Introduction to Information Security Chapter N

IT Risk Management,
Planning and Mitigation
TCOM 5253 / MSIS 4253
Legal, Ethical & Professional Issues
in Risk Management
13 September 2007
Charles G. Gray
(c) 2007 Charles G. Gray
Law and Ethics in Risk Management
In civilized life, law floats in a
sea of ethics.
Earl Warren, Chief Justice, United States
Supreme Court, November 12, 1962
Learning Objectives
Upon completion of this session you
should be able to:
– Use the information as a guide for future
reference on laws, regulations, and
professional organizations.
– Differentiate between laws and ethics.
– Identify major national laws that relate to the
practice of information security.
– Understand the role of culture as it applies to
ethics in information security.
Ignorance no Excuse
• Ignorance (don’t know about it) of the law
is not an acceptable excuse
– Well established in legal decisions
• Ignorance of a policy or procedure may be
a defense
• It is incumbent upon IT managers to be
aware of federal, state, and local laws and
ordinances
Laws Applicable
• Not only to publicly traded companies
• Privately held companies are subject to most of these laws as well
– Sarbanes-Oxley is the main exception: it applies only to publicly traded companies
Risks of Breaking A Law
• Litigation
– Government (US or foreign)
• Federal regulatory agency, DoJ, state AG
– Criminal or civil action
– Tort
• Loss of credibility (personal or work unit)
• Loss of future business
• Damage to corporate image, market value
• Personal liability
Law and Ethics in Information
Security
• Laws - rules adopted for determining
expected behavior
– Laws are drawn from ethics
• Ethics define socially acceptable
behaviors
• Ethics in turn are based on cultural mores:
fixed moral attitudes or customs of a
particular group
Types of Law
• Civil law
– Wide variety of legal code guiding behavior
• International, federal, state, municipality
• Public law
– Criminal, administrative, constitutional law
• Tort law
– Recourse against others for personal,
physical or financial damage
• Private law
– Family, labor, commercial law
Relevant US Laws - General
• Communications Act of 1934 (“CA34”)
– Amended by the Telecommunications Act of 1996 (“TA96”)
• Federal Records Act of 1950
– Records disposal requires approval of the
Archivist of the US
– Applies to e-mail
• Federal agencies must retain and manage
electronic documents
• Most work of public officials is public record and
subject to disclosure
Freedom of Information Act of 1966 / 1996 (FOIA)
• The Freedom of Information Act provides for any person to request access to federal agency records or information
– US Government agencies must disclose the requested records on receipt of a written request unless one of the Act’s exemptions applies
• Exemptions include, e.g., classified national security information, law enforcement records and trade secrets
• The 1996 amendments (Electronic FOIA) extend the Act to records kept in electronic form
• Does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA
– “Sunshine” laws
Important Legislation
• Omnibus Crime Control and Safe
Streets Act – 1968
– Title III – the “Wiretap Act”
• Prohibits interception of wire and oral communications without authorization (originally aimed at common-carrier networks)
• Lawful wiretaps require a court order and judicial supervision
• Foreign Intelligence Surveillance Act (FISA) in conjunction with the AUMF may not require court supervision (currently under review)
– AUMF (Authorization for Use of Military Force)
» PL 107-40, 18 September 2001
The Privacy Act of 1974
• Governs the federal government’s handling of personal information
• Government may not conceal the existence of any system of records (each must be published in the Federal Register)
– Recent activities seem to violate this (???)
• No disclosure of a record without the written consent of the subject, except under a listed exception (e.g., a published routine use, a law enforcement request, or a court order)
• Disclosing agency must keep an accounting of what was disclosed, and to whom
“Buckley Amendment”
• Family Educational Rights and Privacy Act (FERPA) – 1974
– Guarantees the right of privacy for grades, finances, personally identifying information, etc.
