Characterizing, Classifying, and Understanding Information Security Laws and Regulations: Considerations for Policymakers and Organizations Protecting Sensitive Information Assets
- Author(s): Thaw, David Bernard
- Advisor(s): Mulligan, Deirdre K
- et al.
Current scholarly understanding of information security regulation in the United States is limited. Several competing mechanisms exist, many of which are untested in the courts and before state regulators, and new mechanisms are being proposed on a regular basis. Perhaps of even greater concern, the pace at which technology and threats change far outpaces the abilities of even the most sophisticated regulators.
My Ph.D. dissertation focuses on understanding these laws: how we can classify them, what effects they have, and what the implications of these effects are for organizations and professionals. I explore these concepts through a mixed-methods approach, using both qualitative semi-structured interviews and quantitative data on breach incidence. The qualitative interviews inform the development of my hypotheses in addition to providing a basis for empirical analysis. The quantitative data is limited, but promising both in its results and in its potential for future analysis.
In this dissertation, I report preliminary results on the effect of certain laws on information security practices. I develop a system for classifying information security regulation, and develop hypotheses as to the effect certain types of regulation have on organizations and information security professionals.
Two notable conclusions result. First, the combination of Security Breach Notification (SBN) laws and management-based "regulatory delegation" models together is better at preventing breaches of personal information by organizations in the United States than is either model alone. Second, compliance-oriented prescriptive legislation such as SBNs weakens the role of security professionals within organizations, while management-based regulatory delegation models such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Financial Modernization Act (GLBA) strengthen the role of professionals within organizations.