Computer Security, Privacy and Crime Laws

From the CISSSP Prep Guide: Krutz, Ronald L. and Vines, Russell Dean, The CISSP Prep Guide: Mastering the Ten Domains of Network Security; John Wiley & Sons, New York, New York, 2001, 305308.

The following is a summary of laws, regulations, directives and lists requirements pertaining to the protection of computer-related information: 1970 U.S. Fair Credit Reporting Act. Covers consumer reporting agencies. 1970 U.S. Racketeer Influenced and Corrupt Organization Act (RICO). Addresses both criminal and civil crimes involving racketeers influencing the operation of legitimate businessescrimes cited in this act include mail fraud, securities fraud, and the use of a computer to perpetrate fraud. 1973 U. S. Code Of Fair Information Practices. Applies to personal recordkeeping. 1974 U.S. Privacy Act. Applies to federal agencies. Provides for the protection of information about private individuals that is held in federal databases, and grants access by the individual to these databases. 1980 Organization For Economic Cooperation and Development (OECD) Guidelines. Provides for data collection limitations, the quality of the data, specifications of the purpose for data collection, limitations on data use, information security safeguards, openness, participation by the individual on whom the data is being collected, and accountability of the data controller. 1984 U.S. Medical Computer Crime Act. Addresses illegal access or alteration of computerized medical records through phone or data networks. 1984 (Strengthened in 1988 and 1994) First U.S. Federal Computer Crime Law Passed. Covered classified defense or foreign relations information, records of financial institutions or credit reporting agencies, and government computers. Unauthorized access or access in excess of authorization became a felony for classified information and a misdemeanor for financial information. This law made it a misdemeanor to knowingly access an U.S. Government computer without or beyond authorization if the U.S Government's use of the computer would be affected. 1988 (Amended in 1996) U.S. Computer Fraud and Abuse Act. Clarified the 1984 law and added three new crimes: 1. When use of a federal interest computer furthers an intended fraud. 2. Altering, damaging, or destroying information in a federal interest computer or preventing the use of the computer or information that causes a loss of $1000 or more or could impair medical treatment.

3. Trafficking in computer passwords if it affects interstate or foreign commerce or permits unauthorized access to government computers. 1986 U.S. Electronic Communications Privacy Act. Prohibits eavesdropping or the interception of message contents without distinguishing between private or public systems. 1987 Computer Security Act. Places requirements on federal government agencies to conduct security-related training, to identify sensitive systems, and to develop a security plan for those sensitive systems. A category of sensitive information called Sensitive But Unclassified (SBU) has to be considered. This category, formerly called Sensitive Unclassified Information (SUI), pertains to information below the Government's Classified level that is important enough to protect, such as medical information, financial information and research and development knowledge. This act also partitioned the government's responsibility for security between the National Institute of Standards and Technology (NISA) and the National Security Agency (NSA.) NIST was given responsibility for information security in general, (primarily for the commercial and SBU arenas), and NSA retained the responsibility for cryptography for classified government and military applications. 1991 Federal Sentencing Guidelines. Provides punishment guidelines for those found guilty of breaking federal law. These guidelines are as follows: 1. Treat the unauthorized possession of information without the intent to profit from the information as a crime. 2. Address both individuals and organizations. 3. Make the degree of punishment a function of the extent to which the organization has demonstrated due diligence (due care or reasonable care) in establishing a prevention and detection program. 4. Invoke the prudent man rule that requires senior officials to perform their duties with the care that ordinary, prudent people would exercise under similar circumstances. 5. Place responsibility on senior organizational management for the prevention and detection programs with fines of up to $290 million for nonperformance. 1992 OECD Guidelines to Serve as a Total Security Framework. Framework includes laws, policies, technical and administrative measures, and education. 1994 U.S. Communications Assistance for Law Enforcement Act. Requires all communications carriers to make wiretaps possible. 1994 U.S. Computer Abuse Amendments Act. This act accomplished the following: 1. Changed the federal interest computer to a computer used in interstate commerce or communications. 2. Covers viruses and worms. 3. Included intentional damage as well as damage done with "reckless disregard of substantial and unjustifiable risk". 4. Limited imprisonment for the unintentional damage to one year. 5. Provides for civil action to obtain compensatory damages or other relief.

