Legal and Privacy Issues in Information Security PDF
2020
J. L. Grama
Summary
This book chapter focuses on criminal and tort law issues in cyberspace, covering computer crimes and legal principles. It explores how computers are used in cybercrime and torts, and explains the difference between criminal and tort law. The book serves as a guide to navigating legal and privacy issues in information security.
Full Transcript
© mirjanajovic/DigitalVision Vectors/Getty Images

CHAPTER 12
Criminal Law and Tort Law Issues in Cyberspace

Grama, J. L. (2020). Legal and privacy issues in information security. Jones & Bartlett Learning, LLC. Created from westerngovernors-ebooks on 2025-02-11 04:04:22. Copyright © 2020. Jones & Bartlett Learning, LLC. All rights reserved.

Criminal law refers to laws that the federal and state governments have created to define unacceptable behavior. People who violate society’s acceptable levels of behavior commit crimes. Criminal law deals with crimes, whereas tort law refers to wrongful acts or harm for which an individual can sue the person who caused the harm. Tort law governs disputes between individuals.

This chapter focuses on criminal and tort law issues that are unique to cyberspace. In particular, it focuses on how people can use computers in cybercrime activities. It also reviews how people use computers to commit torts. Sometimes both criminal and tort law actions can be carried out against the same individual for the same actions.

Chapter 12 Topics

This chapter covers the following topics and concepts:

- What general criminal law concepts are
- What common criminal law issues in cyberspace are
- What general tort law concepts are
- What common tort law issues in cyberspace are
- What some case studies and examples are

Chapter 12 Goals

When you complete this chapter, you will be able to:

- Discuss common criminal law concepts
- Describe the common criminal laws used to prosecute cybercrimes
- Discuss common tort law concepts
- Describe common tort principles used in cyberspace
- Explain the difference between criminal and tort law

General Criminal Law Concepts

Cybercrimes, sometimes called computer crimes, involve situations where people use the internet or computers as the medium for, or target of, criminal activity. Some crimes, such as computer trespass, are prosecuted by extending existing criminal laws to new situations that have arisen with new technology. Computer networks facilitate these crimes. Other laws define new crimes that did not exist before computers. The use of computers as a medium to commit crimes is growing. Criminals also target computers and the data that they contain. Consider the following:

- A federal judge sentences a computer hacker to almost 5 years in prison for violating the Computer Fraud and Abuse Act (CFAA). The hacker created botnets and sold access to them. Other attackers used the botnets to launch distributed denial of service (DDoS) attacks.
- A federal judge sentences a defendant to 2.5 years in prison for taking nude videos of a news reporter and posting them to the internet. The judge also orders the defendant to pay restitution to the victim.
- The federal government charges three members of a hacking group with hijacking the website of a telecommunications company. The company’s users could not access the website for about 90 minutes.
- A man is charged with cyberextortion. He is alleged to have attempted to extort a life insurance company by threatening to send millions of computer spam messages. Authorities say he wanted to damage the reputation of the insurance company.

Crimes are instances of wrongdoing, or actions that harm society. They are deviations from behavior that society, through its government, has defined as unacceptable. Some crimes do not even need individual victims. Society is the “victim” of the crime. In simple terms, a crime is a violation of society’s code of conduct.

Crime and the concept of criminal law are very old.
The Sumerian and Babylonian civilizations included codes of conduct in their laws in 2100 B.C.E. Although these codes did not resemble modern criminal law, they did define conduct that society decided was not acceptable.

NOTE: Federal cases are titled “United States” versus the name of the defendant. This is because the government of the United States is prosecuting the defendant for a crime. State cases are titled with the name of the state versus the name of the defendant.

As discussed in other chapters in this book, the American legal system is based in large part on English common law. The U.S. Constitution is the main source of law for the United States. The Constitution presumes that U.S. citizens will behave lawfully. However, it includes provisions for how the government should handle crimes in Article III. The Constitution even defines a specific crime. Article III, section 3, states that treason against the United States is a crime.

The U.S. Congress has passed laws defining federal crimes since the formation of the government. Most states also have passed laws that have defined criminal offenses. Because crimes are wrongs against society, the government pursues the alleged wrongdoers. The federal government prosecutes violations of federal law, whereas state governments prosecute violations of state laws.

