Driving innovation together with zero trust, data-centric security
Data security regulations define how organizations must protect sensitive information as it is created, accessed, shared, and stored. Across industries and regions, these regulations address a wide range of data types—from personal and financial information to intellectual property and controlled technical data—each with specific requirements for access control, protection, monitoring, and accountability.
This glossary provides clear, practical explanations of key data security–related regulations, helping readers understand their scope, intent, and relevance in today’s increasingly complex digital and regulatory landscape.
The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of rules that governs how the U.S. Department of Defense (DoD) acquires goods and services, supplementing the broader Federal Acquisition Regulation (FAR). It applies to all defense contractors, subcontractors, and suppliers—both in the United States and internationally—who handle DoD information systems, Controlled Unclassified Information (CUI), or perform work related to defense contracts. A key provision, DFARS Clause 252.204-7012, requires contractors to implement the cybersecurity controls outlined in NIST Special Publication (SP) 800-171, which defines standards for protecting CUI in non-federal systems. Additionally, compliance is increasingly verified through the Cybersecurity Maturity Model Certification (CMMC) framework, which establishes tiered levels of cybersecurity maturity that defense suppliers must meet to qualify for contracts. Together, these requirements ensure that sensitive defense information remains protected throughout the supply chain and across all tiers of DoD contractors.
The Export Administration Regulations (EAR) are a set of U.S. federal regulations administered by the Bureau of Industry and Security (BIS) under the U.S. Department of Commerce. They govern the export, re-export, and transfer of commercial and dual-use items—goods, software, and technology that have both civilian and military applications. The EAR applies to U.S. persons and organizations, as well as to foreign entities that handle U.S.-origin items or technology. Its scope extends globally, covering exports from the United States and re-exports from foreign countries of U.S.-controlled items, even when incorporated into foreign-made products. The regulations categorize items under the Commerce Control List (CCL), assigning Export Control Classification Numbers (ECCNs) that determine licensing requirements based on the item’s nature, destination, end use, and end user. Violations of the EAR can lead to severe civil and criminal penalties, including substantial fines, loss of export privileges, and imprisonment.
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union (EU) that took effect in May 2018. It governs how organizations collect, process, store, and share the personal data of individuals within the EU and European Economic Area (EEA), regardless of where the organization itself is located. This means that companies across industries, inside or outside Europe, that handle the personal data of EU residents must comply with the regulation. The GDPR gives individuals (data subjects) extensive rights over their data, including the right to access, correct, delete, and restrict processing. Noncompliance can lead to severe penalties: organizations can face fines of up to €20 million or 4% of annual global turnover, whichever is higher, along with reputational damage and legal liabilities.
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a U.S. federal law that requires financial institutions, including banks, insurance companies, and any company that offers financial products or services, to protect the confidentiality and security of consumers' personal financial information. GLBA applies to all entities operating within the United States that collect or maintain nonpublic personal information (NPI) about individuals for financial purposes. The law is structured around three key components: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions, which together mandate how organizations must disclose, protect, and monitor access to customer information. Violations of GLBA can result in significant civil and criminal penalties, including fines of up to $100,000 per violation for institutions and $10,000 for responsible officers, along with potential imprisonment for willful misconduct.
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996 to protect the privacy and security of individuals’ health information while ensuring the flow of healthcare data for high-quality care. It is regulated and enforced by the U.S. Department of Health and Human Services (HHS), specifically through its Office for Civil Rights (OCR). HIPAA applies to covered entities—including healthcare providers, health plans, and healthcare clearinghouses—as well as their business associates that handle protected health information (PHI) on their behalf. The law establishes national standards for safeguarding PHI in any form, and covers all entities that create, store, or transmit PHI. Violations can result in civil and criminal penalties, with fines reaching up to $1.5 million per year for repeated violations and potential imprisonment for willful neglect or misuse of patient information.
The International Traffic in Arms Regulations (ITAR) is a crucial framework governing the export and transfer of defense-related articles, services, and technical data. Managed by the U.S. Department of State, ITAR plays a pivotal role in safeguarding national security interests and preventing unauthorized dissemination of sensitive defense technologies and weaponry to foreign entities or individuals. Under ITAR, defense articles are categorized under the U.S. Munitions List (USML), encompassing a wide array of items vital for military or strategic purposes.
The Sarbanes-Oxley Act (SOX), enacted in 2002 by the U.S. Congress, is a federal law designed to protect investors by improving the accuracy and reliability of corporate financial reporting. It applies to publicly traded companies in the United States, as well as their subsidiaries, auditors, and executives, and also extends to certain foreign companies listed on U.S. stock exchanges. SOX establishes strict requirements for financial disclosure, internal controls, and corporate accountability, particularly under Sections 302 (executive responsibility for financial reports) and 404 (assessment of internal controls). It also created the Public Company Accounting Oversight Board (PCAOB) to oversee audit practices. Violations of SOX—such as falsifying financial statements, destroying records, or failing to maintain proper controls—can result in severe civil and criminal penalties, including fines, corporate delisting, and imprisonment of up to 20 years for executives found guilty of fraud or willful misconduct.