Copyright © Center for Systems Security and Information Assurance Lesson Three Legal, Ethical Issues in Information Security


Lesson Three

Legal, Ethical Issues in Information Security


Lesson Objectives

• Describe the fundamentals of the American legal system.

• Define the basic terms associated with the legal process.

• Explain the difference between criminal and civil law.

• Describe the role of the Judicial branch.

• Differentiate between laws and ethics.

• Identify major national laws that relate to the practice of information security.

• Understand the role of culture as it applies to ethics in information security.


Law and Ethics in Information Security

• Laws: Rules adopted for determining expected behavior. Laws are drawn from ethics.

• Ethics: Define socially acceptable behaviors. Ethics, in turn, are based on cultural mores: fixed moral attitudes or customs of a particular group.


Code of Ethics

• To perform all professional activities in accordance with all applicable laws and the highest ethical principles.

• To promote generally accepted information security practices and standards.

• To discharge professional responsibilities with diligence and honesty.


Computing Ethics

Our study of computing ethics involves asking the questions of “right and proper conduct when using computers”:

What is good, what is bad?

What is right, what is wrong?


Computing Ethics

• When examining computing ethics, it is tempting to oversimplify ethical problems by reducing them to issues of computer crime and data security.

• In reality, the moral concerns and dilemmas confronting computing professionals are far broader than in most other situations.


Ten Commandments Of Computer Ethics

1. Thou Shall Not Use A Computer To Harm Other People.

2. Thou Shall Not Interfere With Other People’s Computer Work.

3. Thou Shall Not Snoop Around In Other People’s Computer Files.

4. Thou Shall Not Use A Computer To Steal.

5. Thou Shall Not Use A Computer To Bear False Witness.

6. Thou Shall Not Copy Or Use Proprietary Software For Which You Have Not Paid.

(Created by the Computer Ethics Institute)


Ten Commandments Of Computer Ethics

7. Thou Shall Not Use Other People’s Computer Resources Without Authorization Or Proper Compensation.

8. Thou Shall Not Appropriate Other People’s Intellectual Output.

9. Thou Shall Think About The Social Consequences Of The Program You Are Writing Or The System You Are Designing.

10. Thou Shall Always Use A Computer In Ways That Insure Consideration And Respect For Your Fellow Humans.

Created by the Computer Ethics Institute


Law and Information Security

• Information technology professionals, and particularly those in the medical, legal, and accounting fields, want to use the Internet to conduct their businesses.

• Email and electronic communications have become a part of everyday life.

• Security incidents have led to several new federal and local laws as well as a rush by organizations to take appropriate measures to protect their assets.


Source of American Law

• The sources of law in the American legal system are protected by the following authority:
  • U.S. Constitution
  • Federal statutes
  • Federal court decisions
  • State constitutions
  • State statutes
  • State court decisions

• The U.S. Supreme Court, however, has the final decision about the constitutionality of governmental actions.


US Constitution

• The U.S. Constitution is the supreme law and is the basis of our system of justice.

• Articles I, II and III form and describe the legislative branch, executive branch and the judicial branch.

• Article IV describes relations between the states.

• Article V is the amendment process.

• Article VI describes past debts, the supremacy clause, and no religious test for federal office.

• Article VII describes the ratification process.


United States Constitution

• Bill of Rights – first ten amendments

• The fundamental rights granted to individuals.

The 1st, 10th, and 14th Amendments define equal protection and due process.

The 11th Amendment – protection to states from suits in federal courts by citizens of other states.

http://www.house.gov/Constitution/Constitution.html


Judicial Review Process

• Judicial review is the power of the judicial branch of government to decide whether or not acts of government are constitutional and consistent.

• Judges maintain limited government and the rule of law by upholding the supremacy of the Constitution, federal and local statutes and previous court decisions.

• All courts in the United States, federal and state, may use the power of judicial review.


Civil Versus Criminal Litigation

The American judicial system has two distinctly different court systems to deal with different issues.

• Civil and criminal court system.

• Basic differences between the systems:
  • The purpose of litigation
  • The parties involved
  • Burden of proof needed to convict
  • The remedies to be considered


Purpose of Litigation

• Civil cases involve conflicts between people or institutions such as businesses.