1998 Council Directive (Law) on Data Protection for the European Union (EU). Declares that each EU nation is to enact protections similar to those of the OECD Guidelines. 1990 U.S. Economic and Protection of Proprietary Information Act. Addresses industrial and corporate espionage and extends the definition of property to include proprietary economic information in order to cover theft of this information. 1996 U.S. Kennedy-Kassenbaum Health Insurance and Portability Accountability Act (HIPPA) (with the additional requirements added in December of 2000). Addresses the issues of personal health care information privacy and health plan portability in the United States. 1996 U.S. National Information Infrastructure Protection Act. Enacted in October of 1996 as part of Public Law 104-294, it amended the Computer Fraud and Abuse Act, which is codified at 18 U.S.C. 1030. The amended Computer Fraud and Abuse Act is patterned after the OECD Guidelines for the Security of Information Systems and addresses the protection of the confidentiality, integrity, and availability of data and systems. This path is intended to encourage other countries to adopt a similar framework, thus creating a more uniform approach to addressing computer crime in the existing global information infrastructure. Generally Accepted Systems Security Principles (GASSP). These items are not laws, but are accepted principles that have a foundation in the OECD Guidelines. 1. Computer security supports the mission of the organization. 2. Computer security is an integral element of sound management. 3. Computer security should be cost-effective. 4. Systems owners have security responsibilities outside their organizations. 5. Computer security responsibilities and accountability should be made explicit. 6. Computer security requires a comprehensive and integrated approach 7. Computer security should be periodically reassessed. 8. Computer security is constrained by societal factors. As of this writing, there is also pending legislation dealing with U.S. Government procurement issues and electronic transactions. These pending laws are: The Uniform Electronic Transactions Act (UM A) and the Uniform Computer Information Transactions Act (UCITA.) The UETA applies to practices at the state level that are covered in the Federal Electronic Signatures in Global and Nation Commerce Act of 2000 (E-Sign.) As the result of this legislation, a major change would be the permission to use electronic signatures for certain transactions. UCITA legislation deals with shrink-wrap and click-wrap licensing agreements With these agreements, a user explicitly agrees to the licensing terms upon opening the shrink-wrapped box of new software or when asked to click agreement to terms in order to install the new software It makes such licensing agreements legally binding but does not hold the software developer liable for consequential damages due to the softwares failure to perform. UCITA essentially confirms the status quo.

From: http://www.ecu.edu/cs-itcs/itsecurity/GLB.cfm The Gramm-Leach Bliley Act The Gramm-Leach Bliley Act (GLBA) requires financial institutions, including colleges and universities, to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards appropriate to the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of any customer-information issue.

From: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

The Family Educational Rights and Privacy Act The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. The Protection of Pupil Rights Amendment The Protection of Pupil Rights Amendment (PPRA) (20 U.S.C. 1232h; 34 CFR Part 98) applies to programs that receive funding from the U.S. Department of Education (ED). PPRA is intended to protect the rights of parents and students in two ways: It seeks to ensure that schools and contractors make instructional materials available for inspection by parents if those materials will be used in connection with an EDfunded survey, analysis, or evaluation in which their children participate; and It seeks to ensure that schools and contractors obtain written parental consent before minor students are required to participate in any ED-funded survey, analysis, or evaluation that reveals some types of personal information.

From: http://www.ecu.edu/cs-itcs/itsecurity/HIPAA-Privacy-Security.cfm
HIPAA Privacy and Security

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) main goal was to ensure the portability of health insurance benefits particularly as individuals moved from job to job. The Privacy Rule sets the standards for how protected patient health information should be controlled.

