Fintech Case Study Task 1
Randy Sturgill
Western Governors University
C841: Legal Issues in Information Security
8-3-23
Task 1
A. Demonstrate your understanding of the applicability of the law by doing the following:

A1. Explain how the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act specifically relate to the criminal activity described in the case study.

The Computer Fraud and Abuse Act (CFAA) relates to this case because it criminalizes fraudulent acts involving protected computers. TechFite's focus on working with many internet-based companies nearly guarantees that it is working with computers used in interstate or foreign commerce, which the CFAA classifies as protected computers. The discovery of the Metasploit tool, and the evidence of its recent use for scanning and penetration against other internet-based companies, indicates that BI Unit employees have probably violated the CFAA, specifically its prohibition on unauthorized access to protected computers with intent to defraud or cause damage.

The Electronic Communications Privacy Act (ECPA) relates to this case because it prohibits access to stored electronic communications unless that access is permitted elsewhere in the ECPA. The ECPA could become relevant to the case in two ways. First, TechFite employees may have violated the ECPA if they accessed the stored electronic communications of other companies while using the Metasploit tool. Second, the collection of evidence in the event of legal action against TechFite or its employees will need to comply with ECPA rules.

A2. Explain how three laws, regulations, or legal cases apply in the justification of legal action based upon negligence described in the case study.

Legal action is justified against TechFite for negligence that resulted in violations of the Computer Fraud and Abuse Act, the Sarbanes-Oxley Act, and the Electronic Communications Privacy Act. The CFAA states: "Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer ... shall be punished as provided in subsection (c) of this section." [1] The Business Intelligence Unit did not audit its user accounts. Because of this, employees at TechFite exceeded their authorized access through escalation of privilege, which led to unauthorized access to financial and executive files belonging to other departments within the company. Because TechFite is engaged in interstate commerce, the company's computers are protected computers under the CFAA, and the unauthorized access to data on them is unlawful.
Negligence is also evident in the Marketing/Sales unit that works with the Business Intelligence Unit. A lack of separation of duties and no implementation of least privilege in this area resulted in a single individual having the ability to create a sales account and then record and submit sales on that same account. SOX Section 404 requires executives to "(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." [2] The unchecked access that employees have to the financial reporting system prevents any oversight of whether those sales were accurate, or whether they even occurred. Consequently, there is almost no sign of an internal control structure for financial reporting, which leaves TechFite vulnerable to legal action under the Sarbanes-Oxley Act.

The lack of oversight across the BI Unit led to potential infringement of multiple sections of the ECPA. "Title I of the ECPA generally prohibits the following conduct: 1) intentionally intercepting or endeavoring to intercept electronic communications; 2) intentionally using or endeavoring to use electronic communications that have been obtained through interception; or 3) intentionally disclosing or endeavoring to disclose to any other person the contents of the electronic communications which have been obtained through interception. 18 U.S.C. § 2511(1)(a) ... Title II of the ECPA, or the Stored Communications Act, makes it unlawful to intentionally access, obtain, alter, or disclose the contents of any stored electronic communication, without proper authorization. 18 U.S.C. §§ 2701(a) and 2702(a). Title II has two general exceptions to its prohibitions: 1) the consent exception; and 2) the provider exception." [3] The digital evidence gathered of the BI Unit's scanning and penetration of other companies makes it possible that the BI Unit has been intercepting and accessing the stored communications of other companies in violation of Titles I and II of the ECPA. The investigators had lawful access to the stored emails they reviewed without a warrant because of Title II's consent exception: TechFite is a private entity and requires all employees to sign a release allowing company surveillance of any electronic communications made using TechFite equipment. Therefore, any evidence of crimes the investigators find in stored electronic communications may be admissible evidence in court under the Silver Platter Doctrine.

A3. Discuss two instances in which duty of due care was lacking.
Two instances in which due care was lacking are the failure to safeguard customer data and the lack of user account audits. Having no protection of customer data through the use of data loss prevention technology can lead to untraceable abuse of that data. Data loss prevention would provide controls to block the unauthorized transmission of customer data, and to detect and monitor any attempt to do so. This could have prevented the instances in which the NDAs with Orange Leaf and Union City Electronic Ventures were violated by providing their proprietary data to their competitors. The implementation of account auditing could have prevented a large number of the problems in the BI Unit. Ensuring least privilege on all accounts, monitoring accounts to track attempts to escalate privilege, and removing unused accounts are fundamental parts of maintaining information security. This oversight would have provided some of the internal controls required by SOX, prevented the cross-department data breach, and could have prevented the installation of the Metasploit tool by denying the ability to install software without administrative approval.

A4. Describe how the Sarbanes-Oxley Act (SOX) applies to the case study.

The Sarbanes-Oxley Act's purpose is to protect investors by ensuring that publicly traded companies accurately report their finances. SOX relates to this case because of multiple failures to ensure that TechFite's finances are valid. Individual members of the Marketing and Sales units had too many privileges and were able to create customers and then record and submit sales to those same customers. This gives a clear avenue to exaggerate sales or submit non-existent sales, making the company appear more profitable than it is. Members of the BI Unit were able to access financial and executive files for which they did not have authorization. This could have been done to alter the documents in some way, which leads to further questions about the accuracy of TechFite's finances.
Finally, a relationship was found with three apparent shell companies owned by an associate of TechFite's CISO. These three companies funnel money into the sales department despite not having any real internet presence, which is TechFite's core business. This is a strong indication that the shell companies are being used to artificially inflate TechFite's sales. All of this leads to the company violating Section 404 of SOX because of its lack of internal controls to verify the accuracy of its financial reporting. The senior management of the company is vulnerable under Section 302, which requires them to certify the accuracy of their reported financial statements. All of this could lead to criminal penalties as stated in SOX Section 906.

B. Discuss legal theories by doing the following:

B1. Explain how evidence in the case study supports claims of alleged criminal activity in TechFite.

The evidence in the case study supports claims of alleged criminal activity. Carl Jaspers went out of his way to have dummy accounts created, and those same accounts were used to violate the CFAA by accessing protected computers. The senior management of the company was required to validate that the internal controls for financial reporting were able to provide an accurate account of the company's financial status. Finally, the EnCase tool provided direct evidence of BI Unit personnel scanning and penetrating other companies' networks.

B1a. Identify who committed the alleged criminal acts and who were the victims.

The people who may have committed criminal acts in the case study are Noah Stevenson (CEO), Carl Jaspers (CISO), Sarah Miller, Megan Rogers, and Jack Hudson. Noah Stevenson is required by SOX to ensure internal controls for financial reporting and to certify that the company's financial report is accurate. The lack of controls to verify accuracy means he could face criminal charges under SOX Section 906. Carl Jaspers directed the creation of dummy accounts that were used to gain unauthorized access to computers protected by the CFAA. Carl Jaspers also has a highly suspicious relationship with three apparent shell companies that are likely being used to commit corporate fraud. Sarah Miller, Megan Rogers, and Jack Hudson all used the Metasploit tool to scan and penetrate other companies' networks. Any interception of electronic communications or access to stored communications during that activity would be a violation of the ECPA. The victims in this case study were any companies whose proprietary data was shared because of the lack of internal data controls, rival companies whose communications may have been intercepted or improperly accessed, and shareholders who invested in TechFite while it appeared more profitable than it was.

B1b. Explain how existing cybersecurity policies and procedures failed to prevent the alleged criminal activity.

The lack of account auditing allowed Carl Jaspers to escalate the privileges of dummy accounts for unauthorized access to protected computers in other departments. No implementation of least privilege led to sales staff having too much access, which casts doubt on the accuracy of TechFite's sales reports. The principle of least privilege could also have prevented individuals from installing the Metasploit tool by requiring administrative approval to install software.
B2. Explain how evidence in the case study supports claims of alleged acts of negligence in TechFite.

The case study shows that there was a clear lack of policies from senior management that would have prevented TechFite's problems. A policy against conflicts of interest should have prevented the boss/subordinate relationship and Carl Jaspers' business dealings with an associate from college. If there was any policy for monitoring the company's internal network, it did not appear to be enforced, given the lack of audits and the rampant abuse of user accounts. This negligence from the top is what allowed a toxic culture to form.

B2a. Identify who was negligent and who were the victims.

Nadia Johnson was negligent by failing to identify the lack of internal oversight in the BI Unit, specifically the lack of user account audits, data loss prevention, and network monitoring. Senior management at TechFite was negligent for failing to enforce a separation of duties policy that would protect customer data and improve the accuracy of their financial reporting. TechFite was also negligent for failing to implement a policy preventing boss/subordinate relationships that could result in conflicts of interest. The victims of this negligence were any customers of TechFite whose data was unprotected and compromised, the companies whose communications may have been compromised via the Metasploit tool, the other departments of TechFite whose files were illegally obtained, and again, any shareholders who believed they were investing in a company based on accurate financial reports.

B2b. Explain how existing cybersecurity policies and procedures failed to prevent negligent practices.

The cybersecurity policy that was in place only worked to protect TechFite from external sources. An internally focused policy that mandated user account audits, checks for escalation of privilege, scanning for unauthorized applications, and network activity monitoring did not exist, which shows negligence in accounting for insider threats. Account audits would have caught the dummy users and the escalated privileges. Unauthorized software scans would have detected the Metasploit software. Network monitoring would have revealed the scanning and penetration of other companies and the breaches into other departments.
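The account-audit controls that sections A3 and B2b say were missing (least privilege against a department baseline, separation of duties, removal of dormant or never-used accounts, and detection of privilege escalation that carries no approval) can be expressed as a small audit script. The following Python is an added example and is not part of the paper, the case study, or any TechFite system; the account inventory, department baselines, log line format, usernames and ticket convention are all constructed here for illustration.

```python
"""Account-audit checks of the kind the paper says the BI Unit lacked.

All data below is constructed for this example; none of it comes from the case study.
"""
import re
from datetime import date

# Hypothetical least-privilege baseline: resources each department may access.
DEPT_BASELINE = {
    "bi": {"bi_share", "scan_tools"},
    "sales": {"crm"},
    "finance": {"finance_share", "crm"},
    "exec": {"exec_share", "finance_share"},
}

# Rights one person must never hold together (separation of duties).
SOD_CONFLICTS = [("create_customer", "submit_sale")]

# Groups whose membership changes must carry an approval ticket.
PRIVILEGED_GROUPS = {"Domain Admins", "Finance Admins"}
DORMANT_DAYS = 90

# Constructed account inventory (hypothetical usernames, not case-study data).
ACCOUNTS = [
    {"user": "bi_analyst1", "dept": "bi", "active": True, "last_login": "2023-07-30",
     "resources": {"bi_share", "scan_tools", "finance_share"}, "rights": set()},
    {"user": "sales_rep7", "dept": "sales", "active": True, "last_login": "2023-07-31",
     "resources": {"crm"}, "rights": {"create_customer", "submit_sale"}},
    {"user": "former_emp_jd", "dept": "sales", "active": True, "last_login": "2023-03-01",
     "resources": {"crm"}, "rights": set()},
    {"user": "svc_report_04", "dept": "bi", "active": True, "last_login": None,
     "resources": {"bi_share"}, "rights": set()},
    {"user": "fin_clerk2", "dept": "finance", "active": True, "last_login": "2023-07-29",
     "resources": {"finance_share"}, "rights": {"submit_sale"}},
]

# Constructed privilege-change log lines in a hypothetical key=value format.
PRIV_LOG = """\
2023-07-21T10:12:03Z user=svc_report_04 action=ADD_GROUP group="Domain Admins" actor=admin3 ticket=none
2023-07-22T09:01:44Z user=fin_clerk2 action=ADD_GROUP group="Finance Admins" actor=admin1 ticket=CHG-1183
2023-07-23T16:40:09Z user=bi_analyst1 action=ADD_GROUP group="Report Viewers" actor=admin3 ticket=none
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) '
    r'group="(?P<group>[^"]+)" actor=(?P<actor>\S+) ticket=(?P<ticket>\S+)$')


def parse_priv_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def audit_accounts(accounts, today):
    """Return (rule, user, detail) findings for dormant, over-privileged and SoD-conflicting accounts."""
    findings = []
    for a in accounts:
        if a["active"]:
            if a["last_login"] is None:
                findings.append(("dormant", a["user"], "never logged in"))
            else:
                idle = (today - date.fromisoformat(a["last_login"])).days
                if idle > DORMANT_DAYS:
                    findings.append(("dormant", a["user"], f"idle {idle} days"))
        # Least privilege: anything outside the department baseline is a finding.
        extra = a["resources"] - DEPT_BASELINE.get(a["dept"], set())
        if extra:
            findings.append(("least_privilege", a["user"],
                             "outside baseline: " + ",".join(sorted(extra))))
        # Separation of duties: creating a customer and booking its sales must be split.
        for left, right in SOD_CONFLICTS:
            if left in a["rights"] and right in a["rights"]:
                findings.append(("separation_of_duties", a["user"], f"{left}+{right}"))
    return findings


def audit_priv_changes(entries):
    """Flag additions to privileged groups that carry no approval ticket."""
    return [("unapproved_escalation", e["user"], f'{e["group"]} by {e["actor"]}')
            for e in entries
            if e["action"] == "ADD_GROUP"
            and e["group"] in PRIVILEGED_GROUPS
            and e["ticket"] == "none"]


def run_audit(accounts=ACCOUNTS, log_text=PRIV_LOG, today=date(2023, 8, 3)):
    """Combine the inventory checks and the privilege-change checks into one finding list."""
    return audit_accounts(accounts, today) + audit_priv_changes(parse_priv_log(log_text))


if __name__ == "__main__":
    for rule, user, detail in run_audit():
        print(f"{rule:22} {user:15} {detail}")
```

Run against the constructed data, the script reports the BI analyst holding a finance share outside the department baseline, the sales account that can both create a customer and submit sales against it, a former employee's account still active after months of no logins, a service account that has never logged in, and that same service account being added to a privileged group with no approval ticket. The clean finance account produces no finding, which is the check that the rules are not simply flagging everything.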
References

[1] United States Government. (1984). 18 U.S. Code § 1030 - Fraud and related activity in connection with computers. Retrieved from https://www.law.cornell.edu/uscode/text/18/1030

[2] United States Government. (2018, October 19). Sarbanes-Oxley Act of 2002. Retrieved from http://legcounsel.house.gov/Comps/Sarbanes-oxley%20Act%20Of%202002.pdf

[3] Caterine, M. J. (n.d.). Privacy of electronic communications. Retrieved from https://www.americanbar.org/content/dam/aba/administrative/labor_law/meetings/2009/2009_err_008.authcheckdam.pdf