 60 days of the end of the calendar year in which the breach was discovered. For 500 or more, HHS must be notified within the same 60-day window as individuals, and prominent media outlets must be notified if more than 500 residents of a single state or jurisdiction are affected.

At 600 records, both individual and HHS notification are required within 60 days, plus media notification.


Key Takeaway

The CISSP does not test whether you can recite statutes. It tests whether you can identify which law applies to a given scenario, understand jurisdictional reach, and recognize the differences between criminal, civil, and regulatory consequences.

When you see a legal question, ask three things:

  1. Where are the affected people?
  2. What type of data is involved?
  3. Is the obligation statutory, regulatory, or contractual?

Get those three right, and the correct answer usually follows.