Main Principles of Criminal Law

Criminal law is very different from civil law. Each system has different goals. Criminal law aims to deter wrongful behavior through a combination of punishment and rehabilitation of the offender. In contrast, civil law aims to right personal wrongs. It does this by allowing people to sue to recover monetary compensation for injuries.

This section focuses on substantive criminal law. Substantive law describes a person’s rights and responsibilities.
It defines how people should relate to one another and how they should relate to the government. Substantive law also is known as subject matter law. Criminal law is only one of many categories of substantive law. Contract law, business law, property law, and tort law are all different types of substantive law.

NOTE: Attorneys often specialize in different subject matter areas. This is because of legal ethics rules that require an attorney to be minimally competent. There are many areas of law. It is easier for attorneys to meet ethical competency rules by focusing their practices in certain areas.

Substantive criminal law defines the conduct that constitutes a crime. It also establishes penalties. Governments can specify criminal penalties in the same statute that defines a crime. They also can list them in a separate penalty statute.

Type of Wrongful Conduct

Society recognizes two basic types of wrongful conduct. The first type is conduct or acts that society universally agrees are wrong, morally repugnant, or dangerous to other people. For example, almost all societies agree that murder and rape are wrong. Mala in se is a Latin term that defines these types of wrongful conduct. Mala in se means “evil in itself.” It describes conduct that is inherently wrong. Crimes that are mala in se include murder, rape, kidnapping, robbery, theft, and arson.

Other types of conduct are mala prohibita. Mala prohibita is Latin for “wrong because it is prohibited.” Society defines conduct that is mala prohibita. This conduct is not inherently evil, but society prohibits it nonetheless.
Crimes that are mala prohibita include intellectual property violations (where prohibited by law, such as federal copyright offenses), traffic law violations, and tax evasion. Many types of cybercrimes are mala prohibita.

Crimes generally are classified into two groups, misdemeanors and felonies. The two types of crimes are usually distinguishable by the way society punishes the criminals who commit these crimes. Misdemeanors are less serious than felonies and bear a less severe penalty. A misdemeanor is generally punishable by no more than 1 year in prison. Felonies are more serious crimes. They are usually punishable by more than a year in prison. The levels of felonies and misdemeanors may vary from state to state. Some states have different levels of misdemeanors and felonies. Language such as “first degree” or “second degree” differentiates between different levels of crime. A state can prosecute some types of crimes as either a misdemeanor or a felony depending on the circumstances surrounding the crime.

Elements of a Crime

Criminal law is based on the principle that a guilty mind must accompany a criminal act. Another principle is that criminal conduct harms society. In short, the American system of law holds people responsible for their actions. A government must prove the following elements to show that a crime has been committed:

- Mens rea
- Actus reus
- Causation

To prove that a crime has been committed, a government must show that a person acted with criminal intent. It must show that a person knowingly, intentionally, or recklessly engaged in criminal conduct. The Latin term mens rea means “guilty mind.” Mens rea describes a person’s intent to commit a crime. Someone who lacks mens rea cannot be held responsible for a crime.

Most criminal laws have language that specifies the amount of mens rea that a person must have to be held responsible for a crime.
For example, the Wisconsin first-degree murder statute states: “Whoever causes the death of another human being with intent to kill that person or another is guilty of a Class A felony.”1 The “intent to kill” portion of the statute describes the mens rea required to commit a crime.

NOTE: Some crimes do not require a particular mental state. For example, in most states, driving a car while under the influence of drugs or alcohol is a crime regardless of the mental state of the driver.

Acts that are purely accidental do not meet the required mental showing for criminal prosecution. However, that does not mean that the government prosecutes only intentional actions. The government also can prosecute a person who acts recklessly for criminal behavior. A showing of recklessness means that a person acted in a manner that consciously disregarded whether or not harm could result from the actions. For example, the Wisconsin first-degree reckless homicide statute states: “Whoever recklessly causes the death of another human being under circumstances which show utter disregard for human life is guilty of a Class B felony.”2 The “which show utter disregard for human life” portion of the statute describes the mens rea required to commit this crime.

Criminal statutes do not require governments to prove damages to prosecute a defendant for a crime. However, governments can use the amount of harm that a defendant causes to increase the level of the crime.

