Computer Security - Discussion
Chapter 4 Laws, Regulations, and Compliance
THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 1: Security and Risk Management
1.3 Determine compliance requirements
1.3.1 Contractual, legal, industry standards, and regulatory requirements
1.3.2 Privacy requirements
1.4 Understand legal and regulatory issues that pertain to information security in a global context
1.4.1 Cybercrimes and data breaches
1.4.2 Licensing and intellectual property requirements
1.4.3 Import/export controls
1.4.4 Trans-border data flow
1.4.5 Privacy
The world of compliance is a legal and regulatory jungle for information technology (IT) and cybersecurity professionals. National, state, and local governments have all passed overlapping laws regulating different components of cybersecurity in a patchwork manner. This leads to an incredibly confusing landscape for security professionals who must reconcile the laws of multiple jurisdictions. Things become even more complicated for multinational companies, which must also navigate the variations among the laws of the countries in which they operate.
Law enforcement agencies have tackled the issue of cybercrime with gusto in recent years. The legislative branches of governments around the world have at least attempted to address issues of cybercrime. Many law enforcement agencies have full-time, well-trained computer crime investigators with advanced security training. Those that don't usually know where to turn when they require this sort of expertise.
In this chapter, we'll cover the various types of laws that deal with computer security issues. We'll examine the legal issues surrounding computer crime, privacy, intellectual property, and a number of other related topics. We'll also cover basic investigative techniques, including the pros and cons of calling in assistance from law enforcement.
Categories of Laws
Three main categories of laws play a role in our legal system. Each is used to cover a variety of circumstances, and the penalties for violating laws in the different categories vary widely. In the following sections, you'll learn how criminal law, civil law, and administrative law interact to form the complex web of our justice system.
Criminal Law
Criminal law forms the bedrock of the body of laws that preserve the peace and keep our society safe. Many high-profile court cases involve matters of criminal law; these are the laws that the police and other law enforcement agencies concern themselves with. Criminal law contains prohibitions against acts such as murder, assault, robbery, and arson. Penalties for violating criminal statutes fall in a range that includes mandatory hours of community service, monetary penalties in the form of fines (small and large), and deprivation of civil liberties in the form of prison sentences.
Cops Are Smart!
A good friend of one of the authors is a technology crime investigator for the local police department. He often receives cases of computer abuse involving threatening emails and website postings.
Recently, he shared a story about a bomb threat that had been emailed to a local high school. The perpetrator sent a threatening note to the school principal declaring that the bomb would explode at 1 p.m. and warning him to evacuate the school. The author's friend received the alert at 11 a.m., leaving him with only two hours to investigate the crime and advise the principal on the best course of action.
He quickly began issuing emergency subpoenas to Internet service providers and traced the email to a computer in the school library. At 12:15 p.m., he confronted the suspect with surveillance tapes showing him at the computer in the library as well as audit logs conclusively proving that he had sent the email. The student quickly admitted that the threat was nothing more than a ploy to get out of school a couple of hours early. His explanation? "I didn't think there was anyone around here who could trace stuff like that."
He was wrong.
A number of criminal laws serve to protect society against computer crime. In later sections of this chapter, you'll learn how some laws, such as the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the Identity Theft and Assumption Deterrence Act (among others), provide criminal penalties for serious cases of computer crime. Technically savvy prosecutors teamed with concerned law enforcement agencies have dealt serious blows to the "hacking underground" by using the court system to impose lengthy prison terms on offenders guilty of what used to be considered harmless pranks.
In the United States, legislative bodies at all levels of government establish criminal laws through elected representatives. At the federal level, both the House of Representatives and the Senate must pass criminal law bills by a majority vote (in most cases) in order for the bill to become law. Once passed, these laws then become federal law and apply in all cases where the federal government has jurisdiction (mainly cases that involve interstate commerce, cases that cross state boundaries, or cases that are offenses against the federal government itself). If federal jurisdiction does not apply, state authorities handle the case using laws passed in a similar manner by state legislators.
All federal and state laws must comply with the ultimate authority that dictates how the United States (U.S.) system of government works—the U.S. Constitution. All laws are subject to judicial review by regional courts with the right of appeal all the way to the Supreme Court of the United States. If a court finds that a law is unconstitutional, it has the power to strike it down and render it invalid.
Keep in mind that criminal law is a serious matter. If you find yourself involved—as a witness, defendant, or victim—in a matter where criminal authorities become involved, you'd be well advised to seek advice from an attorney familiar with the criminal justice system and specifically with matters of computer crime. It's not wise to "go it alone" in such a complex system.
Civil Law
Civil laws form the bulk of our body of laws. They are designed to provide for an orderly society and govern matters that are not crimes but that require an impartial arbiter to settle between individuals and organizations. Examples of the types of matters that may be judged under civil law include contract disputes, real estate transactions, employment matters, and estate/probate procedures. Civil laws are also used to create the framework of government that the executive branch uses to carry out its responsibilities. These laws provide budgets for governmental activities and lay out the authority granted to the executive branch to create administrative laws (see the next section).
Civil laws are enacted in the same manner as criminal laws. They must pass through the legislative process before enactment and are subject to the same constitutional parameters and judicial review procedures. At the federal level, both criminal and civil laws are embodied in the United States Code (USC).
The major difference between civil laws and criminal laws is the way in which they are enforced. Usually, law enforcement authorities do not become involved in matters of civil law beyond taking action necessary to restore order. In a criminal prosecution, the government, through law enforcement investigators and prosecutors, brings action against a person accused of a crime. In civil matters, it is incumbent upon the person who thinks they have been wronged to obtain legal counsel and file a civil lawsuit against the person they think is responsible for their grievance. The government (unless it is the plaintiff or defendant) does not take sides in the dispute or argue one position or the other. The only role of the government in civil matters is to provide the judges, juries, and court facilities used to hear civil cases and to play an administrative role in managing the judicial system in accordance with the law.
As with criminal law, it is best to obtain legal assistance if you think you need to file a civil lawsuit or if someone files a civil lawsuit against you. Although civil law does not impose the threat of imprisonment, the losing party may face severe financial penalties. You don't need to look any further than the nightly news for examples—multimillion-dollar cases against tobacco companies, major corporations, and wealthy individuals are filed every day.
