Types of Laws Relevant to Computer Crimes

Given the difficulties in defining and prosecuting computer crimes, many prosecutors seek to convict computer criminals on more traditional criminal statutes, such as theft, fraud, extortion, and embezzlement. Intellectual property rights and privacy laws, in addition to specific computer crime laws, also exist to protect the general public and assist prosecutors.

The CISSP candidate should understand that because of the difficulty in prosecuting computer crimes, prosecutors often use more traditional criminal statutes, intellectual property rights, and privacy laws to convict criminals. You should also realize that specific computer crime laws do exist.

Intellectual property

Intellectual property is protected by U.S. law under one of four classifications:

• Patents

• Trademarks

• Copyrights

• Trade secrets

Intellectual property rights worldwide are agreed upon, defined, and enforced by various organizations and treaties, including the World Intellectual Property Organization (WIPO), World Customs Organization (WCO), World Trade Organization (WTO), United Nations Commission on International Trade Law (UNCITRAL), European Union (EU), and Trade-Related Aspects of Intellectual Property Rights (TRIPs).

Licensing violations are among the most prevalent examples of intellectual property rights infringement. Other examples include plagiarism, software piracy, and corporate espionage.

Patents

A patent, as defined by the U.S. Patent and Trademark Office (PTO), is “the grant of a property right to the inventor.” A patent grant confers upon the owner (either an individual or a company) “the right to exclude others from making, using, offering for sale, selling, or importing the invention.” In order to qualify for a patent, an invention must be novel, useful, and not obvious. An invention must also be tangible — an idea cannot be patented. Examples of computer-related objects that may be protected by patents are computer hardware and the firmware in physical devices.

A patent is granted by the U.S. PTO for an invention that has been sufficiently documented by the applicant and that has been verified as original by the PTO. A U.S. patent is generally valid for 20 years from the date of application and is effective only within the U.S., including territories and possessions. Patent applications must be filed with the appropriate patent office in various countries throughout the world to receive patent protection in that country. The owner of the patent may grant a license to others for use of the invention or its design, often for a fee.

U.S. patent (and trademark) laws and rules are covered in 35 U.S.C. and 37 C.F.R., respectively. The Patent Cooperation Treaty (PCT) provides some international protection for patents. More than 130 countries worldwide have adopted the PCT. Patent infringements are not prosecuted by the U.S. PTO. Instead, the holder of a patent must enforce their patent rights through the appropriate legal system.

Patent grants were previously valid for only 17 years, but have recently been changed, for newly granted patents, to 20 years.

Trademark

A trademark, as defined by the U.S. PTO, is “any word, name, symbol, or device, or any combination, used, or intended to be used, in commerce to identify and distinguish the goods of one manufacturer or seller from goods manufactured or sold by others.” Computer-related objects that may be protected by trademarks include corporate brands and operating system logos. U.S. Public Law 105–330, the Trademark Law Treaty Implementation Act, provides some international protection for U.S. registered trademarks.

Copyright

A copyright is a form of protection granted to the authors of “original works of authorship,” both published and unpublished. A copyright protects a tangible form of expression rather than the idea or subject matter itself. Under the original Copyright Act of 1909, publication was generally the key to obtaining a federal copyright. However, the Copyright Act of 1976 changed this requirement, and copyright protection now applies to any original work of authorship immediately, from the time that it’s created in a tangible form. Object code or documentation are examples of computer-related objects that may be protected by copyrights.

Copyrights can be registered through the Copyright Office of the Library of Congress, but a work doesn’t need to be registered to be protected by copyright. Copyright protection generally lasts for the lifetime of the author plus 70 years.

Trade secret

A trade secret is proprietary or business-related information that a company or individual uses and has exclusive rights to. To be considered a trade secret, the information must meet the following requirements:

• Must be genuine and not obvious: Any unique method of accomplishing a task would constitute a trade secret, especially if it is backed up by copyrighted, patented, or proprietary software or methods that give that organization a competitive advantage.

• Must provide the owner a competitive or economic advantage and, therefore, have value to the owner: For example, Google’s search algorithms — the “secret sauce” that makes it popular with users (and therefore advertisers) — aren’t universally known. Some secrets are protected.

