Lesson Three: Legal, Ethical Issues in Information Security
Copyright © Center for Systems Security and Information Assurance

Lesson Objectives
• Describe the fundamentals of the American legal system.
• Define the basic terms associated with the legal process.
• Explain the difference between criminal and civil law.
• Describe the role of the Judicial branch.
• Differentiate between laws and ethics.
• Identify major national laws that relate to the practice of information security.
• Understand the role of culture as it applies to ethics in information security.

Law and Ethics in Information Security
• Laws: rules adopted for determining expected behavior. Laws are drawn from ethics.
• Ethics: define socially acceptable behaviors. Ethics, in turn, are based on cultural mores: fixed moral attitudes or customs of a particular group.

Code of Ethics
• To perform all professional activities in accordance with all applicable laws and the highest ethical principles.
• To promote generally accepted information security practices and standards.
• To discharge professional responsibilities with diligence and honesty.

Computing Ethics
Our study of computing ethics involves asking questions of "right and proper conduct when using computers": What is good, what is bad? What is right, what is wrong?

Computing Ethics
• When examining computing ethics, it is tempting to oversimplify ethical problems by reducing them to issues of computer crime and data security.
• In reality, the moral concerns and dilemmas confronting computing professionals are far broader than in most other situations.

Ten Commandments of Computer Ethics
1. Thou Shall Not Use A Computer To Harm Other People.
2. Thou Shall Not Interfere With Other People's Computer Work.
3. Thou Shall Not Snoop Around In Other People's Computer Files.
4. Thou Shall Not Use A Computer To Steal.
5. Thou Shall Not Use A Computer To Bear False Witness.
6. Thou Shall Not Copy Or Use Proprietary Software For Which You Have Not Paid.
7. Thou Shall Not Use Other People's Computer Resources Without Authorization Or Proper Compensation.
8. Thou Shall Not Appropriate Other People's Intellectual Output.
9. Thou Shall Think About The Social Consequences Of The Program You Are Writing Or The System You Are Designing.
10. Thou Shall Always Use A Computer In Ways That Ensure Consideration And Respect For Your Fellow Humans.
(Created by the Computer Ethics Institute)

Law and Information Security
• Information technology professionals, and particularly those in the medical, legal, and accounting fields, want to use the Internet to conduct their businesses.
• Email and electronic communications have become a part of everyday life.
• Security incidents have led to several new federal and local laws, as well as a rush by organizations to take appropriate measures to protect their assets.

Source of American Law
• The sources of law in the American legal system, in order of authority, are:
  - U.S. Constitution
  - Federal statutes
  - Federal court decisions
  - State constitutions
  - State statutes
  - State court decisions
• The U.S. Supreme Court, however, has the final decision about the constitutionality of governmental actions.

US Constitution
• The U.S. Constitution is the supreme law and is the basis of our system of justice.
• Articles I, II and III establish and describe the legislative branch, the executive branch and the judicial branch.
• Article IV describes relations between the states.
• Article V is the amendment process.
• Article VI describes past debts, the supremacy clause, and the rule that there is no religious test for federal office.
• Article VII describes the ratification process.

United States Constitution
• Bill of Rights - the first ten amendments: the fundamental rights granted to individuals.
• The 1st, 10th, and 14th Amendments define equal protection and due process.
• The 11th Amendment - protection to states from suits in federal courts by citizens of other states.
http://www.house.gov/Constitution/Constitution.html

Judicial Review Process
• Judicial review is the power of the judicial branch of government to decide whether or not acts of government are constitutional and consistent.
• Judges maintain limited government and the rule of law by upholding the supremacy of the Constitution, federal and local statutes and previous court decisions.
• All courts in the United States, federal and state, may use the power of judicial review.

Civil Versus Criminal Litigation
The American judicial system has two distinctly different court systems to deal with different issues.
• The civil and the criminal court system.
• Basic differences between the systems:
  - The purpose of litigation
  - The parties involved
  - The burden of proof needed to convict
  - The remedies to be considered

Purpose of Litigation
• Civil cases involve conflicts between people or institutions such as businesses.
• Criminal cases involve enforcing public codes of behavior as embodied in the laws, with the government prosecuting individuals or institutions.