– US Supreme Court held in 2002 that peer grading does not violate FERPA (Owasso Independent School District v. Falvo; Owasso, OK)
– Risk of hackers (students?) obtaining access to a school’s records
ECPA of 1986
• Electronic Communications Privacy Act (ECPA) of 1986
– Prohibits unauthorized interception
• In transit (Title I, which extended the Wiretap Act to electronic communications)
• In storage (Title II, the Stored Communications Act)
• Includes private networks, but not interceptions outside of the US (Echelon)
Computer Fraud and Abuse Act
• Passed in 1986, amended in 1989, 1990, 1994, 1996 and 2001 (USA PATRIOT Act)
– 1996 - National Information Infrastructure Protection Act
• 18 USC 1030
• Criminalizes unauthorized access (“hacking”), denial-of-service, the spread of viruses and other similar activities
• Punishment
– Up to 1-5 years for a first offense, up to 10 years for a second
– Theft of sensitive government information, up to 10-20 years
– Causing serious bodily injury or death – up to life in prison
Computer Matching and Privacy Protection Act
• In 1988 and 1989 Congress amended the Privacy Act of 1974
• Regulates (rather than prohibits) federal agencies comparing their databases with those of other agencies or with private databases
– A matching program requires a written matching agreement, review by an agency Data Integrity Board, and notice to the individual before any adverse action is taken on a match
– Could any comparisons have avoided 9/11?
– Any effect on counter terrorism activities today?
– Is this law good or not?
• When do the advantages outweigh the disadvantages?
CALEA - 1994
• Communications Assistance for Law Enforcement Act of 1994
– Digital Telephony Act
– Requires all “providers and carriers” to ensure that law enforcement can conduct legal interceptions and electronic surveillance
• Equipment, facilities and services must meet specified capability criteria (Section 103)
• Exceptions – Information service providers, private networks
• Decryption by the carrier is not required unless the carrier itself provided the encryption and holds the key
ECPA Changes to the Wiretap Act
• The 1986 Act updated the 1968 law for technology advancements
• Adds electronic communications, including electronic mail
• Includes “any provider of wire or electronic communications” service – not just common carriers
• Disclosure of the identity of the parties or of the existence of a communication is NOT covered
– That is, disclosure of the fact (not the content) of a communication is allowed
• Inadvertently discovered evidence of criminal activity may be disclosed to law enforcement officers
Children’s Online Privacy Protection Act of 1998
• Regulates the collection of personal data from children under the age of 13
– Websites, on-line services, pen pal services, email, message boards, or chat rooms
• Applies to any site directed at children and to any general-audience site whose operator has actual knowledge that a user is under 13 (on the internet, how do you know?)
• No protection for older children
2001 Treaty on Cybercrime
• Council of Europe (NOT the EU)
• Signed by the US in 2001; the Senate consented to ratification in August 2006 and the Convention entered into force for the US on 1 January 2007
– President Bush had urged ratification
– Many dissenting voices
• Signatories agree to create computer abuse laws and copyright protection
• Nations must cooperate to prosecute attackers
USA PATRIOT Act of 2001
• “Uniting and Strengthening America by
Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism”
• Broad powers defined to intercept and
record wire, oral and electronic
communications relating to
– Terrorism
– Computer fraud and abuse
• Some provisions have been invalidated
Sarbanes-Oxley Act of 2002
• Applies to all publicly traded companies
– Includes non-US operations
• Stringent accounting/reporting rules
• “Internal controls”
– Ensure reliable and accurate financial reports
• Track all data related directly or indirectly
to the financial state of the company
• Control and monitor anything that could
affect data accuracy
Sarbanes-Oxley Covers
• E-mail
• Instant messaging
• Documentation contained in:
– Word processing documents
– PowerPoint presentations
– Spreadsheets
– Custom-built databases
• Server cleaning
• Data backup
Sarbanes-Oxley Penalties
• If you “get it wrong” - personal criminal liability for corporate officers
HIPAA
• Health Insurance Portability and Accountability Act (1996)
– Serious consequences for violation
– HIPAA Security committee should have all stakeholders represented (not just IT)
– Use NIST SP 800-30 (Risk Management Guide) as a guide for the required risk analysis
