Laws to Deter Information Theft

Espionage between organizations used to require a physical act, such as stealing paper documents and making physical copies. Identity theft was a factor only if someone lost a wallet or if it was stolen. Although information technologies such as networked file servers, tablets, and web-based applications have made data easier to manage, IT has also made that information far more vulnerable.

Federal and state laws have been created to act as deterrents to information theft. These laws require organizations to take steps to protect the sensitive data stored, processed, or transmitted by their IT infrastructure. There are penalties for both stealing information and failing to follow the regulations in safeguarding it.

These laws add other considerations with which organizations must comply. Organizations must protect data from breaches; they must also be able to tell if an information breach has occurred. An organization may have a legal obligation to inform all stakeholders about breaches that have occurred and any information that may have been compromised.

U.S. Federal Laws

The technology breakthroughs of the information age have allowed organizations to be more productive and automate many interactions with consumers and stakeholders through the Internet. This has had unfortunate drawbacks; individuals can now use the Internet to gain unauthorized access to an organization, putting sensitive data at risk. An IT professional must be aware of these risks, as well as the numerous laws and regulations affecting the organization.

Various regulations define an organization’s obligation to secure information. This section explores a few laws that cover unauthorized access of that information: the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act.

Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act (CFAA) is a federal criminal statute designed to protect electronic data from theft. The CFAA was enacted in 1984 and was designed to protect classified information maintained on governmental computer systems as well as financial and credit information maintained at financial institutions.

In 1994 and again in 1996, Congress expanded the CFAA to cover any computer used in interstate commerce. The law was also amended to allow private civil actions to help individuals injured by the criminal activity that the CFAA prohibits. In 2002, the law was further expanded to cover a system located outside the United States that is used in a manner that affects interstate or foreign commerce activities within the United States. The most recent amendment to the CFAA occurred in 2008 with the passage of the Identity Theft Enforcement and Restitution Act. This act revised the CFAA to include provisions regulating spyware and cyberextortion. It also now requires identity thieves to pay restitution to their victims and forfeit any computer equipment used in identity theft.

The expansion of the CFAA has made it an effective tool for protecting data stored on computers, because civil actions can now be brought against a range of activities. Here are some examples:

  • Obtaining information from a computer through unauthorized access
  • Trafficking in a computer password that can be used for unauthorized access
  • Intentionally damaging computer data
  • Stealing the identity of an individual

The CFAA allows an organization or individual affected by theft or destruction of data to seek relief and restitution from the courts and to force the return of stolen information. The CFAA also allows organizations to prevent the use of stolen information by their competitors in the marketplace. In this manner, the CFAA protects the rights of organizations and individuals that need to safeguard their sensitive information and processes from their competitors.

The CFAA is based on unauthorized access to computers and information. “Unauthorized access” can be defined as using a computer to obtain or alter information in a system that the individual does not have a legitimate right to obtain or alter. For example, suppose an employee accesses valuable company information and sends it through the Internet to a competitor right before his termination, in hopes of obtaining a position with the competitor. The employee in this scenario could argue that the CFAA does not apply because he had legitimate access to the computer and data at that time. Under the CFAA, however, the courts would probably not agree with this assertion. A court could hold that the employee’s legitimate access ended when he no longer held the best interest of the company in mind. When the employee accessed and sent the proprietary information to the competitor, he lost authorization to the data.

Digital Millennium Copyright Act

The Digital Millennium Copyright Act (DMCA), passed in 1998, is the implementing legislation that facilitates the United States’ participation in World Intellectual Property Organization (WIPO) treaties. DMCA has two major provisions of interest to IT professionals. First, it makes it a crime to bypass technological mechanisms used to enforce copyright provisions or sell equipment designed to bypass those mechanisms. Second, it introduces requirements for Internet service providers to receive and respond to copyright infringement complaints.

FYI

There are exceptions to the DMCA. It allows for legitimate research of reverse engineering for interoperability requirements. For example, a research team could legally attempt to figure out how access control measures were coded for the purposes of allowing third-party applications to interface with the access controls. There is also an exception if prior approval from a legitimate authority has been granted to try to break through an access control measure. Another exception is the manufacturing and sale of parental control systems to allow parents to restrict what their children view on the Internet. There are also exceptions for some government activities and legitimate law enforcement actions.

Copyright Technology Protection

The DMCA prohibits unauthorized disclosure of data by circumventing an established technological measure of the organization. Technological measures include things like product keys for software, CD and DVD copy protection, system passwords, and so on. The DMCA also prohibits the manufacture or sale of programs or devices designed to break access control measures of an organization.

The idea behind the DMCA is that unless it is illegal to break the technological protections an organization has put in place, malicious users could manipulate access control solutions and violate copyright laws without consequence. The DMCA provides for legal liability and attempts to ward off malicious users while giving organizations an incentive to implement access controls.