Administrative Law
The executive branch of our government charges numerous agencies with wide-ranging responsibilities to ensure that government functions effectively. It is the duty of these agencies to abide by and enforce the criminal and civil laws enacted by the legislative branch. However, as can be easily imagined, criminal and civil law can't possibly lay out rules and procedures that should be followed in every possible situation. Therefore, executive branch agencies have some leeway to enact administrative law, in the form of policies, procedures, and regulations that govern the daily operations of the agency. Administrative law covers topics as mundane as the procedures to be used within a federal agency to obtain a desk telephone to more substantial issues such as the immigration policies that will be used to enforce the laws passed by Congress. Administrative law is published in the Code of Federal Regulations, often referred to as the CFR.
Although administrative law does not require an act of the legislative branch to gain the force of law, it must comply with all existing civil and criminal laws. Government agencies may not implement regulations that directly contradict existing laws passed by the legislature. Furthermore, administrative laws (and the actions of government agencies) must also comply with the U.S. Constitution and are subject to judicial review.
To understand compliance requirements and procedures, it is necessary to be fully versed in the complexities of the law. From administrative law to civil law to criminal law (and, in some countries, even religious law), navigating the regulatory environment is a daunting task. The CISSP exam focuses on the generalities of law, regulations, investigations, and compliance as they affect organizational security efforts. However, it is your responsibility to seek out professional help (i.e., an attorney) to guide and support you in your efforts to maintain legal and legally supportable security.
Laws
Throughout these sections, we'll examine a number of laws that relate to information technology. By necessity, this discussion is U.S.-centric, as is the material covered by the CISSP exam. We'll look briefly at several high-profile non-U.S. laws, such as the European Union's General Data Protection Regulation (GDPR). However, if you operate in an environment that involves foreign jurisdictions, you should retain local legal counsel to guide you through the system.
Every information security professional should have a basic understanding of the law as it relates to information technology. However, the most important lesson to be learned is knowing when it's necessary to call in an attorney. If you think you're in a legal "gray area," it's best to seek professional advice.
Computer Crime
The first computer security issues addressed by legislators were those involving computer crime. Early computer crime prosecutions were attempted under traditional criminal law, and many were dismissed because judges thought that applying traditional law to this modern type of crime was too far a stretch. Legislators responded by passing specific statutes that defined computer crime and laid out specific penalties for various crimes. In the following sections, we'll cover several of those statutes.
The U.S. laws discussed in this chapter are federal laws. But keep in mind that almost every state in the union has also enacted some form of legislation regarding computer security issues. Because of the global reach of the internet, most computer crimes cross state lines and, therefore, fall under federal jurisdiction and are prosecuted in the federal court system. However, in some circumstances, state laws can be more restrictive than federal laws and impose harsher penalties.
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) was the first major piece of cybercrime-specific legislation in the United States. Congress had earlier enacted computer crime law as part of the Comprehensive Crime Control Act (CCCA) of 1984, but CFAA was carefully written to exclusively cover computer crimes that crossed state boundaries to avoid infringing on states' rights and treading on thin constitutional ice. The major provisions of the original CCCA made it a crime to perform the following:
Access classified information or financial information in a federal system without authorization or in excess of authorized privileges
Access a computer used exclusively by the federal government without authorization
Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to gain use of the computer itself)
Cause malicious damage to a federal computer system in excess of $1,000
Modify medical records in a computer when doing so impairs or may impair the examination, diagnosis, treatment, or medical care of an individual
Traffic in computer passwords if the trafficking affects interstate commerce or involves a federal computer system
When Congress passed the CFAA, it raised the threshold of damage from $1,000 to $5,000 but also dramatically altered the scope of the regulation. Instead of merely covering federal computers that processed sensitive information, the act was changed to cover all "federal interest" computers. This widened the coverage of the act to include the following:
Any computer used exclusively by the U.S. government
Any computer used exclusively by a financial institution
Any computer used by the government or a financial institution when the offense impedes the ability of the government or institution to use that system
Any combination of computers used to commit an offense when they are not all located in the same state
When preparing for the CISSP exam, be sure you're able to briefly describe the purpose of each law discussed in this chapter.
CFAA Amendments
In 1994, Congress recognized that the face of computer security had drastically changed since the CFAA was last amended in 1986 and made a number of sweeping changes to the act. Collectively, these changes are referred to as the Computer Abuse Amendments Act of 1994 and included the following provisions:
Outlawed the creation of any type of malicious code that might cause damage to a computer system
Modified the CFAA to cover any computer used in interstate commerce rather than just "federal interest" computer systems
Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage
Provided legal authority for the victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages
Since the initial CFAA amendments in 1994, Congress passed additional amendments in 1996, 2001, 2002, and 2008 as part of other cybercrime legislation. We'll discuss those as they come up in this chapter.
While CFAA may be used to prosecute a variety of computer crimes, it is also criticized by many in the security and privacy community as an overbroad law. Under some interpretations, CFAA criminalizes the violation of a website's terms of service. This law was used to prosecute Aaron Swartz for downloading a large number of academic research papers from a database accessible on the MIT network. Swartz died by suicide in 2013, and his death inspired the drafting of a CFAA amendment that would have excluded the violation of website terms of service from CFAA. That bill, dubbed Aaron's Law, never reached a vote on the floor of Congress.
Federal Sentencing Guidelines
The Federal Sentencing Guidelines released in 1991 provided punishment guidelines to help federal judges interpret computer crime laws. Three major provisions of these guidelines have had a lasting impact on the information security community.
The guidelines formalized the prudent man rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. This rule, developed in the realm of fiscal responsibility, now applies to information security as well.
The guidelines allowed organizations and executives to minimize punishment for infractions by demonstrating that they used due diligence in the conduct of their information security duties.
The guidelines outlined three burdens of proof for negligence. First, the person accused of negligence must have a legally recognized obligation. Second, the person must have failed to comply with recognized standards. Finally, there must be a causal relationship between the act of negligence and subsequent damages.
National Information Infrastructure Protection Act of 1996
In 1996, Congress passed yet another set of amendments to the Computer Fraud and Abuse Act designed to further extend the protection it provides. The National Information Infrastructure Protection Act included the following main new areas of coverage:
Broadens CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce
Extends similar protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines, electric power grids, and telecommunications circuits
Treats any intentional or reckless act that causes damage to critical portions of the national infrastructure as a felony
Federal Information Security Management Act
The Federal Information Security Management Act (FISMA), passed in 2002, requires that federal agencies implement an information security program that covers the agency's operations. FISMA also requires that government agencies include the activities of contractors in their security management programs. FISMA repealed and replaced two earlier laws: the Computer Security Act of 1987 and the Government Information Security Reform Act of 2000.
