Chapter 4 - Laws, Regulations, and Compliance Flashcards
What are the categories of law?
Criminal law - laws that police and law enforcement agencies concern themselves with; they address acts that threaten other people's rights.
Civil law - designed to provide an orderly society and govern matters that are not crimes but that require an impartial arbiter to settle disputes between individuals and organizations.
Administrative law - executive orders, policies, procedures, and regulations that govern the daily operations of an agency.
Where are Administrative laws published?
Code of Federal Regulations (CFR)
What is the CFAA?
Computer Fraud and Abuse Act
Makes it a crime to:
Access government systems without authorization
Cause malicious damage in excess of $1000
Modify medical records
Access any financial systems
Use any combination of computers to commit an offense when not all are located in the same state
An amendment to what act made it illegal to produce malicious code for any reason?
CFAA - Computer Fraud and Abuse Act
What was the purpose of the National Information Infrastructure Protection Act of 1996?
Broadens the CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce.
Extends similar protections to critical infrastructure (railroads, gas pipelines, electric power grids, and telecom systems)
What law requires that federal agencies implement an information security program that covers the agency’s operations?
FISMA - Federal Information Security Management Act
In 2014 President Obama signed into law a modernization of the federal government's approach to cybersecurity, consolidating cybersecurity responsibility within Homeland Security.
FISMA - Federal Information Systems Modernization Act
What are the two exceptions to the FISMA consolidation of cybersecurity within DHS?
Defense related cyber - DoD
Intelligence related cyber - DNI
A law that charges NIST with the responsibility for coordinating nationwide work on voluntary cybersecurity standards.
Cybersecurity Enhancement Act
Law charging Homeland Security with establishing a national cybersecurity and communications integration center that serves as the interface between federal agencies and civilian orgs for sharing cybersecurity risks, incidents, analysis, and warnings.
National Cybersecurity Protection Act
Intangible assets that take the form of secretive recipes, processes, or production techniques
Intellectual Property
Original works of authorship can be protected by?
Copyright law - covers literary, musical, dramatic, sound recording, architectural, and graphical works
Can copyright protect software such as the look and feel of a graphical interface and/or the ideas and processes?
The courts have gone both ways on look and feel; ideas and processes are not protected, only the source code.
Do you need to go through copyright court to prove copyright status?
No - original creators have copyright as long as they can prove they were the author.
Law created to penalize copyright offenders who distribute pirated media.
Digital Millennium Copyright Act
$1 MM fine
10 years imprisonment
Protection mechanism for words, slogans, mottos, logos
Trademark
Three requirements of a utility patent
New - original idea
Useful - actually work and accomplish a task
Not obvious - can’t patent a drinking cup as a rainwater collection device
Difference between a design and a utility patent
A design patent only protects something for 15 years versus 20 years
Design patent only covers the appearance of the invention
Easier to obtain design patent
What are the benefits and disadvantages of a trade secret?
Do not expire
No public disclosure required
Must create and maintain NDA and access policies that sufficiently demonstrate it is a trade secret. (failure to do so results in loss of trade secret status).
What law protects trade secrets from theft?
Economic Espionage Act of 1996
Anyone found guilty of stealing trade secrets from a US corporation with the intention of benefiting a foreign government or agency may be fined up to 500k and imprisoned for 15 years
Anyone found guilty of stealing trade secrets under other circumstances may be fined up to 250k and imprisoned for ten years.
Written agreement between the software vendor and the customer, outlining the responsibilities of each.
Contractual license agreement
usually found on high-priced and/or highly specialized software
Written agreement on the outside of software packaging that includes a clause that user acknowledges agreement by opening package.
Shrink wrap license agreement
Agreement terms are included in software documentation and user is required to click a button acknowledging that they agree to the terms of the agreement.
Click through license agreement
Law governing import/export that controls the export of items that are specifically designated as military and defense items, including technical information related to those items.
International Traffic in Arms Regulations (ITAR)
Law governing import/export that controls a broad set of items that are designed for commercial use but have military applications.
Export Administration Regulations (EAR)
Law severely limiting the ability of the federal government to disclose private information about individual citizens to other people or among agencies without the written consent of the affected individuals, a court order, or a law enforcement or health and safety need.
Privacy act of 1974
Law that protects against the monitoring of email and voicemail communications and prevents providers of those services from making unauthorized disclosures of their content.
Electronic Communications Privacy Act of 1986 (ECPA)
Law that requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
Communications Assistance for Law Enforcement Act (1994)
Privacy and security regulations requiring strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Law that updated HIPAA's privacy and security requirements and was implemented through the HIPAA Omnibus Rule in 2013. What is unique about it?
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
Provides a data breach notification rule at the federal level.
Law that protects children from websites collecting information about them. Parents must be provided with the opportunity to review any information collected from their children, and must give verifiable consent to the collection of information about children younger than 13.
Children’s Online Privacy Protection Act of 1998 (COPPA)
Allowed banks to share information but restricted the personal information that could be shared among banks to protect privacy.
Gramm-Leach-Bliley Act of 1999
Law that broadens the powers of law enforcement and intelligence agencies when monitoring electronic communications. Allows blanket warrants for individuals rather than just circuits.
USA PATRIOT Act of 2001
Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Requirements of the European Union Data Protection Directive (DPD) prescribe that all processing of personal data meet one of the following criteria:
Consent
Contract
Legal obligation
Vital interest of the data subject
Rights of the data subject: right to access data; right to know the data's source; right to correct inaccurate data; right to withhold consent to process data in some situations; right to legal action should these rights be violated
How does the European Union General Data Protection Regulation (GDPR) expand upon the EU Data Protection Directive (DPD)?
Widened the scope of DPD
Applies to all orgs that collect data from EU residents
Law applies to orgs not based in the EU if they collect data about EU residents
What are the stipulations of cross-border information sharing in the EU?
Orgs may adopt a set of standard contractual clauses that have been approved for use in situations where information is being transferred outside of the EU.
Orgs may adopt binding corporate rules that regulate data transfers between internal units of the same firm.
Canadian law that restricts how commercial businesses may collect, use, and disclose personal information
Personal Information Protection and Electronic Documentation Act - PIPEDA