The Security Rule mandates physical and technical safeguards that should be put in place to ensure adequate ongoing protection of electronic protected healthcare information (EPHI). These safeguards are based upon information security best practices. All workforce members must be trained on HIPAA security issues if they access computers that contain EPHI.

From http://www.randomneuron.com/security/laws.htm

Primary Source: SecurityFocus - U.S. Information Security Law, Part One: Protecting Private Sector Systems, and Information Security Professionals and Trade Secrets by Steven Robinson last updated Feb 25, 2003

The Wiretap Act - (1968, amended 1996)

Imposes civil and criminal liability on any person who intentionally uses or attempts to use any electronic, mechanical, or other device, either directly or through another person, to intercept any oral communication: Federal Privacy Act of 1974 It requires government agencies to limit disclosure of collected personal information to only authorized persons; to keep the records accurate, relevant to the purpose of the agency, timely, and complete; and to safeguard the security of the records.
CFAA - Computer Fraud and Abuse Act (1986, amended 1996)

The CFAA imposes liability on anyone who:

Intentionally accesses a protected computer without authorization or in excess of authority, and by doing so, steals anything of value, other than the use of the computer itself, where that computer use is worth more than $5,000 in any one year period; Knowingly transmits a program, code or instruction, and as a result, intentionally causes damage, without authorization, to a protected computer; Intentionally accesses a protected computer without authorization, and as a result, causes damage, recklessly or otherwise; Knowingly traffics illegally in passwords or other access credentials that allow unauthorized access to a computer, if that traffic effects interstate or foreign commerce or the computer is used by or for the United States government; Threatening to damage a protected computer with intent to extort anything of value; or Attempts to do any of the above.

The second part of the definition, the language that extends the CFAA's protections to any computer "used in interstate of foreign communication," is responsible for the great breadth of the CFAA's present applicability, because that language brings essentially every computer with Internet access within the scope of the statute. Electronic Communications Privacy Act (1986)

PL 99-508 - Updated USC to cover electronic communications. It prohibits any interception of communications (without an authorized court order or jurisdiction).

The Stored Communications Act

The Stored Communications Act, 18 U.S.C. 2701-12, protects stored communications from being accessed and disclosed without authorization.

U.S Economic and Protection of Proprietary Information Act 1996 The Act makes it a federal criminal act for any person to convert a trade secret to his own benefit or the benefit of others intending or knowing that the offense will injure any owner of the trade secret. The conversion of a trade secret is defined broadly to cover every conceivable act of trade secret misappropriation including theft, appropriation without authorization, concealment, fraud artifice, deception, copying without authorization, duplication, sketches, drawings, photographs, downloads, uploads, alterations, destruction, photocopies, transmissions, deliveries, mail, communications, or other transfers or conveyances of such trade secrets without authorization.
Under this act, Computer source code is considered to be a trade secret.

DMCA - The Digital Millennium Copyright Act The Digital Millennium Copyright Act, 17 U.S.C. 1201- 05 (the "DMCA"), provides that: "no person shall circumvent a technological measure that effectively controls access to a work protected under this title [the Copyright Law]," and goes on to prohibit the "manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that " "(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to [a copyrighted work];" "(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to [a copyrighted work]; or" "(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to [a copyrighted work]."

The DMCA defines the term "circumvent a technological measure" [to] mean[] to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner. 17 U.S.C. 1201 (a). This provision of the DMCA assists licensors of digitized copyrighted works in restricting access to those who obtain access to it lawfully and are therefore entitled to decrypt the work.

Sarbanes-Oxley Act of 2002 Enacted in response to the high-profile Enron and WorldCom financial scandals The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." The consequences for non-compliance are fines, imprisonment, or both.

The legislation affects the IT departments whose job it is to store a corporation's electronic records