Skip to main content

Types of Law

Type of Law Description Key Takeaway
Criminal Law Contains prohibitions against actions like murder, assault, and robbery. Can lead to jail/prison.
Civil Law Addresses contractual disputes, real estate transactions, employment, estate, and probate. Often involves fights over money.
Administrative Law Defines standards of performance and conduct for industries, organizations, and government agencies. E.g., FDA regulations on drug safety.

Federal Acts and GuidelinesConcepts

Computer Fraud and Abuse Act (CFAA)

  • Introduction:
    • The first major piece of US cybercrime-specific legislation.
  • Provisions:
    • Made it a crime to:
      1. Access classified or financial information in a federal system without authorization.
      2. Use a federal computer to perpetrate a fraud.
      3. Cause malicious damage to a computer system exceeding $1,000.
      4. Modify medical records in a computer, impairing treatment.

Main focus is on unauthorized and malicious activities on federal systems.

Federal Sentencing Guidelines

  • Purpose:
    • Provides punishment guidelines to assist federal judges in interpreting computer crime laws.
    • Formalized the "prudent man" rule, emphasizing due care.
  • Burdens of Proof for Negligence:
    1. Legal Obligation: The accused must have a legally recognized obligation.
      1. E.g., Senior executives are responsible for ensuring due care.
    2. Failure to Comply: The accused must have failed to comply with recognized standards.
    3. Causal Relationship: There must be a direct link between the negligence act and the resulting damages.

Federal Information Security Management Act (FISMA)

  • Definition:

    • An act focused on formalizing infosec operations for the federal government.

  • Key Provisions:

    1. Mandatory for federal agencies to have formal infosec operations.
    2. Requires government agencies to include activities of contractors in their security management programs.

  • Historical Context:

    • FISMA repealed and replaced:
      • Computer Security Act of 1987.
      • Government Information Security Reform Act of 2000.

  • Guidelines:

    • NIST (National Institute of Standards and Technology) is tasked with developing the FISMA implementation guidelines.

It's unlikely that the specific details of NIST's guidelines for FISMA will be included in the exam.

Digital Millennium Copyright Act (DMCA)

  • Scope:
    • Covers literary, musical, and dramatic acts.
  • Copyrights & Software:
    • Precedent for copyrighting computer software as it can fall under "literary work".
    • Protects only the expression inherent in the software (actual source code).
  • Ownership:
    • Defaults to the creator of a work.
    • Exception: "Works for hire". i.e., the work belongs to you unless you've been hired to make it for someone else.
  • Protection Duration:
    • Typically lasts 70 years, but it can vary.
  • Revision:
    • The 1st major revision included CD/DVD copy protections which introduced Digital Rights Management (DRM) – controversial at the time.

Intellectual Property (IP) and Licensing

  • Trademarks:
    • Cover words, slogans, and logos identifying companies and products/services. E.g., Coca-Cola or IBM.
    • Purpose: Avoid marketplace confusion.
  • Patents:
    • Protect IP rights of inventors.
    • Requirements: Must be new, useful, not obvious.
    • Considerations:
      • Limited protection.
      • Disclosure of technology is required.
      • Not all patented technologies are marketed.

        warning E.g., Apple patents hinting at future products.

  • Trade Secrets:
    • Critical IP that should remain undisclosed.
    • Bypasses the limitations of copyrights and patents.

Licensing

  • Types:
    1. Contractual: Agreements written into a contract between a vendor and customer.
    2. Shrink-wrap: Old-school licensing with physical software purchases.
    3. Click-through: Common online agreements where users accept terms by clicking a button.
    4. Cloud Services: Advanced click-through, where terms are often hidden or require extra clicks. danger Often, full details are not immediately visible.

Length of Protections

  • Trademarks:
    • Last for 10 years.
    • Can potentially last indefinitely but must be renewed every decade.

Identity Theft and Assumption Deterrence Act

  • Scope:
    • Makes identity theft a crime against the person whose identity was stolen.
  • Penalties:
    • Up to a 15-year prison term and/or a $250,000 fine.
  • Year of Enactment:
    • Became law in 1998.

Types of Intellectual Property Protections

Patents

  • Duration:
    • Typically granted for 20 years from the date of application.
  • Examples:
    • Vapes: Patented 20 years ago, became popular after patent expiry.
    • Pharma: Vyvanse/Lisdexamphetamine.
  • Duration:
    • Lasts for the lifetime of the author plus an additional 70 years.
  • Notable Influences:
    • Lobbying by corporations, such as Disney, to continually extend the duration.

