Legal Issues in Information Security - Chapter 5

Upload: nathan-maldonado

Post on 26-Mar-2015


TRANSCRIPT

Page 1: Legal Issues in Information Security, Chapter 5

Page 2: Objectives

- Understand U.S. Criminal Law
- Understand State Laws
- Understand Laws of Other Countries
- Understand Issues with Prosecution
- Understand Civil Issues
- Understand Privacy Issues

Page 3: There are many legal issues with regard to information security

- Breaking into computers is against the law, most of the time.
- Civil issues of liability and privacy.
- Risks with regard to employees and other organizations on the network if internal security is lax.
- Violations of new laws that address banking customers and medical privacy.

Page 4: Understand U.S. Criminal Law

Computer Fraud and Abuse (18 US Code 1030)
- Forms the basis for federal intervention in computer crimes.
- Types of computer crime that are covered by the statute:
  - Section (a) of the statute defines the crime as the intentional access of a computer without authorization (or in excess of the authorization granted) to do so.
  - A second part of the statute adds that the individual accessing the computer has to obtain information that should be protected.

Page 5: Understand U.S. Criminal Law

Types of computer crime that are covered by the statute (continued):
- On a first reading, only the computers of the U.S. government or financial institutions appear to be covered.
- Later in the text, "protected computer" is defined to include computers used by financial institutions, the U.S. government, or any computer used in interstate or foreign commerce or communication.
- Based on this definition, most computers connected to the Internet will qualify, as they may be used in interstate or foreign commerce or communication.

Page 6: Understand U.S. Criminal Law

- $5,000 is the minimum amount of damage that must occur before this statute may be used (this is the threshold as the statute read before the 2001 amendments described on the Patriot Act pages).
  - Includes the costs of investigating and correcting anything done by the individual who gains unauthorized access.
- The definition of damage does not include any impairment to the confidentiality of data, even though Section (a) does discuss disclosure of information that is supposed to be protected by the government.
- Other activity that is commonly performed by intruders may not be illegal. For example, a federal court in Georgia ruled in a civil case (Moulton v. VC3, N.D. Ga., Civil Action File No. 1:00-CV-434-TWT, 11/7/00) that port scanning a system did not cause damage and thus could not be punished under federal or Georgia state law. The decision turned on the absence of damage, not on any right to scan; a practitioner should still obtain written authorization before scanning systems that are not his or her own.

Page 7: Credit Card Fraud (18 US Code 1029)

- This statute makes it a crime to knowingly, and with intent to defraud, possess fifteen or more counterfeit or unauthorized "access devices"; credit card numbers are access devices, so fifteen or more stolen card numbers meet the threshold. Many computer crimes involve the stealing of credit card numbers. In this case, 18 US Code 1029 can be used to charge the individual with a federal crime.
- An attack on a computer system that allows the intruder to gain access to a large number of credit card numbers to which he does not have authorized access is a violation of this statute.
- The attack will be a violation even if the attack itself did not cause $5,000 in damage (as specified in 18 US Code 1030) if the attacker gains access to fifteen or more credit card numbers.

Page 8: Copyright Violations (18 US Code 2319)

- Criminal copyright infringement applies if an individual is found to be reproducing or distributing copyrighted material where at least ten copies of one or more works have been made within a 180-day period and the total retail value of the copies exceeds $1,000 ($2,500 for harsher penalties).
- If a computer system has been compromised and used as a distribution point for copyrighted software, the individual who is providing the software for distribution is likely in violation of this statute, regardless of whether the cost of the compromise exceeded $5,000.
- Note: the victim of this crime is not the owner of the system that was compromised but the holder of the copyright.

Page 9: Interception (18 US Code 2511)

- The wiretap statute outlaws the interception of telephone calls and other types of electronic communication, and prevents law enforcement from using wiretaps without a court order.
- An intruder into a computer system who places a "sniffer" on the system is likely to be in violation of this statute.
- An employee of an organization, acting for the organization as the service provider, can monitor communication in the normal course of his or her job for the "protection of the rights or property of the provider." An organization can therefore monitor its own networks and computer systems to protect them.
- Make sure that your organization's internal policies and procedures cover the monitoring of the network. The policies and procedures should identify which employees are authorized to perform this monitoring and also inform all employees that such monitoring will take place.

Page 10: Access to Electronic Information (18 US Code 2701)

- Prohibits unlawful access to stored communications, and also prohibits preventing authorized users from accessing systems that store electronic communications.
- The statute also has an exception for the owner of the service, so that the provider of the service may access any file on the system.
- If an organization is providing the communications service, any file on the system can be accessed by authorized employees of the organization. The exception covers conduct authorized by the provider, so the organization should record in its policies which employees hold that authorization.

Page 11: Patriot Act

The USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001)
- Passed in response to the terrorist attacks of September 11, 2001.
- Several parts of the act have a direct impact on the federal computer crime statutes:
  - Increased the maximum penalties for violations of 18 US Code 1030 to ten years for a first offense and twenty years for subsequent offenses. Under the new law, state offenses count as prior offenses for sentencing.

Page 12: Patriot Act

Several parts of the act have a direct impact on the federal computer crime statutes (continued):
- Modifies the wording of 18 US Code 1030: "damage" is now defined simply as "any impairment to the integrity or availability of data, a program, a system, or information," and the $5,000 figure is moved out of that definition into a separate "loss" threshold.
- This change makes reaching the $5,000 minimum much easier.
- The new version of the law also allows the combination of losses to multiple systems, as long as the events or attacks occurred within a one-year time frame.

Page 13: Patriot Act

Several parts of the act have a direct impact on the federal computer crime statutes (continued):
- The term "loss" is also broadened to include any reasonable cost to the victim, including the cost of responding, determining the damage, and restoring the systems to operation, and revenue losses or other costs due to an interruption of service (which makes it easier to reach the $5,000 minimum).
- Two new offenses were added to 18 US Code 1030:
  - An individual has violated federal law if the actions taken affect a computer system used by or for the government for the administration of justice, national defense, or national security, regardless of the loss incurred. With this change, it is no longer required to compute damages for attacks against Department of Defense computer systems.
  - An individual in the United States who attacks computers outside of the United States can be prosecuted under federal law (the definition of "protected computer" now includes computers outside the United States that are used in a manner that affects interstate or foreign commerce or communication of the United States).

Page 14: Patriot Act - Trap and Trace Changes

The Pen Register Statute (18 US Code 3121-3127; section 3127 holds the definitions)
- Allows law enforcement to gain access to the phone numbers that were called from a particular telephone.
- This statute did not allow for access to the content of the phone call, but only to the numbers that were called.
- The Patriot Act of 2001 modified the language of the law to include any device or process that records dialing, routing, addressing, or signaling information.
- The act does continue the prohibition on the recording of content.

Page 15: Patriot Act - Trap and Trace Changes

The Pen Register Statute (18 US Code 3127)
- It is now possible to collect the following information under a pen register / trap and trace order:
  - E-mail header information (addressing information such as the From and To addresses)
  - Source and destination IP addresses
  - Source and destination TCP and UDP port numbers
- The law still prohibits the collection of:
  - E-mail subject lines
  - Contents of e-mail
  - Contents of downloaded files
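As an added example (not part of the slide deck), the following Python builds a metadata-only record from raw IPv4 packets of the kind a pen/trap collection would produce: it keeps the addressing information the slide lists as collectable (IP addresses, TCP/UDP ports, and the From/To/Cc addressing of an SMTP message) and discards the transport payload, so Subject lines and message bodies never reach the record. The packets, addresses and helper names are constructed for the example; treating only From, To and Cc as "addressing" rather than content is an assumption to confirm with counsel.

```python
"""Metadata-only packet record for a pen register / trap and trace collection.
Added example: keeps dialing/routing/addressing/signaling information and
discards content. Packets and helpers below are constructed for the example;
no capture library is used, so it runs offline."""
import socket
import struct
from typing import Optional

# Assumption: only these mail header fields are treated as addressing.
ALLOWED_MAIL_HEADERS = ("from", "to", "cc")


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, flags PSH|ACK) plus payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 8-byte UDP header plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _mail_addressing(payload: bytes) -> dict:
    """Extract only From/To/Cc values from an SMTP DATA block; never the Subject or body."""
    out = {}
    text = payload.decode("ascii", errors="replace")
    head, _, _body = text.partition("\r\n\r\n")  # everything after the blank line is content
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ALLOWED_MAIL_HEADERS:
            out[name.strip().lower()] = value.strip()
    return out


def pen_trap_record(packet: bytes) -> Optional[dict]:
    """Return only addressing information from a raw IPv4 packet, or None if not IPv4.

    The returned dict never contains the transport payload. For traffic on
    TCP port 25 (SMTP) the From/To/Cc lines are kept as addressing; Subject
    and body lines are dropped on purpose."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    rec = {"src_ip": socket.inet_ntoa(packet[12:16]),
           "dst_ip": socket.inet_ntoa(packet[16:20]), "proto": proto}
    l4 = packet[ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        data_offset = (l4[12] >> 4) * 4
        rec.update(src_port=sport, dst_port=dport, l4="tcp")
        if 25 in (sport, dport):
            rec["mail_addressing"] = _mail_addressing(l4[data_offset:])
    elif proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        rec.update(src_port=sport, dst_port=dport, l4="udp")
    return rec


# Constructed sample: an SMTP DATA block whose Subject and body must not be kept.
SAMPLE_SMTP = (b"From: alice@example.com\r\nTo: bob@example.net\r\n"
               b"Subject: quarterly numbers\r\n\r\nBody text is content.\r\n")


def sample_packets() -> list:
    """Two constructed packets: an SMTP segment and a DNS-like UDP datagram."""
    tcp = tcp_segment(51000, 25, SAMPLE_SMTP)
    udp = udp_datagram(53001, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)
    return [ipv4_header("192.0.2.10", "198.51.100.5", 6, len(tcp)) + tcp,
            ipv4_header("192.0.2.10", "198.51.100.53", 17, len(udp)) + udp]


if __name__ == "__main__":
    for pkt in sample_packets():
        print(pen_trap_record(pkt))
```

The design point is that the filter is enforced at the parser: the record type has no field that could hold a payload, so an operator cannot later widen the collection without changing the code, which is the kind of control a court order reviewer will look for.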

Page 16: Patriot Act - Trap and Trace Changes

The Pen Register Statute (18 US Code 3127)
- Trap and trace orders can now be obtained locally for devices that exist in another district.
- For example, an investigation in New York could obtain an order in New York that would be valid for information collection in California.
- The only restriction is that the court issuing the order must have jurisdiction over the offense.

Page 17: Patriot Act - Computer Trespasser Exception

- The Patriot Act amends the wiretap statute (18 US Code 2510 and 2511) to define a "computer trespasser" as a person who accesses a protected computer without authorization, and to establish that such a person has no reasonable expectation of privacy in communications passing through that computer.
- Under the new exception, the trespasser's communications may be intercepted only when all of the following hold:
  - The owner or operator of the protected computer consents to the interception.
  - The person intercepting is acting under color of law and is lawfully engaged in an investigation.
  - There are reasonable grounds to believe the contents will be relevant to the investigation.
  - The interception does not acquire communications other than those to or from the trespasser.

Page 18: Patriot Act - The Cable Act Fix

- The Patriot Act fixed a perceived conflict between the needs of law enforcement when investigating computer crimes and the cable statute's restrictions on disclosing what cable customers are watching and/or doing online.
- Since cable companies now provide Internet access, they are required to disclose wiretap, stored-communications, and pen register / trap and trace evidence to law enforcement under the same statutes that apply to other providers (including the pen register statute that contains 18 US Code 3127), rather than under the cable statute's stricter disclosure rules. Records of which video programming a customer selects remain protected by the cable statute.

Page 19: Homeland Security Act

The Homeland Security Act of 2002
- Created the Department of Homeland Security. Section 225 of the act, titled the Cyber Security Enhancement Act of 2002, modifies 18 US Code 1030 by increasing penalties for criminal acts (up to life imprisonment where the offender knowingly or recklessly causes or attempts to cause death).
- Directs the United States Sentencing Commission to take into account the severity of the computer crime when determining sentencing guidelines.

Page 20: Understand State Laws

Computer crime laws in many states prohibit a person from performing certain acts without authorization, including:
- Accessing a computer, system, or network.
- Modifying, damaging, using, disclosing, copying, or taking programs or data.
- Introducing a virus or other contaminant into a computer system.
- Using a computer in a scheme to defraud.
- Interfering with someone else's computer access or use.
- Using encryption in aid of a crime.
- Falsifying e-mail source information.
- Stealing an information service from a provider.

Page 21: 18 US Code 1030, Section (a) offenses

(The slide title reads "Understand State Laws - Georgia," but the text quoted on this and the following pages is the federal statute, 18 US Code 1030, "Fraud and related activity in connection with computers," not a Georgia statute.)

(a)(2) Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains:
- (A) information contained in a financial record of a financial institution, or of a card issuer;
- (B) information from any department or agency of the United States; or
- (C) information from any protected computer if the conduct involved an interstate or foreign communication.

Page 22: 18 US Code 1030, Section (a) offenses (continued)

(a)(1) Having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation, willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it.

Page 23: 18 US Code 1030, Section (a) offenses (continued)

(a)(3) Intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States (or, if not exclusively for such use, is used by or for the Government of the United States and the conduct affects that use).

(a)(4) Knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consist only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.

(a)(5)(A)(i) Knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization to a protected computer.

Page 24: 18 US Code 1030, Section (a) offenses (continued)

(a)(5)(A)(ii) Intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(a)(5)(A)(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;

and, by conduct described in (i), (ii), or (iii), caused (or, in the case of an attempted offense, would have caused):
- (B)(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

Page 25: 18 US Code 1030, Section (a) offenses (continued)

- (B)(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
- (B)(iii) physical injury to any person;
- (B)(iv) a threat to public health or safety; or
- (B)(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security.

(a)(6) Knowingly and with intent to defraud traffics in any password or similar information through which a computer may be accessed without authorization, if such trafficking affects interstate or foreign commerce, or such computer is used by or for the Government of the United States.

Page 26: 18 US Code 1030, Section (a) offenses (continued)

(a)(7) With intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer.

Page 27

Understand Laws of Other Countries

International computer crime laws vary from country to country.

Many countries have no computer crime laws at all.

When the ILOVEYOU virus was traced to an individual who lived in the Philippines, he could not be prosecuted because the Philippines did not have a law that made it a crime to write and distribute a computer virus (since then, a computer crime law has been enacted).

Computer crime laws in other countries may have an effect on computer crime investigations in the United States as well.

If an investigation shows that the attack came from a computer system in another country, the FBI will attempt to get assistance from the law enforcement organizations in that country (through the legal liaison at the U.S. embassy in that country). If the other country has no computer crime laws, it is unlikely that they will assist in the investigation.

Page 28

Understand Issues with Prosecution

If your organization is the victim of computer crime, your organization might choose to contact law enforcement in order to prosecute the offenders.

The options, and how the organization may choose to proceed, should be discussed in detail during the development of the organization's incident response procedure.

During the development of this procedure, your organization should involve legal counsel and also seek advice from local law enforcement.

Your discussion with local law enforcement will provide information on their capabilities, their interest in computer crimes, and the type of damage that must be done before a crime actually occurs.

Page 29

Evidence Collection

If normal business procedures are followed, any information can be used to prosecute the perpetrator.

This means that if you normally make backups of your systems and those backups contain information that shows where the attack came from or what was done, this information can be used.

Information is not evidence until a law enforcement officer takes possession of it.

If your organization takes actions such as calling an outside consultant to perform a forensic examination of the system, you are now taking actions that are not part of normal business practices.

Page 30

Evidence Collection

In this case, your organization should take appropriate precautions. These may include any of the following:

Making at least two image copies of the computer's hard drives

Limiting access to one of the copies and bagging it so that any attempts to tamper with it can be identified

Making secure checksums of the information on the disks so that changes to the information can be identified
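The two-copy and checksum precautions above, as an added example that is not part of the original slides: a SHA-256 manifest is written when the image copies are made, confirms that the copies match each other, and is re-verified later so that any change to a copy shows up. The image files, the collector name and the manifest layout are constructed for the example.

```python
# Added example (not from the slides): SHA-256 manifest for the disk-image
# copies named in the evidence-collection precautions. The images here are
# constructed byte strings; the chunked hashing works unchanged on real images.
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so large images fit in memory


def sha256_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(image_paths, manifest_path, collector):
    """Record name, size and SHA-256 of each copy; all copies must match."""
    entries = [{"path": os.path.basename(p), "size": os.path.getsize(p),
                "sha256": sha256_file(p)} for p in image_paths]
    if len({e["sha256"] for e in entries}) != 1:
        raise ValueError("image copies do not match each other")
    manifest = {"collected_by": collector,
                "collected_at": datetime.now(timezone.utc).isoformat(),
                "images": entries}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(image_dir, manifest_path):
    """Re-hash each image; True means it still matches the manifest."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    return {e["path"]: sha256_file(os.path.join(image_dir, e["path"]))
            == e["sha256"] for e in manifest["images"]}


def demo():
    """Constructed scenario: two matching copies, then one is altered."""
    work = tempfile.mkdtemp()
    image = b"CONSTRUCTED DISK IMAGE " * 4096  # stand-in for a drive image
    copies = [os.path.join(work, n) for n in ("copy_a.img", "copy_b.img")]
    for p in copies:
        with open(p, "wb") as f:
            f.write(image)
    manifest = os.path.join(work, "manifest.json")
    write_manifest(copies, manifest, collector="example analyst")
    before = verify_manifest(work, manifest)
    with open(copies[1], "r+b") as f:  # simulate a single-byte change to copy_b
        f.seek(100)
        f.write(b"X")
    return before, verify_manifest(work, manifest)
```

The manifest itself should be stored apart from the images (for example with the bagged copy) so that a change to an image cannot be hidden by rewriting its recorded hash.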

Page 31

Evidence Collection

The evidence collection procedure to be followed should be developed prior to the event and should be created with the advice of organization counsel and law enforcement.

Page 32

Contacting Law Enforcement

Get your organization's general counsel involved before law enforcement is contacted.

The general counsel should be available to speak with law enforcement when they come on-site.

Once law enforcement is contacted and comes on-site to investigate, the rules change.

Law enforcement will be acting as officers of the court and as such are bound by rules that must be followed in order to allow information that is gathered to be used as evidence.

When law enforcement takes possession of backup copies or information from a system, they will control access to it and protect it as evidence according to their procedures.

If further information is to be gathered from the network, law enforcement will have to get a subpoena or a warrant to gather more information.

Page 33

Understand Civil Issues

Computers and computer networks are provided by an organization for the business use of employees:

Monitoring the network is not in violation of the wiretap laws since the organization is the owner and operator of the computer network.

Employees should be informed that internal monitoring may occur, and this should be communicated to them in a policy and when they log in through a login banner.

All employees should be provided copies of organization policies (including information and security policies) and asked to sign that they have received and understood the policies. This procedure should recur periodically.

Page 34

Understand Privacy Issues

Health Insurance Portability and Accountability Act (HIPAA – 1966)

This law places the responsibility for creating and enforcing the standards for the protection of health information under the Department of Health and Human Services.

The act calls for the standardization of patient health information, unique identifiers for individuals, and most importantly, security standards for protecting the confidentiality and integrity of patient health information.

The compliance dates for various types of organizations are as follows:

Health plans: April 20, 2005

Small health plans (plans with annual receipts of $5 million or less): April 20, 2006

Health care clearinghouses: April 20, 2005

Health care providers: April 20, 2005

Page 35

Understand Privacy Issues

The Gramm-Leach-Bliley Financial Services Modernization Act (GLBA – 1999)

One of the key aspects of this act is related to the privacy of customer information.

Specifically, Section 502 of the act prohibits the financial organization from disclosing a customer's private information unless the organization has disclosed that this may occur and given the customer a chance to opt out of the disclosure.

In addition to the privacy issue, financial institutions are also required to protect customer records from unauthorized disclosure.

Page 36

Prosecute the Offender

Step by Step: The Project Steps

Locate the attack strategy.

Assuming that the attack was successful, identify which federal computer crime statutes would be violated by the attack. Don't forget to estimate the total damage suffered by your organization.

Now identify which systems would be used to develop evidence of the attack. What evidence would exist?

Identify how this evidence would be protected.

Determine if you would be able to identify the source of the attack.

Page 37

Key Terms

18 US Code 1029 (Credit Card Fraud) (117)

18 US Code 1030 (Computer Fraud and Abuse) (116)

18 US Code 2319 (Copyrights) (117)

18 US Code 2511 (Interception) (118)

18 US Code 2701 (Access to Electronic Information) (118)

downstream liability (127)

due diligence (134)

evidence collection (124)

expectation of privacy (120)

Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) (132)

Health Insurance Portability and Accountability Act (HIPAA) (129)

Homeland Security Act (Cyber Security Enhancement Act) (121)

internal monitoring (127)

protected computers (117)

USA-Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001) (119)