Week 13 - 14 PPT

Legal and Professional Issues in Information Security
Introduction

You must understand the scope of an organization's legal and ethical responsibilities.

To minimize liabilities and reduce risks, the information security practitioner must:

Understand the current legal environment

Stay current with laws and regulations

Watch for new issues that emerge
Life for Computer Professionals

Binary: problem solutions either work or they do not. There is little room for gray areas.

Physical and mathematical laws are the ultimate authority when disputes arise.

Guiding philosophy: "Tell me what you need and I will create a system with appropriate trade-offs at least cost to solve your problem."
When Worlds Collide . . .

The legal community is always behind the technology curve.

As a result, analogies are often made between new technological paradigms and old-world systems, some more easily defended than others.

Different interpretations would result in different laws.

Patents

Competing products must use a different method for achieving the same task to avoid payments.

Definite lifespan beyond which the patent information is freely available for use by the public.
Copyright

Covers a specific work.

Automatically held when the work is created, but easier to defend if it is registered.

Definite lifetime beyond which the work is freely available to the public.
Trademark

Covers a specific name or phrase.

Generic terms cannot be trademarked.

Trademarks can be lost if they are not defended.
Lost trademarks: aspirin, kleenex
Held trademarks: Coke, Pepsi
ISP Liability

What is an Internet Service Provider like?
Phone company: routes information flows between individuals
Newspaper: packages content for distribution in a public forum

The answer determines the ISP's legal liability.

The rules have been in a constant state of flux in recent years.
Modern Era

Communications Decency Act

The ISP may monitor user activity (according to policy).

If a statement to the effect that the ISP does not take responsibility for user traffic is in place, then there is no ISP liability, BUT:
An area for complaints must be available
Complaint response must happen in a timely fashion
DMCA

Digital Millennium Copyright Act

If a copyright infringement is claimed, a web site must be taken down (however tenuous the claim may be).

The web site can only be reinstated after an appeals process.
Near Future? . . .

ISPs may be required to monitor user traffic with a 40-day data log.

ISPs not explicitly exempt from liability.

Hacker/security tools illegal.

Citizens must provide passwords for data seized by police.
Privacy in the Workplace

Test for employers/employees: "Do you have a reasonable expectation of privacy?"

A case can be made that private e-mail on business machines is still private, but this is not the law.

Work-related material on business machines is definitely not private.
Privacy in E-mail

Legally, e-mail is like a postal letter:
Expectation of privacy in transit
Mail loses its special protected status once it leaves the letter carrier's grasp

For e-mail:
Expectation of privacy while the signal travels over the Internet
E-mail loses its protected status at the mail server, whether you have read it or not
Business E-mail

The Electronic Communications Privacy Act (1986) says all business communication belongs to that business.

Deleting e-mail can be ruled spoliation (intentionally destroying company records).

An archive is worthless if it cannot be indexed effectively (in effect, saving everything can be equivalent to saving nothing).
What about Privacy at Home?

A lot of public information is considered private.

An increasing amount of public information is available on the Internet:

Reverse phone lookups

Campaign contributions

Housing prices

Driver's license information and photographs
Data Collection

Data collection has few boundaries
Jurisdiction

“The Internet has no boundaries”

Is that really true?

If you break a law in Finland, but you were on the
Internet in the United States, what happens to you?

What if you are in California and you break a law in
Japan?
E-Commerce Big Questions

Did you sell an illegal item to a resident of community
X?

Did you try to stop the flow of illegal sales into X?
Law and Ethics in Information Security

Laws: rules that mandate or prohibit
certain societal behavior

Ethics: define socially acceptable
behavior

Cultural mores: fixed moral attitudes or
customs of a particular group; ethics
based on these

Laws carry sanctions of a governing
authority; ethics do not
Types of Law

Civil

Criminal

Tort (Wrongful)

Private

Public
Policy Versus Law

Most organizations develop and formalize a body of
expectations called policy

Policies serve as organizational laws

To be enforceable, policy must be distributed, readily
available, easily understood, and acknowledged by
employees
Association of Computing Machinery (ACM)

ACM established in 1947 as “the world's first
educational and scientific computing society”

Code of ethics contains references to protecting
information confidentiality, causing no harm,
protecting others’ privacy, and respecting others’
intellectual property
International Information Systems Security Certification Consortium, Inc. (ISC)2

Non-profit organization focusing on
development and implementation of
information security certifications and
credentials

Code primarily designed for information
security professionals who have certification
from (ISC)2

Code of ethics focuses on four mandatory
canons
System Administration, Networking, and Security Institute (SANS)

Professional organization with a large membership dedicated to
protection of information and systems

SANS offers set of certifications called Global Information
Assurance Certification (GIAC)
Information Systems Audit and Control Association (ISACA)

Professional association with focus on auditing,
control, and security

Concentrates on providing IT control practices
and standards

ISACA has code of ethics for its professionals
Computer Security Institute (CSI)

Provides information and training to
support computer, networking, and
information security professionals

Though without a code of ethics, has
argued for adoption of ethical behavior
among information security
professionals
Information Systems Security Association (ISSA)

Nonprofit society of information security (IS)
professionals

Primary mission to bring together qualified IS
practitioners for information exchange and
educational development

Promotes code of ethics similar to (ISC)2, ISACA and
ACM
Other Security Organizations

Internet Society (ISOC): promotes the development and implementation of education, standards, and policy to promote the Internet

Computer Security Division (CSD): a division of the National Institute of Standards and Technology (NIST); promotes industry best practices and is an important reference for information security professionals

Other Security Organizations (continued)

CERT Coordination Center (CERT/CC): center of Internet
security expertise operated by Carnegie Mellon University

Computer Professionals for Social Responsibility (CPSR): public
organization for anyone concerned with impact of computer
technology on society
Organizational Liability and the Need for Counsel

Liability is legal obligation of an entity;
includes legal obligation to make
restitution for wrongs committed

Organization increases liability if it
refuses to take measures known as due
care

Due diligence requires that an
organization make valid effort to
protect others and continually maintain
that level of effort
Summary

Laws: rules that mandate or prohibit
certain behavior in society; drawn
from ethics

Ethics: define socially acceptable
behaviors; based on cultural mores
(fixed moral attitudes or customs of a
particular group)

Types of law: civil, criminal, tort law,
private, public
Summary

Many organizations have codes of conduct and/or codes of ethics.

An organization increases its liability if it refuses to take measures known as due care.

Due diligence requires that an organization make a valid effort to protect others and continually maintain that effort.