• Must be reasonably protected from disclosure: This doesn’t mean that it must be kept absolutely and exclusively secret, but the owner must exercise due care in its protection.

Software source code or firmware code are examples of computer-related objects that an organization may protect as trade secrets.

Privacy and data protection laws

Privacy and data protection laws are enacted to protect information collected and maintained on individuals from unauthorized disclosure or misuse. Privacy laws are one area in which the United States lags behind many others, particularly the European Union (EU), which has defined restrictive privacy regulations that prohibit the transfer of personal information to countries (including the United States) that don’t equally protect such information. The EU privacy rules include the following requirements about personal data and records:

• Must be collected fairly and lawfully.

• Must only be used for the purposes for which it was collected and only for a reasonable period of time.

• Must be accurate and kept up to date.

• Must be accessible to individuals who request a report on personal information held about themselves.

• Individuals must have the right to have any errors in their personal data corrected.

• Personal data can’t be disclosed to other organizations or individuals unless authorized by law or consent of the individual.

• Transmission of personal data to locations where equivalent privacy protection cannot be assured is prohibited.

Several important pieces of privacy and data protection legislation include the Federal Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Gramm-Leach-Bliley Act (GLBA) in the United States, and the Data Protection Act (DPA) in the United Kingdom. Finally, the Payment Card Industry Data Security Standard (PCI DSS) is an example of an industry policing itself — without the need for government laws or regulations.

U.S. Federal Privacy Act of 1974, 5 U.S.C. § 552A

The Federal Privacy Act of 1974 protects records and information maintained by U.S. government agencies about U.S. citizens and lawful permanent residents. Except under certain specific conditions, no agency may disclose any record about an individual “except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” The Privacy Act also has provisions for access and amendment of an individual’s records by that individual, except in cases of “information compiled in reasonable anticipation of a civil action or proceeding.” The Privacy Act provides individual penalties for violations, including a misdemeanor charge and fines up to $5,000.

Although the Federal Privacy Act of 1974 pre-dates the Internet as we know it today, don’t dismiss its relevance. The provisions of the Privacy Act are as important as ever and remain in full force and effect today.

U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996, PL 104–191

HIPAA was signed into law effective August 1996. The HIPAA legislation provided Congress three years from that date to pass comprehensive health privacy legislation. When Congress failed to pass legislation by the deadline, the Department of Health and Human Services (HHS) received the authority to develop the privacy and security regulations for HIPAA. In October 1999, HHS released proposed HIPAA privacy regulations entitled “Privacy Standards for Individually Identifiable Health Information,” which took effect in April 2003. HIPAA security standards were subsequently published in February 2003 and took effect in April 2003. Organizations that must comply with HIPAA regulations are referred to as covered entities and include

• Payers (or health plan): An individual or group health plan that provides — or pays the cost of — medical care; for example, insurers

• Healthcare clearinghouses: A public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements, such as data warehouses

• Health providers: A provider of medical or other health services, such as hospitals, HMOs, doctors, specialists, dentists, and counselors

Civil penalties for HIPAA violations include fines of $100 per incident, up to $25,000 per provision, per calendar year. Criminal penalties include fines up to $250,000 and potential imprisonment of corporate officers for up to ten years. Additional state penalties may also apply.

In 2009, Congress passed additional HIPAA provisions as part of the American Recovery and Reinvestment Act of 2009, requiring covered entities to publicly disclose security breaches involving personal information. (See the section “Disclosure laws” later in this chapter for a discussion of disclosure laws.)

U.S. Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009

The HITECH Act, passed as part of the American Recovery and Reinvestment Act of 2009, broadens the scope of HIPAA compliance to include the business associates of HIPAA covered entities. These include third-party administrators, pharmacy benefit managers for health plans, claims processing/billing/transcription companies, and persons performing legal, accounting and administrative work.

Another highly important provision of the HITECH Act promotes and, in many cases, funds the adoption of electronic health records (EHRs), in order to increase the effectiveness of individual medical treatment, improve efficiency in the U.S. healthcare system, and reduce the overall cost of healthcare. Anticipating that the widespread adoption of EHRs will increase privacy and security risks, the HITECH Act introduces new security and privacy-related requirements.

