Legal Flashcards
Common Law
Common Law- used in the US, Canada, UK. Uses preceding cases and judicial precedent as the determinants of law. Judicial interpretations can change as society changes.
Civil Law
Civil Law- most common; judicial precedents and case rulings do not carry as much weight as in Common Law.
Religious Law
Religious Law- based on religious doctrine. Islamic law (Sharia) uses the Qur’an and Hadith as its foundation.
Customary Law
Customary Law- commonly accepted customs and practices are treated as law, e.g. best practices.
US Common Law categories
US Common Law categories:
• Criminal – Crimes committed against society. Penalties include jail time.
Proof must be: “Beyond a reasonable doubt”
• Civil (Tort) – Wrongful acts against another party. Penalties include financial restitution.
Proof must be: “based upon the preponderance of evidence”
• Administrative (Regulatory) – Defines standards of performance and conduct for major industries. Penalties include both financial penalties and jail time. E.g. FAA, HIPAA, FDA, FCC
Civil Penalty Types
Civil Penalty Types:
o Compensatory – Based on actual damages to the victim
o Punitive – Intended as a punishment. Usually awarded by a jury
o Statutory – Mandatory damages determined by law
Council of Europe Convention on Cybercrime
Council of Europe Convention on Cybercrime- international treaty on computer crime, enabling international cooperation; covers crimes where systems are the target and crimes where systems are the tool.
IP
Intellectual Property: Licensing is the most prevalent violation, followed by plagiarism, piracy and corporate espionage. Protected through:
- Patent
- Trademark
- Copyright
- Trade Secret
Patents
Patents – A government-granted property right given to an inventor. Valid for 20 yrs.
Trademark
Trademark ™ – A name, logo or symbol used in commerce to identify a company’s goods. SM (service mark) brands a service offering. Attacks: counterfeiting, dilution (e.g. Kleenex), cybersquatting, typosquatting.
Copyright
Copyright – Protection granted to authors of original works. US: 70 yrs after the author’s death, 95-120 yrs after creation/publication for corporate works; Europe: 70 yrs after the death of the author.
o First sale- permits the purchaser of copyrighted material to sell it to another person
o Fair use- allows duplication of copyrighted material without the consent of the copyright holder if it does not reduce the value of the original work
Trade Secret
Trade Secret – Proprietary information that a party has exclusive rights to.
To qualify as a trade secret, information must meet the following requirements:
o Must be genuine and not obvious
o Must provide the owner with competitive or economic advantage
o Must be reasonably protected from disclosure
WIPO
WIPO- the World Intellectual Property Organization (WIPO), run by the UN, is the main international organization for intellectual property.
Import/Export restrictions
Import/Export restrictions- import/export of cryptosystems is limited by many countries; the Wassenaar Agreement makes it illegal to export munitions (including cryptography) to terrorist-sponsoring nations.
Internet crime problems
Problems associated with internet crime:
• Cross-jurisdictional problems
• Lack of skill of investigators
• No laws for the crime in the location where it was committed
• “Rules of Evidence” are not consistent
• Lack of tangible evidence
Prudent Man Rule
Prudent Man Rule: to perform duties as prudent people would in similar circumstances.
Due care
Due care- the minimum standard of protection; the org engages in practices that a prudent, right-thinking person would consider appropriate.
Due Diligence
Due Diligence- requires that an org continually scrutinize its practices to ensure they always meet or exceed protection requirements; implies active management and a formal process.
Proximate Causation
Proximate Causation: A natural, direct, uninterrupted consequence of an act from which an injury results, and without which the injury would not have occurred.
Culpable Negligence
Culpable Negligence: recklessly acting without reasonable caution and putting another person at risk of injury or harm (or failing to do something with the same consequences)
Forensics
Forensics is evidence-centric and relevant to crimes; the crime scene must be preserved. Steps:
o Identification
o Preservation
o Collection
o Examination
o Analysis- never on the original media; use a binary backup (image)
o Presentation
o Decision
Media Analysis
Media Analysis- binary images capture all data. 4 types of data:
o Allocated space- contains active data
o Unallocated space- no active data
o Slack space- leftover space in a cluster
o Bad blocks/clusters/sectors- usually marked as unreadable due to a physical defect; can be used to hide data
Forensics SW Analysis
Forensics SW Analysis – comparing or reverse engineering SW; uses disassemblers, virtualization and debuggers.
Incident response
Incident response (vs Forensics) identifies, contains and recovers from incidents. Every action must be documented for legal proceedings
Evidence should be…
Evidence should be relevant, authentic, accurate, complete, and convincing
Direct evidence
Direct – An eyewitness account
Real evidence
Real (Physical) – Tangible objects related to the crime like weapons, surveillance tapes
Circumstantial evidence
Circumstantial- serves to establish the circumstances of other evidence
Corroborative evidence
Corroborative- additional support for a fact; does not establish a fact on its own
Hearsay evidence
Hearsay- second-hand evidence (business and computer-generated records); normally inadmissible; Rule 803 (a record made near the time) & Rule 1001 (printouts, memory) can make such data admissible.
