# Legal

# Glossary

Determines the legal standing of a case or issue.

The existing set of rulings and decisions made by courts, informed by cultural mores and legislation. These create precedents, which each party will cite in court as a means to sway the court to their own side of a case.

Often used to prove liability.

A company practices due care by developing (taking action) security policies, procedures, and standards. Due care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees from possible risks.

Due care is the duty owed by one entity to another, in terms of a reasonable expectation.

Due care is the minimal level of effort necessary to perform your duty to others; in cloud security, that is often the care that the cloud customer is required to demonstrate in order to protect the data it owns.

The lack of due care is often considered negligence.

Due diligence is the act of investigating and understanding the risks the company faces.

Due diligence is the legal concept that describes the actions and processes a cloud customer uses to ensure that a reasonable level of protection is applied to the data in their control.

Due diligence requires that an organization continually scrutinize their own practices to ensure they are always meeting or exceeding requirements for protection of assets and stakeholders.

Due diligence is any activity taken in support or furtherance of due care.

This usually determines the ability of a national court to decide a case or enforce a judgment or order.

The measure of responsibility an entity has for providing due care. An organization can share risk, but it cannot share liability.

Based on a judge's discretion, can we demonstrate we've acted responsibly as a prudent person would? What type of action would a prudent person exercise in a particular situation?

The term used to describe the destruction of potential evidence (intentionally or otherwise); in various jurisdictions, it can be a crime, or the grounds for another lawsuit.

# Legal Foundations

Under current laws, no cloud customer can transfer risk or liability associated with the inadvertent or malicious disclosure of personally identifiable information (PII). Your organization is ultimately responsible for any breaches or releases of data, even if you are using a cloud service and the breach/release results from negligence or attack on the part of the cloud provider. Legally and financially, in the eyes of the court, your organization is always responsible for any unplanned release of PII.

# Privacy Law

Privacy can be defined as the right of an individual to determine when, how, and to what extent they will release personal information. Privacy law also typically includes language indicating that personal information must be destroyed when its retention is no longer required.

# Criminal Law

Criminal law involves all legal matters where the government is in conflict with any person, group, or organization that violates statutes.

Statutes are rules that define conduct prohibited by the government and are designed to provide for the safety and well-being of the public. Statutes are legislated by lawmakers.

Enforcement of criminal law is called prosecution. Only the government can conduct law enforcement activity and prosecutions.

The burden of proof for criminal law is beyond a reasonable doubt.

Examples of criminal laws include traffic laws and the laws against robbery, theft, and murder. Each has its own related set of consequences.

# State Laws

State law typically refers to the law of each U.S. state, each with its own state constitution, state government, and state courts.

Typically, federal laws supersede state laws; however, the general rule is that the most stringent of the laws apply to any situation unless there are other compelling reasons.

Examples of state laws include speed limits, tax laws, the criminal code, etc.

Examples of federal laws include those against kidnapping and bank robbery.

# Civil Law

Civil law is the body of laws, statutes, and so on that deals with personal and community-based law such as marriage and divorce. It is the set of rules that govern private citizens and their disputes.

As opposed to criminal law, the parties involved in civil law matters are strictly private entities, including individuals, groups, and organizations.

Burden of proof is typically a preponderance of evidence. A preponderance of evidence means that an entity that has a simple majority of fault (51 percent or more) is responsible for the full weight of a breach.

# Contracts

A contract is an agreement between parties to engage in some specified activity, usually for mutual benefit.

A failure to perform according to the activity specified in the contract is known as a breach. In the event of a breach, a party to the contract can sue.

Examples of contractual items to which contract law applies include:

  • Service-level agreements (SLAs)
  • Privacy-level agreements (PLAs)
  • Operational-level agreements (OLAs)
  • Payment Card Industry Data Security Standards (PCI DSS) contracts

# Tort Law

Tort law refers to the body of rights, obligations, and remedies that set out reliefs for persons who have been harmed as a result of wrongful acts by others. Tort actions are not dependent on an agreement between the parties to a lawsuit.

Tort law and case precedent are what guide the courts in handling these civil cases, in which relief of some sort is sought.

Tort law serves four objectives:

  • It seeks to compensate victims for injuries suffered by the culpable action or inaction of others.
  • It seeks to shift the cost of such injuries to the person or persons who are legally responsible for inflicting them.
  • It seeks to discourage injurious, careless, and risky behavior in the future.
  • It seeks to vindicate legal rights and interests that have been compromised, diminished, or emasculated.

# Administrative Law

Administrative law consists of rules created not by legislatures but by executive decision and function. Many federal agencies can create, monitor, and enforce their own administrative law.

# International Law

International law deals with the rules that govern interactions between countries. International law is based on the premise that all nations are sovereign and equal. The value and authority of these laws depend upon the participation of nations in their design, observance, and enforcement.