In the event of a breach of “unsecured protected health information,” the HITECH Act requires covered entities to notify the affected individuals and the Secretary of the U.S. Department of Health and Human Services (HHS). The regulation defines unsecured protected health information (PHI) as PHI that is not secured through the use of a technology or methodology to render it unusable, unreadable, or indecipherable to unauthorized individuals.

The notification requirements vary according to the amount of data breached:

• A data breach affecting more than 500 people must be reported immediately to the HHS, major media outlets and individuals affected by the breach, and must be posted on the official HHS website.

• A data breach affecting fewer than 500 people must be reported to the individuals affected by the breach, and to the HHS secretary on an annual basis.

Finally, the HITECH Act also requires the issuance of technical guidance on the technologies and methodologies “that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals”. The guidance specifies data destruction and encryption as actions that render PHI unusable if it is lost or stolen. PHI that is encrypted and whose encryption keys are properly secured provides a “safe harbor” to covered entities and does not require them to issue data-breach notifications.

U.S. Gramm-Leach-Bliley Financial Services Modernization Act, PL 106-102

Gramm-Leach-Bliley (known as GLBA) opened up competition among banks, insurance companies, and securities companies. GLBA also requires financial institutions to better protect their customers’ personally identifiable information (PII) with three rules:

• Financial Privacy Rule: Requires each financial institution to provide information to each customer regarding the protection of customers’ private information.

• Safeguards Rule: Requires each financial institution to develop a formal written security plan that describes how the institution will protect its customers’ PII.

• Pretexting Protection: Requires each financial institution to take precautions to prevent attempts by social engineers to acquire private information about institutions’ customers.

Civil penalties for GLBA violations are up to $100,000 for each violation. Furthermore, officers and directors of financial institutions are personally liable for civil penalties of not more than $10,000 for each violation.

U.K. Data Protection Act

Passed by Parliament in 1998, the U.K. Data Protection Act (DPA) applies to any organization that handles sensitive personal data about living persons. Such data includes

• Names

• Birth and anniversary dates

• Addresses, phone numbers, and e-mail addresses

• Racial or ethnic origins

• Political opinions and religious (or similar) beliefs

• Trade or labor union membership

• Physical or mental condition

• Sexual orientation or lifestyle

• Criminal or civil records or allegations

The DPA applies to electronically stored information, but certain paper records used for commercial purposes may also be covered. The DPA consists of eight privacy and disclosure principles as follows:

• “Personal data shall be processed fairly and lawfully and [shall not be processed unless certain other conditions (set forth in the Act) are met].”

• “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”

• “Personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.”

• “Personal data shall be accurate and, where necessary, kept up-to-date.”

• “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

• “Personal data shall be processed in accordance with the rights of data subjects under this Act.”

• “Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

• “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

DPA compliance is enforced by the Information Commissioner’s Office (ICO), an independent official body. Penalties generally include fines which may also be imposed against the officers of a company.

Payment Card Industry Data Security Standard (PCI DSS)

Although not (yet) a legal mandate, the Payment Card Industry Data Security Standard (PCI DSS) is one example of an effective industry initiative for mandating and enforcing security standards. PCI DSS applies to any business worldwide that transmits, processes, or stores payment card (meaning credit card) transactions to conduct business with customers — whether that business handles thousands of credit card transactions a day or a single transaction a year. Compliance is mandated and enforced by the payment card brands (American Express, MasterCard, Visa, and so on) and each payment card brand manages its own compliance program.

Although PCI DSS is an industry standard rather than a legal mandate, many states are beginning to introduce legislation that would make PCI compliance (or at least compliance with certain provisions) mandatory for organizations that do business in that state.

PCI DSS requires organizations to submit an annual self-assessment and network scan, or to complete an onsite PCI data security assessment and quarterly network scans. The actual requirements depend on the number of payment card transactions handled by an organization and other factors, such as previous data loss incidents.

PCI DSS version 2.0 consists of six core principles, supported by 12 accompanying requirements, and more than 200 specific procedures for compliance. These include

• Principle 1: Build and maintain a secure network:

  Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

  Requirement 2: Don’t use vendor-supplied defaults for system passwords and other security parameters.

• Principle 2: Protect cardholder data:

  Requirement 3: Protect stored cardholder data.

