
1 Lesson 5-Legal Issues in Information Security

2 Overview U.S. criminal law. State laws. Laws of other countries. Issues with prosecution. Civil issues. Privacy issues.

3 U.S. Criminal Law Computer fraud and abuse: 18 US Code 1030 (the Computer Fraud and Abuse Act) forms the basis for federal prosecution of computer crimes. Section (a) of the statute lists the offenses, all built around intentionally accessing a computer without authorization or in excess of authorized access. Several of the offenses require that the attacker obtained information the statute protects or caused damage. The commonly cited $5,000 figure is a loss threshold that applies to the damage-based offenses and to civil actions under the statute, and it is only one of several alternative harms (others include impairment of medical care, physical injury, a threat to public health or safety, and damage to a government computer), not a precondition for every prosecution under 1030.

4 U.S. Criminal Law Credit card fraud and copyright: 18 US Code 1029 covers fraud involving "access devices", which include credit card numbers, account numbers, and other means of obtaining money, goods, or services. Among other offenses, it makes it a crime to knowingly, and with intent to defraud, possess fifteen or more counterfeit or unauthorized access devices. Criminal copyright infringement is defined in 17 US Code 506 and punished under 18 US Code 2319. The penalties scale with the number of copies and their total retail value: reproducing or distributing at least 10 copies of one or more copyrighted works with a total retail value of more than $2,500 within a 180-day period is a felony, while a total retail value of more than $1,000 in that period is enough for a misdemeanor.

5 U.S. Criminal Law Interception: 18 US Code 2511 (the Wiretap Act) outlaws interception of telephone calls and other wire, oral, and electronic communications. Law enforcement needs a court order to use a wiretap. An intruder placing a sniffer on a computer system is likely to be in violation of this law. The statute's exceptions matter to defenders: a provider may intercept on its own network where necessary to protect its rights or property, and interception with the consent of a party to the communication is lawful, which is why organizations place monitoring notices in login banners and acceptable-use policies.

6 U.S. Criminal Law Access to electronic information: 18 US Code 2701 (part of the Stored Communications Act) prohibits intentionally accessing, without authorization, a facility through which an electronic communication service is provided and thereby obtaining, altering, or preventing authorized access to stored communications. It also applies to authorized users who exceed their authorization. Conduct authorized by the provider of the service is exempt, so the provider's own access to data stored on its systems is not an offense under this section.

7 U.S. Criminal Law Patriot Act: The USA PATRIOT Act was passed in response to the September 11, 2001 terrorist attacks. It increased the maximum penalties for violations of 18 US Code 1030 and redefined "damage" and "loss" in that statute. "Loss" now includes the cost of responding to the incident, assessing the damage, and restoring systems, as well as lost revenue, which makes the $5,000 threshold easier to reach.

8 U.S. Criminal Law Patriot Act (continued): Damage to a computer system used by the government for the administration of justice, national defense, or national security is a federal offense regardless of the dollar loss. The definition of "protected computer" was extended to computers outside the United States whose use affects interstate or foreign commerce, so an individual inside the United States attacking a system outside the country can be prosecuted under federal law.

9 U.S. Criminal Law Patriot Act (continued): The Pen Register and Trap and Trace Statute (18 US Code 3121-3127) lets law enforcement obtain, with a court order, the telephone numbers dialed from a particular telephone (pen register) and the numbers of incoming calls (trap and trace). The Patriot Act modified the definitions to cover any device or process that records dialing, routing, addressing, or signaling information, which brought network traffic within its scope.

10 U.S. Criminal Law Patriot Act (continued): Under a pen register order it is now possible to collect e-mail header information, source and destination IP addresses, and TCP and UDP port numbers. The statute excludes the contents of any communication, so e-mail subject lines, message bodies, and the contents of downloaded files may not be collected under such an order. The Patriot Act also added the "computer trespasser" exception to 18 US Code 2511, allowing law enforcement to intercept the communications of an intruder.
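The line the statute draws between addressing information and content is one a collection tool has to enforce mechanically. The following is an added example, not part of the original presentation: it pulls only IP addresses, protocol, and port numbers out of a raw IPv4 packet and only addressing headers out of an e-mail, discarding the payload and the Subject line. The set of e-mail headers treated as addressing information (ADDRESSING_HEADERS) and the sample packet and message are assumptions constructed for the example; which headers an order actually covers is for counsel and the court to settle.

```python
import struct
import ipaddress
from email import message_from_bytes

# Header fields treated here as addressing/routing information. Which e-mail
# headers a pen register order covers is a legal question; this list is an
# assumption made for the example, and Subject is deliberately excluded.
ADDRESSING_HEADERS = ("from", "to", "cc", "date", "message-id")

# IP protocol numbers whose transport header starts with 16-bit source and
# destination ports.
PORTED_PROTOCOLS = {6: "tcp", 17: "udp"}


def pen_register_record(packet: bytes) -> dict:
    """Extract only routing/addressing information from a raw IPv4 packet
    (no link-layer header). The transport payload is skipped, never stored."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    record = {
        "src_ip": str(ipaddress.IPv4Address(src)),
        "dst_ip": str(ipaddress.IPv4Address(dst)),
        "protocol": PORTED_PROTOCOLS.get(proto, str(proto)),
    }
    if proto in PORTED_PROTOCOLS:
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        record["src_port"], record["dst_port"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return record


def email_addressing_only(raw_message: bytes) -> dict:
    """Keep only addressing headers from an RFC 5322 message; Subject and the
    body are content and are discarded."""
    msg = message_from_bytes(raw_message)
    return {name: msg[name] for name in ADDRESSING_HEADERS if msg[name] is not None}


def build_ipv4_packet(src_ip: str, dst_ip: str, proto: int,
                      sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 + TCP/UDP packet as constructed test input
    (checksums are left at zero; no real traffic is involved)."""
    if proto == 6:
        transport = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        transport = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(transport) + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                            ipaddress.IPv4Address(src_ip).packed,
                            ipaddress.IPv4Address(dst_ip).packed)
    return ip_header + transport + payload


# Constructed sample: an SMTP submission from a workstation to a mail server.
SAMPLE_EMAIL = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: quarterly numbers\r\n"
    b"Date: Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    b"\r\n"
    b"The attached spreadsheet is confidential.\r\n"
)
SAMPLE_PACKET = build_ipv4_packet("192.0.2.10", "198.51.100.25", 6, 51234, 25, SAMPLE_EMAIL)

if __name__ == "__main__":
    print(pen_register_record(SAMPLE_PACKET))
    print(email_addressing_only(SAMPLE_EMAIL))
```

The packet record never references the bytes past the port fields, and the e-mail filter is an allow-list rather than a deny-list, so a header the list does not name (Subject, or anything unexpected) is dropped rather than leaked.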

11 U.S. Criminal Law Patriot Act (continued): For trespasser interception, the owner or operator of the system must consent, the interception must be part of a lawful investigation, there must be reasonable grounds to believe the intercepted contents are relevant to that investigation, and only communications to or from the trespasser may be acquired. The Homeland Security Act of 2002 is mostly directed at the creation of the Department of Homeland Security.

12 State Laws State laws differ from federal law in what constitutes a crime and how it may be punished, and the definition of a computer crime differs from state to state.

13 Laws of Other Countries Computer crime laws in other countries may affect computer crime investigations in the United States. If an attack is traced to a system in another country, the FBI will seek assistance from the law enforcement agencies there.

14 Laws of Other Countries A country with no computer crime laws is unlikely to assist in the investigation. Unauthorized access to data in computers is a crime in most countries with computer crime laws.

15 Issues with Prosecution Before contacting law enforcement to prosecute offenders, the organization must have an incident response procedure in place. Records produced by following normal business procedures, such as routinely collected logs, need no special precautions to be usable as evidence. If the organization takes actions outside the scope of its normal business procedures (for example, collecting additional data specifically to build a case against an individual), it must take precautions to preserve that information as evidence.

16 Issues with Prosecution The organization's general counsel should be consulted before contacting law enforcement, and advice should be taken from counsel and from law enforcement before any action is taken. Law enforcement is bound by rules that must be followed if the information gathered is to be admissible as evidence.

17 Issues with Prosecution After taking possession of information, law enforcement will control access to it and protect it as evidence according to its procedures. Law enforcement cannot gather information from the organization's network without a warrant unless the organization willingly provides it.

18 Civil Issues Employees must be told that the organization can access or monitor any information on its systems or network at any time. Employees should be asked to sign copies of the organization's policies acknowledging this, which reduces the organization's exposure to later legal challenges.

19 Civil Issues Downstream liability arises when an organization is held liable because its compromised system was used to attack another organization. The question is whether the first organization took reasonable care and appropriate measures to prevent this from occurring.

20 Privacy Issues The federal government has enacted privacy legislation for the banking, financial, and healthcare sectors. Under these laws, customer information is treated as belonging to the customer, not to your organization.

21 Health Insurance Portability and Accountability Act (HIPAA) A covered organization must take appropriate measures to safeguard health information from unauthorized disclosure. The Department of Health and Human Services published the final HIPAA security regulations (the Security Rule) in February 2003. HIPAA relates to the creation and enforcement of standards for the protection of health information.

22 Health Insurance Portability and Accountability Act (HIPAA) The regulations distinguish required and addressable implementation specifications. An organization must implement an addressable specification if it is reasonable and appropriate for its environment. If not, the organization must document why the specification is not reasonable and appropriate and implement an equivalent alternative measure where one is. The overall goal of the regulations is to maintain the confidentiality, integrity, and availability of protected health information (PHI).

23 Health Insurance Portability and Accountability Act (HIPAA) Administrative safeguards: Security management process – regular risk analysis, security measures to reduce risk to a reasonable and appropriate level, a sanction policy for enforcement, and regular review of security logs and activity information are required. Assigned security responsibility – an individual must be assigned responsibility for security.

24 Health Insurance Portability and Accountability Act (HIPAA) Administrative safeguards (continued): Workforce security – procedures for authorization and supervision, workforce clearance, and termination are addressable. Information access management – isolating the health care clearinghouse function from the rest of the organization is required. Procedures for access authorization and for access establishment and modification are addressable.

25 Health Insurance Portability and Accountability Act (HIPAA) Administrative safeguards (continued): Security awareness and training – periodic security reminders, protection from malicious software, login monitoring, and password management are addressable. Security incident procedures – policies and procedures to identify, respond to, and document security incidents are required.

26 Health Insurance Portability and Accountability Act (HIPAA) Administrative safeguards (continued): Contingency plans – plans for data backup, disaster recovery, and emergency mode operation are required. Periodic testing and revision of the contingency plans and assessment of the relative criticality of specific applications and data are addressable. Evaluation – performing periodic technical and non-technical evaluations of security in response to changes in operations or environment is required.

27 Health Insurance Portability and Accountability Act (HIPAA) Administrative safeguards (continued): Business associate contracts and other arrangements – contracts requiring appropriate security are required with any organization with which PHI is shared.

28 Health Insurance Portability and Accountability Act (HIPAA) Physical safeguards: Facility access controls – procedures for contingency operations, a facility security plan, access control and validation, and records of repairs and modifications to the physical security of the facility are addressable. Workstation use – policies specifying the proper functions and physical attributes of workstations that can access PHI are required.

29 Health Insurance Portability and Accountability Act (HIPAA) Physical safeguards (continued): Workstation security – physical safeguards for all workstations that can access PHI are required. Device and media controls – procedures for disposing of PHI and the media on which it was stored, and for removing PHI from media before reuse, are required. Keeping records of the movement of media and hardware, and backing up PHI before equipment is moved, are addressable.

30 Health Insurance Portability and Accountability Act (HIPAA) Technical safeguards: Access control – it is required that each user be assigned a unique identifier and that emergency access procedures be implemented. Automatic logoff and encryption/decryption of PHI are addressable. Audit controls – mechanisms that record and examine activity on systems containing PHI are required. Integrity – a mechanism to authenticate electronic PHI, so that improper alteration or destruction can be detected, is addressable.

31 Health Insurance Portability and Accountability Act (HIPAA) Technical safeguards (continued): Person or entity authentication – mechanisms to verify the identity of individuals or entities seeking access to PHI are required. Transmission security – mechanisms to detect unauthorized modification of PHI in transit and to encrypt PHI in transit when appropriate are addressable.

32 Health Insurance Portability and Accountability Act (HIPAA) Organizational requirements: Any contract with an organization that will be able to access PHI must include provisions for security. Group health plan documents must require the plan sponsor to take appropriate measures to protect PHI.

33 Health Insurance Portability and Accountability Act (HIPAA) Policies, procedures, and documentation requirements: The organization must keep documentation for six years from the date of its creation or the date it was last in effect, whichever is later. Policies and procedures must be made available to the individuals who will implement them and must be updated as the environment changes.

34 Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) The Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) was passed in 1999. Section 502 of the act prohibits financial institutions from disclosing nonpublic personal information about a customer to nonaffiliated third parties without first giving the customer a chance to opt out.

35 Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) The act also requires financial institutions to safeguard customer information from unauthorized disclosure. For this purpose, the federal financial regulators have published the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information".

36 Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) The guidelines impose requirements on a financial institution's security program. Information security program – each institution must implement a comprehensive written security program. Board involvement – the institution's board must approve the security program and receive reports on it. Assessing risk – each institution must conduct periodic risk assessments.

37 Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) The security measures the institution must consider to manage and control risk include: Access controls on customer information. Physical access restrictions to systems and records. Encryption of sensitive customer information in transit. Change control procedures for systems.

38 Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) The security measures the institution must consider to manage and control risk (continued): Dual control procedures, segregation of duties, and employee background checks. Intrusion detection systems. Incident response procedures. Protection against environmental hazards.

39 Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) The guidelines identify the following requirements when third parties are involved: Due diligence in selecting service providers. Requiring service providers by contract to implement appropriate security. Monitoring service providers. Adjusting the program as risks change. Reporting to the board.

40 Summary 18 US Code 1030 is the primary federal computer crime statute. 18 US Code 1029 deals with access device (including credit card) fraud. 18 US Code 2319 sets the penalties for criminal copyright infringement. 18 US Code 2511 prohibits interception of communications without a court order. 18 US Code 2701 prohibits unlawful access to stored communications.

41 Summary The Patriot Act made several modifications to existing laws. State laws regarding computer crime differ from federal law and from state to state. Computer crime laws in other countries can affect investigations in the United States. Organizations must discuss the options in detail with counsel before contacting law enforcement to prosecute offenders.

42 Summary The organization must make it known that employees have no expectation of privacy on its systems. The information security staff and the general counsel of the organization must coordinate on downstream liability. HIPAA sets out regulations for the protection of health information.

43 Summary GLBA relates to the privacy of customer information. GLBA led to the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information".