For example, let’s take a look at the case of Universal City Studios v. Reimerdes, in which eight motion picture studios employed the DMCA against a defendant who posted DVD decrypting software on his website.

Upon the advent of DVDs, movie studios were concerned with the piracy aspect of the new technology. Unlike analog video, digital video can be replicated without any degradation in video quality. In the mid-1990s, the Content Scramble System (CSS) was created in partnership with the consumer electronics industry to help defend against piracy.

CSS provides encryption to a DVD’s sound and graphics files according to predefined algorithms, making it supposedly impossible to replicate a legitimate studio-sanctioned DVD. This technology was then licensed to consumer electronics manufacturers for use in creating DVD players for retail sale.

In the fall of 1999, a teenager was able to crack the encryption. He reverse-engineered an officially licensed DVD player. This allowed for the creation of a computer program capable of decrypting the DVDs. This program allowed the DVDs to be viewed on noncompliant computers. It also allowed the decrypted files to be copied. The software was then posted on the Internet, where it could be downloaded from hundreds of sites.

The movie studios, using the DMCA, sought a legal solution to the problem. Applying the anti-circumvention provisions of the DMCA, the court found that the software written to break the DVD encryption constituted a technology designed to circumvent the measure the studios had implemented to protect the copyright of their proprietary DVDs. As a result, the court ruled in favor of the studios under the DMCA.

ISP Requirements

The DMCA also requires that Internet service providers (ISPs) receive and respond to copyright complaints in a timely manner. ISPs that meet the requirements of the DMCA qualify for safe harbor status, which protects them from liability for the activities of their customers. The DMCA requires ISPs to:

  • Block access to any potentially infringing material when they receive proper notice from a copyright owner.
  • Notify users of their policy regarding copyright infringement and the consequences that may occur if users engage in unlawful activity.
  • Implement measures to terminate the access of repeat infringers.

The specific provisions of DMCA vary depending upon the services provided by the ISP.

State Laws

All U.S. states now have laws that apply to unauthorized access to confidential information. Because they have many parts in common, this section covers one law in depth. The California Identity Theft Statute will give you a basic understanding of state laws designed to protect data.

The California Identity Theft Statute requires businesses operating in California to notify customers when the business has reason to believe that personal information has been disclosed through unauthorized access. Personal information is defined as a Social Security number (SSN), driver’s license number, or physical address maintained in digital form.

As soon as an organization realizes that there has been an unauthorized disclosure, the organization must notify the owner of the information that a breach has occurred. The law further provides for any individual damaged by the breach to bring a lawsuit to recover any loss incurred due to the information disclosure and failure of the organization to issue a timely notification.

The purpose of the California Identity Theft Statute is to provide sufficient notice to individuals whose personal information has been stolen so they can take appropriate actions in a timely manner to prevent further damage by the data thieves.

The following are some of the elements of the California Identity Theft Statute that apply to data access and handling:

  • Any person who, with the intent to defraud, acquires, transfers, or retains possession of personally identifying information of another person, is guilty of a crime punishable by up to $1,000 and 1 year in jail.
  • Businesses are required to take reasonable steps to destroy all records containing personal information by shredding, erasing, or modifying the information to make it unreadable.
  • Businesses and governmental agencies must notify individuals when any of the following unencrypted personal information has been accessed in a computer security breach: SSN, driver’s license number, account number, credit card number, or debit card number.

NOTE

Identity theft is one of the fastest growing crimes being committed on the Internet. Data thieves sell personal information to criminals, who then open credit card accounts, purchase products, or commit to other financial obligations using the stolen identities. Early notice that identity theft has occurred and action by individuals to protect themselves following a security breach will help reduce the impact of this type of criminal activity.

Furthermore, individuals, commercial entities, and certain governmental entities, including public universities and colleges, may not:

  • Publicly display or post SSNs.
  • Print SSNs on ID cards or badges.
  • Require people to transmit SSNs over the Internet unless the connection is secure or the number is encrypted.
  • Require people to use their SSN to log on to the Internet without a password.
  • Print SSNs on mailed documents unless required by state or federal law.
  • Embed or encode SSNs on a card or document where it cannot otherwise be printed. This includes chips, radio frequency identification (RFID), magnetic strips, and barcodes.
  • Mail SSNs where the number is visible without opening the envelope.

TIP

The California Identity Theft Statute, used as an example in this section, is representative of many states’ identity theft laws. Some of these laws, including California’s, go so far as to explicitly criminalize identity theft. If you are in a position to safeguard personally identifiable information, research the specific laws that apply in your state. You can begin by visiting your state’s Office of the Attorney General website.

Financial institutions are prohibited from sharing or selling nondirectory personally identifiable information without obtaining the consumer’s consent.