The National Institute of Standards and Technology (NIST), responsible for developing the FISMA implementation guidelines, outlines the following elements of an effective information security program:
Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization
Policies and procedures that are based on risk assessments, cost-effectively reducing information security risks to an acceptable level and ensuring that information security is addressed throughout the life cycle of each organizational information system
Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate
Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks
Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually
A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization
Procedures for detecting, reporting, and responding to security incidents
Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization
FISMA places a significant burden on federal agencies and government contractors, who must develop and maintain substantial documentation of their FISMA compliance activities.
Federal Cybersecurity Laws of 2014
In 2014, President Barack Obama signed a series of bills into law that modernized the federal government's approach to cybersecurity issues.
The first of these was the confusingly named Federal Information Security Modernization Act (also bearing the acronym FISMA). The 2014 FISMA modified the rules of the 2002 FISMA by centralizing federal cybersecurity responsibility with the Department of Homeland Security. There are two exceptions to this centralization: defense-related cybersecurity issues remain the responsibility of the Secretary of Defense, while the Director of National Intelligence bears responsibility for intelligence-related issues.
Second, Congress passed the Cybersecurity Enhancement Act, which charges NIST with responsibility for coordinating nationwide work on voluntary cybersecurity standards. NIST produces the SP 800 series of Special Publications related to computer security in the federal government. These are useful for all security practitioners and are available for free online at http://csrc.nist.gov/publications/PubsSPs.html.
The following are commonly used NIST standards:
NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations. This standard is required for use in federal computing systems and is also commonly used as an industry cybersecurity benchmark.
NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Compliance with this standard's security controls (which are quite similar to those found in NIST SP 800-53) is often included as a contractual requirement by government agencies, so federal contractors must often comply with NIST SP 800-171.
The NIST Cybersecurity Framework (CSF) is a set of standards designed to serve as a voluntary risk-based framework for securing information and systems.
The third law from this wave of new requirements was the National Cybersecurity Protection Act. This law charged the Department of Homeland Security with establishing a national cybersecurity and communications integration center. The role of this center is to serve as the interface between federal agencies and civilian organizations for sharing cybersecurity risks, incidents, analysis, and warnings.
Intellectual Property
America's role in the global economy is shifting away from a manufacturer of goods and toward a provider of services. This trend also shows itself in many of the world's large industrialized nations. With this shift toward providing services, intellectual property takes on an increasingly important role in many firms. Indeed, it is arguable that the most valuable assets of many large multinational companies are simply the brand names that we've all come to recognize. Company names such as Dell, Procter & Gamble, and Merck bring instant credibility to any product. Publishing companies, movie producers, and artists depend on their creative output to earn their livelihood. Many products depend on secret recipes or production techniques—take the legendary secret formula for Coca-Cola or KFC's secret blend of herbs and spices, for example.
These intangible assets are collectively referred to as intellectual property, and a whole host of laws exist to protect the rights of their owners. After all, it simply wouldn't be fair if a music store bought only one copy of each artist's CD and burned copies for all of its customers—that would deprive the artist of the benefits of their labor. In the following sections, we'll explore the laws surrounding the four major types of intellectual property—copyrights, trademarks, patents, and trade secrets. We'll also discuss how these concepts specifically concern information security professionals. Many countries protect (or fail to protect) these rights in different ways, but the basic concepts ring true throughout the world.
Some countries are notorious for violating intellectual property rights. The most notable example is China. China is world renowned for its blatant disregard of copyright and patent law. If you're planning to do business in this region of the world, you should definitely consult with an attorney who specializes in this area.
Copyright and the Digital Millennium Copyright Act
Copyright law guarantees the creators of "original works of authorship" protection against the unauthorized duplication of their work. Eight broad categories of works qualify for copyright protection:
Literary works
Musical works
Dramatic works
Pantomimes and choreographic works
Pictorial, graphical, and sculptural works
Motion pictures and other audiovisual works
Sound recordings
Architectural works
There is precedent for copyrighting computer software—it's done under the scope of literary works. However, it's important to note that copyright law protects only the expression inherent in computer software—that is, the actual source code. It does not protect the ideas or process behind the software. There has also been some question over whether copyrights can be extended to cover the "look and feel" of a software package's graphical user interface. Court decisions have gone in both directions on this matter; if you will be involved in this type of issue, you should consult a qualified intellectual property attorney to determine the current state of legislation and case law.
There is a formal procedure to obtain a copyright that involves sending copies of the protected work along with an appropriate registration fee to the U.S. Copyright Office. For more information on this process, visit the office's website at www.copyright.gov. However, it is important to note that officially registering a copyright is not a prerequisite for copyright enforcement. Indeed, the law states that the creator of a work has an automatic copyright from the instant the work is created. If you can prove in court that you were the creator of a work (perhaps by publishing it), you will be protected under copyright law. Official registration merely provides the government's acknowledgment that they received your work on a specific date.
Copyright ownership always defaults to the creator of a work. The exceptions to this policy are works for hire. A work is considered "for hire" when it is made for an employer during the normal course of an employee's workday. For example, when an employee in a company's public relations department writes a press release, the press release is considered a work for hire. A work may also be considered a work for hire when it is made as part of a written contract declaring it as such.
Current copyright law provides for a lengthy period of protection. Works by one or more authors are protected until 70 years after the death of the last surviving author. Works for hire and anonymous works are provided protection for 95 years from the date of first publication or 120 years from the date of creation, whichever is shorter.
In 1998, Congress recognized the rapidly changing digital landscape that was stretching the reach of existing copyright law. To help meet this challenge, it enacted the hotly debated Digital Millennium Copyright Act (DMCA). The DMCA also serves to bring U.S. copyright law into compliance with terms of two World Intellectual Property Organization (WIPO) treaties.
The first major provision of the DMCA is the prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder. This clause was designed to protect copy-prevention mechanisms placed on digital media such as compact discs (CDs) and digital versatile discs (DVDs). The DMCA provides for penalties of up to $1,000,000 and 10 years in prison for repeat offenders. Nonprofit institutions such as libraries and schools are exempted from this provision.