– 54 standards and implementation features
• Document and retain all remediation activities for at least six years
Financial Industry Laws
• California SB 1386 (breach notification law, effective 2003)
– This brought the ChoicePoint situation to light
• Financial Services Modernization Act (1999)
– Gramm-Leach-Bliley Act (Title V-Privacy)
• Fair Credit Reporting Act (1970; amended 1996 and 2003 (FACTA))
• Basel II Accord (international banking)
HSPD-12
• Homeland Security Presidential Directive 12 (2004)
• FIPS PUB 201 Personal Identity Verification for Federal Employees and Contractors (maybe states that access federal systems)
– Requires “smart cards” to be issued
• Authentication for access to specific applications
• Building access based on security access level
• Must interoperate with multiple IT vendors
• Impregnable (an objective – not readily achievable – maybe not ever)
Federal Information Processing
Standards (FIPS)
• 113 – 1985, Computer Data Authentication
• 140-1 – 1994, Security Requirements for Cryptographic Modules
• 140-2 – 2001, Security Requirements for Cryptographic Modules
• 180-2 – 2002, Secure Hash Standard
• 181 – 1993, Automated Password Generator
• 186-2 – 2000, Digital Signature Standard
More FIPS
• 188 – 1994, Standard Security Labels for Information Transfer
• 190 – 1994, Guideline for the Analysis of Local Area Network Security
• 196 – 1997, Entity Authentication Using Public Key Cryptography
• 197 – 2001, Advanced Encryption Standard (AES)
• 200 – 2006, Minimum Security Requirements for Federal Information and Information Systems
• 201-1 – 2006, Personal Identity Verification (PIV) of Federal Employees and Contractors
Employee Privacy
• ECPA prohibits deliberate eavesdropping on employees’ personal telephone calls
• Employer monitoring is generally permitted (under the provider and consent exceptions) for
– E-mail
– IM
– Web surfing
• Proposed “Notice of Electronic Monitoring Act” died in committee in 2000
E-mail Archive Risks
• Federal Rules of Civil Procedure (2006 amendments on electronically stored information)
– E-mail is discoverable and must be preserved once litigation is reasonably anticipated (archiving can be outsourced)
• Inbound and outbound
• “Backup tapes” are not “archives”
– An archive is easily searchable (“accessible”) by multiple parties; restoring tapes in order to search them is not
• Assess the cost of the search
– Can run into millions of $$
• Social threats
– Offensive content, jokes, images, racial content
• Trade secrets, misleading market info, customer information
Keep or Shred??
• By 2010 the world’s information base will double every 11 hours (IBM Global Technology Services, 2006)
• Document retention rules are complex and changing (rules of “discovery”)
• It helps to have a document retention policy
– Must provide for a litigation hold (“standing still” on disposal) even if there is only a remote “possibility” of litigation
– Eliminate low-value information ASAP, actively manage what is kept
Consumer Privacy
• One of the hottest topics in information
management
• Unprecedented ability to collect information on
an individual, combine facts from separate
sources, and merge it with other information has
resulted in comprehensive databases of
information
• Aggregation of data from multiple sources
permits unethical organizations to build
databases of facts with frightening capabilities
Privacy of Customer Information
• Privacy of Customer Information
– CPNI (Customer Proprietary Network Information held by telecommunications carriers)
• State regulations vary – e.g., Washington
• FCC docket CC 96-115, June 2007 (“Pretexting” order on CPNI safeguards)
• HIPAA
– The Health Insurance Portability & Accountability Act of 1996, also known as the Kennedy-Kassebaum Act
• The Financial Services Modernization Act
– Gramm-Leach-Bliley Act of 1999
Export and Espionage Laws
• Trading with the Enemy Act – 1917
• Export Administration Act of 1979
– Expired in 2001; its export controls have been continued (renewed year by year, currently to 2007) by Presidential “Declaration of National Emergency” under the International Emergency Economic Powers Act
– Covers export of cryptography
– Wassenaar Arrangement (1996)
• Economic Espionage Act (EEA) of 1996
• Security and Freedom Through Encryption (SAFE) Act of 1999 (proposed, never enacted)
FISMA
• Federal Information Security Management
Act of 2002
– Title III of the E-Government Act of 2002
• Promote the development of key security
standards
• Applies to all federal government entities
and “affiliated parties” such as contractors
• Mandates annual audits
FISMA Objective
More secure information systems within the federal government, including the critical infrastructure of the United States
