Cybercrimes and cryptographic attacks

ch041.pptx

Chapter 4 Laws, Regulations, and Compliance

Categories of Laws

Criminal Law

Civil Law

Administrative Law

Overview

Criminal Law

Preserve peace

Keep society safe

Penalties include:

Community service

Fines

Prison

Enacted through legislation

Civil Law

Provide for orderly society

Govern matters that are not crimes

Enacted through legislation

Punishment can include financial penalties

Administrative Law

Policies, procedures, and regulations

Govern the daily operations of an entity

Enacted by government agencies, not the legislature

Laws

Computer Crime

Intellectual Property

Licensing

Import/Export

Privacy

Overview

Computer Crime 1/2

Computer Fraud and Abuse Act (CFAA)

Federal interest computer

Accessing classified information, accessing systems without authorization, fraud, malicious damage, modifying medical records, trafficking in passwords

Any computer in use by the government, financial institutions, and interstate offenses

Amendments

Creating malware code, interstate commerce, imprisonment, and civil action from victims

Federal Sentencing Guidelines

Prudent man rule

Burden of proof: negligence, compliance, causal

Computer Crime 2/2

National Information Infrastructure Protection Act

CFAA – international, national infrastructure

Federal Information Security Management Act (FISMA)

Risk assessment, planning, training, testing, incident management

Federal Information Systems Modernization Act (FISMA)

Centralizing under DHS

Cybersecurity Enhancement Act

NIST establishing voluntary cybersecurity standards

Intellectual Property 1/2

Copyrights

Original works of authorship

Digital Millennium Copyright Act

Trademarks

Words, slogans, logos, etc., which identify a company, its products, and its services

Patents

Intellectual property rights of inventors

Intellectual Property 2/2

Trade Secrets

Intellectual property of an organization

Non-disclosure agreement (NDA)

Economic Espionage Act

Stealing trade secrets to benefit a foreign government

Stealing trade secrets

Licensing

Contractual license agreements

Shrink-wrap license agreements

Click-through license agreements

Cloud services license agreements

Import/Export

Trans-border data flow of new technologies, intellectual property, and personally identifying information

International Traffic in Arms Regulations (ITAR)

United States Munitions List (USML)

Export Administration Regulations (EAR)

Commerce Control List (CCL)

Computer Export Controls

Encryption Export Controls

Privacy 1/5

U.S. Privacy Law (1/2)

Fourth Amendment

Privacy Act

Electronic Communications Privacy Act

Communications Assistance for Law Enforcement Act (CALEA)

Economic Espionage Act

Health Insurance Portability and Accountability Act (HIPAA)

Privacy 2/5

U.S. Privacy Law (2/2)

Health Information Technology for Economic and Clinical Health Act (HITECH)

Data Breach Notification Laws

Children’s Online Privacy Protection Act (COPPA)

Gramm-Leach-Bliley Act

USA PATRIOT Act

Family Educational Rights and Privacy Act (FERPA)

Identity Theft and Assumption Deterrence Act

Privacy 3/5

European Union Privacy Law (1/3)

Consent

Contract

Legal obligation

Vital interest of the data subject

Balance between the interests of the data holder and the interests of the data subject

Key rights of individuals

Privacy Shield agreement

Privacy 4/5

European Union Privacy Law (2/3)

Privacy Shield agreement

Informing Individuals About Data Processing

Providing Free and Accessible Dispute Resolution

Cooperating with the Department of Commerce

Maintaining Data Integrity and Purpose Limitation

Ensuring Accountability for Data Transferred to Third Parties

Transparency Related to Enforcement Actions

Ensuring Commitments Are Kept As Long As Data Is Held

Privacy 5/5

European Union Privacy Law (3/3)

European Union General Data Protection Regulation (GDPR)

Applies to organizations that are not based in the EU

24-hour data breach notification requirement

Centralized data protection authorities in each EU member state

Individuals will have access to their own data

Data portability provisions

The “right to be forgotten”

Compliance

Security regulation has become complex

Issues with regulatory agencies and contractual obligations

Overlapping and often contradictory requirements

May require full-time compliance staff

Compliance audits and reporting

Payment Card Industry Data Security Standard (PCI DSS)

Contracting and Procurement

Use of cloud and service vendors requires contract scrutiny

Perform security review and vendor governance

Tailor the contract and review to your specific concerns

Conclusion

Read the Exam Essentials

Review the Chapter

Perform the Written Labs

Answer the Review Questions