Types of Law

Name

Description

US - Computer Fraud and Abuse Act (CFAA)

The first major piece of US cybercrime-specific legislation. Main focus is on on federal systems. Made it a crime to:

• Access classified or financial information in a federal system without authorization.
• Use a federal computer to perpetrate a fraud.
• Cause malicious damage to a computer system exceeding $1,000.
• Modify medical records in a computer, impairing treatment.

USA - Federal Information Security Management Act (FISMA)

An act focused on formalizing infosec operations for the federal government.

• Mandatory for federal agencies to have formal infosec operations.
• Requires government agencies to include activities of contractors in their security management programs.
  
• FISMA repealed and replaced
  • Computer Security Act of 1987.
  • Government Information Security Reform Act of 2000.
    
• NIST (National Institute of Standards and Technology) is tasked with developing the FISMA implementation guidelines.

US - Digital Millennium Copyright Act (DMCA)

Covers literary, musical, and dramatic acts.

• Precedent for copyrighting computer software as it can fall under "literary work".
• Protects only the expression inherent in the software (actual source code).
  
• Ownership defaults to the creator of a work.
  • Exception: "Works for hire". i.e., the work belongs to you unless you've been hired to make it for someone else.
• Protection Duration: Typically lasts 70 years, but it can vary. 
  
• The 1st major revision included CD/DVD copy protections which introduced Digital Rights Management (DRM) – controversial at the time.

Provides punishment guidelines to assist federal judges in interpreting computer crime laws. Formalized the "prudent man" rule, emphasizing due care.

Burdens of Proof for Negligence include:

• Legal Obligation: The accused must have a legally recognized obligation.
  • E.g., Senior executives are responsible for ensuring due care.
• Failure to Comply: The accused must have failed to comply with recognized standards.
• Causal Relationship: There must be a direct link between the negligence act and the resulting damages.

US Identity Theft and Assumption Deterrence Act of 1998

Makes identity theft a crime against the person whose identity was stolen.

Economic Espionage: The theft or misappropriation of a trade secret with the intent or knowledge that the offense will benefit a foreign government, foreign instrumentality, or foreign agent.

• Made the theft of proprietary economic information an act of espionage.
• Expanded the legal definition of theft beyond just physical constraints.
  

• Amended EPCA.
• Permits wiretaps for law enforcement with the appropriate court order, independent of the technology.

• Sets privacy and security regulations.
• Enforces security measures for hospitals, physicians, and insurance companies.

• Updates HIPAA's privacy and security requirements.
• Extends obligations to organizations that handle PHI for a HIPAA-covered entity.

Focus on Services, banks, lenders, and insurance. Limitations include services and the data sharing among them.

Enacted in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, and WorldCom. The law's primary intent is to protect investors from fraudulent financial reporting by corporations.

Provides privacy rights to students over 18 and the parents of minor students.

• Expands law enforcement and intelligence agencies' powers.
• Broadens wiretapping authorizations from one at to a time to a blanket request. 
• Enacted shortly after 9/11 attacks in 2001.

Ensures the security of card transactions. Created in 2004 by major credit card companies. Objectives include: 

1. Maintain a secure transaction network.
2. Protect stored cardholder data.
3. Shield systems from malicious hackers.
4. Safeguard cardholder data both physically and digitally.
5. Continuously monitor and regularly test networks.
6. Uphold a formal information security policy.

Directive that established privacy measures for protecting personal data processed by information systems. Served as the precursor to EU privacy law. Non-European Organizations need to determine the applicability of these rules when operating or dealing with European data.

An agreement between the EU and US detailing specific requirements for processing personal information.  Compliant businesses get safe harbor from potential prosecution or legal consequences. Requirements include: 

• Informing individuals about data processing activities.
• Providing means for dispute resolution.
• Cooperating with the Department of Commerce and the Federal Trade Commission.
• Certifying businesses that adhere to these regulations.
  

Creation of unified data protection entities in each EU member state. Applicable to organizations collecting data from EU residents or those processing such information on behalf of another entity.

• Obligates companies to notify authorities of significant data breaches within 72 hours.
• Individuals have the right to access their personal data.
• Allows individuals to transfer personal data between service providers upon their request.
• Lets individuals demand companies to delete their information if it is no longer necessary.

• Regulates the export of items specifically designated as military and defense items.
• Department of Commerce's Bureau of Industry and Security.

• Regulates a broad set of items designed for commercial use that could have military applications.
• Governs the export of sensitive hardware and software products internationally.