Lesson 5-Legal Issues in Information Security


Overview

U.S. criminal law.

State laws.

Laws of other countries.

Issues with prosecution.

Civil issues.

Privacy issues.

U.S. Criminal Law

Computer fraud and abuse:

18 US Code 1030 forms the basis for federal intervention in computer crimes.

Section (a) of the statute defines computer crime as the intentional access of a computer without authorization.

The statute states that the attacker has to obtain information that should be protected.

The statute can be used only if the damage caused by the attack is $5,000 or above.

U.S. Criminal Law

Credit card fraud and copyright:

18 US Code 1029 can be used in cases of credit card fraud.

The statute makes it a crime to possess fifteen or more counterfeit credit cards.

18 US Code 2319 defines criminal punishments for copyright violations.

The statute can be used if at least 10 copies of one or more copyrighted works have been reproduced or distributed.

The total retail value of the copies should exceed $1,000.

U.S. Criminal Law

Interception:

18 US Code 2511 outlaws interception of telephone calls and other types of electronic communication.

This law prevents law enforcement from using wiretaps without a warrant.

An intruder placing a sniffer on a computer system is likely to be in violation of this law.

If appropriate, the law allows an organization to monitor its network and computer systems for their protection.

U.S. Criminal Law

Access to electronic information:

18 US Code 2701 prohibits unlawful access to stored communications.

This statute also prohibits authorized users from accessing systems that store electronic information.

The statute allows the provider of the service to access any file on the system.

U.S. Criminal Law

Patriot Act:

The USA-Patriot Act was passed in response to the September 11 terrorist attacks.

The Patriot Act increased the maximum penalties for violations of 18 US Code 1030.

It also modified the wording in 18 US Code 1030 to redefine “damage,” making it easier to reach the minimum $5,000 damage.

U.S. Criminal Law

Patriot Act (continued):

An action affecting a computer system used by the government for justice, national defense, or national security is considered a violation of federal law.

An individual inside the United States attacking a system outside the country can be prosecuted under federal law.

U.S. Criminal Law

Patriot Act (continued):

The Pen Register Statute (18 US Code 3127) allowed law enforcement to access telephone numbers dialed from a particular telephone.

The Patriot Act modified the law to include any device or process that records dialing, routing, addressing, or signaling information.

U.S. Criminal Law

Patriot Act (continued):

It is now possible to collect e-mail header information, source and destination IP addresses, and TCP and UDP port numbers.

The law prevents collection of e-mail subject lines and the contents of e-mail and downloaded files.

The Patriot Act modified 18 US Code 2511 to allow law enforcement to intercept communications in order to monitor the activities of an intruder.

U.S. Criminal Law

Patriot Act (continued):

For such interception, the owner of the system must give consent, and the interception must be relevant to the investigation.

The law states that the interception can only access communications to/from the trespasser.

The majority of the Homeland Security Act is directed at the creation of the Department of Homeland Security.

State Laws

The state laws differ from federal laws with respect to what constitutes a crime and how a crime may be punished.

The concept of what constitutes a computer crime differs from state to state.

Laws of Other Countries

Computer crime laws in other countries may have an effect on computer crime investigations in the United States.

If an attack is sourced to a system in another country, the FBI will attempt to get assistance from the law enforcement agencies there.

Laws of Other Countries

A country with no computer crime laws is unlikely to assist in the investigation.

Unauthorized access to data in computers is a crime in most countries with computer crime laws.

Issues with Prosecution

Before contacting law enforcement to prosecute offenders, the organization must develop an incident response procedure.

If normal business procedures are followed, no special precautions need be taken to safeguard information as evidence.

If the organization takes actions outside the scope of business procedures, precautions need to be taken.

Issues with Prosecution

The organization’s general counsel should be consulted before contacting law enforcement.

Advice should be taken from the organization’s counsel and from law enforcement before any action is taken.

Law enforcement is bound by rules of procedure so that the information gathered can be used as evidence.

Issues with Prosecution

After taking possession of information, law enforcement will control access to it and protect it as evidence according to their procedures.

Law enforcement cannot gather information from the network without a warrant, unless the organization willingly offers the information.

Civil Issues

Employees must be told that the organization can access or monitor any information on the systems or network at any time.

The employees should be asked to sign copies of the organization’s policies to alleviate potential legal issues.

Civil Issues

Downstream liability is when an organization is held liable if its compromised system is used to attack another organization.

The question is whether the first organization took reasonable care and appropriate measures to prevent this from occurring.

Privacy Issues

The federal government has enacted privacy legislation for the banking, financial, and healthcare sectors.

Customer information belongs to the customer and not to your organization.

Health Insurance Portability and Accountability Act (HIPAA)

An organization must take appropriate measures to safeguard customer information from unauthorized disclosure.

The Department of Health and Human Services published the final Health Insurance Portability and Accountability Act (HIPAA) security regulations in February 2003.

HIPAA relates to the creation and enforcement of standards for the protection of health information.

Health Insurance Portability and Accountability Act (HIPAA)

An organization must implement an addressable regulation if it is found to be reasonable and appropriate.

If not, the organization must document why the regulation is not reasonable or appropriate and implement an alternate mechanism.