FISMA Vision
• Standards for categorizing IS by mission
impact
• Standards for minimum security
requirements
• Guidance for selecting appropriate controls
• Guidance for assessing security controls in
IS and determining effectiveness
• Guidance for certifying and accrediting
information systems
FISMA Anticipated Results
• Cost-effective, risk-based IS programs
• Establish a level of due diligence for
federal agencies and contractors
• Consistent and cost-effective security
controls throughout the federal IT structure
• Consistent, comparable and repeatable
security control assessments
• More complete, reliable and trustworthy
information for authorizing officials
FISMA Related Publications
• FIPS 199 and 200
• NIST Special Publications
– 800-53
– 800-59
– 800-60
• Under development
– 800-37
– 800-53
– 800-53A
Note: see
http://csrc.nist.gov/publications/nistpubs
US Copyright Law
• Intellectual property is recognized as a protected asset in the US
• US copyright law extends to the published word, including electronic formats
• Fair use of copyrighted materials includes
– Use to support criticism, news reporting, teaching, scholarship, research and a number of other related purposes
– Whether a use is “fair” is weighed on four factors: the purpose and character of the use (nonprofit educational vs. commercial), the nature of the work, the amount used, and the effect on the market for the work
State & Local Regulations
• States or localities may have a number of
laws and regulations that impact
operations
• It is the responsibility of the information security professional to understand state laws and regulations and ensure the organization’s security policies and procedures comply with those laws and regulations
PCI DSS
• Payment Card Industry Data Security Standard (a contractual, not a “legal”, requirement)
• Visa, MasterCard, American Express, Diners Club, Discover, JCB, others
– When the elephants dance, the mice get trampled
• Supersedes the individual card brands’ compliance programs
• Requirements
– Compliance with the twelve requirements
– Validation of PCI DSS compliance (self-assessment or on-site assessment, depending on merchant level)
PCI DSS Requirements
• Maintain firewalls
• No default passwords
• Protect stored cardholder data
• Encrypt transmission of cardholder data
• Regular update of antivirus software
• Develop and maintain secure systems
• Restrict access based on “need to know”
• Unique ID for each person with access
• Restrict physical access to cardholder data
• Track and monitor all access
• Regular test of security systems
• Maintain a policy that addresses info security
• (Implied) Validate all of the above
International Laws and Legal
Bodies
• Council of Europe Cyber-Crime Convention
– Adopted 23 November 2001
– Provides for international cooperation on computer crime, including a 24/7 network of national contact points for urgent assistance
– Standardizes technology laws across international borders
– Attempts to improve the effectiveness of international investigations into breaches of technology law
• Convention is well received by advocates of intellectual property rights with its emphasis on copyright infringement prosecution
The EU “Data Directive”
• Directive 95/46/EC
– Adopted by the European Parliament and Council on 24 October 1995
– Member states had to transpose it into national law by October 1998
• Intense negotiations between the EC and the US
• Some data is exempt
– National defense/security
– Public safety
Key Elements of the Directive
• Broad definition of “personal data”
– Essentially ANY information relating to an identified or identifiable “natural person”
• Broad definition of “processing”
• Requires “unambiguous consent” of the subject (or another listed legal basis for processing)
• Principles for data quality
– Guaranteed right of access (and right to object)
• Decisions based solely on “automated” processing are restricted
• Confidentiality and security
Potential Impacts
• Mainframes, client/server systems
• Intranet/extranet
• E-mail
• Telecopies (fax)
• Notebook/laptop computers
• PDAs
• World Wide Web
Business Sectors Involved
• Financial
• Educational institutions
• Media (Radio, TV, newspapers, web sites)
• Pharmaceuticals/medical
• Business/leisure travel
• Telephone/data networks
• Non-profit organizations
• ISPs
Business Functions Affected
• Human resources (record keeping, etc.)
• Auditing and accounting
• Business consulting
• Call centers
• Customer service centers
• Etc., etc., etc.
Other Countries Considering the
EU Approach
• Iceland
• Liechtenstein
• Monaco
• Norway
• Russia
• Switzerland
• New Zealand
• Australia
• Hong Kong
• Canada
• Japan
• Others (?)