The actus reus is the wrongful act that constitutes a crime. Actus reus is the Latin term for “guilty act.” To be a crime, the action must be voluntary. The actus reus requires a physical act in furtherance of a crime. For example, the U.S.
Supreme Court held that a California law that punished people for being addicted to illegal drugs violated the Constitution.3 The California law made being “addicted” to drugs the offense, even if the person who was addicted to drugs never used or possessed drugs in the state. The law was challenged.

In Robinson v. California (1962), the U.S. Supreme Court said that there were many ways that the state could make certain acts related to drug use illegal. However, simply making the status of being an addict illegal was a violation of the Constitution. The case stands for the proposition that criminal activity requires a voluntary, physical act.

NOTE: In civil law, no showing of mental state, or mens rea, is required. Under civil law, wrongdoers are responsible for their actions even if they did not intend to cause harm to another person.

A wrongful act also can include the failure to act when there is a duty to do so. For example, parents have a duty to care for their children. A state may punish a parent who fails to take care of his or her children when that failure rises to a level of criminal conduct. For instance, in March 2010 the South Korean government arrested a couple for child neglect. The government alleged that the couple’s video game addiction led them to neglect their daughter, who starved to death. Tragically, the video game that the couple was addicted to involved caring for a “virtual child” in an online game.4

Jurisdiction

Courts can hear only cases, or disputes, that are within their jurisdiction. Jurisdiction describes the types of cases that a court has the authority to hear. Jurisdiction can be described in several different ways.

Jurisdiction can be used to describe the function of a court.
For example, trial courts generally have original jurisdiction. This is the ability to conduct trials and to hear initial disputes between parties. Appellate courts such as the U.S. Supreme Court have appellate jurisdiction. They can only review decisions made by lower courts.

Jurisdiction also can describe the power of a court to hear a certain type of case and make a binding decision in that case. Courts must have the proper jurisdiction to make a valid judgment. To make a valid judgment, a court must have:

- Subject matter jurisdiction
- Personal jurisdiction

Subject matter jurisdiction is the power of a court to decide certain types of cases. A court cannot decide cases where it has no subject matter jurisdiction. For example, federal courts have jurisdiction only to decide cases about federal laws. This is federal question jurisdiction. They also can decide certain types of disputes between citizens of different states. This is diversity of citizenship jurisdiction. In contrast, state courts can decide only cases about state laws or actions that occurred within the geographic boundaries of the state.

FYI: In both state and federal courts, jurisdiction also looks at geographical and political boundaries. If a person violates a federal law in Massachusetts, federal district courts in Massachusetts most likely have subject matter jurisdiction to decide the case. If the person violated only state law, Massachusetts state courts would have jurisdiction to decide the case.

Personal jurisdiction refers to a court’s ability to exercise power over a particular defendant. If a court does not have personal jurisdiction over a defendant, then it cannot impose a sentence on that person. Personal jurisdiction is important for both criminal and civil cases. Typically, state courts can exercise personal jurisdiction over people who commit acts within the state.
For criminal law, personal jurisdiction comes into play when criminal acts are committed in several different states. It is also implicated when crimes affect residents in many different states. The U.S. Supreme Court addressed this issue in 1911.5 In Strassheim v. Daily, the Supreme Court used a “detrimental effects” test to determine if a state could exercise jurisdiction over a person who committed crimes outside of the state. The Court’s test had three parts:

- Did the act occur outside the state?
- Did the act produce detrimental effects within the state?
- Were the acts the actual cause of detrimental effects within the state?

The test focuses on the defendant’s intent. It also looks at the consequences of the defendant’s actions in a particular state. Under the detrimental effects test, a state criminal court can exercise jurisdiction over a person who commits actions outside of the state if those actions cause harm within the state.

Jurisdictional Issues for Cybercrime Cases

Jurisdiction is a particularly challenging issue concerning cybercrimes. Geographical boundaries do not limit computer networks. Cybercriminals can easily commit crimes that span across many states and countries. This makes it difficult for law enforcement to investigate these crimes. It is particularly difficult for law enforcement to identify criminals and collect evidence across the globe. It also makes it difficult for courts to hold cybercriminals responsible for their actions.