  Requirement 4: Encrypt transmission of cardholder data across open, public networks.

• Principle 3: Maintain a vulnerability management program:

  Requirement 5: Use and regularly update antivirus software.

  Requirement 6: Develop and maintain secure systems and applications.

• Principle 4: Implement strong access control measures:

  Requirement 7: Restrict access to cardholder data by business need-to-know.

  Requirement 8: Assign a unique ID to each person who has computer access.

  Requirement 9: Restrict physical access to cardholder data.

• Principle 5: Regularly monitor and test networks:

  Requirement 10: Track and monitor all access to network resources and cardholder data.

  Requirement 11: Regularly test security systems and processes.

• Principle 6: Maintain an information security policy:

  Requirement 12: Maintain a policy that addresses information security.

Penalties for non-compliance are levied by the payment card brands and include not being allowed to process credit card transactions, fines up to $25,000 per month for minor violations, and fines up to $500,000 for violations that result in actual lost or stolen financial data.

Disclosure laws

In an effort to combat identity theft, many U.S. states have passed disclosure laws that compel organizations to publicly disclose security breaches that may result in the compromise of personal data.

Although these laws typically include statutory penalties, the damage to an organization’s reputation and the potential loss of business — caused by the public disclosure requirement of these laws — can be the most significant and damaging aspect to affected organizations. Thus, public disclosure laws shame organizations into implementing more effective information security policies and practices to lessen the risk of a data breach occurring in the first place.

By requiring organizations to notify individuals of a data breach, disclosure laws fulfill a secondary purpose — allowing potential victims to take defensive or corrective action to help avoid or minimize the damage resulting from identity theft.

California Security Breach Information Act (SB-1386)

Passed in 2003, the California Security Breach Information Act (SB-1386) was the first U.S. state law to require organizations to notify all affected individuals “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement,” if their confidential or personal data is lost, stolen, or compromised, unless that data is encrypted.

The law is applicable to any organization that does business in the state of California — even a single customer or employee in California. An organization is subject to the law even if it doesn’t directly do business in California (for example, if it stores personal information about California residents for another company).

Other U.S. states have quickly followed suit, and 46 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands now have public disclosure laws. However, these laws aren’t necessarily consistent from one state to another, nor are they without flaws and critics.

For example, until early 2008, Indiana’s Security Breach Disclosure and Identity Deception law (HEA 1101) did not require an organization to disclose a security breach “if access to the [lost or stolen] device is protected by a password [emphasis added] that has not been disclosed.” Indiana’s law has since been amended and is now one of the toughest state disclosure laws in effect, requiring public disclosure unless “all personal information . . . is protected by encryption.”

Finally, a provision in California’s and Indiana’s disclosure laws, as well as in most other states’ laws, allows an organization to avoid much of the cost of disclosure if the cost of providing such notice would exceed $250,000 or if more than 500,000 individuals would need to be notified. Instead, a substitute notice, consisting of e-mail notifications, conspicuous posting on the organization’s website, and notification of major statewide media, is permitted.

Data Accountability and Trust Act (DATA)

Introduced in the U.S. House of Representatives as H.R.4127 in October 2005 (then subsequently re-introduced as H.R.2221 in April 2009), the Data Accountability and Trust Act (DATA) has yet to become U.S. law at the time we write this book. However, it would be idealistic to believe that four years of congressional debate and passionate lobbying will not result in the passage of a new federal law. And because four years of work has resulted in more than just a crafty acronym, it is important to understand the potential impact of this federal disclosure law as currently proposed.

DATA would supersede the various state laws already in effect, and although this federal law would provide more consistency, the net effect would be to weaken many state disclosure laws because of specific provisions within DATA. For example, various definitions in DATA may create large loopholes in the federal law, statutory penalties may lessen both the compensatory and punitive effect of the law, and substitute notification guidelines may completely nullify the deterrent effect of disclosure laws.

