Major Types and Classifications of Law

Our discussion of the major types and classifications of law consists of U.S. and international law, including many key concepts and terms that you need to understand for the CISSP exam.

Common law

Common law (also known as case law) originated in medieval England, and is derived from the decisions (or precedents) of judges. Common law is based on the doctrine of stare decisis (“let the decision stand”) and is often codified by statutes. Under the common law system of the United States, three major categories of laws are defined at the federal and state levels: criminal, civil (or tort), and administrative (or regulatory) laws.

Criminal law

Criminal law defines those crimes committed against society, even when the actual victim is a business or individual(s). Criminal laws are enacted to protect the general public. As such, in the eyes of the court, the victim is incidental to the greater cause.

Criminal penalties

Penalties under criminal law have two main purposes:

• Punishment: Penalties may include jail/prison sentences, probation, fines, and/or financial restitution to the victim.

• Deterrence: Penalties must be severe enough to dissuade any further criminal activity by the offender or anyone else considering a similar crime.

Burden of proof under criminal law

To be convicted under criminal law, a judge or jury must believe beyond a reasonable doubt that the defendant is guilty. Therefore the burden of proof in a criminal case rests firmly with the prosecution.

Classifications of criminal law

Criminal law has two main classifications, depending on severity, such as type of crime/attack or total loss in dollars:

• Felony: More serious crimes, normally resulting in jail/prison terms of more than one year.

• Misdemeanor: Less serious crimes, normally resulting in fines or jail/prison terms of less than one year.

Civil law

Civil (tort) law addresses wrongful acts committed against an individual or business, either willfully or negligently, resulting in damage, loss, injury, or death.

Civil penalties

Unlike criminal penalties, civil penalties don’t include jail or prison terms. Instead, civil penalties provide financial restitution to the victim:

• Compensatory damages: Actual damages to the victim, including attorney/legal fees, lost profits, investigative costs, and so on

• Punitive damages: Determined by a jury and intended to punish the offender

• Statutory damages: Mandatory damages determined by law and assessed for violating the law

Burden of proof under civil law

Convictions under civil law are typically easier to obtain than under criminal law because the burden of proof is much less. To be convicted under civil law, a jury must believe based upon the preponderance of the evidence that the defendant is guilty. This simply means that the available evidence leads the judge or jury to a conclusion of guilt.

Liability and due care

The concepts of liability and due care are germane to civil law cases, but they’re also applicable under administrative law, which we discuss in the following section.

The standard criterion for assessing the legal requirements for implementing recommended safeguards is to evaluate the cost of the safeguard and the estimated loss from the corresponding threat, if realized. If the cost is less than the estimated loss and the organization doesn’t implement a safeguard, then a legal liability may exist. This is based on the principle of proximate causation, in which an action taken or not taken was part of a sequence of events that resulted in negative consequences.

Under the Federal Sentencing Guidelines, senior corporate officers may be personally liable if their organization fails to comply with applicable laws. Such individuals must follow the prudent man (or person) rule, which requires them to perform their duties:

• In good faith

• In the best interests of the enterprise

• With the care and diligence that ordinary, prudent people in a similar position would exercise under similar circumstances

The concepts of due care and due diligence are related but distinctly different:

• Due care: The conduct that a reasonable person exercises in a given situation, which provides a standard for determining negligence. In the practice of information security, due care relates to the steps that individuals or organizations take to perform their duties and implement security best practices.

• Due diligence: The prudent management and execution of due care. It’s most often used in legal and financial circles to describe the actions that an organization takes to research the viability and merits of an investment or merger/acquisition opportunity. In the context of information security, due diligence commonly refers to risk identification and risk management practices, not only in the day-to-day operations of an organization, but also in the case of technology procurement, as well as mergers and acquisitions.

Another important aspect of due care is the principle of culpable negligence. If an organization fails to follow a standard of due care in the protection of its assets, the organization may be held culpably negligent. In such cases, jury awards may be adjusted accordingly, and the organization’s insurance company may be required to pay only a portion of any loss — the organization may get stuck paying the rest of the bill!

Administrative law

Administrative (regulatory) laws define standards of performance and conduct for major industries (including banking, energy, and healthcare), organizations, and officials. These laws are typically enforced by various government agencies, and violations may result in financial penalties and/or imprisonment.

International law

Given the global nature of the Internet, it’s often necessary for many countries to cooperate in order to bring a computer criminal to justice. But because practically every country in the world has its own unique legal system, such cooperation is always difficult and often impossible. As a starting point, many countries disagree on exactly what justice is. Other problems include

• Lack of universal cooperation: We can’t answer the question, “Why can’t we all just get along?” but we can tell you that it’s highly unlikely that a 14-year-old hacker in some remote corner of the world will commit some dastardly crime that unites us all in our efforts to take him down, bringing about a lasting world peace.

• Different interpretations of laws: What’s illegal in one country (or even in one state in the U.S.) isn’t necessarily illegal in another.

• Different rules of evidence: This problem can encompass different rules for obtaining and collecting evidence, as well as different rules for admissibility of evidence.

• Low priority: Different nations have different views regarding the seriousness of computer crimes; and in the realm of international relations, computer crimes are usually of minimal concern.

• Outdated laws and technology: Related to the low-priority problem. Technology varies greatly throughout the world, and many countries (not only the Third World countries) lag far behind others. For this reason and many others, computer crime laws are often a low priority and aren’t kept current. This problem is further exacerbated by the different technical capabilities of the various law enforcement agencies that may be involved in an international case.

• Extradition: Many countries don’t have extradition treaties and won’t extradite suspects to a country that has different or controversial practices, such as capital punishment. Although capital punishment for a computer crime may sound extreme, recent events and the threat of cyberterrorism make this a very real possibility.

Besides common law systems (which we talk about in the section “Common law,” earlier in this chapter), other countries throughout the world use legal systems including

• Civil law systems: Not to be confused with U.S. civil law, which is based on common law. Civil law systems use constitutions and statutes exclusively and aren’t based on precedent. The role of a judge in a civil law system is to interpret the law. Civil law is the most widespread type of law system used throughout the world.

• Religious (or customary) law systems: Derived from religious beliefs and values. Common religious law systems include Sharia in Islam, Halakha in Judaism, and Canon law in Christianity.

• Pluralistic (or mixed) law systems: Combinations of various systems, such as civil and common law, civil and religious law, and common and religious law.