The Parties to a Lawsuit
The American system of justice is based on an adversarial system of justice. This system is designed to promote the discovery of the truth while maintaining court impartiality. The parties to a lawsuit include:
  - The party bringing the suit is called the "plaintiff".
  - The party accused is called the "defendant(s)".
  - Either party may also have intervening and joined parties.

Legal Burden of Proof
• The criminal standard of proof on the prosecution is proof beyond all reasonable doubt, which means proof to a high degree of probability but not proof beyond a shadow of a doubt. In a criminal case, the jury must be unanimous to convict.
• In a civil case, the standard of proof on both parties is proof on the balance of probabilities, i.e., that an allegation is more probable than not. A civil jury normally needs only a majority to reach a verdict.

Legal Remedies
• Civil law remedies:
  - Monetary damages
  - A court injunction - an equitable remedy in the form of a court order that prohibits a party from continuing a particular activity.
• Criminal case remedies:
  - Criminal fine
  - Incarceration
  - Capital punishment

Code Law Versus Common Law Jurisdictions
• Code Law: The Code Napoleon takes the civilian law approach. Civilian law is based on scholarly research and the drafting of a legal code which is passed into law by the legislative branch. It is then the judge's job to interpret that intent rather than to follow judicial precedent.
• Common Law: Common law is law that comes from the common people, not legislation (practiced in 49 states). Common law is based on two concepts: do all you have agreed to do; do not encroach on other persons or their property.

Judicial Precedent
• Precedent is a previously reported decision by an appellate court that establishes a point of law on a specific issue.
• In the law, decisions in previous cases play a significant role in the presentation, understanding, and outcome of new cases.
• This is particularly true in the area of contract law, where few statutes (explicit legal rules) exist.

Judicial Precedent
• Stare decisis, which means "to stand by the decided", whereby lower courts are bound to apply the legal principles set down by superior courts in earlier cases.
• The binding part of a previous decision is the ratio decidendi (reason for the decision), and it must be followed by judges in later cases.
• Anything said obiter dictum (by the way) in the original case is merely persuasive, because it was not strictly relevant to the matter in issue, and does not have to be followed.

Jurisdiction
• A court has no authority to decide a case unless it has jurisdiction over the person or property involved. To have jurisdiction:
  - a court must have authority over the subject matter of the case;
  - and the court must be able to exercise control over the defendant,
  - or the property involved must be located in the area under the court's control.
• The extent of the court's control over persons and property is set by law.

Jurisdiction
• Certain judicial actions are transitory. They can be brought wherever the defendant may be found and served with a summons, and where the jurisdiction has sufficient contact with one of the parties and the incident that gave rise to the suit.
• Other actions - such as foreclosing on a piece of property - are local. They can be brought only in the county where the subject of the suit is located.

Original and Appellate Jurisdiction
• Original jurisdiction is the authority to hear trials.
• Appellate jurisdiction is the authority to hear appeals. The principal functions of an appellate court are:
  - to correct errors in the decisions of trial courts or in the reasoning used by them in reaching those decisions; and
  - to develop the body of law through judicial exposition.

Types of Courts
• Functional organization of federal and state courts:
  - trial courts
  - intermediate appellate courts
  - highest appellate courts
• Geographic organization of federal courts:
  - Made up of 94 U.S. judicial districts
  - Organized into 12 regional circuits
http://www.usdoj.gov/usao/eousa/kidspage/circuit.html

Federal Circuit Court System
(Map of the federal judicial circuits.)

Venue
• Venue refers to the county or district within a state or the U.S. where the lawsuit is to be tried.
• The venue of a lawsuit is set by statute, but it can sometimes be changed to another county or district.
• Venue also may be changed for the convenience of witnesses.

Pleadings
A lawsuit begins when the person bringing the suit files a complaint. Pleadings are certain formal documents filed with the court that state the parties' basic positions. Common pre-trial pleadings include:
  - Complaint (or petition or bill)
  - Counts
  - Answer
  - Reply
  - Counterclaims

Pleadings
• The complaint is probably the most important pleading in a civil case, since by setting out the plaintiff's version of the facts and specifying the damages, it frames the issues of the case.
• It includes various counts - that is, distinct statements of the plaintiff's cause of action highlighting the factual and legal basis of the suit.