The DMCA also limits the liability of Internet service providers (ISPs) when their circuits are used by criminals violating the copyright law. The DMCA recognizes that ISPs have a legal status similar to the "common carrier" status of telephone companies and does not hold them liable for the "transitory activities" of their users. To qualify for this exemption, the service provider's activities must meet the following requirements (quoted directly from the Digital Millennium Copyright Act of 1998, U.S. Copyright Office Summary, December 1998):
The transmission must be initiated by a person other than the provider.
The transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by the service provider.
The service provider must not determine the recipients of the material.
Any intermediate copies must not ordinarily be accessible to anyone other than anticipated recipients and must not be retained for longer than reasonably necessary.
The material must be transmitted with no modification to its content.
The DMCA also exempts activities of service providers related to system caching, search engines, and the storage of information on a network by individual users. However, in those cases, the service provider must take prompt action to remove copyrighted materials upon notification of the infringement.
Congress also included provisions in the DMCA that allow the creation of backup copies of computer software and any maintenance, testing, or routine usage activities that require software duplication. These provisions apply only if the software is licensed for use on a particular computer, the usage is in compliance with the license agreement, and any such copies are immediately deleted when no longer required for a permitted activity.
Fi nally, the DMCA spells out the ap pli ca tion of copy right law prin ci ples to the stream ing of au dio and/or video con tent over the in ter net. The DMCA states that these uses are to be treated as “el i gi ble non sub scrip tion
118
trans mis sions.”
Trademarks
Copyright laws are used to protect creative works; there is also protection for trademarks, which are words, slogans, and logos used to identify a company and its products or services. For example, a business might obtain a copyright on its sales brochure to ensure that competitors can’t duplicate its sales materials. That same business might also seek to obtain trademark protection for its company name and the names of specific products and services that it offers to its clients.
The main objective of trademark protection is to avoid confusion in the marketplace while protecting the intellectual property rights of people and organizations. As with copyright protection, trademarks do not need to be officially registered to gain protection under the law. If you use a trademark in the course of your public activities, you are automatically protected under any relevant trademark law and can use the ™ symbol to show that you intend to protect words or slogans as trademarks. If you want official recognition of your trademark, you can register it with the United States Patent and Trademark Office (USPTO). This process generally requires an attorney to perform a due diligence comprehensive search for existing trademarks that might preclude your registration. The entire registration process can take more than a year from start to finish. Once you’ve received your registration certificate from the USPTO, you can denote your mark as a registered trademark with the ® symbol.
One major advantage of trademark registration is that you may register a trademark that you intend to use but are not necessarily already using. This type of application is called an intent to use application and conveys trademark protection as of the date of filing provided that you actually use the trademark in commerce within a certain time period. If you opt not to register your trademark with the PTO, your protection begins only when you first use the trademark.
The acceptance of a trademark application in the United States depends on these two main requirements:
The trademark must not be confusingly similar to another trademark—you should determine this during your attorney’s due diligence search. There will be an open opposition period during which other companies may dispute your trademark application.
The trademark should not be descriptive of the goods and services that you will offer. For example, “Mike’s Software Company” would not be a good trademark candidate because it describes the product produced by the company. The USPTO may reject an application if it considers the trademark descriptive.
In the United States, trademarks are granted for an initial period of 10 years and can be renewed for unlimited successive 10-year periods.
Patents
Patents protect the intellectual property rights of inventors. They provide a period of 20 years during which the inventor is granted exclusive rights to use the invention (whether directly or via licensing agreements). At the end of the patent exclusivity period, the invention is in the public domain available for anyone to use.
Patents have three main requirements.
The invention must be new. Inventions are patentable only if they are original ideas.
The invention must be useful. It must actually work and accomplish some sort of task.
The invention must not be obvious. You could not, for example, obtain a patent for your idea to use a drinking cup to collect rainwater. This is an obvious solution. You might, however, be able to patent a specially designed cup that optimizes the amount of rainwater collected while minimizing evaporation.
In the technology field, patents have long been used to protect hardware devices and manufacturing processes. There is plenty of precedent on the side of inventors in those areas. Recent patents have also been issued covering software programs and similar mechanisms, but these patents have become somewhat controversial because many of them are viewed by the technical community as overly broad. The issuance of these broad patents led to the evolution of businesses that exist solely as patent holding companies that derive their revenue by engaging in legal action against companies that they feel infringe upon the patents held in their portfolio. These companies are known by many in the technology community under the derogatory name “patent trolls.”
Trade Secrets
Many companies have intellectual property that is absolutely critical to their business, and significant damage would result if it were disclosed to competitors and/or the public—in other words, trade secrets. We previously mentioned two examples of this type of information from popular culture—the secret formula for Coca-Cola and KFC’s “secret blend of herbs and spices.” Other examples are plentiful; a manufacturing company may want to keep secret a certain manufacturing process that only a few key employees fully understand, or a statistical analysis company might want to safeguard an advanced model developed for in-house use.
Two of the previously discussed intellectual property tools—copyrights and patents—could be used to protect this type of information, but with these two major disadvantages:
Filing a copyright or patent application requires that you publicly disclose the details of your work or invention. This automatically removes the “secret” nature of your property and may harm your firm by removing the mystique surrounding a product or by allowing unscrupulous competitors to copy your property in violation of international intellectual property laws.
Copyrights and patents both provide protection for a limited period of time. Once your legal protection expires, other firms are free to use your work at will (and they have all the details from the public disclosure you made during the application process!).
There actually is no official process regarding trade secrets. By their nature you don’t register them with anyone; you keep them to yourself. To preserve trade secret status, you must implement adequate controls within your organization to ensure that only authorized personnel with a need to know the secrets have access to them. You must also ensure that anyone who does have this type of access is bound by a nondisclosure agreement (NDA) that prohibits them from sharing the information with others and provides penalties for violating the agreement. Consult an attorney to ensure that the agreement lasts for the maximum period permitted by law. In addition, you must take steps to demonstrate that you value and protect your intellectual property. Failure to do so may result in the loss of trade secret protection.
Trade secret protection is one of the best ways to protect computer software. As discussed in the previous section, patent law does not provide adequate protection for computer software products. Copyright law protects only the actual text of the source code and doesn’t prohibit others from rewriting your code in a different form and accomplishing the same objective. If you treat your source code as a trade secret, it keeps it out of the hands of your competitors in the first place. This is the technique used by large software development companies such as Microsoft to protect their core base of intellectual property.