Computer crime and information security laws

Important international computer crime and information security laws that the CISSP candidate should be familiar with include

• U.S. Computer Fraud and Abuse Act of 1986

• U.S. Electronic Communications Privacy Act of 1986

• U.S. Computer Security Act of 1987

• U.S. Federal Sentencing Guidelines of 1991 (not necessarily specific to computer crime, but certainly relevant)

• U.S. Economic Espionage Act of 1996

• U.S. Child Pornography Prevention Act of 1996

• USA PATRIOT Act of 2001

• U.S. Sarbanes-Oxley Act of 2002

• U.S. CAN-SPAM Act of 2003

• The Council of Europe’s Convention on Cybercrime of 2001

• The Computer Misuse Act of 1990 (U.K.)

• Cybercrime Act of 2001 (Australia)

U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030 (as amended)

In 1984, the first U.S. federal computer crime law, the U.S. Computer Fraud and Abuse Act, was passed. This intermediate act was narrowly defined and somewhat ambiguous. The law covered

• Classified national defense or foreign relations information

• Records of financial institutions or credit reporting agencies

• Government computers

The U.S. Computer Fraud and Abuse Act of 1986 enhanced and strengthened the 1984 law, clarifying definitions of criminal fraud and abuse for federal computer crimes and removing obstacles to prosecution.

The Act established two new felony offenses for the unauthorized access of federal interest computers and a misdemeanor for unauthorized trafficking in computer passwords:

• Felony 1: Unauthorized access, or access that exceeds authorization, of a federal interest computer to further an intended fraud, shall be punishable as a felony [Subsection (a)(4)].

• Felony 2: Altering, damaging, or destroying information in a federal interest computer or preventing authorized use of the computer or information, that causes an aggregate loss of $1,000 or more during a one-year period or potentially impairs medical treatment, shall be punishable as a felony [Subsection (a)(5)].

  This provision was stricken in its entirety and replaced with a more general provision, which we discuss later in this section.

• Misdemeanor: Trafficking in computer passwords or similar information if it affects interstate or foreign commerce or permits unauthorized access to computers used by or for the U.S. government [Subsection (a)(6)].

The Act defines a federal interest computer (actually, the term was changed to protected computer in the 1996 amendments to the Act) as either a computer

• “[E]xclusively for the use of a financial institution or the United States government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States government and the conduct constituting the offense affect that use by or for the financial institution or the government”

• “[W]hich is used in interstate or foreign commerce or communication”

Several minor amendments to the U.S. Computer Fraud and Abuse Act were made in 1988, 1989, and 1990, and more significant amendments were made in 1994, 1996 (by the Economic Espionage Act of 1996), and 2001 (by the USA PATRIOT Act of 2001). The Act, in its present form, establishes seven specific computer crimes. In addition to the three that we discuss in the preceding list, these crimes include the following five provisions (we discuss subsection [a][5] in its current form in the following list):

• Unauthorized access, or access that exceeds authorization, to a computer that results in disclosure of U.S. national defense or foreign relations information [Subsection (a)(1)].

• Unauthorized access, or access that exceeds authorization, to a protected computer to obtain any information on that computer [Subsection (a)(2)].

• Unauthorized access, or access that exceeds authorization, to a protected computer that affects the use of that computer by or for the U.S. government [Subsection (a)(3)].

• Unauthorized access to a protected computer causing damage or reckless damage, or intentionally transmitting malicious code which causes damage to a protected computer [Subsection (a)(5), as amended].

• Transmission of interstate or foreign commerce communication threatening to cause damage to a protected computer for the purpose of extortion [Subsection (a)(7)].

In the section “USA PATRIOT Act of 2001,” later in this chapter, we discuss major amendments to the U.S. Computer Fraud and Abuse Act of 1986 (as amended) that Congress introduced in 2001.

The U.S. Computer Fraud and Abuse Act of 1986 is the major computer crime law currently in effect. The CISSP exam likely tests your knowledge of the Act in its original 1986 form, but you should also be prepared for revisions to the exam that may cover the more recent amendments to the Act.

U.S. Electronic Communications Privacy Act (ECPA) of 1986

The ECPA complements the U.S. Computer Fraud and Abuse Act of 1986 and prohibits eavesdropping, interception, or unauthorized monitoring of wire, oral, and electronic communications. However, the ECPA does provide specific statutory exceptions, allowing network providers to monitor their networks for legitimate business purposes if they notify the network users of the monitoring process.

The ECPA was amended extensively by the USA PATRIOT Act of 2001. These changes are discussed in the upcoming “USA PATRIOT Act of 2001” section.

