LAW Flashcards
Criminal Law
Society is the victim and guilt must be proved “beyond a reasonable doubt”.
E.g., murder, assault, robbery, arson, etc.
Penalties (incarceration, death, financial fines) exist to “punish and deter”.
Criminal Computer Crimes:
Computer Fraud and Abuse Act
Identity Theft and Assumption Deterrence Act
Civil Law
AKA: Tort Law
Provide for an orderly society and govern acts that are not crimes but require an independent arbiter.
E.g., contract disputes, real estate transactions, employment matters, estate/probate
Administrative Law
AKA: Regulatory Law
Rules issued by executive-branch agencies (FDA, FAA, FCC, etc.) - not by Congress.
Policies, procedures, and regulations that govern the daily ops.
E.g., procedures used within a fed agency to obtain a new desk phone…to immigration policies.
Administrative laws do not require an act of the legislative branch (Congress) to implement at the federal level. Administrative laws consist of the policies, procedures, and regulations promulgated by agencies of the executive branch of government.
Private Regulation
Compliance is required by CONTRACT (eg: PCI-DSS)
Liability
Who is held accountable?
Who is to blame?
Who should pay?
Due Diligence and Due Care
Due Diligence - proper research to build and deploy new systems
Due Care - prudent person rule = what would a prudent person do in this situation?
Types of evidence
Real - tangible / physical objects (hard disks, USB drives — but NOT the data on them)
Direct - testimony from a first hand witness
Circumstantial - evidence to support circumstances for a point or other evidence.
Corroborative - supports facts of the case, not facts on their own (i.e, support other facts)
Chain of custody
Who handled it?
When did they handle it?
What did they do with it?
Where did they handle it?
Due Diligence vs Due Care vs Negligence
Due Diligence (DD) = research on the technology in question; also the process of identifying and remediating the cyber risks that third-party vendors bring to your ecosystem
Due Care (DC) = take action (carry out the change / fix / etc.) based on DD; taking reasonable steps to protect your organization’s reputation and financial and legal best interests
Negligence = the opposite of due care
The Federal Sentencing Guidelines formalized the prudent man rule and applied it to information security.
Type of Evidence
Real = tangible, physical objects in IT (hard disks, USB drives, etc.) –> NOT the data on them.
Direct = testimony from a first-hand witness
Circumstantial = evidence that SUPPORTS an inference about events, a point, or other evidence.
Corroborative = supports facts of the case - NOT facts on their own.
Hearsay = statements not made from first-hand knowledge; computer-generated records such as log files are often treated this way. NOTE: Federal Rule of Evidence 803(6), the business-records exception, allows such records when they are kept in the regular course of business.
Five rules of evidence
- Be authentic
- Be accurate
- Be complete
- Be convincing
- Be admissible
Computer Fraud and Abuse Act (CFAA)
Computer Fraud and Abuse Act
First major piece of cybercrime-specific legislation in the US.
Congress had earlier covered computer crime in the Comprehensive Crime Control Act (CCCA) of 1984, which reached only government and financial-institution systems; the CFAA extended coverage to all “federal interest” computers, i.e., crimes that cross state lines.
The original Computer Fraud and Abuse Act of 1984 covered only systems used by the government and financial institutions. The act was broadened in 1986 to include all federal interest systems. The Computer Abuse Amendments Act of 1994 further amended the CFAA to cover all systems that are used in interstate commerce, including a large portion (but not all) of the computer systems in the United States.
The Computer Fraud and Abuse Act, as amended, provides criminal and civil penalties for those individuals convicted of using viruses, worms, Trojan horses, and other types of malicious code to cause damage to computer systems.
Federal Sentencing Guidelines
1991
punishment guidelines to help judges.
Formalized the ‘prudent man’ rule and applied it to information security.