Economic Espionage Act of 1996
Trade secrets are often the crown jewels of major corporations, and the U.S. government recognized the importance of protecting this type of intellectual property when Congress enacted the Economic Espionage Act of 1996. This law has these two major provisions:
Anyone found guilty of stealing trade secrets from a U.S. corporation with the intention of benefiting a foreign government or agent may be fined up to $500,000 and imprisoned for up to 15 years.
Anyone found guilty of stealing trade secrets under other circumstances may be fined up to $250,000 and imprisoned for up to 10 years.
The terms of the Economic Espionage Act give true teeth to the intellectual property rights of trade secret owners. Enforcing this law requires that companies take adequate steps to ensure that their trade secrets are well protected and not accidentally placed into the public domain.
Licensing
Security professionals should also be familiar with the legal issues surrounding software licensing agreements. Four common types of license agreements are in use today.
Contractual license agreements use a written contract between the software vendor and the customer, outlining the responsibilities of each. These agreements are commonly found for high-priced and/or highly specialized software packages.
Shrink-wrap license agreements are written on the outside of the software packaging. They commonly include a clause stating that you acknowledge agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package.
Click-through license agreements are becoming more commonplace than shrink-wrap agreements. In this type of agreement, the contract terms are either written on the software box or included in the software documentation. During the installation process, you are required to click a button indicating that you have read the terms of the agreement and agree to abide by them. This adds an active consent to the process, ensuring that the individual is aware of the agreement’s existence prior to installation.
Cloud services license agreements take click-through agreements to the extreme. Most cloud services do not require any form of written agreement and simply flash legal terms on the screen for review. In some cases, they may simply provide a link to legal terms and a check box for users to confirm that they read and agree to the terms. Most users, in their excitement to access a new service, simply click their way through the agreement without reading it and may unwittingly bind their entire organization to onerous terms and conditions.
Industry groups provide guidance and enforcement activities regarding software licensing. You can get more information from their websites. One major group is the Software Alliance at www.bsa.org.
Import/Export
The federal government recognizes that the very same computers and encryption technologies that drive the internet and e-commerce can be extremely powerful tools in the hands of a military force. For this reason, during the Cold War, the government developed a complex set of regulations governing the export of sensitive hardware and software products to other nations. The regulations include the management of transborder data flow of new technologies, intellectual property, and personally identifying information.
Until recently, it was difficult to export high-powered computers outside the United States, except to a select handful of allied nations. The controls on exporting encryption software were even more severe, rendering it virtually impossible to export any encryption technology outside the country. Recent changes in federal policy have relaxed these restrictions and provided for more open commerce.
Two sets of federal regulations governing imports and exports are of particular interest to cybersecurity professionals.
The International Traffic in Arms Regulations (ITAR) controls the export of items that are specifically designated as military and defense items, including technical information related to those items. The items covered under ITAR appear on a list called the United States Munitions List (USML), maintained in 22 CFR 121.
The Export Administration Regulations (EAR) cover a broader set of items that are designed for commercial use but may have military applications. Items covered by EAR appear on the Commerce Control List (CCL) maintained by the U.S. Department of Commerce. Notably, EAR includes an entire category covering information security products.
Computer Export Controls
Currently, U.S. firms can export high-performance computing systems to virtually any country without receiving prior approval from the government. There are exceptions to this rule for countries designated by the Department of Commerce’s Bureau of Industry and Security as countries of concern based on the fact that they pose a threat of nuclear proliferation, they are classified as state sponsors of terrorism, or other concerns. These countries include Cuba, Iran, North Korea, Sudan, and Syria.
You can find a list of countries and their corresponding computer export tiers on the Department of Commerce’s website at www.bis.doc.gov.
Encryption Export Controls
The Department of Commerce’s Bureau of Industry and Security sets forth regulations on the export of encryption products outside the United States. Under previous regulations, it was virtually impossible to export even relatively low-grade encryption technology outside the United States. This placed U.S. software manufacturers at a great competitive disadvantage to foreign firms that faced no similar regulations. After a lengthy lobbying campaign by the software industry, the president directed the Commerce Department to revise its regulations to foster the growth of the American security software industry.
Current regulations now designate the categories of retail and mass market security software. The rules now permit firms to submit these products for review by the Commerce Department, but the review will take no longer than 30 days. After successful completion of this review, companies may freely export these products.
Privacy
The right to privacy has for years been a hotly contested issue in the United States. The main source of this contention is that the Constitution’s Bill of Rights does not explicitly provide for a right to privacy. However, this right has been upheld by numerous courts and is vigorously pursued by organizations such as the American Civil Liberties Union (ACLU).
Europeans have also long been concerned with their privacy. Indeed, countries such as Switzerland are world renowned for their ability to keep financial secrets. Later in this chapter, we’ll examine how the European Union data privacy laws impact companies and internet users.
U.S. Privacy Law
Although there is no constitutional guarantee of privacy, a myriad of federal laws (many enacted in recent years) are designed to protect the private information the government maintains about citizens as well as key portions of the private sector such as financial, educational, and health care institutions. In the following sections, we’ll examine a number of these federal laws.
Fourth Amendment
The basis for privacy rights is in the Fourth Amendment to the U.S. Constitution. It reads as follows:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The direct interpretation of this amendment prohibits government agents from searching private property without a warrant and probable cause. The courts have expanded their interpretation of the Fourth Amendment to include protections against wiretapping and other invasions of privacy.
Privacy Act of 1974
The Privacy Act of 1974 is perhaps the most significant piece of privacy legislation restricting the way the federal government may deal with private information about individual citizens. It severely limits the ability of federal government agencies to disclose private information to other people or agencies without the prior written consent of the affected individuals. It does provide for exceptions involving the census, law enforcement, the National Archives, health and safety, and court orders.
The Privacy Act mandates that agencies maintain only the records that are necessary for conducting their business and that they destroy those records when they are no longer needed for a legitimate function of government. It provides a formal procedure for individuals to gain access to records the government maintains about them and to request that incorrect records be amended.
The Privacy Act of 1974 applies only to government agencies. Many people misunderstand this law and believe that it applies to how companies and other organizations handle sensitive personal information, but that is not the case.
