NOTE

  1. Please do not use my post here as justification for doing anything illegal.
  2. I am not a legal expert.
  3. These notes capture my personal interpretations of various cyber security laws.
  4. This post is a continuous work-in-progress. I apologize if you find anything incomplete/incorrect.


Hacking

US Computer Fraud and Abuse Act of 1986

Revises the definition of “financial institution” to which the financial record provisions of computer fraud law apply. Applies such provisions to any financial records (including those of corporations and small businesses), not just those of individuals and certain partnerships.

Modifies existing Federal law regarding accessing Federal computers. Makes the basic offense trespass. Removes criminal liability for exceeding (without the intent to defraud) authorized access to a Federal computer in one’s own department or agency.

Creates new Federal criminal offenses of: (1) property theft by computer occurring as part of a scheme to defraud; (2) altering, damaging, or destroying information in, or preventing the authorized use of, a Federal interest computer; and (3) trafficking in computer access passwords…

Exempts authorized law enforcement or intelligence activities.

The Computer Fraud and Abuse Act of 1986 established a handful of computer-related activities as criminal offenses. These activities include (but are not limited to) the following: accessing a government computer without authorization, stealing financial/government information, damaging or causing the loss of a protected computer, and collecting passwords.

References

Privacy

US Constitution

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated; and no Warrants shall issue, but on probable cause, supported by the oath or affirmation, and particularly describing the place to be searched, and the person or thing to be seized.

Your place cannot be searched or violated without a “warrant.” The warrant must (1) be supported by “probable cause,” (2) be issued by someone like a judge, (3) specifically identify the person and the location being searched, and (4) state what is expected to be seized.

References

US Electronic Communications Privacy Act of 1986

Makes it a criminal offense to: (1) willfully access, without authorization, a facility through which an electronic communication service is provided; or (2) willfully exceed an authorized access to such facility.

Restricts the interception of electronic communications; protects the privacy of stored electronic communications.

References

USA PATRIOT Act of 2001

Amends the Federal criminal code to authorize the interception of wire, oral, and electronic communications for the production of evidence of: (1) specified chemical weapons or terrorism offenses; and (2) computer fraud and abuse.

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 makes it legal for law enforcement to intercept your communications when investigating the offenses listed above.

References

US Children Internet Protection Act (CIPA) of 2000

The protection measures must block or filter Internet access to pictures that are: (a) obscene; (b) child pornography; or (c) harmful to minors (for computers that are accessed by minors). Schools subject to CIPA have two additional certification requirements:

  1. their Internet safety policies must include monitoring the online activities of minors; and
  2. as required by the Protecting Children in the 21st Century Act, they must provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, and cyberbullying awareness and response.

CIPA, among other things, established requirements for protecting the innocence of children (through an “Internet Safety Policy”). It mandates that pornographic and/or obscene material be filtered in schools and public libraries, prohibits the unauthorized disclosure of personal information relating to children, and forbids minors from gaining unauthorized access to information systems. CIPA applies to institutions receiving grants via the “E-Rate” (Schools and Libraries Universal Service Support) funding program.

References

PII & PHI

(Personally Identifiable Information & Protected Health Information)

US Privacy Act of 1974

Prohibits disclosure by Federal agencies of any record contained in a system of records, except pursuant to a written request by or with the prior written consent of the individual to whom the record pertains.

Requires agencies which keep records systems to keep account of disclosures of records, and to inform the subjects of such disclosures.

Requires relevancy of records to official purposes; accuracy; disclosure of purposes to informants; publication annually of the existence, character, and accessibility of records systems; and appropriate safeguards to maintain confidentiality of such records…

Permits civil suits against agencies by individuals adversely affected by agency actions not in compliance with this Act. Describes remedies available in such actions.

Sets forth criminal penalties for noncompliance with this Act.

Provides for exemptions from this Act, such as for specified records of the Central Intelligence Agency and records of investigations compiled for law enforcement purposes.

Prohibits an agency from selling or renting an individual’s name and address.

The infamous Privacy Act of 1974 requires federal agencies to protect the information and records of the “individuals involved” from unauthorized disclosure. Specified CIA records and records compiled for law enforcement investigations are exempted.

References

US Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

text goes here

References

US Health Insurance Portability and Accountability Act (HIPAA) of 1996

text goes here

HIPAA helps people maintain their health coverage and addresses fraud, waste, and abuse in healthcare and health insurance. It is primarily organized into five Titles, with Title II being the most commonly referenced. Title II mandates the protection (confidentiality and integrity) of PHI.

