Key To Personal Information Security

Lesson Three
Legal, Ethical Issues in
Information Security
Copyright © Center for Systems Security and Information Assurance
Lesson Objectives
• Describe the fundamentals of the American legal system.
• Define the basic terms associated with the legal process.
• Explain the difference between criminal and civil law.
• Describe the role of the Judicial branch.
• Differentiate between laws and ethics.
• Identify major national laws that relate to the practice of
information security.
• Understand the role of culture as it applies to ethics in
information security.
Law and Ethics in
Information Security
• Laws: rules adopted to define expected behavior. Laws are
drawn from ethics.
• Ethics: define socially acceptable behaviors. Ethics, in turn,
are based on cultural mores: the fixed moral attitudes or
customs of a particular group.
Code of Ethics
• Perform all professional activities in accordance with all
applicable laws and the highest ethical principles.
• Promote generally accepted information security practices
and standards.
• Discharge professional responsibilities with diligence and
honesty.
Computing Ethics
Our study of computing ethics involves asking
the questions of “right and proper conduct when
using computers”
What is good, what is bad?
What is right, what is wrong?
Computing Ethics
• When examining computing ethics, it is tempting to
oversimplify ethical problems by reducing them to issues of
computer crime and data security.
• In reality, the moral concerns and dilemmas confronting
computing professionals are far broader than that.
Ten Commandments Of Computer
Ethics
1. Thou Shalt Not Use A Computer To Harm Other People.
2. Thou Shalt Not Interfere With Other People's Computer Work.
3. Thou Shalt Not Snoop Around In Other People's Computer Files.
4. Thou Shalt Not Use A Computer To Steal.
5. Thou Shalt Not Use A Computer To Bear False Witness.
6. Thou Shalt Not Copy Or Use Proprietary Software For Which
You Have Not Paid.
(Created by the Computer Ethics Institute)
7. Thou Shalt Not Use Other People's Computer Resources
Without Authorization Or Proper Compensation.
8. Thou Shalt Not Appropriate Other People's Intellectual
Output.
9. Thou Shalt Think About The Social Consequences Of The
Program You Are Writing Or The System You Are Designing.
10. Thou Shalt Always Use A Computer In Ways That Ensure
Consideration And Respect For Your Fellow Humans.
Law and Information Security
• Information technology professionals, and particularly those
in the medical, legal, and accounting fields, want to use the
Internet to conduct their businesses.
• Email and electronic communications have become a part of
everyday life.
• Security incidents have led to several new federal and local
laws, as well as a rush by organizations to take appropriate
measures to protect their assets.
Source of American Law
• The sources of law in the American legal system, ranked by
authority, are:
 U.S. Constitution
 Federal statutes
 Federal court decisions
 State constitutions
 State statutes
 State court decisions
• The U.S. Supreme Court has the final say on the
constitutionality of governmental actions.
US Constitution
• The U.S. Constitution is the supreme law and is the basis of
our system of justice.
• Articles I, II and III establish and describe the legislative,
executive and judicial branches.
• Article IV describes relations between the states.
• Article V is the amendment process.
• Article VI covers past debts, the supremacy clause, and the
prohibition of any religious test for federal office.
• Article VII describes the ratification process.
United States Constitution
• Bill of Rights: the first ten amendments, which set out the
fundamental rights guaranteed to individuals.
 The 5th and 14th Amendments guarantee due process; the
14th also guarantees equal protection of the laws.
 The 11th Amendment protects states from suits in federal
court by citizens of other states.
http://www.house.gov/Constitution/Constitution.html
Judicial Review Process
• Judicial review is the power of the judicial branch of
government to decide whether acts of government are
consistent with the Constitution.
• Judges maintain limited government and the rule of law by
upholding the supremacy of the Constitution over federal and
local statutes, and by respecting previous court decisions.
• All courts in the United States, federal and state, may
exercise the power of judicial review.
Civil Versus Criminal Litigation
The American judicial system handles two distinct kinds of
cases, civil and criminal, through different procedures (often
in the same courts).
• Basic differences between the two:
 The purpose of litigation
 The parties involved
 The burden of proof
 The remedies available
Purpose of Litigation
• Civil cases involve conflicts between people or institutions
such as businesses.
• Criminal cases involve enforcing public codes of behavior as
embodied in the laws, with the government prosecuting
individuals or institutions.
The Parties to a Lawsuit
The American system of justice is an adversarial system,
designed to promote the discovery of the truth while
maintaining the court's impartiality.