US “Safe Harbor” Agreement
• Concept approved by EC decision of 26 July 2000
• Narrowly averted a trade war
• Applies to companies subject to the jurisdiction of
– Federal Trade Commission
– Department of Transportation
• Department of Commerce has oversight
• Essentially voluntary and self-enforcing
– Participant list is available on-line at http://web.ita.doc.gov (~650 companies)
European Directive 2006/24/EC
• “Data Retention Directive” 15 March 2006
• Public communications networks
– “Traffic data” to identify the user (not content)
– Telephone calls or call attempts
• Voice, voice mail, conference calls, data calls, call
forwarding, call transfer, messaging, SMS, etc.
– Internet user ID
– Cell user ID
• Retain for 6 to 24 months
Europe to US Air Travel
• Original plan from 2004 negated by
European court
• New agreement effective January 2008
– Airlines must transmit PNR (19 data fields) to
DHS 72 hours prior to departure
• No-match PNR kept for seven days
• False-positive match kept for seven years
• Confirmed match kept for 99 years (I ask, on what
kind of storage media??)
– Limited to counterterrorism, serious crimes,
public health emergencies, flight from custody
Digital Millennium Copyright Act (DMCA) of 1998
• Implements the two 1996 WIPO treaties to which the US is a party (the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty)
• Related international copyright protection frameworks
– Berne Convention
– Trade-Related Aspects of Intellectual Property Rights (TRIPs)
• Copyright, patents, trademarks, trade secrets, industrial designs, integrated circuit layouts
The United Nations Charter
• Provides the legal framework within which information warfare may be conducted
– Use of IT to conduct lawful military offensive operations by a sovereign state
• Electronic warfare / information warfare (EW/IW) has a long history
– Jamming
– Intercepting
• Encryption (as the countermeasure)
– Spoofing
OECD Security Guidelines
• Awareness of the need for security of ICT
systems (“Culture of Security”)
• Participants are responsible for the
security of ICT systems and networks
• Respond in a timely and co-operative
manner to security incidents.
• Respect the legitimate interests of others
• Compatible with essential elements of a
democratic society
OECD Security Guidelines (2)
• Participants should conduct regular risk
assessments
• Incorporate security as an essential
element of ICT systems
• Adopt a comprehensive approach to
security management
• Review and reassess – modify policies,
practices and procedures as appropriate
Policy Versus Law
• Most organizations develop and formalize
a body of expectations called policy
• Policies function in an organization like
laws
• Violations may be pursued administratively
or via litigation
Enforcing Policy
• For a policy to become enforceable, it
must be:
– Distributed to all individuals who are expected to comply with it
– Readily available for employee reference
– Easily understood, with multi-language translations and translations for visually impaired or literacy-impaired employees
– Acknowledged by the employee, usually by means of a signed consent form
• ALL four conditions must be met for the organization to have a reasonable expectation of effective policy
Ethical Concepts in Information Security
The Ten Commandments of Computer Ethics from The Computer Ethics Institute
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Cultural Differences in Ethical
Concepts
• Differences in cultures cause problems in
determining what is ethical and what is not
ethical
• Studies of ethical sensitivity to computer use
reveal different ethnic groups/nationalities have
different perspectives
• Difficulties arise when one nationality’s ethical behavior contradicts that of another national group (e.g., in multi-national corporations)
Ethics and Education
• Employees must be trained and kept aware of
topics related to information security, including
the expected behaviors of an ethical employee
• Especially important in areas of information
security, as many employees may not have the
formal technical training to understand that their
behavior is unethical or even illegal
• Proper ethical and legal training is vital to
creating an informed, well prepared, and low-risk
system user
Deterrence to Unethical and
Illegal Behavior
• Deterrence - preventing an illegal or
unethical activity
– Laws, policies, and technical controls
• Laws and policies only deter if three
conditions are present:
– Fear of penalty
– Probability of being caught
– Probability of penalty being administered
Codes of Ethics, Certifications,
and Professional Organizations
• Many organizations have codes of conduct
and/or codes of ethics
• Codes of ethics can have a positive effect
• Unfortunately, just having a code of ethics is not
enough
• It is the responsibility of security professionals to
act ethically and according to the policies and
procedures of their employer, their professional
organization, and the laws of society
Association of Computing
Machinery
• The ACM is a respected professional society
– originally established in 1947 as “the world's first
educational and scientific computing society”