Nigerian scams highlight the jurisdiction issues in cybercrime cases. These types of scams also are called “419 scams” or “advance fee fraud” schemes. (The “4-1-9” refers to the section of the Nigerian criminal code that addresses fraud schemes.) This type of scam has been around since the early 1900s, when it was called the Spanish Prisoner Con.
Today many organizations refer to these types of scams as imposter scams—where someone pretending to be someone else asks you to send money or share personal information. Criminals originally conducted these scams via fax or mailed letters. They now conduct them with ease through email and even text messages.

In these types of scams, a person receives an email from someone purporting to be an official of a foreign government or agency. The email writer usually offers large sums of money in return for helping someone in trouble. In some cases, the email claims that the government has made it difficult for the wealthy writer to cash a large check. (In the original scams the government referenced was the Nigerian government. This is how the modern-day version of the imposter scam got this name.) The writer asks the victim to advance the victim’s own funds to cover the check, and to help cash it. The writer promises that the victim will get a hefty reward for his or her assistance. A victim who advances funds soon learns that the check or underlying business transaction is fraudulent. The money advanced is lost.

People operating outside the United States who send targeted emails to U.S. residents commit many of these types of crimes. In 2019, imposter scams featured prominently in the top international fraud reports to the econsumer.gov international partnership.8

These cases are extremely difficult to investigate and prosecute. How would a victim in Lafayette, Indiana, be able to use the resources of local law enforcement to investigate a crime committed by a person who lives in another country? Local police, prosecutors, and courts have limited power to investigate and prosecute these types of international cases. State subpoenas and court orders do not usually apply across international boundaries. These jurisdictional issues are becoming more common as internet crime grows.

The Supreme Court’s detrimental effects test used in the Strassheim case is a common law rule. Many states have enacted legislation that codifies the detrimental effects test. For example, Alaska law states that state courts have jurisdiction over crimes that are “commenced outside the state but consummated inside.”6

NOTE: The United States ratified the Convention on Cybercrime in August 2006.

Issues about jurisdiction are not just questions between the states. Personal jurisdiction also can be an international issue. It is one of the main obstacles in cybercrime cases because of the truly global nature of the internet. The Council of Europe Convention on Cybercrime, which went into force in 2004, increases cooperation in the investigation and prosecution of cybercrimes. Members of the convention must adopt legislation to criminalize certain types of cyber-related offenses and copyright infringement. They also agree to assist one another in criminal investigations. Sixty-five nations have ratified it.7

Criminal Procedure

Criminal procedure is the body of rules that govern how governments prosecute people for crimes. These procedural rules make sure that criminal defendants receive due process. Due process means that a defendant in a criminal case is entitled to a fair and consistent process within the courts. The laws of criminal procedure make sure that the government safeguards the defendant’s constitutional rights. They also provide the government with a method for fairly prosecuting defendants for their crimes.

FYI: A prosecutor is a government official who represents the government in criminal cases. Prosecutors decide whether to charge a person with a crime and put on the court case against that person. U.S. attorneys are federal prosecutors.
States usually grant prosecutorial power to county governments. State prosecuting attorneys might be called district attorneys, county attorneys, state’s attorneys, or simply county prosecutors.

Most criminal procedure principles stem from the U.S. Constitution. This means that many processes are similar among the states and the federal government. However, some procedural rules are unique to each jurisdiction. The description provided here is intentionally general and is meant to be a guide. The process also can be different depending upon whether the crime committed is a misdemeanor or felony.

A criminal case begins when a law enforcement agency begins an investigation. Law enforcement agencies have certain rules that they must follow as they conduct their investigation. When law enforcement officers complete their investigation, they send the case to the prosecutor. A prosecutor then reviews the case and decides whether to bring charges against the person that law enforcement identified as the perpetrator of the crime. Prosecutors have a lot of discretion in determining whether to charge a person with a crime.

If a prosecutor decides to charge a person with a crime, he or she must file a written document in court to start the criminal process. In some states, a prosecutor may file a document called an information. An information specifies the charges against the perpetrator of the crime. The prosecutor can exercise discretion when filing an information.

In other states, defendants have a right to a grand jury indictment. A grand jury is a panel of citizens who hear evidence presented by a prosecutor. The grand jury determines if there is enough evidence to bring a person to trial for a crime.
The grand jury issues an indictment if it determines that the evidence is sufficient. An indictment is the formal written criminal charges issued by a grand jury.