The overall goal of the regulations is to maintain the confidentiality, integrity, and availability of protected health information (PHI).

Health Insurance Portability and Accountability Act (HIPAA)

Administrative safeguards:

Security management process – regular risk analysis, appropriate security measures to manage risk, a sanction policy for enforcement, and regular review of security log and activity information are required.

Assigned security responsibility – an individual must be assigned responsibility for security.

Health Insurance Portability and Accountability Act (HIPAA)

Administrative safeguards (continued):

Workforce security – procedures for authorization, workforce clearance, and termination are addressable by the organization.

Information access management – isolating the health care clearinghouse function is required. Procedures for access authorization, establishment, and modification are addressable.

Health Insurance Portability and Accountability Act (HIPAA)

Administrative safeguards (continued):

Security awareness and training – periodic security updates, protection from malicious software, login monitoring, and password management are addressable.

Security incident procedures – policies and procedures to address security incidents are required.

Health Insurance Portability and Accountability Act (HIPAA)

Administrative safeguards (continued):

Contingency plans – plans for data backup, disaster recovery, and emergency mode operation are required. Periodic testing and revision of the contingency plans and assessment of the relative criticality of specific applications are addressable.

Evaluation – performing periodic evaluations of security in response to changes in operations or environment is required.

Health Insurance Portability and Accountability Act (HIPAA)

Administrative safeguards (continued):

Business associate contracts and other arrangements – it is required that contracts requiring appropriate security be in place with any organization that shares PHI.

Health Insurance Portability and Accountability Act (HIPAA)

Physical safeguards:

Facility access controls – procedures for contingency plans, a facility security plan, access control and validation, and recording repairs and modifications to the physical security of the facility are addressable.

Workstation use – policies specifying the physical attributes of workstations that can access PHI are required.

Health Insurance Portability and Accountability Act (HIPAA)

Physical safeguards (continued):

Workstation security – physical security safeguards for all workstations that can access PHI are required.

Device and media controls – procedures for disposing of PHI and the media on which it was stored, and for removing PHI before reusing media, are required. Records of the movement of media and hardware are addressable.

Health Insurance Portability and Accountability Act (HIPAA)

Technical safeguards:

Access control – it is required that each user be assigned a unique identifier and that emergency access procedures be implemented.

Automatic logoff and encryption/decryption of PHI are addressable.

Audit controls – implementation of mechanisms that record and examine activity on systems containing PHI is required.

Integrity – a method to authenticate electronic PHI is addressable.

Health Insurance Portability and Accountability Act (HIPAA)

Technical safeguards (continued):

Person or entity authentication – mechanisms to authenticate the identity of individuals seeking access to PHI are required.

Transmission security – mechanisms to detect unauthorized modification of PHI in transit and to encrypt PHI when appropriate are addressable.

Health Insurance Portability and Accountability Act (HIPAA)

Organization requirements:

Any contracts with organizations that will be able to access PHI must include provisions for security.

Health plan documents must provide for the sponsor to take appropriate measures to protect PHI.

Health Insurance Portability and Accountability Act (HIPAA)

Policies, procedures, and documentation requirements:

The organization is required to keep documentation for six years from the date of creation.

Policies and procedures must be made available to the individuals who will be implementing the mechanisms.

Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)

The Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) was passed in 1999.

Section 502 of the act prohibits financial organizations from disclosing customer information without giving the customer a chance to opt out.

Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)

The act requires financial institutions to safeguard customer information from unauthorized disclosure.

For this purpose, the financial regulatory agencies have published the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information”.

Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)

The guidelines impose requirements on the financial organization’s security program.

Information security program – Each organization must implement a comprehensive written security program.

Board involvement – The organization’s board must approve the security program.

Assessing risk – Each organization must conduct periodic risk assessments.

Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)

The security mechanisms that the organization must use to manage and control risk are:

Access controls to information.

Physical access restrictions to systems and records.

Encryption of sensitive information in transit.

System change procedures.

Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)

The security mechanisms that the organization must use to manage and control risk are (continued):

Dual control procedures, segregation of duties, and background checks.

Intrusion detection systems.

Incident response procedures.

Environment protection.

Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)

The guidelines identify the following requirements in case of third-party involvement:

Due diligence in selecting service providers.

Requiring service providers to implement security.

Monitoring service providers.

Adjusting the program.

Reporting to the board.

Summary

18 US Code 1030 is the primary computer crime statute.

18 US Code 1029 deals with credit card fraud.

18 US Code 2319 deals with copyright issues.

18 US Code 2511 prohibits interception of electronic information without warrants.

18 US Code 2701 prohibits unlawful access to stored information.

Summary

The Patriot Act made several modifications to existing laws.

The state laws regarding computer crime differ from the federal laws and from state to state.

Computer crime laws in other countries can affect investigations in the United States.

Organizations must have a detailed discussion of the options before contacting law enforcement to prosecute offenders.

Summary

The organization must make it known that the employees should have no expectation of privacy.

The information security staff and the general counsel of the organization must coordinate in case of downstream liability.

HIPAA sets out regulations for the protection of health information.

Summary

GLBA relates to privacy of customer information.

GLBA led to the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information”.