Pleadings
• Answer. This statement by the defendant usually explains why the plaintiff should not prevail. It may also offer additional facts, or plead an excuse.
• Reply. Any party in the case may have to file a reply, which is an answer to new allegations raised in pleadings.

Pleadings
• Counterclaim. The defendant may file a counterclaim, which asserts that the plaintiff has injured the defendant in some way, and should pay damages. ("You're suing me? Well then, I'm suing you.") It may be filed separately or as part of the answer. If a counterclaim is filed, the plaintiff must be given the opportunity to respond by filing a reply.

Types of Motions
Motions are not pleadings but are requests for the judge to make a legal ruling. Some of the most common pre-trial motions include:
• Motion to Discover. A motion by which one party seeks to gain information from the adverse party.
• Motion to Dismiss. This motion asks the court to dismiss the suit because the suit doesn't have a legally sound basis, even if all the facts alleged are proven true.

Motion for Summary Judgment
• Motion for Summary Judgment (sometimes called motion for summary disposition).
• This motion asks the court for a judgment on the merits of the case before the trial.
• It is properly made where there is no dispute about the facts and only a question of law needs to be decided.

Due Process
• Due process is the principle that guarantees basic fairness, as embodied in current legal doctrines. These take the form of procedural protections against arbitrary actions by governmental authorities and substantive rights not to have life, liberty and property taken away to serve the interest of an oppressive majority.
• Due process, in the context of the United States, refers to how and why laws are enforced. It applies to all persons, citizens or aliens, as well as to corporations.

Due Process Guarantees
• Due process requires that laws be written so that a reasonable person can understand what is criminal behavior.
• Generally, due process guarantees the following:
  - Right to a fair public trial conducted in a competent manner
  - Right to be present at the trial
  - Right to an impartial jury
  - Right to be heard in one's own defense

U.S. Laws Addressing Information Security
• Computer Fraud and Abuse Act of 1986
• Communications Decency Act (CDA) of 1996
• USA Patriot Act of 2001
• National Information Infrastructure Protection Act of 1996
• Telecommunications Deregulation and Competition Act of 1996
• Computer Security Act of 1987

The Computer Fraud and Abuse Act of 1986
• The Computer Fraud and Abuse Act of 1986 focuses primarily on protecting "government-interest" computers.
• Specifically, the law prohibits the use of "a program, information, code or command" with intent to damage, cause damage to, or deny access to a computer system or network.
• The Act also specifically prohibits unintentional damage if the perpetrator demonstrates reckless disregard of the risks of causing such damage.
http://www.usdoj.gov/criminal/cybercrime/1030_new.html

Communications Decency Act of 1996
The Communications Decency Act of 1996 is a statute prohibiting anyone using interstate or foreign communications from transmitting obscene or indecent materials when they know that the recipient is under 18 years of age - regardless of who initiated the communications.
http://usinfo.state.gov/usa/infousa/laws/majorlaw/s652titl.htm

The Question of Privacy
• The issue of privacy has become one of the hottest topics in information security.
• The widespread use of technology has provided the ability to collect information on an individual, combine facts from separate sources, and merge it with other information.
• This aggregation of data from multiple sources permits unethical organizations to build databases of facts with frightening capabilities.

U.S. Laws Addressing Individual Privacy
• Federal Privacy Act of 1974
• The Electronic Communications Privacy Act of 1986
• The Health Insurance Portability & Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act
• The Financial Services Modernization Act, or Gramm-Leach-Bliley Act, of 1999

Freedom of Public Information
• It has been said that access to and control of information is power.
• Congress passed the Freedom of Information Act (FOIA) to provide:
  - Greater scrutiny of government agencies.
  - The ability for individuals to access government records that contain information about them.
http://www.november.org/resources/FOIA-PA.pdf

The Electronic Communications Privacy Act (ECPA) of 1986
• Assigns fines and prison sentences for anyone convicted of unauthorized interception and disclosure of electronic communications.
• Prohibits making use of an unlawfully overheard electronic communication if the interceptor knows that the message was unlawfully obtained.
• Prohibits access to stored messages, not just those in transit.
http://policyworks.gov/policydocs/5.pdf

Freedom of Information Act of 1966 (FOIA)
• The FOIA provides any person with the right to request access to federal agency records or information not determined to be a matter of national security.
• There are exceptions for information that is protected from disclosure, and the Act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA.