• Criminal cases involve enforcing public codes of behavior as embodied in the laws, with the government prosecuting individuals or institutions.


The Parties to a Lawsuit

The American system of justice is based on an adversarial system of justice. This system is designed to promote the discovery of the truth while maintaining court impartiality.

The parties to a lawsuit include:

• The party bringing the suit is called the “plaintiff”.

• The party accused is called the “defendant(s)”.

• Either party may also have intervening and joined parties.


Legal Burden of Proof

• The criminal standard of proof on the prosecution is proof beyond all reasonable doubt, which means proof to a high degree of probability but not proof beyond a shadow of a doubt.

In a criminal case, the jury must be unanimous to convict.

• The civil standard of proof on both parties is proof on the balance of probabilities, i.e., that an allegation is more probable than not.

In a civil case, normally just a majority of the jury is needed to convict.


Legal Remedies

• Civil law remedies:
  • Monetary damages
  • A court injunction - an equitable remedy in the form of a court order that prohibits a party from continuing a particular activity.

• Criminal case remedies:
  • Criminal fine
  • Incarceration
  • Capital punishment


Code Law Versus Common Law Jurisdictions

• Code Law: The Code Napoleon takes the civilian law approach. Civilian law is based on scholarly research and the drafting of legal code which is passed into law by the legislative branch. It is then the judge's job to interpret that intent more than to follow judicial precedent.

• Common Law: Common law is law that comes from the common people, not legislation (practiced in 49 states). Common law is based on two concepts: Do all you have agreed to do; Do not encroach on other persons or their property.


Judicial Precedent

• Precedent is a previously reported decision by an appellate court that establishes a point of law on a specific issue.

• In the law, decisions in previous cases play a significant role in the presentation, understanding, and outcome of new cases.

• This is particularly true in the area of contract law where few statutes (explicit legal rules) exist.


Judicial Precedent

• Stare Decisis, which means to stand by the decided, whereby lower courts are bound to apply the legal principles set down by superior courts in earlier cases.

• The binding part of a previous decision is the ratio decidendi (reason for the decision) and it must be followed by judges in later cases.

• Anything said obiter dictum (by the way) in the original case is merely persuasive because it was not strictly relevant to the matter in issue and does not have to be followed.


Jurisdiction

• A court has no authority to decide a case unless it has jurisdiction over the person or property involved. To have jurisdiction,
  • a court must have authority over the subject matter of the case, and
  • the court must be able to exercise control over the defendant, or
  • the property involved must be located in the area under the court's control.

• The extent of the court's control over persons and property is set by law.


Jurisdiction

• Certain judicial actions are transitory. They can be brought wherever the defendant may be found and served with a summons, and where the jurisdiction has sufficient contact with one of the parties and the incident that gave rise to the suit.

• Other actions, such as foreclosing on a piece of property, are local. They can be brought only in the county where the subject of the suit is located.


Original and Appellate Jurisdiction

• Original jurisdiction is the authority to hear trials.

• Appellate jurisdiction is the authority to hear appeals. The principal functions of an appellate court are:
  • to correct errors in the decisions of trial courts or in the reasoning used by them in reaching those decisions; and
  • to develop the body of law through judicial exposition.


Types of Courts

• Functional organization of federal and state courts
  • trial courts
  • intermediate appellate courts
  • highest appellate courts

• Geographic organization of federal courts
  • Made up of 94 U.S. judicial districts
  • Organized into 12 regional circuits

http://www.usdoj.gov/usao/eousa/kidspage/circuit.html


Federal Circuit Court System


Venue

• Venue refers to the county or district within a state or the U.S. where the lawsuit is to be tried.

• The venue of a lawsuit is set by statute, but it can sometimes be changed to another county or district.

• Venue also may be changed for the convenience of witnesses.


Pleadings

A lawsuit begins when the person bringing the suit files a complaint. Pleadings are certain formal documents filed with the court that state the parties' basic positions. Common pre-trial pleadings include:

• Complaint (or petition or bill)
• Counts
• Answer
• Reply
• Counterclaims


Pleadings

• The complaint is probably the most important pleading in a civil case, since by setting out the plaintiff's version of the facts and specifying the damages, it frames the issues of the case.

