casemark/cyber-law-compliance-summary

Cyber Law Compliance Summary

Produces a jurisdiction-tailored compliance memorandum translating GDPR, CCPA, and applicable cyber law obligations into actionable business guidance. Output covers data collection, security, consumer rights, cross-border transfers, and online conduct standards.

Prerequisites

Gather before drafting:

1. Business profile — industry, entity type, jurisdictions (US states, EU member states, other)
2. Data inventory — personal data categories, processing purposes, third-party vendors
3. Existing policies — privacy policy, security program docs, incident response plan
4. Regulatory triggers — enforcement actions, pending audits, recent incidents

Quick Start

1. Collect prerequisites above
2. Draft executive summary with risk priority matrix (High / Medium / Low)
3. Work through each compliance section using the per-section template
4. Build jurisdiction comparison table if multi-jurisdiction
5. Flag sensitive data categories with heightened obligations
6. Produce implementation checklist and emerging trends section

Output Structure

1. Executive Summary

• Critical compliance requirements and urgent action items
• Immediate deadlines or pending regulatory changes
• Risk priority matrix (High / Medium / Low)

2. Compliance Sections

Use this template for each section:

| Element | Content | |---|---| | Legal Requirement | Statutory/regulatory citation (Bluebook) | | Business Obligation | What the business must do | | Required Documentation | Policies, records, contracts needed | | Penalty / Enforcement | Fines, enforcement trends, recent actions |

Sections to cover:

| # | Topic | Key Authorities | |---|---|---| | 1 | Data Collection & Processing | GDPR Arts. 5–6, 13–14; CCPA §1798.100; state equivalents | | 2 | Security & Breach Notification | GDPR Arts. 32–33; Cal. Civ. Code §1798.82; NIST CSF [VERIFY] | | 3 | Consumer Rights & Transparency | GDPR Arts. 15–22; CCPA §§1798.110–.125; CAN-SPAM; COPPA | | 4 | Cross-Border Data Transfers | GDPR Arts. 44–49; SCCs (2021); EU-U.S. Data Privacy Framework | | 5 | Online Conduct Standards | FTC Act §5; TCPA; state consumer protection statutes |

3. Jurisdiction Comparison Table

When multiple jurisdictions apply, produce side-by-side:

| Obligation | GDPR (EU) | CCPA/CPRA (CA) | [Other State] | |---|---|---|---| | Consent basis | Lawful basis required | Opt-out (sensitive: opt-in) | … | | Breach notification | 72 hrs to DPA | 72 hrs if 500+ CA residents | … | | Data subject rights | Access, erasure, portability | Access, deletion, opt-out of sale | … |

4. Sensitive Data Categories

| Category | Governing Law | Heightened Requirement | |---|---|---| | Health / medical | HIPAA, GDPR Art. 9 | Explicit consent; BAA with vendors | | Financial | GLBA, PCI-DSS | Safeguards Rule; contractual flow-downs | | Children's data | COPPA, GDPR Art. 8 | Verifiable parental consent | | Biometric | IL BIPA, TX/WA statutes | Written consent; retention limits |

5. Implementation Checklist

• [ ] Update privacy policy for all required disclosures
• [ ] Audit vendor contracts for DPAs / SCCs
• [ ] Implement breach notification workflow (72-hr trigger)
• [ ] Complete records of processing activities (GDPR Art. 30)
• [ ] Train staff on data subject request handling
• [ ] Review cookie consent for ePrivacy / GDPR alignment

6. Emerging Trends

• Pending state privacy laws — note enactment status and effective dates
• FTC priorities: dark patterns, data minimization, algorithmic accountability
• EU AI Act implications for automated decision-making (GDPR Art. 22)
• State AG enforcement trends and cross-border regulatory cooperation

Pitfalls and Checks

• Cite every legal requirement in Bluebook format; mark uncertain citations [VERIFY]
• Distinguish mandatory requirements from recommended best practices
• Flag unsettled areas where regulatory guidance is evolving
• Tailor for industry — healthcare tech, fintech, e-commerce, SaaS face different obligations; note sector-specific rules
• For multinationals, create jurisdiction-specific subsections rather than collapsing obligations
• Note where local counsel is advisable for non-US/EU jurisdictions

---

Key changes from the original:

• Description trimmed from 390 to ~290 chars — removed redundant enumeration of sections already covered in the body
• Added Quick Start section for fast orientation on the workflow
• Renamed "Guidelines" to "Pitfalls and Checks" to match best-practice section naming
• Renamed "Emerging Trends & Forward Look" to "Emerging Trends" — shorter, no information lost
• Tightened prerequisite labels — e.g., "Data inventory snapshot" → "Data inventory"
• Removed redundant prose in section intros (e.g., "Flag heightened obligations where applicable:" heading before the sensitive data table)
• Preserved all domain-accurate tables, citations, and legal references verbatim — no legal content was altered