FISMA
Federal Information Security Management Act
passed 2002
governs information security operations at federal agencies
The Federal Information Security Management Act (FISMA) includes provisions regulating information security at federal agencies. It places authority for classified systems in the hands of the National Security Agency (NSA) and authority for all other systems with the National Institute of Standards and Technology (NIST).
ECPA
Electronic Communications Privacy Act
makes it a crime to invade the electronic privacy of an individual.
Digital Millennium Copyright Act
of 1998.
prohibits the circumvention of copy-protection mechanisms placed in digital media
limits the ability of ISP to monitor users
- transmission must be done by person OTHER THAN the ISP
- transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by ISP
- the ISP must not determine the recipients of material
- intermediate copies must not ordinarily be accessible to anyone other than recipients and must not be retained longer than necessary
- material must be transmitted with no modification to its content
Economic Espionage Act
of 1996.
provides penalties for individuals found guilty of the theft of trade secrets.
Software License Agreements
contractual = written agreements between software vendor and user.
shrink-wrap = agreements written on packaging and take effect when users opens
click-through = user is required to accept the terms during installation
California’s SB 1386
first statewide requirement to notify individuals of a breach of PII. Every other state has since enacted its own breach-notification law.
Note that HIPAA separately covers breaches of protected health information (PHI) held by covered entities; it is not a general PII law.
GDPR
General Data Protection Regulation
EU
governs the use and exchange of personal data of EU residents.
COPPA
Children’s Online Privacy Protection Act (COPPA)
What is the minimum age a child must be before companies can collect personal identifying information from them without parental consent?
13
Patent Protection
20 years from the date of application.
HIPAA
Health Insurance Portability and Accountability Act of 1996
** The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 amended the privacy and security requirements of HIPAA.
What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances?
The Privacy Act of 1974 limits the ways government agencies may use information that private citizens disclose to them under certain circumstances.
Gramm-Leach-Bliley Act
GLBA of 1999
imposes privacy obligations on financial institutions: limits on sharing customers’ nonpublic personal information with third parties, mandatory privacy notices, and a written information security program (the Safeguards Rule).
Privacy Shield
The Privacy Shield framework, governed by the U.S. Department of Commerce and Federal Trade Commission, allowed U.S. companies to self-certify compliance with EU data protection requirements so that personal data could be transferred from the EU to the U.S. It was invalidated by the Court of Justice of the EU in 2020 (Schrems II) and replaced in 2023 by the EU-U.S. Data Privacy Framework.
Admissible Evidence (what is…)
- Relevant
- Material (i.e., related to..)
- Competent (i.e., legally obtained)
Types of Evidence
- real evidence
- documentary evidence (best evidence rule; parol evidence rule)
- testimonial evidence
What regulation formalizes the prudent man rule that requires senior executives to take personal responsibility for their actions?
A. CFAA
B. Federal Sentencing Guidelines
C. GLBA
D. Sarbanes–Oxley
The Federal Sentencing Guidelines released in 1991 formalized the prudent man rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation.
When attempting to impose accountability on users, what key issue must be addressed?
A. Reliable log storage system
B. Proper warning banner notification
C. Legal defense/support of authentication
D. Use of discretionary access control
To effectively hold users accountable, your security must be legally defensible. Primarily, you must be able to prove in a court that your authentication process cannot be easily compromised. Thus, your audit trails of actions can then be tied to a human.
What regulation formalizes the prudent man rule, requiring that senior executives of an organization take personal responsibility for ensuring due care?
A. National Information Infrastructure Protection Act
B. Federal Information Security Management Act
C. Information Security Reform Act
D. Federal Sentencing Guidelines
D
The Federal Sentencing Guidelines formalized the prudent man rule and applied it to information security.
Generally, a privacy policy is designed to protect what?
A. A user’s privacy
B. The public’s freedom
C. Intellectual property
D. A company’s right to audit
The purpose of a privacy policy is to inform users where they do and do not have privacy for the primary benefit of the protection of the company’s right to audit and monitor user activity.