FYI: The Fifth Amendment to the U.S. Constitution requires that a federal grand jury issue charges for some federal crimes. A defendant can waive the grand jury requirement. If a defendant waives the grand jury requirement, then the federal prosecutor files an information to start criminal proceedings. Federal grand juries contain between 16 and 23 people. The Federal Rules of Criminal Procedure set this number. Grand juries conduct their deliberations in secret. You can read the Handbook for Federal Grand Jurors at https://www.uscourts.gov/sites/default/files/grand-handbook.pdf.

A criminal prosecution begins once a grand jury returns an indictment or after a prosecutor files an information. At this point, the perpetrator of the crime becomes a defendant. In a criminal case, the defendant is the person accused of a crime.

The next step in the criminal process is the initial hearing. This is sometimes called an arraignment. The purpose of this hearing is to begin the formal court process. At this hearing, a court must:

- Inform the defendant about the charges.
- Advise the defendant about his or her legal and constitutional rights.

During the initial hearing the defendant must enter a response to the charges, called a plea. A defendant can enter a plea of guilty or not guilty. In some cases, she or he also can enter a plea of nolo contendere, which is Latin for “I do not wish to contend.” It is also called a plea of no contest. A no-contest plea is not a guilty plea. However, it has the same effect as one. Most jurisdictions have limits on how and when defendants can use this type of plea.

If a defendant enters a guilty plea, the court will set a date to sentence the defendant.
A 2018 study found that 90 percent of federal defendants plead guilty.9 That same study found that only 2 percent of federal defendants have cases that go to trial.

If the defendant enters a not-guilty plea, the court sets the case for trial. The U.S. Constitution guarantees criminal defendants the right to a trial by jury. Article III of the Constitution guarantees this right, and the Sixth Amendment to the Constitution clarifies the scope of the right.

Under the Sixth Amendment, criminal defendants are entitled to a court-appointed attorney if they cannot afford one on their own. Courts usually grant this request only when a defendant faces a prison sentence. The Supreme Court case of Gideon v. Wainwright (1963) held that a court must appoint an attorney to an indigent defendant charged with a felony.10 The defendant must prove that he or she is indigent and cannot afford an attorney. The Supreme Court in the Gideon case also held that a conviction is automatically reversed if a state denies a defendant the right to counsel.

NOTE: The defendant’s right to an attorney arises when a criminal proceeding begins. A defendant may voluntarily waive the right to counsel and represent himself or herself. A court must decide that a person is mentally competent in order to do this. The court also must warn the person that there are dangers to self-representation.

After the arraignment, the prosecution and the defendant’s attorneys will begin the discovery process. Discovery is the process where the government gives the defendant the evidence that it plans to use in the defendant’s trial. U.S. Supreme Court cases have held that the government must disclose:

- Any deals that the prosecution made with a witness (Giglio v. United States).11
- Any evidence it has that might help prove the defendant’s innocence (Brady v. Maryland).12

Courts strictly regulate the criminal discovery process. The rules for the process are clear. A court has a wide range of actions it can take against parties that fail to comply with discovery rules. A court can even dismiss the case if the prosecution fails to comply with the rules of the process. Failure to turn over evidence that might help prove the defendant’s innocence can cause a conviction to be overturned.

If a criminal case goes to trial, the government bears the burden of proving that the defendant violated the law. In criminal cases, the government must prove the defendant’s guilt beyond a reasonable doubt. This is the highest burden of proof that a prosecutor must meet. Reasonable doubt does not mean that a juror is 100 percent convinced of the defendant’s guilt. It does mean, however, that a juror must be fully satisfied that the prosecution has eliminated any reasonable doubts about the defendant’s guilt.

NOTE: The Sixth Amendment to the U.S. Constitution guarantees defendants a speedy trial. State criminal procedure rules include time limits for all the steps in the criminal process. In Strunk v. United States (1973), the U.S. Supreme Court held that a court must dismiss a criminal charge if a state violates the defendant’s speedy trial rights.13

The government has a high burden of proof in criminal cases because criminal punishments infringe on a person’s fundamental rights. These rights include the right to liberty, property, and life. Criminal penalties can include jail time, probation, financial penalties, or even a death sentence. A court may impose these penalties only if the government meets its high burden of proof.