Electronic Communications Privacy Act of 1986
The Electronic Communications Privacy Act (ECPA) makes it a crime to invade the electronic privacy of an individual. This act broadened the Federal Wiretap Act, which previously covered communications traveling via a physical wire, to apply to any illegal interception of electronic communications or to the intentional, unauthorized access of electronically stored data. It prohibits the interception or disclosure of electronic communication and defines those situations in which disclosure is legal. It protects against the monitoring of email and voicemail communications and prevents providers of those services from making unauthorized disclosures of their content.
One of the most notable provisions of the ECPA is that it makes it illegal to monitor mobile telephone conversations. In fact, such monitoring is punishable by a fine of up to $500 and a prison term of up to five years.
Communications Assistance for Law Enforcement Act (CALEA) of 1994
The Communications Assistance for Law Enforcement Act (CALEA) of 1994 amended the Electronic Communications Privacy Act of 1986. CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
Economic Espionage Act of 1996
The Economic Espionage Act of 1996 extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage. This changed the legal definition of theft so that it was no longer restricted by physical constraints.
Health Insurance Portability and Accountability Act of 1996
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), which made numerous changes to the laws governing health insurance and health maintenance organizations (HMOs). Among the provisions of HIPAA are privacy and security regulations requiring strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals.
HIPAA also clearly defines the rights of individuals who are the subject of medical records and requires organizations that maintain such records to disclose these rights in writing.
The HIPAA privacy and security regulations are quite complex. You should be familiar with the broad intentions of the act, as described here. If you work in the health care industry, consider devoting time to an in-depth study of this law’s provisions.
Health Information Technology for Economic and Clinical Health Act of 2009
In 2009, Congress amended HIPAA by passing the Health Information Technology for Economic and Clinical Health (HITECH) Act. This law updated many of HIPAA’s privacy and security requirements and was implemented through the HIPAA Omnibus Rule in 2013.
One of the changes mandated by the new regulations is a change in the way the law treats business associates, which are organizations that handle protected health information (PHI) on behalf of a HIPAA covered entity. Any relationship between a covered entity and a business associate must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, business associates are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity.
HITECH also introduced new data breach notification requirements. Under the HITECH Breach Notification Rule, HIPAA-covered entities that experience a data breach must notify affected individuals of the breach and must also notify both the Secretary of Health and Human Services and the media when the breach affects more than 500 individuals.
Data Breach Notification Laws
HITECH’s data breach notification rule is unique in that it is a federal law mandating the notification of affected individuals. Outside of this requirement for health care records, data breach notification requirements vary widely from state to state.
In 2002, California passed SB 1386 and became the first state to require the immediate disclosure to individuals of the known or suspected breach of personally identifiable information. This includes unencrypted copies of a person’s name in conjunction with any of the following information:
Social Security number
Driver’s license number
State identification card number
Credit or debit card number
Bank account number in conjunction with the security code, access code, or password that would permit access to the account
Medical records
Health insurance information
In the years following SB 1386, many (but not all) other states passed similar laws modeled on the California data breach notification law. As of 2017, only Alabama and South Dakota do not have state breach notification laws.
For a complete listing of state data breach notification laws, see www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
Children’s Online Privacy Protection Act of 1998
In April 2000, provisions of the Children’s Online Privacy Protection Act (COPPA) became the law of the land in the United States. COPPA makes a series of demands on websites that cater to children or knowingly collect information from children.
Websites must have a privacy notice that clearly states the types of information they collect and what it’s used for, including whether any information is disclosed to third parties. The privacy notice must also include contact information for the operators of the site.
Parents must be provided with the opportunity to review any information collected from their children and permanently delete it from the site’s records.
Parents must give verifiable consent to the collection of information about children younger than the age of 13 prior to any such collection. Exceptions in the law allow websites to collect minimal information solely for the purpose of obtaining such parental consent.
Gramm-Leach-Bliley Act of 1999
Until the Gramm-Leach-Bliley Act (GLBA) became law in 1999, there were strict governmental barriers between financial institutions. Banks, insurance companies, and credit providers were severely limited in the services they could provide and the information they could share with each other. GLBA somewhat relaxed the regulations concerning the services each organization could provide. When Congress passed this law, it realized that this increased latitude could have far-reaching privacy implications. Because of this concern, it included a number of limitations on the types of information that could be exchanged even among subsidiaries of the same corporation and required financial institutions to provide written privacy policies to all their customers by July 1, 2001.
USA PATRIOT Act of 2001
Congress passed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 in direct response to the September 11, 2001, terrorist attacks in New York City and Washington, DC. The PATRIOT Act greatly broadened the powers of law enforcement organizations and intelligence agencies across a number of areas, including when monitoring electronic communications.
One of the major changes prompted by the PATRIOT Act revolves around the way government agencies obtain wiretapping authorizations. Previously, police could obtain warrants for only one circuit at a time, after proving that the circuit was used by someone subject to monitoring. Provisions of the PATRIOT Act allow authorities to obtain a blanket authorization for a person and then monitor all communications to or from that person under the single warrant.
Another major change is in the way the government deals with Internet service providers (ISPs). Under the terms of the PATRIOT Act, ISPs may voluntarily provide the government with a large range of information. The PATRIOT Act also allows the government to obtain detailed information on user activity through the use of a subpoena (as opposed to a wiretap).
Finally, the USA PATRIOT Act amends the Computer Fraud and Abuse Act (yes, another set of amendments!) to provide more severe penalties for criminal acts. The PATRIOT Act provides for jail terms of up to 20 years and once again expands the coverage of the CFAA.
The PATRIOT Act has a complex legislative history. Many of the key provisions of the PATRIOT Act expired in 2015 when Congress failed to pass a renewal bill. However, Congress later passed the USA Freedom Act in June 2015, which restored key provisions of the PATRIOT Act that will remain in force until they expire in December 2019, unless they are once again renewed by Congress.
Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (FERPA) is another specialized privacy bill that affects any educational institution that accepts any form of funding from the federal government (the vast majority of schools). It grants certain privacy rights to students older than 18 and the parents of minor students. Specific FERPA protections include the following:
Parents/students have the right to inspect any educational records maintained by the institution on the student.
Parents/students have the right to request correction of records they think are erroneous and the right to include a statement in the records contesting anything that is not corrected.
Schools may not release personal information from student records without written consent, except under certain circumstances.
Identity Theft and Assumption Deterrence Act
In 1998, the president signed the Identity Theft and Assumption Deterrence Act into law. In the past, the only legal victims of identity theft were the creditors who were defrauded. This act makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law.