• It includes various counts - that is, distinct statements of the plaintiff’s cause of action - highlighting the factual and legal basis of the suit.


Pleadings

• Answer. This statement by the defendant usually explains why the plaintiff should not prevail. It may also offer additional facts, or plead an excuse.

• Reply. Any party in the case may have to file a reply, which is an answer to new allegations raised in pleadings.


Pleadings

• Counterclaim. The defendant may file a counterclaim, which asserts that the plaintiff has injured the defendant in some way, and should pay damages. ("You're suing me? Well then, I'm suing you.") It may be filed separately or as part of the answer. If a counterclaim is filed, the plaintiff must be given the opportunity to respond by filing a reply.


Types of Motions

Motions are not pleadings but are requests for the judge to make a legal ruling. Some of the most common pre-trial motions include:

Motion to Discover. A motion by which one party seeks to gain information from the adverse party.

Motion to Dismiss. This motion asks the court to dismiss the suit because the suit doesn’t have a legally sound basis, even if all the facts alleged are proven true.


Motion for Summary Judgment

• Motion for Summary Judgment (sometimes called motion for summary disposition).

• This motion asks the court for a judgment on the merits of the case before the trial.

• It is properly made where there is no dispute about the facts and only a question of law needs to be decided.


Due Process

• Due process is the principle that guarantees basic fairness, as embodied in current legal doctrines. These take the form of procedural protections against arbitrary actions by governmental authorities and substantive rights not to have life, liberty and property taken away to serve the interest of an oppressive majority.

• Due process, in the context of the United States, refers to how and why laws are enforced. It applies to all persons, citizens or aliens, as well as to corporations.


Due Process Guarantees

• Due process requires that laws be written so that a reasonable person can understand what is criminal behavior.

• Generally, due process guarantees the following:
  • Right to a fair public trial conducted in a competent manner
  • Right to be present at the trial
  • Right to an impartial jury
  • Right to be heard in one’s own defense


U.S. Laws Addressing Information Security

• Computer Fraud and Abuse Act of 1986

• Communications Decency Act of 1996

• USA Patriot Act of 2001

• National Information Infrastructure Protection Act of 1996

• Telecommunications Deregulation and Competition Act of 1996

• Communications Decency Act (CDA)

• Computer Security Act of 1987


The Computer Fraud and Abuse Act of 1986

• The Computer Fraud and Abuse Act of 1986 focuses primarily on protecting "government-interest" computers.

• Specifically, the law prohibits the use of "a program, information, code or command" with intent to damage, cause damage to, or deny access to a computer system or network.

• The Act also specifically prohibits unintentional damage if the perpetrator demonstrates reckless disregard of the risks of causing such damage.

http://www.usdoj.gov/criminal/cybercrime/1030_new.html


Communications Decency Act of 1996

The Communications Decency Act of 1996 is a statute prohibiting anyone using interstate or communications from transmitting obscene or indecent materials when they know that the recipient is under 18 years of age - regardless of who initiated the communications.

http://usinfo.state.gov/usa/infousa/laws/majorlaw/s652titl.htm


The Question of Privacy

• The issue of privacy has become one of the hottest topics in information security.

• The widespread use of technology has provided the ability to collect information on an individual, combine facts from separate sources, and merge it with other information.

• This aggregation of data from multiple sources permits unethical organizations to build databases of facts with frightening capabilities.


U.S. Laws Addressing Individual Privacy

• Federal Privacy Act of 1974

• The Electronic Communications Privacy Act of 1986

• The Health Insurance Portability & Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act

• The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999


Freedom of Public Information

• It has been said that access and control of information is power.

• Congress passed the Freedom of Information Act (FOIA) to provide:
  • Greater scrutiny of government agencies.
  • To enable individuals to access government records that contained information about them.

http://www.november.org/resources/FOIA-PA.pdf


The Electronic Communications Privacy Act (ECPA) of 1986

• Assigns fines and prison sentences for anyone convicted of unauthorized interception and disclosure of electronic communications.