The parties to a lawsuit include:
• The party bringing the suit, called the "plaintiff"
• The party accused, called the "defendant" (or defendants)
• Either side may also have intervening and joined parties
Legal Burden of Proof
• In a criminal case the prosecution must prove guilt beyond a
reasonable doubt: proof to a very high degree of probability,
though not proof beyond any shadow of a doubt.
In a criminal case, the jury must be unanimous to convict.
• In a civil case the standard of proof is the preponderance of
the evidence (the balance of probabilities): the plaintiff must
show that an allegation is more probable than not.
Civil juries are not always required to be unanimous. Federal
civil juries must be unanimous unless the parties agree
otherwise, while many state courts accept a verdict by a
specified majority of the jury.
Legal Remedies
• Civil law remedies:
Monetary Damages
A court injunction - an equitable remedy in the
form of a court order that prohibits a party from
continuing a particular activity.
• Criminal case remedies:
Criminal fine
Incarceration
Capital Punishment
Code Law Versus Common Law
Jurisdictions
• Code Law: The Code Napoléon is the model of the civil-law
approach. Civil law is based on scholarly research and the
drafting of a comprehensive legal code that is enacted by the
legislative branch. The judge's job is then to interpret the
legislature's intent rather than to follow judicial precedent.
• Common Law: Common law develops from judicial decisions
rather than from legislation; it is the basis of the legal
system in 49 states (Louisiana retains a civil-code tradition).
It is often summarized in two principles: do all you have
agreed to do, and do not encroach on other persons or their
property.
Judicial Precedent
• Precedent is a previously reported decision by an appellate
court that establishes a point of law on a specific issue.
• In the law, decisions in previous cases play a significant
role in the presentation, understanding, and outcome of new
cases.
• This is particularly true in the area of contract law, where
few statutes (explicit legal rules) exist.
Judicial Precedent
• Stare decisis, which means "to stand by things decided", is
the doctrine whereby lower courts are bound to apply the legal
principles set down by superior courts in earlier cases.
• The binding part of a previous decision is the ratio
decidendi (reason for the decision) and it must be
followed by judges in later cases.
• Anything said obiter dictum (by the way) in the
original case is merely persuasive because it was
not strictly relevant to the matter in issue and does
not have to be followed.
Jurisdiction
• A court has no authority to decide a case unless it has
jurisdiction over the person or property involved. To have
jurisdiction, a court must have authority over the subject
matter of the case,
 and the court must be able to exercise control over the
defendant,
 or the property involved must be located in the area under
the court's control.
• The extent of the court's control over persons and property
is set by law.
Jurisdiction
• Certain judicial actions are transitory. They can be
brought wherever the defendant may be found and
served with a summons, and where the jurisdiction
has sufficient contact with one of the parties and
the incident that gave rise to the suit.
• Other actions - such as foreclosing on a piece of
property are local. They can be brought only in
the county where the subject of the suit is located.
Original and Appellate Jurisdiction
• Original jurisdiction is the authority to hear trials.
• Appellate jurisdiction is the authority to hear appeals. The
principal functions of an appellate court are:
 to correct errors in the decisions of trial courts or in the
reasoning used by them in reaching those decisions; and
 to develop the body of law through judicial exposition.
Types of Courts
• Functional organization of federal and state courts
 trial courts
 intermediate appellate courts
 highest appellate courts
• Geographic organization of federal courts
 Made up of 94 U.S. judicial districts
 Organized into 12 regional circuits (plus the Court of
Appeals for the Federal Circuit, whose jurisdiction is defined
by subject matter rather than geography)
http://www.usdoj.gov/usao/eousa/kidspage/circuit.html
Federal Circuit Court System
Venue
• Venue refers to the county or district within a state or the
U.S. where the lawsuit is to be tried.
• The venue of a lawsuit is set by statute, but it can
sometimes be changed to another county or district.
• Venue also may be changed for the convenience of witnesses.
Pleadings
A lawsuit begins when the person bringing the suit files a
complaint. Pleadings are certain formal documents filed with
the court that state the parties' basic positions. Common
pre-trial pleadings include:
 Complaint (or petition or bill)
 Counts
 Answer
 Reply
 Counterclaims
Pleadings
• The complaint is probably the most important pleading in a
civil case: by setting out the plaintiff's version of the
facts and specifying the damages sought, it frames the issues
of the case.
• It includes various counts, that is, distinct statements of
the plaintiff's causes of action highlighting the factual and
legal basis of the suit.
Pleadings
• Answer. This statement by the defendant usually
explains why the plaintiff should not prevail. It may
also offer additional facts, or plead an excuse.
• Reply. Any party in the case may have to file a
reply, which is an answer to new allegations
raised in pleadings.
Pleadings
• Counterclaim. The defendant may file a
counterclaim, which asserts that the plaintiff has
injured the defendant in some way, and should
pay damages. ("You're suing me? Well then, I'm
suing you.")