Privacy in the Workplace
One of the authors of this book had an interesting conversation with a relative who works in an office environment. At a family Christmas party, the author’s relative casually mentioned a story he had read online about a local company that had fired several employees for abusing their internet privileges. He was shocked and couldn’t believe that a company would violate their employees’ right to privacy.
As you’ve read in this chapter, the U.S. court system has long upheld the traditional right to privacy as an extension of basic constitutional rights. However, the courts have maintained that a key element of this right is that privacy should be guaranteed only when there is a “reasonable expectation of privacy.” For example, if you mail a letter to someone in a sealed envelope, you may reasonably expect that it will be delivered without being read along the way—you have a reasonable expectation of privacy. On the other hand, if you send your message on a postcard, you do so with the awareness that one or more people might read your note before it arrives at the other end—you do not have a reasonable expectation of privacy.
Recent court rulings have found that employees do not have a reasonable expectation of privacy while using employer-owned communications equipment in the workplace. If you send a message using an employer’s computer, internet connection, telephone, or other communications device, your employer can monitor it as a routine business procedure.
That said, if you’re planning to monitor the communications of your employees, you should take reasonable precautions to ensure that there is no implied expectation of privacy. Here are some common measures to consider:
Clauses in employment contracts that state the employee has no expectation of privacy while using corporate equipment
Similar written statements in corporate acceptable use and privacy policies
Logon banners warning that all communications are subject to monitoring
Warning labels on computers and telephones warning of monitoring
As with many of the issues discussed in this chapter, it’s a good idea to consult with your legal counsel before undertaking any communications-monitoring efforts.
European Union Privacy Law
On October 24, 1995, the European Union (EU) Parliament passed a sweeping directive outlining privacy measures that must be in place for protecting personal data processed by information systems. The directive went into effect three years later in October 1998. The directive requires that all processing of personal data meet one of the following criteria:
Consent
Contract
Legal obligation
Vital interest of the data subject
Balance between the interests of the data holder and the interests of the data subject
The directive also outlines key rights of individuals about whom data is held and/or processed:
Right to access the data
Right to know the data’s source
Right to correct inaccurate data
Right to withhold consent to process data in some situations
Right of legal action should these rights be violated
Even organizations based outside Europe must consider the applicability of these rules due to transborder data flow requirements. In cases where personal information about European Union citizens leaves the EU, those sending the data must ensure that it remains protected. American companies doing business in Europe can obtain protection under the Privacy Shield agreement between the EU and the United States that allows the Department of Commerce and the Federal Trade Commission (FTC) to certify businesses that comply with regulations and offer them “safe harbor” from prosecution.
You may have heard that the safe harbor agreement between the United States and the European Union was declared invalid by the European Court of Justice in October 2015. This is true and left companies using safe harbor in legal limbo for nine months. The Privacy Shield agreement replaces the invalidated safe harbor agreement and was approved by the European Commission in July 2016.
To qualify for Privacy Shield protection, U.S. companies conducting business in Europe must meet these seven requirements for the processing of personal information:
Informing Individuals About Data Processing: Companies must include a commitment to the Privacy Shield Principles in their privacy policy, making it enforceable by U.S. law. They must also inform individuals of their rights under the Privacy Shield framework.
Providing Free and Accessible Dispute Resolution: Companies participating in the Privacy Shield must provide consumers with a response to any complaints within 45 days and agree to an appeal process that includes binding arbitration.
Cooperating with the Department of Commerce: Companies covered by the agreement must respond in a timely manner to any requests for information received from the U.S. Department of Commerce related to their participation in the Privacy Shield.
Maintaining Data Integrity and Purpose Limitation: Companies participating in Privacy Shield must only collect and retain personal information that is relevant to their stated purpose for collecting information.
Ensuring Accountability for Data Transferred to Third Parties: Privacy Shield participants must follow strict requirements before transferring information to a third party. These requirements are designed to ensure that the transfer is for a limited and specific purpose and that the recipient will protect the privacy of the information adequately.
Transparency Related to Enforcement Actions: If a Privacy Shield participant receives an enforcement action or court order because they fail to comply with program requirements, they must make public any compliance or assessment reports submitted to the FTC.
Ensuring Commitments Are Kept As Long As Data Is Held: Organizations that leave the Privacy Shield agreement must continue to annually certify their compliance as long as they retain information collected under the agreement.
For more information on the Privacy Shield Framework protections available to American companies, visit the FTC’s Privacy Shield website at https://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s.-eu-safe-harbor-framework.
European Union General Data Protection Regulation
The European Union passed a new, comprehensive law covering the protection of personal information in 2016. The General Data Protection Regulation (GDPR) is scheduled to go into effect on May 25, 2018, and will replace the older data protection directives on that date. The main purpose of this law is to provide a single, harmonized law that covers data throughout the European Union.
A major difference between the GDPR and the data protection directive is the widened scope of the regulation. The new law applies to all organizations that collect data from EU residents or process that information on behalf of someone who collects it. Importantly, the law even applies to organizations that are not based in the EU, if they collect information about EU residents. Depending upon how this is interpreted by the courts, it may have the effect of becoming an international law because of its wide scope. The ability of the EU to enforce this law globally remains an open question.
Some of the key provisions of the GDPR include the following:
A data breach notification requirement that mandates that companies inform authorities of serious data breaches within 24 hours
The creation of centralized data protection authorities in each EU member state
Provisions that individuals will have access to their own data
Data portability provisions that will facilitate the transfer of personal information between service providers at the individual’s request
The “right to be forgotten” that allows people to require companies to delete their information if it is no longer needed
Compliance
Over the past decade, the regulatory environment governing information security has grown increasingly complex. Organizations may find themselves subject to a wide variety of laws (many of which were outlined earlier in this chapter) and regulations imposed by regulatory agencies or contractual obligations.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an excellent example of a compliance requirement that is not dictated by law but by contractual obligation. PCI DSS governs the security of credit card information and is enforced through the terms of a merchant agreement between a business that accepts credit cards and the bank that processes the business’s transactions.
PCI DSS has 12 main requirements.
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
Each of these requirements is spelled out in detail in the full PCI DSS standard, which can be found at www.pcisecuritystandards.org/.
Organizations that are not merchants but store, process, or transmit credit card information on behalf of merchants must also comply with PCI DSS. For example, the requirements apply to shared hosting providers who must protect the cardholder data environment.