The U.S. Electronic Communications Privacy Act (ECPA) provides the legal basis for network monitoring.

U.S. Computer Security Act of 1987

The U.S. Computer Security Act of 1987 requires federal agencies to take extra security measures to prevent unauthorized access to computers that hold sensitive information. In addition to identifying and developing security plans for sensitive systems, the Act requires those agencies to provide security-related awareness training for their employees. The Act also assigns formal government responsibility for computer security to the National Institute of Standards and Technology (NIST) for information security standards, in general, and to the National Security Agency (NSA) for cryptography in classified government/military systems and applications.

U.S. Federal Sentencing Guidelines of 1991

In November 1991, the United States Sentencing Commission published Chapter 8, “Federal Sentencing Guidelines for Organizations,” of the U.S. Federal Sentencing Guidelines. These guidelines establish written standards of conduct for organizations, provide relief in sentencing for organizations that have demonstrated due diligence, and place responsibility for due care on senior management officials with penalties for negligence, including fines of up to $290 million.

U.S. Economic Espionage Act of 1996

The U.S. Economic Espionage Act (EEA) of 1996 was enacted to curtail industrial espionage, particularly when such activity benefits a foreign entity. The EEA makes it a criminal offense to take, download, receive, or possess trade secret information that’s been obtained without the owner’s authorization. Penalties include fines of up to $10 million, up to 15 years in prison, and forfeiture of any property used to commit the crime. The EEA also enacted the 1996 amendments to the U.S. Computer Fraud and Abuse Act, which we talk about in the section “U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030 (as amended),” earlier in this chapter.

U.S. Child Pornography Prevention Act of 1996

The U.S. Child Pornography Prevention Act (CPPA) of 1996 was enacted to combat the use of computer technology to produce and distribute pornography involving children, including adults portraying children.

USA PATRIOT Act of 2001

Following the terrorist attacks against the United States on September 11, 2001, the USA PATRIOT Act of 2001 (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) was enacted in October 2001 and renewed in March 2006. (Many provisions originally set to expire have since been made permanent under the renewed Act.) This Act takes great strides to strengthen and amend existing computer crime laws, including the U.S. Computer Fraud and Abuse Act and the U.S. Electronic Communications Privacy Act (ECPA), as well as to empower U.S. law enforcement agencies, if only temporarily. U.S. federal courts have subsequently declared some of the Act’s provisions unconstitutional. The sections of the Act that are relevant to the CISSP exam include

Section 202 — Authority to Intercept Wire, Oral, and Electronic Communications Relating to Computer Fraud and Abuse Offenses: Under previous law, investigators couldn’t obtain a wiretap order for violations of the Computer Fraud and Abuse Act. This amendment authorizes such action for felony violations of that Act.

Section 209 — Seizure of Voice-Mail Messages Pursuant to Warrants: Under previous law, investigators could obtain access to e-mail under the ECPA but not voice-mail, which was covered by the more restrictive wiretap statute. This amendment authorizes access to voice-mail with a search warrant rather than a wiretap order.

Section 210 — Scope of Subpoenas for Records of Electronic Communications: Under previous law, subpoenas of electronic records were restricted to very limited information. This amendment expands the list of records that can be obtained and updates technology-specific terminology.

Section 211 — Clarification of Scope: This amendment governs privacy protection and disclosure to law enforcement of cable, telephone, and Internet service provider records.

Section 212 — Emergency Disclosure of Electronic Communications to Protect Life and Limb: Prior to this amendment, no special provisions existed that allowed a communications provider to disclose customer information to law enforcement officials in emergency situations, such as an imminent crime or terrorist attack, without exposing the provider to civil liability suits from the customer.

Section 214 — Pen Register and Trap and Trace Authority under FISA (Foreign Intelligence Surveillance Act): Clarifies law enforcement authority to trace communications on the Internet and other computer networks, and authorizes the use of a pen/trap device nationwide, instead of limiting it to the jurisdiction of the court.

A pen/trap device refers to a pen register, which shows outgoing numbers called from a phone, and a trap and trace device, which shows incoming numbers that called a phone. Pen registers and trap and trace devices are collectively referred to as pen/trap devices because most technologies allow the same device to perform both types of traces (incoming and outgoing numbers).