International laws determine how to settle disputes and manage relationships between countries. These include the following:

  • Conventions establishing rules expressly recognized by member countries
  • Customs, which are practices in a country that are accepted as law
  • General principles of law recognized by civilized nations
  • Judicial decisions or precedent as it has developed over time in a particular instance
  • Trade regulations, including import agreements, tariff structures, and so forth
  • Treaties, which can be created to solve a dispute or to create alliances

# Legal Concepts

Allows law enforcement entities to use material presented voluntarily by the owner as evidence in the prosecution of crimes, without a warrant or a court order.

Allows law enforcement to act on probable cause when evidence of a crime is within their presence.

# Intellectual Property

Intellectual property describes creations of the mind. Intellectual property rights give the individual who created an idea an exclusive right to that idea for a defined period of time.

Copyright is the legal protection for expressions of ideas. In the United States, copyright is granted to anyone who first creates an expression of an idea. Usually, this involves literary works, films, music, software, and artistic works.

In the United States, copyrights last for either 70 years after the author's death, or 120 years after the first publication of a work for hire.

There is a family of exceptions to copyright exclusivity. Limitations to copyrights include:

  • First sale: selling a purchased book at a yard sale.
  • Fair use: copies of songs can be made within reason (not well defined).

It is not mandatory to register works in order to own them. The U.S. Copyright Office allows copyright holders to register their works as a means of securing proof of ownership.

Trademark protection is for intellectual property used to immediately identify a brand. It is intended to be applied to specific words and graphics.

In order to have a trademark protected by law, it must be registered within a jurisdiction. Commonly, that is the U.S. Patent and Trademark Office (USPTO), the federal entity for registering trademarks. Trademarks registered with the USPTO can use the (R) symbol to signify registration. States also offer trademark registration, and trademarks registered with state offices often use the TM symbol.

Trademarks last for as long as the property they protect is still being used commercially.

Patents protect formulas, processes, materials, decorations, patterns, inventions, and plants. This includes cryptographic algorithms.

Patents last for 20 years from the date the application was submitted, with a few exceptions.

The Patent Cooperation Treaty (PCT) has been adopted by over 130 countries to provide international protection of patents.

Trade secrets are intellectual property that involve processes, formulas, commercial methods, and so forth. Trade secrets are acknowledged as the ownership of private business material.

Protections exist for trade secrets upon creation, without any additional requirement for registration.

Intellectual property retains trade secret protection for as long as the business continues efforts to use it in commercial enterprise and maintains efforts to prevent its disclosure.

For all intellectual property disputes, it is often up to the owners to enforce these rights. In the United States, the USPTO handles patents. Globally, the World Intellectual Property Organization (WIPO) handles patents.

# Doctrine of the Proper Law

The Doctrine of the Proper Law is a term used to describe the processes associated with determining which legal jurisdiction will hear a dispute when one occurs.

# Restatement (Second) Conflict of Law

The Restatement (Second) Conflict of Law refers to a collation of developments in common law (that is, judge-made law, not legislation) that helps the courts keep up with changes. Many states have conflicting laws, and judges use these restatements to assist them in determining which laws should apply when conflicts occur. The conflicting legal rules may come from federal law, state law, or the laws of other countries. The factors relevant to the choice of the applicable rule of law are weighed, and whichever state's laws fit the situation best or are the most restrictive ultimately influence the decision.

  • A restatement is a collation of developments in the common law that informs the judicial system of updates.
  • Conflict of laws relates to a difference/variance between the laws.

# Differentiators

# Laws

Laws are legal rules that are created by government entities such as a congress or parliament.

Failure to properly follow laws can result in punitive procedures that can include fines and imprisonment.

# Regulations

Regulations are rules that are created by either other departments of government or external entities empowered by government.

Regulators are entities that ensure organizations are in compliance with the regulatory framework for which they are responsible. These can be government agencies, certification bodies, or parties to a contract (FTC, SEC, etc.).

The burden of proof for regulations is "more likely than not."

# Standards

Standards are created by other, nongovernmental organizations that provide frameworks and guidelines for businesses to follow. These are generally embraced by industries to provide a recognized, respectable standard for responsible, professional behavior.

# Contracts and Frameworks

Contracts do not derive authority from the government. For instance, Payment Card Industry (PCI) compliance is wholly voluntary (a contractual standard), but is also a regulated requirement for those who choose to participate in credit card processing. Those participants agree to submit to PCI regulation, including audits and controls. It's not a law, but it is a regulatory framework, complete with regulators.

# Clarification

# United States

In the United States, there is no single federal law governing data protection. The FTC and other associated U.S. regulators hold that the applicable U.S. laws and regulations apply to data after it leaves its jurisdiction, and U.S. regulated entities remain liable for the following:

  • Data exported out of the United States
  • Processing of data overseas by subcontractors
  • Subcontractors using the same protections for the regulated data when it leaves the country


Regulations have binding legal force throughout every Member State and enter into force on a set date in all the Member States. A regulation mandates that all Member States comply with it.

Directives lay down certain results that must be achieved but each Member State is free to decide how to transpose directives into national laws.

A directive allows Member States to create their own laws; every member country may create its own law that is compliant with the directive.

Decisions are laws relating to specific cases and directed to one or several Member States, companies, or private individuals. They are binding upon those to whom they are directed.