Laws, Regulations, and Compliance Flashcards

1
Q

What is the Comprehensive Crime Control Act?

A

Passed in 1984. Several rules pertaining to the use of federal computers in crimes, trafficking in passwords, and doing damage to a federal computer in excess of $1,000.

2
Q

What is the Computer Fraud and Abuse Act?

A

Passed in 1986. Threshold raised to $5,000, but it covered all federal “interest” computers, including any computer used by the federal government or a financial institution, or any combination of computers not located in the same state.

The CFAA amendments were passed in 1994. Outlawed the creation of any code that might damage a computer system. Covers any computer in interstate commerce. Allowed for imprisonment, and allows victims to pursue civil action.

3
Q

What was the National Information Infrastructure Protection Act?

A

Passed in 1996. Broadened CFAA to cover computer systems used in international commerce. Also covered key infrastructure separate from computer networks. Treats any intentional or reckless act causing damage to critical infrastructure as a felony.

4
Q

What were the Federal Sentencing guidelines?

A

Released in 1991. Formalized the prudent person rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary individuals would take. This applies to information security. Allows organizations and executives to minimize penalties for infractions by showing they used due diligence. Three burdens of proof: the person accused of negligence must have a legally recognized obligation; the person must have failed to comply with recognized standards; and there must be a causal relationship between the act of negligence and the subsequent damages.

5
Q

What was FISMA?

A

The Federal Information Security Management Act was passed in 2002. Requires federal agencies to implement an information security program. Replaced the Computer Security Act of 1987 and the Government Information Security Act of 2000. Required periodic risk assessments, policies and procedures based on those risk assessments, and subordinate plans for providing adequate information security for networks, facilities, etc. Also required security awareness training, periodic testing and evaluation of the effectiveness of these policies, a process for planning, implementing, and evaluating remedial actions to address any deficiencies, procedures for responding to incidents, and plans for continuity of operations. Also covers contractors.

6
Q

What federal security requirements were passed in 2014?

A

Federal Information Security Modernization Act modified the 2002 FISMA by centralizing response in DHS except for defense and intelligence issues.

The Cybersecurity Enhancement Act required NIST to coordinate nationwide work on voluntary cybersecurity standards. Common NIST standards are 800-53 (Required security controls for federal agencies; also a benchmark for industry); 800-171 (similar to 800-53; required for federal contractors); and the Cybersecurity Framework, a set of standards designed to serve as a voluntary risk-based framework for securing information systems.

The National Cybersecurity Protection Act charged DHS with setting up a national cybersecurity and communications integration center.

7
Q

Describe copyright law.

A

Covers literary works, musical works, dramatic works, pantomimes and choreographic works, pictorial/graphical/sculptural works, motion pictures, sound recordings, and architectural works.

Copyright law protects only the actual source code in computer software, not the ideas behind it, and it is not clear whether it covers a software package’s GUI.

Copyright ownership defaults to the creator of the work. If it was “for hire” the employer owns it.

Works are protected until 70 years after the last surviving author, except anonymous works and works for hire get protection for 95 years from the date of first publication or 120 years from the date of creation, whichever is shorter.

DMCA passed in 1998. Prohibits attempts to circumvent copyright protections, with penalties up to $1 million and 10 years in prison. Nonprofits are exempt from that.

Also limits the liability of ISPs when they are used by criminals, similar to “common carrier” statutes. Allows the creation of software backups as long as the license allows for it, the usage complies with the agreement, and the copies are deleted when no longer needed. Streaming audio is treated as “eligible nonsubscription agreements.”

8
Q

What are trademarks?

A

Words, slogans, and logos used to identify a company and its products or services. The goal is to avoid confusion in the marketplace. You do not have to officially register to get protection.

You can register a trademark that you intend to use but are not already using.

In the US, you can register a trademark for 10 years at a time. Must not be confusingly similar to another trademark, and should not be descriptive of the goods or services you are offering.

9
Q

What are patents?

A

Utility patents protect the intellectual property rights of inventors. They give you 20 years from the date of application for exclusive use. The invention must be new, must be useful, and must not be obvious.

Common for hardware. Also used for software, but some see software patents as too broad.

Design patents protect the appearance of an invention and only last for 15 years.

10
Q

What are trade secrets?

A

Copyrights and patents have two major disadvantages for protecting trade secrets. Filing them requires you to publicly disclose your work, which removes the secret part. They also provide protection only for a limited period. So you must create internal controls to preserve need to know, and have NDAs in place for those who are read in.

This is one of the best ways to protect software. Patent law does not provide adequate protection, and copyright law only protects the actual source code (so others could create their own code to do the same thing). So companies like Microsoft use this to protect their intellectual property.

11
Q

What is the Economic Espionage Act of 1996?

A

Anyone who steals trade secrets from a U.S. corporation with the intention to benefit a foreign government may be fined up to $500,000 and imprisoned for up to 15 years. People stealing trade secrets under other circumstances may be fined up to $250,000 and face 10 years in prison.

Extended the definition of property to cover proprietary economic information.

12
Q

What are the types of licensing agreements?

A

– Contractual license agreements are written agreements between the software vendor and the customer, outlining the responsibilities of each. Most common for specialized/high-priced software.
– Shrink-wrap agreements are written on the outside of the packaging. You acknowledge the terms of service if you open the packaging.
– Click-through license agreements mean you click a button acknowledging the terms when you install the software.
– Cloud services agreements build on click-through. They flash legal terms on the screen for review, and there may not be a way to agree or disagree.

13
Q

What is the Privacy Act?

A

Imposed regulations on federal agencies regarding the retention and release of information on individuals.

14
Q

What is the Electronic Communications Privacy Act of 1986?

A

Made it a crime to invade the personal privacy of an individual. Prohibits the interception or disclosure of electronic communications. Covers email, voicemail, and mobile phone conversations.

15
Q

What is CALEA?

A

The Communications Assistance for Law Enforcement Act of 1994 required communications carriers to make wiretaps possible for any medium.

16
Q

What is the Health Insurance Portability and Accountability Act of 1996?

A

Imposed privacy and security regulations on hospitals, doctors, etc.

17
Q

What is the Health Insurance Technology and Accountability Act of 1996?

A

Amended HIPAA. Any relationship between a covered entity and business associate must be covered by a business associate agreement. Also required individuals to be notified of data breaches impacting more than 500 people.

18
Q

What was the first U.S. state privacy law?

A

California SB 1386, passed in 2002, required notification of data breaches. Alabama and South Dakota have passed similar laws.

19
Q

What was the Children’s Online Privacy Act of 1998?

A

Rules for Web sites that cater to children or knowingly collect information from children. Must be a privacy policy, parents must be able to review information about their children and have it deleted, and parents must give consent to the collection of information on children under age 13.

20
Q

What was the Gramm-Leach-Bliley Act of 1999?

A

Created limitations on the types of information that can be exchanged between subsidiaries of the same corporation, and requires the provision of written privacy policies.

21
Q

What is the Family Educational Rights and Privacy Act?

A

Parents and students have the right to inspect educational records. They can request corrections. Schools may not release personal information without written consent.

22
Q

What did GDPR say about data transfers?

A

Passed in 2016, went into effect in 2018, and replaced the DPD. It applies to all organizations that collect data from EU residents, even if they are not based in the EU.

If you are a company that wants to transfer data between subsidiaries, you can either adopt a set of standard contractual clauses or adopt binding contractual rules. If you do this, every EU member nation where the data will be used must approve.

23
Q

What is the Canadian Personal Information Protection and Electronic Documents Act?

A

A national-level law on how businesses may collect, use, and disclose personal information.