Question
Chapter 1 of the textbook discussed legal issues associated with information systems, security, and privacy. It discussed cybersecurity laws such as the Computer Security Act of 1987 which require implementation of certain security measures and privacy laws such as HIPAA which require the protection of sensitive information. In other words, there are some laws that require specific means (e.g., the implementation of certain controls) to be in compliance, and others that require specific outcomes (e.g., the protection of specific types of information) to be in compliance.
In relation to these legal requirements, please discuss the following:
1. Do you believe that it is more difficult for businesses to comply with laws that require the implementation of specific controls or those that require the protection of specific types of information? Why?
2. Would you, as a business leader/owner, be more motivated to spend money on information security because of a 5% chance that a private party would bring a $10 million lawsuit or because of a 50% chance that a regulatory agency that directly oversees your industry would issue a $10,000 fine for noncompliance? Why?
3. Besides financial consequences, what other risks could your business face as a result of non-compliance with cybersecurity and privacy laws applicable to your industry?