References

Net Neutrality

US Telecommunications Act of 1934, Title II

text goes here

Recognizes the Internet as a public utility; providers cannot deny access to users.

References



Free Speech

US Communications Decency Act, Section 230

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

Online service providers are not liable for what their users post.

References



Social Media

California Senate Bill 1411

text goes here

Summary goes here

References



Spam

US CAN-SPAM Act of 2003

  1. Don’t use false or misleading header info
  2. Don’t use deceptive subject lines
  3. Identify the message as an ad
  4. Tell recipients where you’re located
  5. Tell recipients how to opt out of receiving future email from you
  6. Honor opt-out requests promptly

Enforced by the FTC. Learn more about opting out of junk mail nationally from NYU here.

References



Finance

US Sarbanes-Oxley (SOX) Act of 2002

text goes here

The Sarbanes-Oxley (SOX) Act of 2002 consists of 11 Titles, two of which are of special significance: Title I and Title III. Title I addresses the oversight of accounting firms, auditing, and compliance. Title III emphasizes the responsibilities of the Chief Executive Officer and Chief Financial Officer, who must both certify and approve their organization’s financial reports.

References



US Gramm-Leach-Bliley Act of 1999

text goes here

The Gramm-Leach-Bliley Act of 1999 applies to financial institutions and organizations “significantly engaged” in activities related to finance. It mandates the protection of Personally Identifiable Information (PII) through three general rules: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting provisions. The Financial Privacy Rule addresses the collection of personal information, the Safeguards Rule addresses how this information is protected, and the Pretexting provisions protect individuals from others attempting to obtain information under false pretenses (social engineering attacks).

References



Payment Card Industry Data Security Standard (PCI DSS) of 2004

text goes here

The Payment Card Industry Data Security Standard (PCI DSS) was established in 2004 to combat credit card fraud. Credit card companies like Visa, MasterCard, American Express, and Discover joined forces and developed requirements for operational and technical security controls. In order to comply with the PCI DSS, organizations must (1) Assess security controls, (2) Remediate vulnerabilities, and (3) Report compliance.

References



Information Security Programs

US Federal Information Security Management Act (FISMA) of 2002

text goes here

In short, FISMA of 2002 requires information security for federal information systems and relies on NIST Special Publications for compliance and governance. The Federal Information Security Management Act of 2002 establishes information security requirements for systems used by the federal government. It was introduced under the E-Government Act of 2002, Public Law 107-37, as Title III. It establishes a framework for protecting the infrastructure, operations, and data of the federal government. It also mandates coordination between civilian, national security, and law enforcement agencies. Lastly, it emphasizes the importance of risk management in protecting federal information systems. To provide guidelines for FISMA compliance, the National Institute of Standards and Technology (NIST) created Special Publications (SP) such as NIST SP 800-18, NIST SP 800-30, NIST SP 800-37, and NIST SP 800-53, as well as Federal Information Processing Standard (FIPS) Publication 199 and FIPS Publication.

References



US DoD IT Risk Management Framework (RMF)

text goes here

Supporting NIST Special Publications

  • NIST SP 800-18 (System security plans)
  • NIST SP 800-30 (Risk assessments)
  • NIST SP 800-37 (RMF roles and process)
  • NIST SP 800-53 (Baseline controls)
  • FIPS 199 (Security categorization)
  • FIPS 200 (Baseline controls)

References



US DoD Directive 8500.1

…establishes policy and assigns responsibilities under Section 2224 of title 10 USC.

DoD Directive 8500.1 outlines Information Assurance (IA) responsibilities for DoD personnel and the “Defense in Depth” approach. These responsibilities pertain to the IA of DoD information systems. DoD personnel fulfill their responsibilities and achieve IA by integrating personnel, operations, and technology (otherwise known as “defense in depth”). To summarize, under DoDD 8500.1 DoD personnel must ensure that a series of complementary security controls are implemented and enforced.

References



US Clinger-Cohen Act of 1996

text goes here

The Clinger-Cohen Act of 1996 addresses the systems development lifecycle (SDLC) of information systems. This entails the acquisition, usage, and disposal of equipment. For instance, organizations should “life cycle” hardware every three to five years to ensure the greatest protection of the enterprise.

References



US Paperwork Reduction Act of 1995

text goes here

The Paperwork Reduction Act of 1995 introduced the concept of “Information Resource Management (IRM).” IRM is essentially the art of managing resources to efficiently and effectively accomplish the mission of the Department of Defense (DoD). For example, the DoD should strive to require as little paperwork as possible when interacting with the public. In other words, the act requires the reduction of “red tape.”

References