A criminal case ends when a jury decides that a defendant is innocent or guilty.
It also ends if the jury cannot reach a decision. A hung jury is a jury that is unable to reach a decision because the jurors disagree. A court will declare a mistrial if the jury cannot reach a decision. In this case, the government may decide to refile the charges and prosecute the defendant again.

A defendant who is convicted may appeal. Different rights allow a defendant to appeal a ruling or conviction to a higher court. These rules are beyond the scope of this discussion.

Common Criminal Laws Used in Cyberspace

A computer, or any electronic device, can play one of four roles in crime:

- To commit a crime—Unauthorized access to data (hacking) and online fraud are two examples where a computer is used to commit a crime.
- To facilitate a crime—Cyberstalking, identity theft, phishing scams, and software piracy are examples of crimes facilitated, or aided, by computers.
- As a target of crime—Denial of service (DoS) and distributed denial of service (DDoS) attacks, computer viruses, and communications sabotage are examples of crimes where the computer itself is the target of the crime.
- As a witness to crime—Computerized record-keeping systems may provide evidence of an underlying crime or event.

Just because a computer or electronic device is involved in a crime does not make that crime a cybercrime. For example, a person simply using a computer and printer to create a forged document commits a criminal act. It is no different than if that same person used a printing press and ink to forge the document. The crime is still a forgery.

Cybercrimes are different. Cybercrimes, also called computer crimes, are crimes that use computers as a medium to commit a crime or where the computer itself is the target of the crime.
Cyberstalking, identity theft, and phishing scams are examples of crimes facilitated by computers. DoS and DDoS attacks, computer viruses, and communications sabotage are examples of crimes where the computer itself is the target of the crime. The distinction between the types of crime is subtle but important.

Both the federal government and individual states have created several laws that address cybercrime. This chapter talks primarily about federal cybercrime laws. Federal laws will likely have the most impact on cybercrime. This is because geography or state and national borders do not matter to cybercriminals. The internet truly blurs these lines. A criminal can easily initiate a cybercrime in one state and harm a victim in another. Also, because cybercrime statutes vary widely between the states, federal laws may end up being more comprehensive.

NOTE: It is important to remember that many states criminalize the same behavior that federal cybercrime laws address.

The Computer Fraud and Abuse Act (1984)

Congress passed the Computer Fraud and Abuse Act (CFAA) in 1984.14 It is the first piece of federal legislation that identified computer crimes as distinct offenses. The federal government used the CFAA in 1990 to prosecute the creator of the Morris worm. This was the first prosecution under the CFAA. The CFAA provides both criminal and civil penalties.

NOTE: The Internet Crime Complaint Center (IC3) is a partnership between the U.S. Federal Bureau of Investigation (FBI) and the National White Collar Crime Center. Their 2019 Internet Crime Report showed that the total loss linked to online fraud was $3.5 billion.15 You can read the report at https://pdf.ic3.gov/2019_IC3Report.pdf.
In enacting the CFAA, Congress chose to address a series of computer-related offenses in a single statute. The CFAA limits federal jurisdiction to situations where cybercrime is interstate in nature or when certain “protected computers” are the target of crime. The CFAA criminalizes the act of causing certain types of damage to a protected computer without authorization or by exceeding authorized access. A protected computer is any of the following:

- A federal government computer
- A financial institution computer
- A computer used in interstate or foreign commerce16

FYI: The CFAA does not define what access “without authorization” means. However, it does define what “exceeding authorized access” means.17 The failure to define the scope and limits of “without authorization” is one of the biggest criticisms of the CFAA. Many CFAA cases boil down to questions of access. There is a split among federal courts as to the meaning of authorized access under the CFAA. In April 2020, the U.S. Supreme Court agreed to hear a CFAA case in its upcoming term. As of this writing, no date for oral arguments has been set. The name of the case to watch is Van Buren v. United States. You can follow the court’s docket at https://www.supremecourt.gov/docket/docketfiles/html/public/19-783.html.

NOTE: Under the CFAA, essentially any computer that connects to the internet is a protected computer because the internet facilitates commerce between different states.