What is HIPAA
• The Department of Health and Human Services has developed a series of privacy regulations known collectively as the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
• These regulations are designed to protect the privacy rights of individuals with regard to their confidential medical records.
• The act greatly restricts the dissemination and transmittal of personal patient information and will dramatically affect the way healthcare information is handled.
http://www.mtworld.com/tools_resources/understanding_hipaa.html

Gramm-Leach-Bliley Act (GLBA)
• Passed to ensure the protection of consumer privacy.
• Data protection provisions are comprehensive, requiring the regulators (banking, insurance, FTC and SEC) to establish appropriate standards for safeguarding financial institutions' customer records and information.
• Affects a broad range of organizations, including banks, insurance companies, securities firms, tax preparers, mortgage brokers and lenders, real estate agents and appraisers, financial planners and credit card companies.

Gramm-Leach-Bliley Act (GLBA)
• Compliance is mandatory. Financial institutions that do not meet these new information security requirements are subject to enforcement and liability exposure.
• Consequences for failing to comply include enforcement actions with fines up to $1,000,000 and other penalties.

Sarbanes-Oxley Act (Sarbox)
• A statute passed in 2002 to address the rash of corporate fraud: an attempt to fight corporate corruption.
• It involves the corporate officers, auditors, and attorneys of publicly traded companies.
• Corporate officers who willfully and knowingly certify a false financial report can be fined up to $5 million and sentenced to 20 years in prison.

U.S. Laws Addressing US Copyright Law
• Intellectual property is recognized as a protected asset in the US.
• US copyright law extends this right to the published word, including electronic formats.
• Fair use of copyrighted materials includes use to support news reporting, teaching, scholarship, and a number of other related permissions:
  - the purpose of the use has to be for educational or library purposes, not for profit, and should not be excessive.

US Copyright Office

Export and Espionage Laws
• Economic Espionage Act (EEA) of 1996
• Security and Freedom Through Encryption Act of 1997 (SAFE)

State & Local Statutes
• In addition to the national and international restrictions placed on an organization in the use of computer technology, each state or locality may have a number of laws and regulations that impact operations.
• It is the responsibility of the information security professional to understand state laws and regulations and to ensure the organization's security policies and procedures comply with those laws and regulations.

California Database Security Breach Act
• This state law, passed in 2003, covers any state agency, person or company that does business in California.
• It requires disclosure to California residents within 48 hours if a breach of personal information has occurred or is believed to have occurred.
• It defines personal information as a name in combination with a social security number, driver's license number, state ID card, account number, or credit or debit card number together with the required security access codes.

Digital Millennium Copyright Act (DMCA)
• DMCA is the US version of an international effort to reduce the impact of copyright, trademark, and privacy infringement.
• The European Union Directive 95/46/EC increases protection of individuals with regard to the processing of personal data and limits the free movement of such data.
• The United Kingdom has already implemented a version of this directive, called the Database Right.

Exercise 3.1: IT Litigation
Select one of the following IT security cases. Write a one-page summary of the facts of the case.
• Nigerian E-Mail Scammers
• Student arrested in e-mail threat
• Internet Sting Case Set for Trial
• Michigan Wi-Fi Hackers

Exercise 3.2: Due Process in a Security Policy
As a security officer for the Acme Corporation you are on the security policy team. You are asked to prepare a paper defining the company's need to provide due process to any employee charged with violating the policy. Develop a 5-minute presentation explaining due process.

Exercise 3.3: Civil Versus Criminal Litigation
Explain the difference between civil and criminal cases in the following four areas:
• Burden of proof
• Parties to the litigation
• Purpose of litigation
• Remedies to be considered