 It may be filed separately or as part of the answer.
 If a counterclaim is filed, the plaintiff must be given the
opportunity to respond by filing a reply.
Types of Motions
Motions are not pleadings but are requests for the judge to
make a legal ruling. Some of the most common pre-trial motions
include:
 Discovery motions. Motions by which one party seeks to
obtain information from the adverse party (for example, a
motion to compel discovery).
 Motion to Dismiss. This motion asks the court to dismiss the
suit because it has no legally sound basis, even if all the
facts alleged are proven true.
Motion for Summary Judgment
• Motion for Summary Judgment (sometimes
called motion for summary disposition).
• This motion asks the court for a judgment on the
merits of the case before the trial.
• It is properly made where there is no dispute
about the facts and only a question of law needs
to be decided.
Due Process
• Due process is the principle that guarantees basic fairness,
as embodied in current legal doctrines. These take the form of
procedural protections against arbitrary actions by
governmental authorities and substantive rights not to have
life, liberty or property taken away to serve the interest of
an oppressive majority.
• Due process, in the context of the United States, refers to
how and why laws are enforced. It applies to all persons,
citizens or aliens, as well as to corporations.
Due Process Guarantees
• Due process requires that laws be written so that a
reasonable person can understand what behavior is criminal.
• Generally, due process guarantees the following:
 Right to a fair public trial conducted in a competent manner
 Right to be present at the trial
 Right to an impartial jury
 Right to be heard in one's own defense
U.S. Laws Addressing
Information Security
• Computer Fraud and Abuse Act of 1986
• Computer Security Act of 1987
• Communications Decency Act of 1996 (CDA)
• National Information Infrastructure Protection Act of 1996
• Telecommunications Act of 1996 (the "Telecommunications
Deregulation and Competition Act")
• USA PATRIOT Act of 2001
The Computer Fraud and Abuse Act of 1986
• The Computer Fraud and Abuse Act of 1986 focused primarily
on protecting "federal-interest" computers; the 1996 National
Information Infrastructure Protection Act broadened its reach
to any "protected computer".
• Specifically, the law prohibits the use of "a program,
information, code or command" with intent to damage, cause
damage to, or deny access to a computer system or network.
• The Act also reaches damage that was not intended, where the
perpetrator acted with reckless disregard of the risk of
causing such damage.
http://www.usdoj.gov/criminal/cybercrime/1030_new.html
Communications Decency Act
of 1996
The Communications Decency Act of 1996 is a statute prohibiting
anyone using interstate or foreign telecommunications from
knowingly transmitting obscene or indecent materials to a
recipient under 18 years of age, regardless of who initiated
the communication. The Supreme Court struck down the Act's
indecency provisions as unconstitutionally vague and overbroad
in Reno v. ACLU (1997); its Section 230, which shields service
providers from liability for content posted by their users,
remains in force.
http://usinfo.state.gov/usa/infousa/laws/majorlaw/s652titl.htm
The Question of Privacy
• The issue of privacy has become one of the hottest topics in
information security.
• The widespread use of technology has provided the ability to
collect information on an individual, combine facts from
separate sources, and merge it with other information.
• This aggregation of data from multiple sources permits
unethical organizations to build databases of facts with
frightening capabilities.
U.S. Laws Addressing
Individual Privacy
• Federal Privacy Act of 1974
• The Electronic Communications Privacy Act of
1986
• The Health Insurance Portability & Accountability
Act Of 1996 (HIPAA) also known as the
Kennedy-Kassebaum Act
• The Financial Services Modernization Act or
Gramm-Leach-Bliley Act of 1999
Freedom of Public Information
• It has been said that access to and control of information
is power.
• Congress passed the Freedom of Information Act (FOIA) to
provide:
 Greater scrutiny of government agencies.
 A way for individuals to access government records that
contain information about them.
http://www.november.org/resources/FOIA-PA.pdf
The Electronic Communications
Privacy Act (ECPA) of 1986
• Assigns fines and prison sentences for anyone convicted of
unauthorized interception or disclosure of electronic
communications.
• Prohibits making use of an unlawfully intercepted electronic
communication when the user knows that the message was
unlawfully obtained.
• Title II of the Act (the Stored Communications Act) also
prohibits unauthorized access to stored communications, not
just those in transit.
http://policyworks.gov/policydocs/5.pdf
Freedom of Information
Act of 1966 (FOIA)
• The FOIA gives any person the right to request access to
federal agency records or information, unless the records fall
within one of the Act's exemptions (for example, properly
classified national security information).