The CFAA treats protected computers as the victim of a crime. It addresses the following types of criminal activity:
- Unauthorized access to a government computer
- Unauthorized access to information on a protected computer
- Unauthorized access to a protected computer that causes damage
- Unauthorized access to a protected computer with an intent to defraud
- Threatening to damage a protected computer
- Unauthorized trafficking of passwords or other computer access information that allows people to access other computers without authorization and with the intent to defraud
- Computer espionage

NOTE: Some sections of the CFAA require the government to show that the intruder caused damage. Under the CFAA, damage is “any impairment to the integrity or availability of data, a program, a system, or information.”19

The CFAA does not just address intruders or outsider attacks on protected computers. It also considers that insiders may exceed the access that they have been granted in a protected computer system. Because these people already have access to these systems, their access is not unauthorized. However, in some cases, they commit a crime if they exceed their scope of authorized access. Under the CFAA, a person exceeds authorized access when he or she accesses a computer with authorization but uses that access to get or alter information that he or she is not allowed to use or alter.18

TABLE 12-1 summarizes the CFAA provisions and potential penalties. In all instances, the penalties described are increased significantly if a defendant has a previous CFAA conviction.

TABLE 12-1 Computer Fraud and Abuse Act Summary

| CRIMINAL ACTIVITY | ACTION | GENERAL PENALTY |
| --- | --- | --- |
| Protected computer trespass | Unauthorized access | A defendant can receive a fine, or up to 1 year in prison, or both. |
| Obtaining information from a protected computer | Unauthorized access; Access in excess of authorized access | A defendant can receive a fine, or up to 1 year in prison, or both. The defendant also can be sentenced for a felony and up to 5 years in prison if aggravating factors exist. Repeat offenders can receive a fine, or 10 years in prison, or both. |
| Access of a protected computer with intent to defraud | Unauthorized access; Access in excess of authorized access | A defendant can receive a fine, or up to 5 years in prison, or both. |
| Access to a protected computer that causes damage | Knowingly transmits a program, incorporation, or code that intentionally causes damage; Intentional access that recklessly causes damage; Intentional access that causes damage and loss | Damage by Code Transmission: A defendant can receive a fine, or 10 years in prison, or both. The defendant also can receive 20 years in prison for subsequent convictions or causing damage leading to serious bodily injury. A defendant can receive life imprisonment if the offense causes or attempts to cause death. Reckless Damage: A defendant can receive a fine, or 5 years in prison, or both. Repeat offenders can receive a fine, or 20 years in prison, or both. Damage and Loss: A defendant can receive a fine, or 10 years in prison, or both. |
| Threatening to damage a computer | Intent to extort | A defendant can receive a fine, or up to 5 years in prison, or both. |
| Trafficking in passwords | Knowing action, with intent to defraud | A defendant can receive a fine, or up to 1 year in prison, or both. Repeat offenders can receive a fine, or 10 years in prison, or both. |
| Computer espionage | Knowing access and willful transmission of information that could be used to injure the U.S. or its interests | A defendant can receive a fine, or up to 10 years in prison, or both. |

Computer Trespass or Intrusion

The CFAA is the main federal law addressing cybercrime. In addition to the CFAA, the federal government has some other laws that address computer trespass or intrusion. These laws generally address computers that the U.S. government owns or controls. Some laws, such as the CFAA, expand this definition to include computers used in interstate commerce.

State Laws Against Computer Trespass

It is important to keep in mind that states also may have computer trespass statutes that prohibit unauthorized access to computer systems or networks. Depending on the jurisdiction, these crimes have a variety of names. In many states, the mere act of intentionally entering a computer system or network without permission is a crime. In most jurisdictions, first-time computer trespass is a misdemeanor. The penalties for computer trespass may escalate if a person is charged and convicted of more than one offense.

Most trespass statutes address only unauthorized access into a computer system. They stop short of addressing actual computer tampering, access to information, or the injection of computer viruses or worms. These types of crimes, which are malicious in nature, typically are addressed in other statutes.

Federal law addresses fraud and related activity in connection with access devices. It outlaws the production, use, or sale of counterfeit or unauthorized access devices.20 Access devices include any item that can be used to obtain money, goods, or things of value. They include items such as card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications services. A person who violates this law commits a felony.
He or she can be imprisoned for 10 to 20 years depending upon the nature of the violation.