• Prohibits making use of an unlawfully overheard electronic communication if the interceptor knows that the message was unlawfully obtained.

• Prohibits access to stored messages, not just those in transit.

http://policyworks.gov/policydocs/5.pdf


Freedom of Information Act of 1966 (FOIA)

• The FOIA provides any person with the right to request access to federal agency records or information that have not been determined to be matters of national security.

• There are exceptions for information that is protected from disclosure, and the Act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA.


What is HIPAA?

• The Department of Health and Human Services has developed a series of privacy regulations known collectively as the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").

• These regulations are designed to protect the privacy rights of individuals with regard to their confidential medical records.

• The act greatly restricts the dissemination and transmittal of personal patient information and will dramatically affect the way healthcare information is handled.

http://www.mtworld.com/tools_resources/understanding_hipaa.html


Gramm-Leach-Bliley Act (GLBA)

• Passed to ensure the protection of consumer privacy.

• Data protection provisions are comprehensive, requiring the Regulators (Banking, Insurance, FTC and SEC) to establish appropriate standards for safeguarding financial institutions' customer records and information.

• Affects a broad range of organizations including banks, insurance companies, securities firms, tax preparers, mortgage brokers and lenders, real estate agents and appraisers, financial planners and credit card companies.


Gramm-Leach-Bliley Act (GLBA)

• Compliance is mandatory. Financial institutions that do not meet these new information security requirements are subject to enforcement and liability exposure.

• Consequences for failing to comply include enforcement actions with fines up to $1,000,000 and other penalties.


Sarbanes-Oxley Act (Sarbox)

• A statute passed in 2002 to address the rash of corporate fraud. An attempt to fight corporate corruption.

• It involved the corporate officers, auditors, and attorneys of publicly traded companies.

• Corporate officers who willfully and knowingly certify a false financial report can be fined up to 4% million and 20 years in prison.


U.S. Laws Addressing US Copyright Law

• Intellectual property is recognized as a protected asset in the US.

• US copyright law extends this right to the published word, including electronic formats.

• Fair use of copyrighted materials includes the use to support news reporting, teaching, scholarship, and a number of other related permissions.
  • The purpose of the use has to be for educational or library purposes, not for profit, and should not be excessive.


US Copyright Office


Export and Espionage Laws

• Economic Espionage Act (EEA) of 1996

• Security and Freedom Through Encryption Act of 1997 (SAFE)


State & Local Statutes

• In addition to the national and international restrictions placed on an organization in the use of computer technology, each state or locality may have a number of laws and regulations that impact operations.

• It is the responsibility of the information security professional to understand state laws and regulations and ensure the organization’s security policies and procedures comply with those laws and regulations.


California Database Security Breach Act

• This state law passed in 2003 covers any state agency, person or company that does business in California.

• It requires disclosure to California residents if a breach of personal information has or is believed to have occurred within 48 hours.

• It defines personal information as a name with a social security number, driver’s license number, state ID card, account number, credit or debit card number in combination with required security access codes.


Digital Millennium Copyright Act (DMCA)

• DMCA is the US version of an international effort to reduce the impact of copyright, trademark, and privacy infringement

• The European Union Directive 95/46/EC increases protection of individuals with regard to the processing of personal data and limits the free movement of such data

• The United Kingdom has already implemented a version of this directive called the Database Right


Exercise 3.1

IT Litigation

Select one of the following IT security cases. Write a one-page summary of the facts of the case.

• Nigerian E-Mail Scammers

• Student arrested in e-mail threat

• Internet Sting Case Set for Trial

• Michigan Wi-Fi Hackers


Exercise 3.2

Due Process in a Security Policy

• As a security officer for the Acme Corporation you are on the security policy team. You are asked to prepare a paper defining the company's need to provide due process to any employee charged with violating the policy. Develop a 5-minute presentation explaining the due process.


Exercise 3.3

Civil Versus Criminal Litigation

Explain the difference between civil and criminal cases in the following four areas:

• Burden of proof

• Parties to the litigation

• Purpose of litigation

• Remedies to be considered