• Because of those exemptions some information is protected
from disclosure, and the Act does not apply to state or local
government agencies or to private businesses or individuals,
although many states have their own versions of the FOIA.
What is HIPAA
• Congress passed the Health Insurance Portability and
Accountability Act of 1996 ("HIPAA"); under it, the Department
of Health and Human Services issued a series of regulations,
including the Privacy Rule and the Security Rule.
• These regulations are designed to protect the privacy rights
of individuals with regard to their confidential medical
records.
• The Act greatly restricts the dissemination and transmittal
of personal patient information and has dramatically changed
the way healthcare information is handled.
http://www.mtworld.com/tools_resources/understanding_hipaa.html
Gramm-Leach-Bliley Act (GLBA)
• Passed to ensure the protection of consumer
privacy.
• Data protection provisions are comprehensive,
requiring the Regulators (Banking, Insurance,
FTC and SEC) to establish appropriate
standards for safeguarding financial institutions'
customer records and information.
• Affects a broad range of organizations including
banks, insurance companies, securities firms,
tax preparers, mortgage brokers and lenders,
real estate agents and appraisers, financial
planners and credit card companies.
Gramm-Leach-Bliley Act (GLBA)
• Compliance is mandatory. Financial institutions
that do not meet these new information security
requirements are subject to enforcement and
liability exposure.
• Consequences for failing to comply include
enforcement actions with fines up to $1,000,000
and other penalties.
Sarbanes-Oxley Act (Sarbox)
• A statute passed in 2002 to address the rash of corporate
fraud; an attempt to fight corporate corruption.
• It applies to the corporate officers, auditors, and
attorneys of publicly traded companies.
• Corporate officers who willfully and knowingly certify a
false financial report can be fined up to $5 million and
imprisoned for up to 20 years (Section 906).
U.S. Laws Addressing
US Copyright Law
• Intellectual property is recognized as a protected asset in
the US.
• US copyright law extends this protection to the published
word, including electronic formats.
• Fair use permits limited use of copyrighted material without
permission for purposes such as criticism, news reporting,
teaching, scholarship and research. Whether a particular use
is fair depends on four factors:
 the purpose and character of the use (non-profit educational
use is favored over commercial use)
 the nature of the copyrighted work
 the amount used in relation to the work as a whole
 the effect of the use on the market for the work
US Copyright Office
Export and Espionage Laws
• Economic Espionage Act (EEA) of 1996
• Security and Freedom Through Encryption Act of 1997 (SAFE):
a bill to relax US export controls on encryption that was
introduced in several Congresses but never enacted.
State & Local Statutes
• In addition to the national and international restrictions
placed on an organization in its use of computer technology,
each state or locality may have a number of laws and
regulations that affect operations.
• It is the responsibility of the information security
professional to understand state laws and regulations and
ensure that the organization's security policies and
procedures comply with them.
California Database Security Breach Act
• This state law (SB 1386), enacted in 2002 and effective
July 1, 2003, covers any state agency, person or business that
conducts business in California.
• It requires notification to California residents whose
unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.
Notification must be made in the most expedient time possible
and without unreasonable delay; the statute sets no fixed
48-hour deadline.
• It defines personal information as an individual's first
name or initial and last name in combination with a social
security number, a driver's license or California ID card
number, or an account, credit or debit card number together
with any required security code, access code or password.
Digital Millennium Copyright Act
(DMCA)
• The DMCA (1998) is the US implementation of the 1996 WIPO
copyright treaties. It prohibits circumventing technical
measures that control access to copyrighted works and
trafficking in circumvention tools, and it limits the
liability of online service providers for infringing material
posted by their users. It is a copyright statute, not a
trademark or privacy law.
• Separately, European Union Directive 95/46/EC protects
individuals with regard to the processing of personal data
while allowing the free movement of such data within the EU.
• The United Kingdom implemented that directive through the
Data Protection Act 1998; the UK Database Right comes from a
different directive (96/9/EC on the legal protection of
databases).
Exercise 3.1
IT Litigation
Select one of the following IT security cases. Write a
one page summary of the facts of the case.
• Nigerian E-Mail Scammers
• Student arrested in e-mail threat
• Internet Sting Case Set for Trial
• Michigan Wi-Fi Hackers
Exercise 3.2
Due Process in a Security Policy
As a security officer for the Acme Corporation you are on the
security policy team. You are asked to prepare a paper
defining the company's need to provide due process to any
employee charged with violating the policy. Develop a
five-minute presentation explaining that due process.
Exercise 3.3
Civil Versus Criminal Litigation
Explain the difference between civil and criminal
cases in the following four areas:
• Burden of proof
• Parties to the litigation
• Purpose of litigation
• Remedies to be considered