Dealing with the many overlapping, and sometimes contradictory, compliance requirements facing an organization requires careful planning. Many organizations employ full-time IT compliance staff responsible for tracking the regulatory environment, monitoring controls to ensure ongoing compliance, facilitating compliance audits, and meeting the organization’s compliance reporting obligations.
Organizations may be subject to compliance audits, either by their standard internal and external auditors or by regulators or their agents. For example, an organization’s financial auditors may conduct an IT controls audit designed to ensure that the information security controls for an organization’s financial systems are sufficient to ensure compliance with the Sarbanes-Oxley Act (SOX). Some regulations, such as PCI DSS, may require the organization to retain approved independent auditors to verify controls and provide a report directly to regulators.
In addition to formal audits, organizations often must report regulatory compliance to a number of internal and external stakeholders. For example, an organization’s Board of Directors (or, more commonly, that board’s Audit Committee) may require periodic reporting on compliance obligations and status. Similarly, PCI DSS requires organizations that are not compelled to conduct a formal third-party audit to complete and submit a self-assessment report outlining their compliance status.
Contracting and Procurement
The increased use of cloud services and other external vendors to store, process, and transmit sensitive information leads organizations to a new focus on implementing security reviews and controls in their contracting and procurement processes. Security professionals should conduct reviews of the security controls put in place by vendors, both during the initial vendor selection and evaluation process and as part of ongoing vendor governance reviews.
These are some questions to cover during these vendor governance reviews:
What types of sensitive information are stored, processed, or transmitted by the vendor?
What controls are in place to protect the organization’s information?
How is our organization’s information segregated from that of other clients?
If encryption is relied on as a security control, what encryption algorithms and key lengths are used? How is key management handled?
What types of security audits does the vendor perform, and what access does the client have to those audits?
Does the vendor rely on any other third parties to store, process, or transmit data? How do the provisions of the contract related to security extend to those third parties?
Where will data storage, processing, and transmission take place? If outside the home country of the client and/or vendor, what implications does that have?
What is the vendor’s incident response process, and when will clients be notified of a potential security breach?
What provisions are in place to ensure the ongoing integrity and availability of client data?
This is just a brief listing of some of the concerns you may have. Tailor the scope of your security review to the specific concerns of your organization, the type of service provided by the vendor, and the information that will be shared with them.
Summary
Computer security necessarily entails a high degree of involvement from the legal community. In this chapter, you learned about the laws that govern security issues such as computer crime, intellectual property, data privacy, and software licensing.
There are three major categories of law that impact information security professionals. Criminal law outlines the rules and sanctions for major violations of the public trust. Civil law provides us with a framework for conducting business. Government agencies use administrative law to promulgate the day-to-day regulations that interpret existing law.
The laws governing information security activities are diverse and cover all three categories. Some, such as the Electronic Communications Privacy Act and the Digital Millennium Copyright Act, are criminal laws where violations may result in criminal fines and/or prison time. Others, such as trademark and patent law, are civil laws that govern business transactions. Finally, many government agencies promulgate administrative law, such as the HIPAA Security Rule, that affects specific industries and data types.
Information security professionals should be aware of the compliance requirements specific to their industry and business activities. Tracking these requirements is a complex task and should be assigned to one or more compliance specialists who monitor changes in the law, changes in the business environment, and the intersection of those two realms.
It’s also not sufficient to simply worry about your own security and compliance. With increased adoption of cloud computing, many organizations now share sensitive and personal data with vendors that act as service providers. Security professionals must take steps to ensure that vendors treat data with as much care as the organization itself would and also meet any applicable compliance requirements.
Exam Essentials
Understand the differences between criminal law, civil law, and administrative law. Criminal law protects society against acts that violate the basic principles we believe in. Violations of criminal law are prosecuted by federal and state governments. Civil law provides the framework for the transaction of business between people and organizations. Violations of civil law are brought to the court and argued by the two affected parties. Administrative law is used by government agencies to effectively carry out their day-to-day business.
Be able to explain the basic provisions of the major laws designed to protect society against computer crime. The Computer Fraud and Abuse Act (as amended) protects computers used by the government or in interstate commerce from a variety of abuses. The Electronic Communications Privacy Act (ECPA) makes it a crime to invade the electronic privacy of an individual.
Know the differences among copyrights, trademarks, patents, and trade secrets. Copyrights protect original works of authorship, such as books, articles, poems, and songs. Trademarks are names, slogans, and logos that identify a company, product, or service. Patents provide protection to the creators of new inventions. Trade secret law protects the operating secrets of a firm.
Be able to explain the basic provisions of the Digital Millennium Copyright Act of 1998. The Digital Millennium Copyright Act prohibits the circumvention of copy protection mechanisms placed in digital media and limits the liability of Internet service providers for the activities of their users.
Know the basic provisions of the Economic Espionage Act of 1996. The Economic Espionage Act provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties apply when the individual knows that the information will benefit a foreign government.
Understand the various types of software license agreements. Contractual license agreements are written agreements between a software vendor and user. Shrink-wrap agreements are written on software packaging and take effect when a user opens the package. Click-wrap agreements are included in a package but require the user to accept the terms during the software installation process.
Understand the notification requirements placed on organizations that experience a data breach. California’s SB 1386 implemented the first statewide requirement to notify individuals of a breach of their personal information. All but three states eventually followed suit with similar laws. Currently, federal law only requires the notification of individuals when a HIPAA-covered entity breaches their protected health information.
Understand the major laws that govern privacy of personal information in both the United States and the European Union. The United States has a number of privacy laws that affect the government’s use of information as well as the use of information by specific industries, such as financial services companies and health care organizations that handle sensitive information. The EU has a more comprehensive General Data Protection Regulation that governs the use and exchange of personal information.
Explain the importance of a well-rounded compliance program. Most organizations are subject to a wide variety of legal and regulatory requirements related to information security. Building a compliance program ensures that you become and remain compliant with these often overlapping requirements.
Know how to incorporate security into the procurement and vendor governance process. The expanded use of cloud services by many organizations requires added attention to conducting reviews of information security controls during the vendor selection process and as part of ongoing vendor governance.
Written Lab
1. What are the key provisions of the Privacy Shield Framework agreement between the United States and the European Union?
2. What are some common questions that organizations should ask when considering outsourcing information storage, processing, or transmission?
3. What are some common steps that employers take to notify employees of system monitoring?