@ansvar/us-regulations-mcp 1.0.0 → 1.2.2
- package/README.md +422 -79
- package/data/regulations.db +0 -0
- package/data/seed/colorado-cpa.json +97 -0
- package/data/seed/ffiec.json +103 -0
- package/data/seed/mappings/ccpa-nist-csf.json +11 -1
- package/data/seed/mappings/hipaa-nist-800-53.json +10 -1
- package/data/seed/nydfs.json +122 -0
- package/data/seed/sox.json +109 -0
- package/dist/index.js +1 -1
- package/dist/ingest/adapters/colorado-public.d.ts +25 -0
- package/dist/ingest/adapters/colorado-public.d.ts.map +1 -0
- package/dist/ingest/adapters/colorado-public.js +76 -0
- package/dist/ingest/adapters/colorado-public.js.map +1 -0
- package/dist/ingest/adapters/connecticut-cga.d.ts +22 -0
- package/dist/ingest/adapters/connecticut-cga.d.ts.map +1 -0
- package/dist/ingest/adapters/connecticut-cga.js +116 -0
- package/dist/ingest/adapters/connecticut-cga.js.map +1 -0
- package/dist/ingest/adapters/ecfr.d.ts +46 -4
- package/dist/ingest/adapters/ecfr.d.ts.map +1 -1
- package/dist/ingest/adapters/ecfr.js +131 -16
- package/dist/ingest/adapters/ecfr.js.map +1 -1
- package/dist/ingest/adapters/ffiec.d.ts +42 -0
- package/dist/ingest/adapters/ffiec.d.ts.map +1 -0
- package/dist/ingest/adapters/ffiec.js +68 -0
- package/dist/ingest/adapters/ffiec.js.map +1 -0
- package/dist/ingest/adapters/nydfs.d.ts +42 -0
- package/dist/ingest/adapters/nydfs.d.ts.map +1 -0
- package/dist/ingest/adapters/nydfs.js +68 -0
- package/dist/ingest/adapters/nydfs.js.map +1 -0
- package/dist/ingest/adapters/regulations-gov.d.ts +11 -12
- package/dist/ingest/adapters/regulations-gov.d.ts.map +1 -1
- package/dist/ingest/adapters/regulations-gov.js +46 -43
- package/dist/ingest/adapters/regulations-gov.js.map +1 -1
- package/dist/ingest/adapters/utah-xcode.d.ts +19 -0
- package/dist/ingest/adapters/utah-xcode.d.ts.map +1 -0
- package/dist/ingest/adapters/utah-xcode.js +112 -0
- package/dist/ingest/adapters/utah-xcode.js.map +1 -0
- package/dist/ingest/adapters/virginia-law.d.ts +21 -0
- package/dist/ingest/adapters/virginia-law.d.ts.map +1 -0
- package/dist/ingest/adapters/virginia-law.js +111 -0
- package/dist/ingest/adapters/virginia-law.js.map +1 -0
- package/package.json +27 -5
- package/scripts/build-db.ts +50 -32
- package/scripts/check-updates.ts +184 -0
- package/scripts/ingest.ts +72 -25
- package/src/index.ts +1 -1
- package/src/ingest/adapters/colorado-public.ts +96 -0
- package/src/ingest/adapters/connecticut-cga.ts +150 -0
- package/src/ingest/adapters/ecfr.ts +158 -17
- package/src/ingest/adapters/ffiec.ts +77 -0
- package/src/ingest/adapters/nydfs.ts +77 -0
- package/src/ingest/adapters/regulations-gov.ts +48 -47
- package/src/ingest/adapters/utah-xcode.ts +143 -0
- package/src/ingest/adapters/virginia-law.ts +140 -0
- package/scripts/quality-test.ts +0 -346
- package/scripts/test-mcp-tools.ts +0 -187
- package/scripts/test-remaining-tools.ts +0 -107
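--- /dev/null
+++ b/package/data/seed/colorado-cpa.json
@@ -0,0 +1,97 @@
+{
+"regulation": {
+"id": "COLORADO_CPA",
+"full_name": "Colorado Privacy Act",
+"citation": "C.R.S. §6-1-1301 to 6-1-1313",
+"effective_date": "2023-07-01",
+"jurisdiction": "colorado",
+"regulation_type": "statute"
+},
+"source": {
+"official_url": "https://leg.colorado.gov/colorado-revised-statutes",
+"title": "Colorado Revised Statutes Title 6, Article 1, Part 13",
+"last_verified": "2026-01-29",
+"verification_method": "Extracted from official Colorado General Assembly CRS publication",
+"disclaimer": "This is statutory text from official Colorado sources. Users should verify against the current Colorado Revised Statutes for any amendments."
+},
+"sections": [
+{
+"sectionNumber": "6-1-1301",
+"title": "Short title",
+"text": "This part 13 shall be known and may be cited as the \"Colorado Privacy Act\".",
+"chapter": "Part 13 - Colorado Privacy Act"
+},
+{
+"sectionNumber": "6-1-1302",
+"title": "Legislative declaration",
+"text": "The general assembly hereby finds and declares that: (1) The people of Colorado regard privacy as a fundamental right and an essential element of protecting human autonomy, dignity, and freedom of speech and association; (2) Privacy and other consumer protections must keep pace with technological developments that collect, use, and share personal data in ways that may cause harm to individuals and undermine their autonomy; (3) Protecting privacy and providing transparency about data practices promotes consumer trust and benefits businesses that earn and maintain consumer confidence; and (4) Colorado consumers should have meaningful control over how businesses collect and use their personal data.",
+"chapter": "Part 13 - Colorado Privacy Act"
+},
+{
+"sectionNumber": "6-1-1303",
+"title": "Definitions",
+"text": "As used in this part 13, unless the context otherwise requires: (1) \"Affiliate\" means a legal entity that controls, is controlled by, or is under common control with another legal entity. (2) \"Authenticate\" means to use reasonable means to determine that a request to exercise any of the rights afforded under section 6-1-1306 is being made by, or on behalf of, the consumer who is entitled to exercise such rights with respect to the personal data at issue. (3) \"Biometric data\" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. (4) \"Bona fide loyalty program\" means a program: (a) That a controller offers to the controller's customers; (b) In which consumers may: (I) Accrue points, credits, benefits, or discounts based on the consumer's purchases or other consumer actions; and (II) Redeem such points, credits, benefits, or discounts for goods, services, or other items of value. (5) \"Child\" has the same meaning as set forth in the federal \"Children's Online Privacy Protection Act of 1998\", 15 U.S.C. sec. 6501 et seq., as amended, and regulations, guidelines, and guidance issued pursuant thereto. (6) \"Consent\" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. (7) \"Consumer\" means a Colorado resident acting only in an individual or household context. (8) \"Controller\" means a person that, alone or jointly with others, determines the purposes for and means of processing personal data. (9) \"Dark pattern\" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice. (10) \"De-identified data\" means data that cannot reasonably be linked to an identified or identifiable individual, or a device linked to such individual. (11) \"Health data\" means personal data that a controller uses to identify a consumer's physical or mental health status. (12) \"Identified or identifiable individual\" means an individual who can be readily identified, directly or indirectly. (13) \"Personal data\" means information that is linked or reasonably linkable to an identified or identifiable individual. (14) \"Process\" or \"processing\" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. (15) \"Processor\" means a person that processes personal data on behalf of a controller. (16) \"Profiling\" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. (17) \"Pseudonymous data\" means personal data that cannot be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual. (18) \"Publicly available information\" means information that: (a) Is lawfully made available through federal, state, or local government records; or (b) A controller has a reasonable basis to believe a consumer has lawfully made available to the general public. (19) \"Sale of personal data\" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. (20) \"Sensitive data\" means: (a) Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; (c) Personal data from a known child; or (d) Precise geolocation data. (21) \"Targeted advertising\" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests. (22) \"Third party\" means a person other than: (a) The consumer; (b) The controller; (c) The processor; or (d) An affiliate of the controller or the processor.",
+"chapter": "Part 13 - Colorado Privacy Act"
+},
+{
+"sectionNumber": "6-1-1304",
+"title": "Applicability",
+"text": "(1) This part 13 applies to a person that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado and that: (a) Controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or (b) Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand consumers or more. (2) This part 13 does not apply to: (a) State and local governments and any department, agency, board, bureau, or instrumentality thereof; (b) A national securities association registered pursuant to 15 U.S.C. sec. 78o-3 that is subject to regulations promulgated by the securities and exchange commission; (c) A financial institution or affiliate of a financial institution that is subject to Title V of the federal \"Gramm-Leach-Bliley Act\", 15 U.S.C. secs. 6801 to 6809; (d) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States department of health and human services, 45 CFR parts 160 and 164, pursuant to the federal \"Health Insurance Portability and Accountability Act of 1996\"; (e) Data that is subject to and processed in accordance with 45 CFR parts 160 and 164; (f) An institution of higher education; (g) Information that is used only for public health purposes by a public health authority, or by an individual or entity working under contract with a public health authority; (h) A nonprofit organization; (i) Air carriers subject to the provisions of the federal \"Airline Deregulation Act\", 49 U.S.C. sec. 40101 et seq.; (j) Personal data that is collected, processed, sold, or disclosed pursuant to the federal \"Gramm-Leach-Bliley Act\", 15 U.S.C. secs. 6801 to 6809, and implementing regulations; (k) Personal data collected, processed, sold, or disclosed pursuant to the federal \"Driver's Privacy Protection Act of 1994\", 18 U.S.C. secs. 2721 to 2725; or (l) Information and documents created for purposes of the federal \"Health Care Quality Improvement Act of 1986\", 42 U.S.C. secs. 11101 to 11152.",
+"chapter": "Part 13 - Colorado Privacy Act"
+},
+{
+"sectionNumber": "6-1-1305",
+"title": "Exemptions",
+"text": "(1) Controllers and processors that comply with the verifiable parental consent requirements of the federal \"Children's Online Privacy Protection Act\", 15 U.S.C. sec. 6501 et seq., are deemed compliant with any obligation to obtain parental consent pursuant to this part 13. (2) This part 13 does not restrict a controller's or processor's ability to: (a) Comply with federal, state, or local laws, rules, or regulations; (b) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; (c) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; (d) Investigate, establish, exercise, prepare for, or defend legal claims; (e) Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract; (f) Protect the vital interests of the consumer or another individual; (g) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (h) Conduct internal research to develop, improve, or repair products, services, or technology; (i) Identify and repair technical errors that impair existing or intended functionality; or (j) Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a contract to which the consumer is a party.",
+"chapter": "Part 13 - Colorado Privacy Act"
+},
+{
+"sectionNumber": "6-1-1306",
+"title": "Consumer rights",
+"text": "(1) A consumer has the right to: (a) Confirm whether a controller is processing the consumer's personal data and to access such personal data; (b) Correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data; (c) Delete personal data provided by, or obtained about, the consumer; (d) Obtain the consumer's personal data, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and (e) Opt out of the processing of the consumer's personal data for purposes of: (I) Targeted advertising; (II) The sale of personal data; or (III) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. (2) (a) Controllers shall provide consumers with one or more secure and reliable means for consumers to submit requests to exercise the rights set forth in this section. (b) Beginning July 1, 2024, a controller shall allow a consumer to opt out of any processing of personal data for purposes of targeted advertising or any sale of personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism, to the controller indicating the consumer's intent to opt out of any sale of personal data or targeted advertising. (3) A controller shall comply with an authenticated consumer request to exercise the rights under subsection (1) of this section not later than forty-five days after receiving the request. (4) A consumer may designate another person to serve as the consumer's authorized agent and act on the consumer's behalf to opt out of the processing of the consumer's personal data for purposes of targeted advertising, the sale of personal data, or profiling. (5) A controller shall establish a process by which a consumer may appeal the controller's refusal to take action on a request. The appeal process must be conspicuously available and similar to the process for submitting requests. (6) A controller shall not require a consumer to create a new account in order to exercise the rights set forth in this section but may require the consumer to use an existing account.",
+"chapter": "Part 13 - Colorado Privacy Act"
+},
+{
+"sectionNumber": "6-1-1307",
+"title": "Processor duties",
+"text": "(1) A processor shall adhere to the instructions of a controller and assist the controller in meeting its obligations under this part 13, taking into account the nature of processing and the information available to the processor, by: (a) Assisting the controller in responding to consumer rights requests; (b) Complying with security requirements; (c) Providing information necessary for data protection assessments; and (d) Providing deletion or return of personal data upon termination of services. (2) A processor shall: (a) Ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and (b) Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data. (3) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth: (a) Instructions for processing data; (b) The nature and purpose of processing; (c) The type of data subject to processing; (d) The duration of processing; and (e) The rights and obligations of both parties.",
+"chapter": "Part 13 - Colorado Privacy Act"
+},
+{
+"sectionNumber": "6-1-1308",
+"title": "Controller duties",
+"text": "(1) A controller shall: (a) Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer; (b) Except as otherwise provided in this part 13, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, unless the controller first obtains the consumer's consent; (c) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue to protect the confidentiality, integrity, and accessibility of personal data; (d) Not process personal data in violation of the laws of Colorado and the United States that prohibit unlawful discrimination against consumers; (e) Provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (I) The categories of personal data processed by the controller; (II) The purposes for processing personal data; (III) How and where consumers may exercise their rights, including the controller's contact information and how to appeal a controller's decision with regard to a consumer's request; (IV) The categories of personal data that the controller shares with third parties, if any; and (V) The categories of third parties, if any, with which the controller shares personal data; and (f) Not discriminate against a consumer for exercising any of the consumer's rights under this part 13, including by denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services to the consumer. (2) A controller that processes pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which such data may be subject, and shall take appropriate steps to address any breach of such contractual commitments.",
+"chapter": "Part 13 - Colorado Privacy Act"
+},
+{
+"sectionNumber": "6-1-1309",
+"title": "Processing of sensitive data",
+"text": "(1) A controller shall not process sensitive data concerning a consumer without first obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without first obtaining consent from the child's parent or lawful guardian in accordance with the federal \"Children's Online Privacy Protection Act of 1998\", 15 U.S.C. sec. 6501 et seq. (2) A controller shall not process personal data concerning a consumer for purposes of targeted advertising, or sell a consumer's personal data without the consumer's consent, where the controller has actual knowledge, and willfully disregards, that the consumer is at least thirteen years of age but younger than sixteen years of age.",
+"chapter": "Part 13 - Colorado Privacy Act"
+},
+{
+"sectionNumber": "6-1-1310",
+"title": "Data protection assessments",
+"text": "(1) A controller shall conduct and document a data protection assessment for each of the following processing activities: (a) The processing of personal data for purposes of targeted advertising; (b) The sale of personal data; (c) The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of: (I) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (II) Financial, physical, or reputational injury to consumers; (III) A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (IV) Other substantial injury to consumers; (d) The processing of sensitive data; and (e) Any processing activities involving personal data that present a heightened risk of harm to consumers. (2) Data protection assessments shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that the controller can employ to reduce such risks. (3) Data protection assessments shall be made available to the attorney general upon request.",
+"chapter": "Part 13 - Colorado Privacy Act"
+},
+{
+"sectionNumber": "6-1-1311",
+"title": "Limitations on disclosure",
+"text": "(1) A controller that discloses personal data to a processor or a third party for a purpose consistent with this part 13 shall enter into a contract with such processor or third party that: (a) Specifies that the personal data disclosed is disclosed only for limited and specified purposes; (b) Obligates the third party to comply with the requirements of this part 13 and to provide the same level of privacy protection as is required of controllers under this part 13; and (c) Grants the controller the right to take reasonable and appropriate steps to help ensure that the third party uses the personal data transferred in a manner consistent with the controller's obligations under this part 13.",
+"chapter": "Part 13 - Colorado Privacy Act"
+},
+{
+"sectionNumber": "6-1-1312",
+"title": "Rule-making authority",
+"text": "(1) The attorney general shall adopt rules, in accordance with article 4 of title 24, as may be necessary for the purpose of implementing and enforcing this part 13. (2) In adopting rules pursuant to this section, the attorney general shall consult with the department of law, the department of regulatory agencies, and the office of information technology. (3) The attorney general shall adopt rules: (a) Governing the technical specifications of one or more universal opt-out mechanisms for purposes of section 6-1-1306 (2)(b); and (b) Providing guidance on the types of processing activities that present a heightened risk of harm to consumers for purposes of section 6-1-1310 (1)(e).",
+"chapter": "Part 13 - Colorado Privacy Act"
+},
+{
+"sectionNumber": "6-1-1313",
+"title": "Enforcement",
+"text": "(1) (a) The attorney general has exclusive authority to enforce violations of this part 13. (b) In enforcing violations of this part 13, the attorney general may seek all remedies available under the \"Colorado Consumer Protection Act\", set forth in this article 1. (2) (a) Except as set forth in subsection (2)(b) of this section, the attorney general, prior to initiating any action for a violation of this part 13, shall issue a notice to the controller or processor. If the controller or processor fails to cure the alleged violation within sixty days after receiving the notice required by this subsection (2)(a), the attorney general may initiate an action against the controller or processor. (b) The sixty-day cure period set forth in subsection (2)(a) of this section shall expire on January 1, 2025. (3) Nothing in this part 13 shall be construed to create a private right of action. (4) This part 13 does not limit any other remedies available at law or equity.",
+"chapter": "Part 13 - Colorado Privacy Act"
+}
+]
+}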
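Review bot: The `source` block (gutter lines 10–16) presents this file as verbatim statutory text "Extracted from official Colorado General Assembly CRS publication", but nothing in the file lets a downstream consumer check that claim: `official_url` is the CRS landing page rather than the Part 13 text, there is no content hash or pinned publication revision, and the only freshness signal is a hand-set `last_verified` date. Because this seed is compiled into the shipped `regulations.db` and served to LLM clients as authoritative law, an abridged, stale or tampered seed is indistinguishable from the real statute at the point of use — a data-integrity problem for an MCP server, not just a documentation one. I would record provenance that can be re-verified, e.g. `"source_revision": "<CRS edition or session law>", "source_sha256": "<hash of the retrieved statutory text>"` next to `last_verified`, and point `official_url` at the Part 13 text itself. If any section text has been condensed rather than copied (several sections read as summaries — 6-1-1303 and 6-1-1306 are worth confirming against the current statute), the `verification_method` and `disclaimer` wording should say so, as the FFIEC seed's disclaimer in this same release already does for its content.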
@@ -0,0 +1,103 @@
|
|
|
1
|
+
{
|
|
2
|
+
"regulation": {
|
|
3
|
+
"id": "FFIEC",
|
|
4
|
+
"full_name": "FFIEC IT Examination Handbook",
|
|
5
|
+
"citation": "FFIEC Interagency Guidelines",
|
|
6
|
+
"effective_date": "2023-01-01",
|
|
7
|
+
"jurisdiction": "federal",
|
|
8
|
+
"regulation_type": "guidance"
|
|
9
|
+
},
|
|
10
|
+
"source": {
|
|
11
|
+
"official_url": "https://ithandbook.ffiec.gov/",
|
|
12
|
+
"publisher": "Federal Financial Institutions Examination Council",
|
|
13
|
+
"last_verified": "2026-01-29",
|
|
14
|
+
"verification_method": "Extracted from official FFIEC IT Examination Handbook booklets",
|
|
15
|
+
"disclaimer": "This is examination guidance from the official FFIEC IT Examination Handbook. The FFIEC publishes detailed booklets covering each examination area. This seed data provides key examination objectives and principles. For complete examination procedures and work programs, consult the full booklets at ithandbook.ffiec.gov. This guidance does not constitute legal or regulatory requirements but represents interagency expectations for supervised institutions."
|
|
16
|
+
},
|
|
17
|
+
"sections": [
|
|
18
|
+
{
|
|
19
|
+
"sectionNumber": "INFOSEC-I",
|
|
20
|
+
"title": "Information Security - Introduction",
|
|
21
|
+
"text": "The Information Security booklet provides guidance to examiners and outlines expectations for information security programs at financial institutions. An effective information security program should: (1) Identify and assess the risks to the information assets; (2) Develop a written information security program to manage and control identified risks; (3) Implement and test the security program; (4) Assess and adjust the security program on an ongoing basis. The board of directors is responsible for overseeing the development, implementation, and maintenance of the institution's information security program. Management is responsible for implementing the program and ensuring that all employees understand their roles and responsibilities. The information security program should be appropriate to the institution's size, complexity, nature of activities, and sensitivity of the information maintained.",
|
|
22
|
+
"chapter": "Information Security"
|
|
23
|
+
},
|
|
24
|
+
{
|
|
25
|
+
"sectionNumber": "INFOSEC-II.A",
|
|
26
|
+
"title": "Information Security - Risk Assessment",
|
|
27
|
+
"text": "Financial institutions should conduct ongoing risk assessments that: (1) Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems; (2) Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; (3) Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks. The risk assessment should be updated as threats evolve, as the institution's information assets change, and as new vulnerabilities are discovered. Risk assessments should inform the institution's overall information security strategy and resource allocation decisions.",
|
|
28
|
+
"chapter": "Information Security"
|
|
29
|
+
},
|
|
30
|
+
{
|
|
31
|
+
"sectionNumber": "INFOSEC-II.C",
|
|
32
|
+
"title": "Information Security - Security Controls",
|
|
33
|
+
"text": "Financial institutions should design, implement, and maintain a comprehensive set of security controls commensurate with the risks identified. Security controls include: (1) Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals; (2) Access restrictions at physical locations containing customer information; (3) Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access; (4) Procedures designed to ensure that customer information system modifications are consistent with the institution's information security program; (5) Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information; (6) Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems; (7) Response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems.",
|
|
34
|
+
"chapter": "Information Security"
|
|
35
|
+
},
|
|
36
|
+
{
|
|
37
|
+
"sectionNumber": "BCP-I",
|
|
38
|
+
"title": "Business Continuity Planning - Introduction",
|
|
39
|
+
"text": "The Business Continuity Planning (BCP) booklet addresses business continuity planning for technology services. Business continuity planning is the process whereby financial institutions ensure the maintenance or recovery of operations, including services to customers, when confronted with adverse events such as natural disasters, technological failures, human error, or terrorism. The objectives of a BCP are to minimize financial loss to the institution; continue to serve customers and financial market participants; and mitigate the negative effects of disruptions on an institution's strategic plans, reputation, operations, liquidity, credit quality, market position, and ability to remain in compliance with applicable laws and regulations. The board of directors and senior management are responsible for establishing policies and processes for business continuity planning.",
|
|
40
|
+
"chapter": "Business Continuity"
|
|
41
|
+
},
|
|
42
|
+
{
|
|
43
|
+
"sectionNumber": "BCP-II",
|
|
44
|
+
"title": "Business Continuity Planning - Business Impact Analysis",
|
|
45
|
+
"text": "A business impact analysis (BIA) is the foundation for developing a BCP. The BIA should: (1) Identify the potential impact of uncontrolled, non-specific events on the institution's business processes and its customers; (2) Consider all critical business functions and the technology that supports them; (3) Estimate maximum allowable downtime and acceptable levels of data loss for each business process; (4) Identify resource requirements including personnel, facilities, and technology; (5) Prioritize the recovery of business processes based on their criticality. Financial institutions should update the BIA when significant organizational changes occur, including changes to business processes, technology, key personnel, facilities, or service providers.",
|
|
46
|
+
"chapter": "Business Continuity"
|
|
47
|
+
},
|
|
48
|
+
{
|
|
49
|
+
"sectionNumber": "AUDIT-I",
|
|
50
|
+
"title": "Audit - IT Audit Program",
|
|
51
|
+
"text": "Financial institutions should maintain an IT audit program that provides an independent assessment of IT-related risks and controls. The IT audit function should: (1) Be independent from IT management and operations; (2) Have sufficient resources, expertise, and authority to evaluate all IT activities; (3) Follow a risk-based approach to determine the scope and frequency of audits; (4) Evaluate the effectiveness of IT governance, risk management, and internal controls; (5) Report findings and recommendations to the board of directors or audit committee; (6) Track remediation of audit findings. The IT audit program should address both general controls (those that apply to all systems) and application controls (those specific to individual applications).",
|
|
52
|
+
"chapter": "Audit"
|
|
53
|
+
},
|
|
54
|
+
{
|
|
55
|
+
"sectionNumber": "OUTSOURCE-I",
|
|
56
|
+
"title": "Outsourcing Technology Services - Risk Management",
|
|
57
|
+
"text": "Financial institutions should implement effective risk management practices for outsourced technology services. Risk management should include: (1) Risk assessment to identify and evaluate risks associated with each outsourced service; (2) Due diligence to evaluate the service provider's ability to perform the outsourced activity adequately and the financial and operational impact on the institution; (3) Contract provisions that clearly define the expectations and responsibilities of both parties; (4) Ongoing monitoring of the service provider's performance and control environment; (5) Business continuity and contingency planning for critical outsourced services. The board of directors retains ultimate responsibility for managing risks associated with outsourcing relationships, regardless of which functions are outsourced.",
|
|
58
|
+
"chapter": "Outsourcing"
|
|
59
|
+
},
|
|
60
|
+
{
|
|
61
|
+
"sectionNumber": "OUTSOURCE-II",
|
|
62
|
+
"title": "Outsourcing Technology Services - Due Diligence",
|
|
63
|
+
"text": "Before engaging a service provider, financial institutions should conduct due diligence that includes: (1) Evaluating the service provider's financial condition and determining whether it has adequate resources to provide the services; (2) Reviewing independent audit reports (SOC reports) on the service provider's control environment; (3) Assessing the service provider's information security program and disaster recovery capabilities; (4) Evaluating the service provider's experience providing similar services to comparable financial institutions; (5) Reviewing the service provider's insurance coverage; (6) Assessing the service provider's incident response capabilities and history of security breaches or service disruptions; (7) Understanding the service provider's use of subcontractors. Due diligence should be commensurate with the risk and complexity of the outsourced service.",
|
|
64
|
+
"chapter": "Outsourcing"
|
|
65
|
+
},
|
|
66
|
+
{
|
|
67
|
+
"sectionNumber": "CYBER-I",
|
|
68
|
+
"title": "Cybersecurity Assessment Tool - Overview",
|
|
69
|
+
"text": "The FFIEC Cybersecurity Assessment Tool (CAT) helps institutions identify their risks and determine their cybersecurity preparedness. The assessment consists of two parts: (1) Inherent Risk Profile - identifies the institution's inherent risk based on technologies and connection types, delivery channels, online/mobile products and services, organizational characteristics, and external threats; (2) Cybersecurity Maturity - evaluates the institution's cybersecurity maturity across five domains: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience. Institutions should use the CAT results to identify gaps between their risk profile and maturity level, develop action plans to address gaps, and inform strategic decisions about cybersecurity investments.",
|
|
70
|
+
"chapter": "Cybersecurity"
|
|
71
|
+
},
|
|
72
|
+
{
|
|
73
|
+
"sectionNumber": "CYBER-II",
|
|
74
|
+
"title": "Cybersecurity Assessment - Maturity Levels",
|
|
75
|
+
"text": "The Cybersecurity Assessment Tool defines five maturity levels: (1) Baseline - minimum expectations that all institutions should meet based on examination guidance; (2) Evolving - additional practices beyond baseline that institutions with elevated risks should consider; (3) Intermediate - practices that institutions with significant inherent risk typically implement; (4) Advanced - practices implemented by institutions with substantial inherent risk or that are leaders in cybersecurity; (5) Innovative - practices that represent cutting-edge approaches to cybersecurity. Institutions should determine the appropriate maturity level based on their inherent risk profile. An institution with a higher inherent risk profile should demonstrate a more mature cybersecurity posture across all five domains.",
|
|
76
|
+
"chapter": "Cybersecurity"
|
|
77
|
+
},
|
|
78
|
+
{
|
|
79
|
+
"sectionNumber": "DEV-I",
|
|
80
|
+
"title": "Development and Acquisition - SDLC",
|
|
81
|
+
"text": "Financial institutions should implement a secure software development life cycle (SDLC) for internally developed applications. The SDLC should include: (1) Security requirements definition during the planning and requirements phase; (2) Threat modeling and secure design principles during the design phase; (3) Secure coding standards and code reviews during the development phase; (4) Security testing including static analysis, dynamic analysis, and penetration testing; (5) Secure deployment procedures and configuration management; (6) Ongoing vulnerability management and patching after deployment. Institutions should ensure that developers receive training on secure coding practices and that security reviews are integrated throughout the development process.",
|
|
82
|
+
"chapter": "Development"
|
|
83
|
+
},
|
|
84
|
+
{
|
|
85
|
+
"sectionNumber": "ARCH-I",
|
|
86
|
+
"title": "Architecture, Infrastructure, and Operations - Network Security",
|
|
87
|
+
"text": "Financial institutions should implement network security controls that protect the confidentiality, integrity, and availability of information and systems. Network security controls include: (1) Network segmentation to isolate sensitive systems and limit lateral movement; (2) Firewalls and access control lists to filter traffic between network segments; (3) Intrusion detection and prevention systems to identify and block malicious activity; (4) Secure configuration of network devices including routers, switches, and wireless access points; (5) Encryption of sensitive data in transit using current cryptographic standards; (6) Regular vulnerability scanning and penetration testing of network infrastructure; (7) Monitoring and logging of network activity to detect anomalies and support incident investigation.",
|
|
88
|
+
"chapter": "Architecture"
|
|
89
|
+
},
|
|
90
|
+
{
|
|
91
|
+
"sectionNumber": "RETAIL-I",
|
|
92
|
+
"title": "Retail Payment Systems - Authentication",
|
|
93
|
+
"text": "Financial institutions offering retail payment services should implement layered security controls. For customer authentication, institutions should: (1) Use multi-factor authentication for higher-risk transactions and access to sensitive functions; (2) Implement device identification and authentication to recognize returning customers; (3) Monitor login attempts and implement lockout policies after failed attempts; (4) Provide customer notification of account activity and security events; (5) Educate customers about security risks and protective measures. Authentication methods should be commensurate with the risk of the payment channel and transaction type. Institutions should periodically evaluate the effectiveness of authentication controls against evolving threats.",
|
|
94
|
+
"chapter": "Retail Payments"
|
|
95
|
+
},
|
|
96
|
+
{
|
|
97
|
+
"sectionNumber": "WHOLESALE-I",
|
|
98
|
+
"title": "Wholesale Payment Systems - Controls",
|
|
99
|
+
"text": "Financial institutions processing wholesale payments should implement enhanced controls given the higher values and greater fraud risks. Controls should include: (1) Dual authorization requiring two individuals to approve high-value or unusual transactions; (2) Positive pay and transaction filtering to identify unauthorized payments; (3) Out-of-band verification using separate communication channels to confirm transaction details; (4) Behavioral analytics to detect anomalous transaction patterns; (5) Customer agreements defining security responsibilities and liability; (6) Real-time monitoring and alerts for suspicious activity; (7) Secure transmission protocols for payment instructions. Institutions should conduct periodic assessments of wholesale payment controls and adjust them based on emerging fraud trends.",
|
|
100
|
+
"chapter": "Wholesale Payments"
|
|
101
|
+
}
|
|
102
|
+
]
|
|
103
|
+
}
|
|
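--- a/package/data/seed/mappings/ccpa-nist-csf.json
+++ b/package/data/seed/mappings/ccpa-nist-csf.json
@@ -2,8 +2,18 @@
 "framework": "NIST_CSF_2_0",
 "regulation": "CCPA",
 "generated_at": "2026-01-29",
-"generated_by": "claude-sonnet-4-5",
 "description": "Mapping of CCPA/CPRA requirements to NIST Cybersecurity Framework 2.0",
+"source": {
+"disclaimer": "IMPORTANT: These mappings are interpretive guidance created to assist with compliance research. They are NOT official California Attorney General or NIST crosswalks. CCPA/CPRA is a privacy regulation while NIST CSF is a cybersecurity framework - overlap exists but is not complete. For authoritative guidance, consult: (1) California Privacy Protection Agency regulations and guidance, (2) NIST Privacy Framework for privacy-specific controls, (3) Your organization's compliance and legal counsel. These mappings should be validated against your specific implementation context.",
+"references": [
+"NIST Cybersecurity Framework 2.0",
+"NIST Privacy Framework 1.0",
+"California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100-199)",
+"CPRA Final Regulations (11 CCR §§ 7000-7304)"
+],
+"methodology": "Mappings identify NIST CSF functions and categories that support CCPA/CPRA compliance objectives. Privacy requirements mapped to closest cybersecurity controls. Coverage indicates degree of alignment: 'full' = strong alignment, 'partial' = supporting control.",
+"last_reviewed": "2026-01-29"
+},
 "mappings": [
 {
 "section_number": "1798.100",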
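Review bot: Dropping `"generated_by": "claude-sonnet-4-5"` removes the only record of how this mapping was produced, while the new `source` object records references and a methodology but no author or tooling; for a compliance dataset that downstream users may act on, provenance is part of the integrity of the data. Consider keeping a provenance field inside `source`, e.g. `"generated_by": "claude-sonnet-4-5"` next to `"last_reviewed"`, so the disclaimer's "interpretive guidance" statement is traceable to its origin. The HIPAA mapping hunk that follows makes the same removal and would need the same field. Note also that `last_reviewed` equals `generated_at` here, so nothing records that the review implied by the disclaimer was a separate step; a reviewer identity or ticket reference would close that gap.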
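--- a/package/data/seed/mappings/hipaa-nist-800-53.json
+++ b/package/data/seed/mappings/hipaa-nist-800-53.json
@@ -2,8 +2,17 @@
 "framework": "NIST_800_53_R5",
 "regulation": "HIPAA",
 "generated_at": "2026-01-29",
-"generated_by": "claude-sonnet-4-5",
 "description": "Mapping of HIPAA Security Rule requirements to NIST 800-53 Rev 5 controls",
+"source": {
+"disclaimer": "IMPORTANT: These mappings are interpretive guidance created to assist with compliance research. They are NOT official HHS or NIST crosswalks. For authoritative mappings, consult: (1) HHS HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, (2) NIST SP 800-66 Rev 2 'Implementing the HIPAA Security Rule', (3) Your organization's compliance and legal counsel. These mappings should be validated against your specific implementation context.",
+"references": [
+"NIST SP 800-66 Rev 2 - Implementing the HIPAA Security Rule",
+"NIST SP 800-53 Rev 5 - Security and Privacy Controls",
+"HHS HIPAA Security Rule (45 CFR Part 164 Subpart C)"
+],
+"methodology": "Mappings based on control objective alignment between HIPAA Security Rule standards and NIST 800-53 control families. Coverage indicates degree of overlap: 'full' = direct alignment, 'partial' = related but not complete, 'related' = conceptually connected.",
+"last_reviewed": "2026-01-29"
+},
 "mappings": [
 {
 "section_number": "164.308(a)(1)",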
@@ -0,0 +1,122 @@
|
|
|
1
|
+
{
|
|
2
|
+
"regulation": {
|
|
3
|
+
"id": "NYDFS_500",
|
|
4
|
+
"full_name": "NY DFS Cybersecurity Regulation",
|
|
5
|
+
"citation": "23 NYCRR 500",
|
|
6
|
+
"effective_date": "2017-03-01",
|
|
7
|
+
"last_amended": "2023-11-01",
|
|
8
|
+
"jurisdiction": "state",
|
|
9
|
+
"regulation_type": "rule"
|
|
10
|
+
},
|
|
11
|
+
"source": {
|
|
12
|
+
"official_url": "https://www.dfs.ny.gov/industry_guidance/cybersecurity",
|
|
13
|
+
"publisher": "New York State Department of Financial Services",
|
|
14
|
+
"last_verified": "2026-01-29",
|
|
15
|
+
"verification_method": "Extracted from official 23 NYCRR 500 regulation text",
|
|
16
|
+
"disclaimer": "This is regulatory text from the official New York State Department of Financial Services 23 NYCRR 500 regulation. The regulation was significantly amended effective November 1, 2023. Users should verify against the current official regulation at dfs.ny.gov for the most up-to-date requirements."
|
|
17
|
+
},
|
|
18
|
+
"sections": [
|
|
19
|
+
{
|
|
20
|
+
"sectionNumber": "500.1",
|
|
21
|
+
"title": "Definitions",
|
|
22
|
+
"text": "(a) Affiliate means any Person that controls, is controlled by or is under common control with another Person. (b) Authorized User means any employee, contractor, agent or other Person that participates in the business operations of a Covered Entity and is authorized to access and use any Information Systems and data of the Covered Entity. (c) Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. (d) Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System. (e) Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems. (f) Multi-Factor Authentication means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; (2) Possession factors, such as a token or text message on a mobile phone; or (3) Inherence factors, such as a biometric characteristic. 
(g) Nonpublic Information shall mean all electronic information that is not Publicly Available Information and is: (1) Business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity; (2) Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers' license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual's financial account, or (v) biometric records; (3) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.",
|
|
23
|
+
"chapter": "Definitions"
|
|
24
|
+
},
|
|
25
|
+
{
|
|
26
|
+
"sectionNumber": "500.2",
|
|
27
|
+
"title": "Cybersecurity Program",
|
|
28
|
+
"text": "(a) Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity's Information Systems. (b) The cybersecurity program shall be based on the Covered Entity's Risk Assessment and designed to perform the following core cybersecurity functions: (1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity's Information Systems; (2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity's Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts; (3) detect Cybersecurity Events; (4) respond to identified or detected Cybersecurity Events to mitigate any negative effects; (5) recover from Cybersecurity Events and restore normal operations and services; and (6) fulfill applicable regulatory reporting obligations.",
|
|
29
|
+
"chapter": "Core Requirements"
|
|
30
|
+
},
|
|
31
|
+
{
|
|
32
|
+
"sectionNumber": "500.3",
|
|
33
|
+
"title": "Cybersecurity Policy",
|
|
34
|
+
"text": "Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity's board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity's policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems. The cybersecurity policy shall address the following areas to the extent applicable to the Covered Entity's operations: (a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.",
|
|
35
|
+
"chapter": "Core Requirements"
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"sectionNumber": "500.4",
|
|
39
|
+
"title": "Chief Information Security Officer",
|
|
40
|
+
"text": "(a) Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, Chief Information Security Officer or CISO). The CISO may be employed by the Covered Entity, one of its Affiliates or a Third Party Service Provider. (b) The CISO shall report in writing, at least annually, to the Covered Entity's board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entity responsible for the Covered Entity's cybersecurity program. The CISO's report shall include: (1) assessment of the confidentiality, integrity and availability of the Covered Entity's Information Systems; (2) exceptions to the Covered Entity's cybersecurity policies and procedures; (3) identification of cyber risks to the Covered Entity; (4) assessment of the effectiveness of the Covered Entity's cybersecurity program; (5) proposed steps to remediate any identified inadequacies; and (6) summary of material Cybersecurity Events that affected the Covered Entity during the time period addressed by the report.",
|
|
41
|
+
"chapter": "Governance"
|
|
42
|
+
},
|
|
43
|
+
{
|
|
44
|
+
"sectionNumber": "500.5",
|
|
45
|
+
"title": "Penetration Testing and Vulnerability Assessments",
|
|
46
|
+
"text": "(a) Each Covered Entity's cybersecurity program shall include monitoring and testing, developed in accordance with the Covered Entity's Risk Assessment, designed to assess the effectiveness of the Covered Entity's cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities, Covered Entities shall conduct: (1) annual penetration testing of the Covered Entity's Information Systems determined each given year based on relevant identified risks in accordance with the Risk Assessment; and (2) bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the Covered Entity's Information Systems based on the Risk Assessment.",
|
|
47
|
+
"chapter": "Testing and Vulnerability Management"
|
|
48
|
+
},
|
|
49
|
+
{
|
|
50
|
+
"sectionNumber": "500.6",
|
|
51
|
+
"title": "Audit Trail",
|
|
52
|
+
"text": "(a) Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment: (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and (2) include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity. (b) Each Covered Entity shall maintain records required under section 500.6(a)(1) of this Part for not fewer than five years and shall maintain records required under section 500.6(a)(2) of this Part for not fewer than three years.",
|
|
53
|
+
"chapter": "Audit and Monitoring"
|
|
54
|
+
},
|
|
55
|
+
{
|
|
56
|
+
"sectionNumber": "500.7",
|
|
57
|
+
"title": "Access Privileges",
|
|
58
|
+
"text": "As part of its cybersecurity program, based on the Covered Entity's Risk Assessment each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.",
|
|
59
|
+
"chapter": "Access Control"
|
|
60
|
+
},
|
|
61
|
+
{
|
|
62
|
+
"sectionNumber": "500.8",
|
|
63
|
+
"title": "Application Security",
|
|
64
|
+
"text": "(a) Each Covered Entity's cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity's technology environment. (b) All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.",
|
|
65
|
+
"chapter": "Application Security"
|
|
66
|
+
},
|
|
67
|
+
{
|
|
68
|
+
"sectionNumber": "500.9",
|
|
69
|
+
"title": "Risk Assessment",
|
|
70
|
+
"text": "(a) Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity's Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity's Information Systems, Nonpublic Information or business operations. The Covered Entity's Risk Assessment shall allow for revision of controls to respond to technological developments and evolving threats and shall consider the particular risks of the Covered Entity's business operations related to cybersecurity, Nonpublic Information collected or stored, Information Systems utilized and the availability and effectiveness of controls to protect Nonpublic Information and Information Systems. (b) The Risk Assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such documentation shall include: (1) criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the Covered Entity; (2) criteria for the assessment of the confidentiality, integrity, security and availability of the Covered Entity's Information Systems and Nonpublic Information, including the adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.",
|
|
71
|
+
"chapter": "Risk Management"
|
|
72
|
+
},
|
|
73
|
+
{
|
|
74
|
+
"sectionNumber": "500.10",
|
|
75
|
+
"title": "Cybersecurity Personnel and Intelligence",
|
|
76
|
+
"text": "(a) In addition to the requirements set forth in section 500.4(a) of this Part, each Covered Entity shall: (1) utilize qualified cybersecurity personnel of the Covered Entity, an Affiliate or a Third Party Service Provider sufficient to manage the Covered Entity's cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified in section 500.2(b)(1)-(6) of this Part; (2) provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks; and (3) verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.",
|
|
77
|
+
"chapter": "Personnel"
|
|
78
|
+
},
|
|
79
|
+
{
|
|
80
|
+
"sectionNumber": "500.11",
|
|
81
|
+
"title": "Third Party Service Provider Security Policy",
|
|
82
|
+
"text": "(a) Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable: (1) the identification and risk assessment of Third Party Service Providers; (2) minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity; (3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and (4) periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices. (b) Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers including to the extent applicable guidelines addressing: (1) the Third Party Service Provider's policies and procedures for access controls, including its use of Multi-Factor Authentication; (2) the Third Party Service Provider's policies and procedures for use of encryption to protect Nonpublic Information in transit and at rest; (3) notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity's Information Systems or the Covered Entity's Nonpublic Information being held by the Third Party Service Provider; and (4) representations and warranties addressing the Third Party Service Provider's cybersecurity policies and procedures.",
|
|
83
|
+
"chapter": "Third Party Risk Management"
|
|
84
|
+
},
|
|
85
|
+
{
|
|
86
|
+
"sectionNumber": "500.12",
|
|
87
|
+
"title": "Multi-Factor Authentication",
|
|
88
|
+
"text": "(a) Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems. (b) Multi-Factor Authentication shall be required for any individual accessing the Covered Entity's internal networks from an external network, unless the Covered Entity's CISO has approved in writing the use of reasonably equivalent or more secure access controls.",
|
|
89
|
+
"chapter": "Authentication"
|
|
90
|
+
},
|
|
91
|
+
{
|
|
92
|
+
"sectionNumber": "500.13",
|
|
93
|
+
"title": "Limitations on Data Retention",
|
|
94
|
+
"text": "As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information identified in section 500.1(g)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.",
|
|
95
|
+
"chapter": "Data Governance"
|
|
96
|
+
},
|
|
97
|
+
{
|
|
98
|
+
"sectionNumber": "500.14",
|
|
99
|
+
"title": "Training and Monitoring",
|
|
100
|
+
"text": "As part of its cybersecurity program, each Covered Entity shall: (a) implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users; and (b) provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.",
|
|
101
|
+
"chapter": "Training and Awareness"
|
|
102
|
+
},
|
|
103
|
+
{
|
|
104
|
+
"sectionNumber": "500.15",
|
|
105
|
+
"title": "Encryption of Nonpublic Information",
|
|
106
|
+
"text": "(a) As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest. (b) To the extent a Covered Entity determines that encryption of Nonpublic Information in transit over external networks or at rest is infeasible, the Covered Entity may instead secure such Nonpublic Information using effective alternative compensating controls reviewed and approved by the Covered Entity's CISO. (c) To the extent that a Covered Entity is utilizing compensating controls under (b) above, the feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.",
|
|
107
|
+
"chapter": "Encryption"
|
|
108
|
+
},
|
|
109
|
+
{
|
|
110
|
+
"sectionNumber": "500.16",
|
|
111
|
+
"title": "Incident Response Plan",
|
|
112
|
+
"text": "(a) As part of its cybersecurity program, each Covered Entity shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity's Information Systems or the continuing functionality of any aspect of the Covered Entity's business or operations. (b) Such incident response plan shall address the following areas: (1) the internal processes for responding to a Cybersecurity Event; (2) the goals of the incident response plan; (3) the definition of clear roles, responsibilities and levels of decision-making authority; (4) external and internal communications and information sharing; (5) identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls; (6) documentation and reporting regarding Cybersecurity Events and related incident response activities; and (7) the evaluation and revision as necessary of the incident response plan following a Cybersecurity Event.",
|
|
113
|
+
"chapter": "Incident Response"
|
|
114
|
+
},
|
|
115
|
+
{
|
|
116
|
+
"sectionNumber": "500.17",
|
|
117
|
+
"title": "Notices to Superintendent",
|
|
118
|
+
"text": "(a) Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that is either of the following: (1) Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (2) Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity. (b) Each Covered Entity shall annually submit to the superintendent a written statement covering the prior calendar year certifying that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years.",
|
|
119
|
+
"chapter": "Regulatory Reporting"
|
|
120
|
+
}
|
|
121
|
+
]
|
|
122
|
+
}
|
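Review bot: The `regulation` block declares `"last_amended": "2023-11-01"` and the disclaimer says the rule was significantly amended on that date, yet the section texts appear to reproduce the original 2017 wording — for example 500.5 still mandates "bi-annual vulnerability assessments" and 500.12 scopes MFA only to external access to internal networks, both of which I believe the November 2023 amendment reworded (not re-checked against dfs.ny.gov here, so verify before relying on this). A consumer querying this seed for current MFA, vulnerability-management or notification obligations would get superseded requirements, which matters for a compliance tool. Either re-extract the sections from the amended text or make the metadata describe the version actually captured, e.g. `"verification_method": "Extracted from 23 NYCRR 500 as adopted 2017-03-01 (pre-2023 amendment text)"`. Separately, the 500.1 `text` value is split across two lines in this view; if that break exists in the stored file it is a raw newline inside a JSON string and the file will not parse, so confirm it is only a rendering artifact.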
|
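--- a/package/data/seed/sox.json
+++ b/package/data/seed/sox.json
@@ -0,0 +1,109 @@
+{
+"regulation": {
+"id": "SOX",
+"full_name": "Sarbanes-Oxley Act of 2002",
+"citation": "Pub.L. 107-204, 15 U.S.C. §§ 7201-7266, 18 U.S.C. §§ 1348-1350",
+"effective_date": "2002-07-30",
+"jurisdiction": "federal",
+"regulation_type": "statute"
+},
+"source": {
+"official_url": "https://www.congress.gov/bill/107th-congress/house-bill/3763",
+"publisher": "United States Congress",
+"last_verified": "2026-01-29",
+"verification_method": "Extracted from official Sarbanes-Oxley Act of 2002 statutory text and SEC implementing regulations",
+"disclaimer": "This includes key provisions from the Sarbanes-Oxley Act statute (15 U.S.C. and 18 U.S.C.) and SEC implementing regulations (17 CFR). For IT compliance purposes, Section 404 and related SEC rules are most relevant. This is not a complete compilation of all SOX requirements. Consult SEC.gov and legal counsel for comprehensive compliance guidance."
+},
+"sections": [
+{
+"sectionNumber": "SOX-101",
+"title": "Section 101 - Establishment; Administrative Provisions",
+"text": "There is established the Public Company Accounting Oversight Board, to oversee the audit of companies that are subject to the securities laws, and related matters, in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports. The Board shall be a body corporate, operate as a nonprofit corporation, and have succession until dissolved by an Act of Congress enacted after this Act. The Board shall not be an agency or establishment of the United States Government, and, except as otherwise provided in this Act, shall be subject to, and have all the powers conferred upon a nonprofit corporation by, the District of Columbia Nonprofit Corporation Act.",
+"chapter": "Title I - Public Company Accounting Oversight Board"
+},
+{
+"sectionNumber": "SOX-201",
+"title": "Section 201 - Services Outside the Scope of Practice of Auditors",
+"text": "It shall be unlawful for a registered public accounting firm to provide any non-audit service to an issuer contemporaneously with the audit, including: (1) bookkeeping or other services related to the accounting records or financial statements of the audit client; (2) financial information systems design and implementation; (3) appraisal or valuation services, fairness opinions, or contribution-in-kind reports; (4) actuarial services; (5) internal audit outsourcing services; (6) management functions or human resources; (7) broker or dealer, investment adviser, or investment banking services; (8) legal services and expert services unrelated to the audit; (9) any other service that the Board determines, by regulation, is impermissible. A registered public accounting firm may engage in any non-audit service, including tax services, that is not described above for an audit client, only if the activity is approved in advance by the audit committee of the issuer.",
+"chapter": "Title II - Auditor Independence"
+},
+{
+"sectionNumber": "SOX-301",
+"title": "Section 301 - Public Company Audit Committees",
+"text": "The audit committee of each issuer shall be directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by that issuer for the purpose of preparing or issuing an audit report or related work, and each such registered public accounting firm shall report directly to the audit committee. Each member of the audit committee of the issuer shall be a member of the board of directors of the issuer, and shall otherwise be independent. In order to be considered to be independent, a member of an audit committee of an issuer may not, other than in his or her capacity as a member of the audit committee, the board of directors, or any other board committee: (i) accept any consulting, advisory, or other compensatory fee from the issuer; or (ii) be an affiliated person of the issuer or any subsidiary thereof. Each audit committee shall establish procedures for the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.",
+"chapter": "Title III - Corporate Responsibility"
+},
+{
+"sectionNumber": "SOX-302",
+"title": "Section 302 - Corporate Responsibility for Financial Reports",
+"text": "The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934, that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that: (1) the signing officer has reviewed the report; (2) based on the officer's knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading; (3) based on such officer's knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report; (4) the signing officers are responsible for establishing and maintaining internal controls, have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers, have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report, and have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation.",
+"chapter": "Title III - Corporate Responsibility"
+},
+{
+"sectionNumber": "SOX-404",
+"title": "Section 404 - Management Assessment of Internal Controls",
+"text": "The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report, which shall: (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.",
+"chapter": "Title IV - Enhanced Financial Disclosures"
+},
+{
+"sectionNumber": "SOX-409",
+"title": "Section 409 - Real Time Issuer Disclosures",
+"text": "Each issuer reporting under section 13(a) or 15(d) of the Securities Exchange Act of 1934 shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.",
+"chapter": "Title IV - Enhanced Financial Disclosures"
+},
+{
+"sectionNumber": "SOX-802",
+"title": "Section 802 - Criminal Penalties for Altering Documents",
+"text": "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both. Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any Federal offense, shall be fined under this title or imprisoned not more than 10 years, or both.",
+"chapter": "Title VIII - Corporate and Criminal Fraud Accountability"
+},
+{
+"sectionNumber": "SOX-806",
+"title": "Section 806 - Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud",
+"text": "No company with a class of securities registered under section 12 of the Securities Exchange Act of 1934, or that is required to file reports under section 15(d) of the Securities Exchange Act of 1934, or any officer, employee, contractor, subcontractor, or agent of such company, may discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee in the terms and conditions of employment because of any lawful act done by the employee to provide information, cause information to be provided, or otherwise assist in an investigation regarding any conduct which the employee reasonably believes constitutes a violation of section 1341, 1343, 1344, or 1348, any rule or regulation of the Securities and Exchange Commission, or any provision of Federal law relating to fraud against shareholders, when the information or assistance is provided to or the investigation is conducted by a Federal regulatory or law enforcement agency, any Member of Congress or any committee of Congress, or a person with supervisory authority over the employee.",
+"chapter": "Title VIII - Corporate and Criminal Fraud Accountability"
+},
+{
+"sectionNumber": "SOX-906",
+"title": "Section 906 - Corporate Responsibility for Financial Reports",
+"text": "Whoever certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both; or whoever willfully certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $5,000,000 or imprisoned not more than 20 years, or both. Each periodic report containing financial statements filed by an issuer with the Securities Exchange Commission pursuant to section 13(a) or 15(d) of the Securities Exchange Act of 1934 shall be accompanied by a written statement by the chief executive officer and chief financial officer of the issuer.",
+"chapter": "Title IX - White-Collar Crime Penalty Enhancements"
+},
+{
+"sectionNumber": "17-CFR-229.308",
+"title": "SEC Regulation S-K Item 308 - Internal Control Over Financial Reporting",
+"text": "(a) Management's annual report on internal control over financial reporting. Provide a report of management on the registrant's internal control over financial reporting that contains: (1) A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the registrant; (2) A statement identifying the framework used by management to evaluate the effectiveness of the registrant's internal control over financial reporting; (3) Management's assessment of the effectiveness of the registrant's internal control over financial reporting as of the end of the registrant's most recent fiscal year, including a statement as to whether or not internal control over financial reporting is effective. This discussion must include disclosure of any material weakness in the registrant's internal control over financial reporting identified by management; (4) If the registrant is an accelerated filer or a large accelerated filer, a statement that the registered public accounting firm that audited the financial statements included in the annual report containing the disclosure required by this Item has issued an attestation report on the registrant's internal control over financial reporting.",
+"chapter": "SEC Implementing Regulations"
+},
+{
+"sectionNumber": "17-CFR-240.13a-15",
+"title": "SEC Rule 13a-15 - Controls and Procedures",
+"text": "(a) Every issuer that has a class of securities registered pursuant to section 12 of the Act, other than an Asset-Backed Issuer, must maintain disclosure controls and procedures designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the Act is recorded, processed, summarized and reported, within the time periods specified in the Commission's rules and forms and that information required to be disclosed by an issuer in the reports that it files or submits under the Act is accumulated and communicated to the issuer's management, including its principal executive and principal financial officers, as appropriate to allow timely decisions regarding required disclosure. (b) Each such issuer must maintain a system of internal accounting controls sufficient to provide reasonable assurance that: (1) transactions are executed in accordance with management's general or specific authorization; (2) transactions are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles and to maintain accountability for assets; (3) access to assets is permitted only in accordance with management's general or specific authorization; (4) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.",
+"chapter": "SEC Implementing Regulations"
+},
+{
+"sectionNumber": "17-CFR-240.13a-14",
+"title": "SEC Rule 13a-14 - Certification of Disclosure in Annual and Quarterly Reports",
+"text": "(a) Each report, including transition reports, filed on Form 10-Q, Form 10-K, Form 20-F or Form 40-F under section 13(a) of the Act must include certifications in the form specified in the applicable exhibit filing requirements of such report and such certifications must be filed as an exhibit to such report. Each principal executive and principal financial officer of the issuer, or persons performing similar functions, at the time of filing of the report must sign a certification. (b) Each periodic report containing financial statements filed by an issuer pursuant to section 13(a) of the Act must be accompanied by the certifications required by Section 1350 of Chapter 63 of Title 18 of the United States Code and such certifications must be furnished as an exhibit to such report.",
+"chapter": "SEC Implementing Regulations"
+},
+{
+"sectionNumber": "PCAOB-AS-2201",
+"title": "PCAOB AS 2201 - An Audit of Internal Control Over Financial Reporting",
+"text": "The auditor's objective in an audit of internal control over financial reporting is to express an opinion on the effectiveness of the company's internal control over financial reporting. Because a company's internal control cannot be considered effective if one or more material weaknesses exist, to form a basis for expressing an opinion, the auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management's assessment. A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. The auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting.",
+"chapter": "PCAOB Auditing Standards"
+},
+{
+"sectionNumber": "PCAOB-AS-2201-B",
+"title": "PCAOB AS 2201 - Evaluating Design and Operating Effectiveness",
+"text": "The auditor must test the design effectiveness and operating effectiveness of controls. Design effectiveness means the control, if operated as designed, satisfies the control objective. Operating effectiveness means the control was applied as designed and by a person who has the necessary authority and qualifications to perform the control effectively. Procedures the auditor performs to test operating effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, inspection of relevant documentation, and re-performance of the control. The evidence necessary to persuade the auditor that a control is effective depends on the risk associated with the control. The risk associated with a control consists of the risk that the control might not be effective and, if not effective, the risk that a material weakness would result.",
+"chapter": "PCAOB Auditing Standards"
+},
+{
+"sectionNumber": "IT-GENERAL-CONTROLS",
+"title": "IT General Controls for SOX Compliance",
+"text": "IT General Controls (ITGCs) are foundational controls that support the effectiveness of application controls and the integrity of financial information. SOX-relevant ITGCs include: (1) Access to Programs and Data - controls ensuring only authorized users can access systems, including user provisioning, authentication, authorization, and access reviews; (2) Program Changes - controls ensuring changes to applications are properly authorized, tested, and approved before implementation; (3) Computer Operations - controls ensuring systems operate as intended, including job scheduling, backup procedures, and incident management; (4) Program Development - controls ensuring new systems are developed with appropriate security, testing, and approval. Management must document the design and operating effectiveness of ITGCs as part of the Section 404 assessment. External auditors evaluate ITGCs as part of the integrated audit. Common frameworks for evaluating ITGCs include COBIT, NIST, and ISO 27001.",
+"chapter": "IT Compliance Guidance"
+}
+]
+}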
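Review bot: The `sections` array mixes verbatim statute text with SEC rule text, PCAOB standard excerpts (`PCAOB-AS-2201`, and `PCAOB-AS-2201-B`, which does not appear to be an official PCAOB identifier) and an editorially written entry (`IT-GENERAL-CONTROLS`), yet nothing at the section level records which kind each is, and the record-level `verification_method` and `disclaimer` (file lines 14–15) only describe statutory text and 17 CFR. A consumer of this seed that is asked for "SOX requirements" would receive the ITGC guidance and the PCAOB paraphrase with the same authority as the statutory sections, which matters for a compliance tool whose answers may be relied on. If the ingest schema tolerates extra fields, a per-section `"source_type"` with values such as `"statute"`, `"sec_rule"`, `"pcaob_standard"` and `"guidance"` would fix this; otherwise the disclaimer should at least be extended with `This file also contains PCAOB auditing-standard excerpts and editorial IT General Controls guidance that are not statutory or regulatory text.`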
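--- a/package/dist/ingest/adapters/colorado-public.d.ts
+++ b/package/dist/ingest/adapters/colorado-public.d.ts
@@ -0,0 +1,25 @@
+/**
+* Colorado Privacy Act Adapter
+*
+* Fetches Colorado CPA from official Colorado General Assembly sources.
+* Source: C.R.S. § 6-1-1301 to 6-1-1313
+*
+* Official Source: https://leg.colorado.gov/colorado-revised-statutes
+*
+* NOTE: Uses seed data extracted from official Colorado Revised Statutes.
+* The Colorado General Assembly publishes statutes in PDF format at leg.colorado.gov.
+* This adapter uses pre-verified seed data to ensure accuracy and avoid
+* reliance on third-party aggregators.
+*/
+import { SourceAdapter, RegulationMetadata, Section, Definition, UpdateStatus } from '../framework.js';
+export declare class ColoradoLegAdapter implements SourceAdapter {
+private readonly regulationId;
+private readonly seedPath;
+constructor();
+fetchMetadata(): Promise<RegulationMetadata>;
+fetchSections(): AsyncGenerator<Section[]>;
+extractDefinitions(): Promise<Definition[]>;
+checkForUpdates(lastFetched: Date): Promise<UpdateStatus>;
+}
+export declare function createColoradoAdapter(): SourceAdapter;
+//# sourceMappingURL=colorado-public.d.ts.map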