Theft of Information

Theft of information via computer networks is on the rise. Most of these crimes take the form of theft of personal identifying information or financial information. Financial gain is nearly always the motive for these crimes. The U.S. Federal Trade Commission (FTC) announced that fraud and identity theft were number one and two, respectively, on its list of top three consumer complaints for 2019.21

The federal Identity Theft and Assumption Deterrence Act (1998) makes identity theft a federal crime.22 The law makes it illegal for anyone to knowingly transfer or use another person’s identification with the intent to commit a crime. Under the law, an identification document is any document made or issued by the federal or a state government. Identifying information includes items you may be familiar with as personally identifiable information, such as name, Social Security number (SSN), and driver’s license number. It also includes:

- Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation
- Unique electronic identification number, address, or routing code
- Electronic serial number or any other number or signal that identifies a specific telecommunications device or account
- Any other piece of information that may be used to identify a specific person

If a person violates the law, she or he is subject to fines and criminal penalties of up to 15 years in prison. This period increases to 30 years in special circumstances, such as where identity theft is used to facilitate terrorism. Violators also must give any personal property used to commit identity theft crimes to the government. The U.S. Secret Service, FBI, U.S.
Postal Inspection Service, and Social Security Administration’s Office of the Inspector General all have the power to investigate crimes committed under this law.

NOTE: The FTC’s identity theft website provides useful information about preventing identity theft. You can read more at https://www.consumer.ftc.gov/topics/identity-theft.

Interception of Communications Laws

Federal laws that address the illegal interception of communications forbid the use of eavesdropping technologies without a court order. Communications covered by the statutes include email, radio communications, electronic communications, data transmission, and telephone calls.

The federal Wiretap Act (1968, amended) governs real-time interception of the contents of a communication.23 It does not apply to transmission information. The Act forbids the real-time interception of any wire, oral, or electronic communication. Communications covered by the Act include email, radio communications, data transmissions, and telephone calls. A person who violates the Act can be fined or imprisoned for up to 5 years, or both.

NOTE: The Pen Register and Trap and Trace Statute governs access to the real-time interception of headers, logs, and other transmission information.24

The Electronic Communications Privacy Act (ECPA; 1986) governs access to stored electronic communications.25 This includes access to the contents of the communication and the headers and other transmission information. The ECPA is an amendment to the original Wiretap Act. The ECPA governs access to the contents of stored communications, as well as access to transmission data about the communications. Under the ECPA, no one may access the contents of these communications unless it is allowed somewhere else in the ECPA.
A person who violates the Act can be fined or imprisoned for up to 5 years, or both. Repeat offenders can be imprisoned up to 10 years.

Spam and Phishing Laws

Congress created the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act in 2003.26 The Act covers unsolicited commercial email messages known as spam. Spam is unsolicited electronic junk mail that a user may receive. Spam is a nuisance to the recipient. The CAN-SPAM Act has both civil and criminal provisions.

The CAN-SPAM Act requires commercial email senders to meet certain requirements. Commercial messages are messages with content that advertises or promotes a product or service. The Act also forbids sending sexually explicit email unless it has a label or marking that identifies it as explicit.27 Commercial email message senders must meet the following CAN-SPAM requirements:

- Do not use false or misleading header information.
- Do not use deceptive subject lines.
- Identify the email message as a commercial advertisement.
- Include a valid physical postal address.
- Inform message recipients how to opt-out of future email messages.
- Promptly process opt-out requests.
- Monitor the actions of third parties that advertise on the sender’s behalf.28

NOTE: The FTC helps businesses understand the CAN-SPAM Act. You can view their business compliance guide at https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business.

The FTC enforces the civil provisions of the CAN-SPAM Act. Violations of the Act are enforced by the FTC in the same way that it enforces unfair or deceptive trade practices.29 The FTC also has promulgated rules for businesses to follow.
The FTC completed its first review of the CAN-SPAM Act in 2019 and determined that it would make no changes to the rule because of its benefit to consumers.30

The CAN-SPAM Act also has criminal provisions. It includes penalties for:

- Accessing another person’s computer without permission to send spam
- Using false information to register for multiple email accounts or domain names
- Relaying or retransmitting spam messages through a computer to mislead others about the origin of the email
- Harvesting email addresses or generating them through a dictionary attack
- Taking advantage of open relays or open proxies without permission to send spam31