Section 217 — Interception of Computer Trespasser Communications: Under previous law, it was permissible for organizations to monitor activity on their own networks but not necessarily for law enforcement to assist these organizations in monitoring, even when such help was specifically requested. This amendment allows organizations to authorize persons “acting under color (pretense or appearance) of law” to monitor trespassers on their computer systems.

Section 220 — Nationwide Service of Search Warrants for Electronic Evidence: Removes jurisdictional issues in obtaining search warrants for e-mail. For an excellent example of this problem, read The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, by Clifford Stoll (Doubleday).

Section 814 — Deterrence and Prevention of Cyberterrorism: Greatly strengthens the U.S. Computer Fraud and Abuse Act, including raising the maximum prison sentence from 10 years to 20 years.

Section 815 — Additional Defense to Civil Actions Relating to Preserving Records in Response to Government Requests: Clarifies the “statutory authorization” (government authority) defense for violations of the ECPA.

Section 816 — Development and Support of Cybersecurity Forensic Capabilities: Requires the Attorney General to establish regional computer forensic laboratories, maintain existing laboratories, and provide forensic and training capabilities to Federal, State, and local law enforcement personnel and prosecutors.

The USA PATRIOT Act of 2001 changes many of the provisions in the computer crime laws, particularly the U.S. Computer Fraud and Abuse Act, which we discuss in the section “U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030 (as amended),” earlier in this chapter, and the Electronic Communications Privacy Act of 1986, which we detail in the section “U.S. Electronic Communications Privacy Act (ECPA) of 1986,” earlier in this chapter. As a security professional, you must keep abreast of current laws and affairs to perform your job effectively.

U.S. Sarbanes-Oxley Act of 2002 (SOX)

In the wake of several major corporate and accounting scandals, SOX was passed in 2002 to restore public trust in publicly held corporations and public accounting firms by establishing new standards, and strengthening existing standards, for these entities in the areas of auditing, governance, and financial disclosures.

SOX established the Public Company Accounting Oversight Board (PCAOB), which is a private-sector, nonprofit corporation responsible for overseeing auditors in the implementation of SOX. PCAOB’s “Accounting Standard 2” recognizes the role of information technology as it relates to a company’s internal controls and financial reporting. The Standard identifies the responsibility of Chief Information Officers (CIOs) for the security of information systems that process and store financial data, and it has many implications for information technology security and governance.

U.S. CAN-SPAM Act of 2003

The U.S. CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes standards for sending commercial e-mail messages, charges the U.S. Federal Trade Commission (FTC) with enforcement of its provisions, and provides penalties that include fines and imprisonment for violations of the Act.

Directive 95/46/EC on the protection of personal data (1995, EU)

In 1995, the European Parliament ratified this essential legislation that protects personal information for all European citizens. The directive states that personal data should not be processed at all, except when certain conditions are met.

A legitimate concern about the disposition of European citizens’ personal data when it leaves computer systems in Europe and enters computer systems in the U.S. led to the creation of the Safe Harbor program (discussed in the following section).

Safe Harbor (1998)

In an agreement between the European Union and the U.S. Department of Commerce in 1998, the U.S. Department of Commerce developed a certification program called Safe Harbor. This permits U.S.-based organizations to certify themselves as properly handling private data belonging to European citizens.

The Council of Europe’s Convention on Cybercrime (2001)

The Convention on Cybercrime is an international treaty, currently signed by more than 40 countries (the U.S. ratified the treaty in 2006), requiring criminal laws to be established in signatory nations for computer hacking activities, child pornography, and intellectual property violations. The treaty also attempts to improve international cooperation with respect to monitoring, investigations, and prosecution.

The Computer Misuse Act 1990 (U.K.)

The Computer Misuse Act 1990 (U.K.) defines three criminal offenses related to computer crime: unauthorized access (whether successful or unsuccessful), unauthorized modification, and hindering authorized access (Denial of Service).

Cybercrime Act 2001 (Australia)

The Cybercrime Act 2001 (Australia) establishes criminal penalties, including fines and imprisonment, for people who commit computer crimes (including unauthorized access, unauthorized modification, or Denial of Service) with intent to commit a serious offense.