Trade Secrets

  • Duration:
    • Indefinite.
  • Definition:
    • Intellectual property critical to a business that must not be disclosed.

Types
of

ImportLaw and ExportRegulations

Controls

Governing

Regulations
in

4th

Amendment
  • The
    • foundational basis for privacy rights in the USA.

    • Purpose:

    • Purpose:

    • Key Update:

    • Provisions:
    • Purpose:

    • Purpose:

        • Key Points:

          Privacy

                InternationalName

                Traffic                		 Arms

                Description

                Regulations                		CategoryCriminal

                US - Computer Fraud and Abuse Act (ITAR)CFAA)

                The first major piece of US cybercrime-specific legislation. Main focus is on on federal systems. Made it a crime to:

                • Access classified or financial information in a federal system without authorization.
                • Use a federal computer to perpetrate a fraud.
                • Cause malicious damage to a computer system exceeding $1,000.
                • Modify medical records in a computer, impairing treatment.
                		DigitalYes

                USA - Federal Information Security Management Act (PurposeFISMA:)

                Regulates

                An act focused on formalizing infosec operations for the exportfederal government.

                • Mandatory for federal agencies to have formal infosec operations.
                • Requires government agencies to include activities of itemscontractors specificallyin designatedtheir assecurity militarymanagement programs.
                • FISMA repealed and defensereplaced items.
                  • Computer Security Act of 1987.
                  • Government Information Security Reform Act of 2000.
                • NIST (National Institute of Standards and Technology) is tasked with developing the FISMA implementation guidelines.
                		DigitalNo

                ExportUS Administration- RegulationsDigital Millennium Copyright Act (EAR)DMCA)

                Covers literary, musical, and dramatic acts.

                • Purpose:Precedent for copyrighting computer software as it can fall under "literary work".
                • Protects only the expression inherent in the software (actual source code).
                • Ownership defaults to the creator of a work.
                  • RegulatesException: a broad set of items designed"Works for commercialhire". use that could have military applications.
                  • Governsi.e., the exportwork ofbelongs sensitiveto hardwareyou andunless softwareyou've productsbeen internationally.hired to make it for someone else.
                • Protection Duration: Typically lasts 70 years, but it can vary. 
                • The 1st major revision included CD/DVD copy protections which introduced Digital Rights Management (DRM) – controversial at the time.
                		DigitalYes
                US Federal Sentencing Guidelines

                Provides punishment guidelines to assist federal judges in interpreting computer crime laws. Formalized the "prudent man" rule, emphasizing due care.

                Burdens of Proof for Negligence include:

                • Legal Obligation: The accused must have a legally recognized obligation.
                  • E.g., Senior executives are responsible for ensuring due care.
                • Failure

                  Encryptionto ExportComply: Controls

                  The
                    accused must have failed to comply with recognized standards.
                  • Causal

                    Origin:Relationship: DepartmentThere ofmust Commerce'sbe Bureaua ofdirect Industrylink between the negligence act and Security.

                  • Historical Context: Exporting even low-grade encryption technology outside the USresulting was initially very restrictive.

                  • Current Scenario: Now, there are specific categories for retail and mass-market security software. Firms can submit products for review to obtain export approval from the commerce department.

                  • Key Point: Encryption export controls still restrict certain encryption technologies from being exported outside the US.

                    damages.
                		 DigitalGuideline

                US Identity Theft and Assumption Deterrence Act of 1998

                Makes identity theft a crime against the person whose identity was stolen.

                 


                		DigitalYes, up to a 15-year prison term and/or a $250,000 fine.
                Economic Espionage Act of 1996

                Main Purpose: Made the theft of proprietary economic information an act of espionage.

              • Significant Change: Expanded the legal definition of theft beyond just physical constraints.

              • Definition:

                • Economic Espionage:Espionage: The theft or misappropriation of a trade secret with the intent or knowledge that the offense will benefit a foreign government, foreign instrumentality, or foreign agent.