• The ACM’s code of ethics requires members to
perform their duties in a manner befitting an
ethical computing professional
• The code contains specific references to
protecting the confidentiality of information,
causing no harm, protecting the privacy of
others, and respecting the intellectual property
and copyrights of others
International Information Systems
Security Certification Consortium
• The (ISC)2 is a non-profit organization
– focuses on the development and implementation of
information security certifications and credentials
• The code of ethics put forth by (ISC)2 is primarily
designed for information security professionals
who have earned a certification from (ISC)2
• This code focuses on four mandatory canons:
– Protect society, the commonwealth, and the
infrastructure
– Act honorably, honestly, justly, responsibly, and legally
– Provide diligent and competent service to principals
– Advance and protect the profession
System Administration, Networking,
and Security (SANS) Institute
• The System Administration, Networking,
and Security Institute, or SANS, is a
professional organization with a large
membership dedicated to the protection of
information and systems
• SANS offers a set of certifications called
the Global Information Assurance
Certification or GIAC
Information Systems Audit and
Control Association
• Professional association with a focus on
auditing, control, and security
• Although it does not focus exclusively on
information security, the Certified Information
Systems Auditor or CISA certification does
contain many information security components
• The ISACA also has a code of ethics for its
professionals
• It requires many of the same high standards for
ethical performance as the other organizations
and certifications
CSI - Computer Security Institute
• Provides information and certification to support
the computer, networking, and information
security professional
• While CSI does not promote a single certification
certificate like the CISSP or GISO, it does
provide a range of technical training classes in
the areas of Internet Security, Intrusion
Management, Network Security, Forensics, as
well as technical networking
Other Security Organizations
• Information Systems Security Association (ISSA)®
• Internet Society or ISOC
• Computer Security Division (CSD) of the National
Institute for Standards and Technology (NIST)
– contains a resource center known as the Computer Security
Resource Center - one of the most comprehensive sets of
publicly available information on the entire suite of information
security topics
• CERT® Coordination Center or CERT/CC, is a center of
Internet security expertise operated by Carnegie Mellon
University
• Computer Professionals for Social Responsibility
(CPSR) promotes the development of ethical computing
Key US Federal Agencies
• The Federal Bureau of Investigation’s
National Infrastructure Protection Center
(NIPC) (www.nipc.gov)
– National InfraGard Program
• National Security Agency (NSA)
– The NSA is “the Nation's cryptologic
organization”
• The U.S. Secret Service
Organizational Liability and the
Need for Counsel
• Liability is the legal obligation of an entity
• Liability extends beyond a legal obligation or
contract to include liability for a wrongful act and
the legal obligation to make restitution
• Liability increases if an organization refuses to
take strong measures known as “due care”
• “Due diligence” requires that an organization
make a valid effort to protect others and
continually maintain this level of effort
Due Care Theory
• Seller has a duty to exercise due care to
protect consumers from harm that the
seller can reasonably foresee
• The organization ensures that every
employee knows what is acceptable or not
acceptable behavior – and knows the
consequences of unethical or illegal
behavior
Due Care in Action
• Buyers & sellers don’t meet as equals
– Sellers have better knowledge & expertise
– Buyers are in a vulnerable situation
• Seller should protect consumers by:
– Design
– Choice of materials/software
– Quality control
– Warnings, labels, & instructions
• Failure by a seller to exercise due care is
considered to be negligence
Due Diligence
• Make a valid effort to protect others
– Continuous ongoing process
• With the internet, potential for harm is
worldwide
• “Long arm of jurisdiction”
– A court’s right to hear a case if the wrong was
committed in its territory, or involving its
citizens
• Trial in the injured party’s home area
invariably favors the injured party
Due Diligence (FDIC example)
• Management is responsible to verify compliance of all COTS and vendor-supplied software
– Assure compliance with ALL laws and
regulations (Bank Secrecy Act, PATRIOT Act,
Money Laundering Act, etc.)
• Evaluate and confirm compliance prior to
purchase
• Financial institution management is
responsible even if software fails to perform
P2P Due Diligence (Limewire)
• CEO said he “was not aware of the extent
of security problems . . .”
• Classified military orders, corporate
accounting documents, terrorist threat
assessments, tax returns, etc.
• US Patent Office report:
– “Stunning to see features that are incredibly
easy to misuse”
• Could be liable for thousands of lawsuits