Demonstrative evidence
Demonstrative – Expert testimony, models or simulations
Best Evidence Rule
Best Evidence Rule: Documentary evidence. Requires that writings, recordings or photographs should be the originals. It was established to prevent tampering.
Secondary evidence
Secondary evidence- copies of documents or oral descriptions
Dumpster Diving
Dumpster Diving: Going through another party’s trash looking for useful information. In many cases this is NOT considered illegal.
Chain of Custody
Chain of Custody: Procedures that require a documented history showing how evidence was collected, analyzed, stored, transported and preserved, so that it can be presented in court.
Reasonable Searches
Reasonable Searches- (companies should give notice that monitoring and searches take place). A search is reasonable:
o if the property is in plain sight or at a public checkpoint
o under exigent circumstances- an immediate threat to human life or of destruction of evidence
o when conducted by private citizens not acting as agents of law enforcement
Enticement
Enticement: When someone is provided with a favorable opportunity to commit a crime
Entrapment
Entrapment: When someone is induced or persuaded to commit a crime that they had no previous intention to commit
MOM
MOM- Why crimes are committed:
o Motivations- Who commits these crimes and why; What do they get out of these acts
o Opportunities- Where do opportunities exist for computer crimes; When would someone take advantage of these opportunities
o Means- Who has the capabilities to commit these types of crimes
Opt-in
Opt-in (the individual must actively choose to participate)
Opt-out
Opt-out (participation is chosen for them by default; they must actively choose to leave)
OECD
OECD guidelines (Org for Economic Cooperation and Development)- used by Europe, the US, Japan and others. Has the following principles:
o Collection Limitation- Collected fairly and lawfully
o Data Quality- Be accurate and kept up-to-date
o Purpose Specification- Used for the intended purpose
o Use Limitation- never be disclosed w/out consent or legal requirement
o Security Safeguards- protected against unauthorized use, disclosure, alteration
o Openness- practices and policies about personal data are readily available
o Individual Participation- individuals can find out whether an entity holds their data, be given the reasons it is held, and challenge the content of the data
o Accountability- accountable for adhering to above principles
EU Data Protection Directive
EU Data Protection Directive
o Notify individuals how their personal data is collected and used
o Allow individuals to opt out of sharing
o Require that individuals opt in before the most personal data is shared
o Provide reasonable protections for personal data
EU-US Safe Harbor
EU-US Safe Harbor- the US has less stringent privacy protections; Safe Harbor allows EU data to be transferred onward to a US company that complies with the EU Data Protection Directive.
US Federal Privacy Act of 1974
US Federal Privacy Act of 1974: Protects records and information maintained by US government agencies about US citizens and lawful permanent residents. Citizens have access to the data relating to them.
HIPAA
US Health Insurance Portability and Accountability Act (HIPAA) addresses four key areas:
• Administrative Procedures – Requires formally documented security management practices
• Physical Safeguards – Requires physical protection for computing systems and media
• Technical Security Services – Requires technical access controls including authentication, authorization and auditing.
• Technical Security Mechanisms – Requires protection of data during transit
US Computer Fraud and Abuse Act of 1986
US Computer Fraud and Abuse Act of 1986 covered government and financial computers, applying where the damage amounted to $5000 in a year.
US Electronic Communications Privacy Act (ECPA) of 1986
US Electronic Communications Privacy Act (ECPA) of 1986:
• Prohibits eavesdropping and wire tapping
• Provides the legal basis for companies to monitor their own networks
USA Patriot Act of 2001
USA Patriot Act of 2001- expanded law enforcement coverage for wiretaps, electronic monitoring, search & seizure w/out requiring immediate disclosure
GLBA
Gramm-Leach-Bliley Act (GLBA)- requires financial institutions to protect the confidentiality and integrity of consumer financial info.
California Senate Bill 1386
California Senate Bill 1386- requires an organization whose stored personal data is breached to notify the affected individuals.
SOX
Sarbanes-Oxley Act 2002 (SOX)- regulatory compliance for publicly traded companies; ensures financial disclosure and auditor independence
PCI-DSS
PCI-DSS- payment card security protection through policy, devices, control, and monitoring
Attestation
Attestation- having a 3rd party review the practices of the service provider, e.g. against ISO 27001 or PCI-DSS.
(ISC)2 Ethics
(ISC)2 Ethics- most testable code on the exam. Contains:
o preamble (intro)
o canons (mandatory)
o guidance (advisory)
Canons (in priority) are:
o Protect society, the commonwealth, and the infrastructure
o Act honorably, honestly, justly, responsibly, and legally
o Provide diligent and competent service to principals
o Advance and protect the organization
Computer Ethics Institute
Computer Ethics Institute- ten commandments of Computer Ethics (Thou shalt not…)
IAB Ethics
IAB (Internet Activities Board) Ethics- 5 practices considered unethical:
o Gaining unauthorized access to internet resources
o Disrupting the intended use of the internet
o Wasting internet resources
o Destroying the integrity of computer-based information
o Compromising the privacy of others