                • Privacy (USA)

                Key Definitions

                • Made

                  PII:the Personalitytheft Identifiableof Information.

                  proprietary economic information an act of espionage.
                • Expanded

                  PHI:the Personallegal Healthdefinition Information.

                  of theft beyond just physical constraints.
                		 Business Yes
                Privacy Act of 1974 Limits federal government agencies from disclosing private information without the affected individual's prior written consent. Privacy Yes
                US - Electronic Communications Privacy Act (EPCA)EPCA) of 1986 Criminalizes the invasion of electronic privacy of individuals. Digital, Privacy EPCA
                US - Comm Assistance for Law Enforcement Act (CALEA)CALEA) of 1994
                • Amended EPCA.
                • Permits wiretaps for law enforcement with the appropriate court order, independent of the technology.
                		 Privacy No
                US - Health Insurance Portability and Accountability Act (HIPAA)HIPAA)
                • Sets privacy and security regulations.
                • Enforces security measures for hospitals, physicians, and insurance companies.
                		 Health  

                Yes

                US - Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)HITECH)
                • Updates HIPAA's privacy and security requirements.
              • Coverage:
                • Extends obligations to organizations that handle PHI for a HIPAA-covered entity.
                		•  Digital,
                Health                		 Yes
                US - Children's Online Privacy Protection Act (COPAA)COPAA) Sets requirements for websites targeting children or collecting information from them. Privacy Sometimes
                US - Gramm-Leach-Bliley Act (GLBA)GLBA)

              • Focus:

                  on
                • Services, banks, lenders, and insurance.
                Limitations
              • Limitations:
                • Restrictsinclude services and the data sharing among them.

                		•  Business Yes
                US - Sarbanes-Oxley Act (SOX) of 2002

                Enacted in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, and WorldCom. The law's primary intent is to protect investors from fraudulent financial reporting by corporations.

                		BusinessYes
                Family Educational Rights and Privacy Act (FERPA)FERPA)
              • Rights:

                • Provides privacy rights to students over 18 and the parents of minor students.

                		•  Privacy No
                USA PATRIOT Act of 2001
                • Expands law enforcement and intelligence agencies' powers.
                • Broadens wiretapping authorizations from one at to a time to a blanket request. 
                • Enacted shortly after 9/11 attacks in 2001.
                		 Privacy
                PCI DSS (Payment Card Industry Data Security Standard)
              • Purpose:

                • Ensures the security of card transactions.

              • History:
                • Created in 2004 by major credit card companies.
                Objectives
                • include: 
              • Objectives:

                1. Maintain a secure transaction network.
                2. Protect stored cardholder data.
                3. Shield systems from malicious hackers.
                4. Safeguard cardholder data both physically and digitally.
                5. Continuously monitor and regularly test networks.
                6. Uphold a formal information security policy.
                		•  Finance Not (EU)a
                law;

                standards implemented by the banks. 

                European Union Privacy Law - 1998
              • Overview:

                • Directive that established privacy measures for protecting personal data processed by information systems.

                  •  
                • Served as the precursor to EU privacy law.
              • For Non-European Organizations:
                • Needneed to determine the applicability of these rules when operating or dealing with European data.

                		•  Privacy
                USEU: Privacy Shield
              • Definition:

                • An agreement between the EU and US detailing specific requirements for processing personal information.

                  •  
                • Compliant
              • businesses get safe Keyharbor from potential prosecution or legal consequences. Requirements:
                  include: 

                  • Informing individuals about data processing activities.
                  • Providing means for dispute resolution.
                  • Cooperating with the Department of Commerce and the Federal Trade Commission.
                  • Certifying businesses that adhere to these regulations.
              • Benefits for Compliant Businesses:
                • Safe harbor from potential prosecution or legal consequences.
                		•  Privacy
                EU - GDPR (General Data Protection Regulation)
              • Scope:

                Creation

                  of
                • unified data protection entities in each EU member state. Applicable to organizations collecting data from EU residents or those processing such information on behalf of another entity.
              • Key Provisions:
                1. Data Breach Notification:

                  • Obligates companies to notify authorities of significant data breaches within 72 hours.hours.
                2. Centralized Data Protection Authorities:
                  • Creation of unified data protection entities in each EU member state.
                3. Data Access:
                  • Individuals have the right to access their personal data.data.
                4. Data Portability:
                  • Allows individuals to transfer personal data between service providers upon their request.
                5. Right to be Forgotten:
                  • Lets individuals demand companies to delete their information if it is no longer necessary.
                		• PrivacyNo

                Exporting even low-grade encryption technology outside the US was initially very restrictive. Now, there are specific categories for retail and mass-market security software. Firms can submit products for review to obtain export approval from the commerce department. Some encryption export controls still restrict certain encryption technologies from being exported outside the US.

                US - International Traffic in Arms Regulations (ITAR)

                 

                • Regulates the export of items specifically designated as military and defense items.
                • Department of Commerce's Bureau of Industry and Security.

                • Historical Context

                • Key Point

                		Governing Regultaion
                US - Export Administration Regulations (EAR)
                • Regulates a broad set of items designed for commercial use that could have military applications.
                • Governs the export of sensitive hardware and software products internationally.
                		Governing Regulation

                 

                Back to top