Legal Issues in Information Security

Book Description

PART OF THE NEW JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES! Legal Issues in Information Security addresses the area where law and information security concerns intersect. Information systems security and legal compliance are now required to protect critical governmental and corporate infrastructure, intellectual property created by individuals and organizations alike, and information that individuals believe should be protected from unreasonable intrusion. Organizations must build numerous information security and privacy responses into their daily operations to protect the business itself, fully meet legal requirements, and to meet the expectations of employees and customers. Part 1 of this book discusses fundamental security and privacy concepts. Part 2 examines recent US laws that address information security and privacy. And Part 3 considers security and privacy for organizations.

Table of Contents

  1. Copyright
  2. Preface
    1. Purpose of This Book
    2. Learning Features
    3. Audience
  3. Acknowledgments
  4. About the Author
  5. ONE. Fundamental Concepts
    1. 1. Information Security Overview
      1. Why Is Information Security an Issue?
      2. What Is Information Security?
        1. What Is Confidentiality?
        2. What Is Integrity?
        3. What Is Availability?
      3. Common Information Security Concepts
        1. Vulnerabilities
        2. Threats
        3. Risks
        4. Safeguards
        5. Choosing Safeguards
      4. What Are Common Information Security Concerns?
        1. Shoulder Surfing
        2. Social Engineering
        3. Phishing and Targeted Phishing Scams
        4. Malware
        5. Spyware and Keystroke Loggers
        6. Logic Bombs
        7. Backdoors
        8. Denial of Service Attacks
      5. Do Different Types of Information Require Different Types of Protection?
        1. U.S. National Security Information
      6. What Are the Mechanisms That Ensure Information Security?
        1. Laws and Legal Duties
        2. Contracts
        3. Organizational Governance
        4. Voluntary Organizations
      7. Do Special Kinds of Data Require Special Kinds of Protection?
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 1 ASSESSMENT
    2. 2. Privacy Overview
      1. Why Is Privacy an Issue?
      2. What Is Privacy?
      3. How Is Privacy Different from Information Security?
      4. What Are the Sources of Privacy Law?
        1. Constitutional Law
        2. Federal Laws
          1. Census Confidentiality (1952)
          2. Freedom of Information Act (1966)
          3. Wiretap Act (1968, amended)
          4. Mail Privacy Statute (1971)
          5. Privacy Act (1974)
          6. Cable Communications Policy Act (1984)
          7. Electronic Communications Privacy Act (1986)
          8. Driver's Privacy Protection Act (1994)
          9. E-Government Act (2002)
        3. State Laws
        4. Common Laws
          1. Intrusion into Seclusion
          2. Portrayal in a False Light
          3. Appropriation of Likeness or Identity
          4. Public Disclosure of Private Facts
        5. Voluntary Agreements
      5. What Are Threats to Personal Data Privacy in the Information Age?
        1. Technology-Based Privacy Concerns
          1. Spyware, Keystroke Loggers, and Adware
          2. Cookies, Web Beacons, and Clickstreams
          3. RFID and GPS Technologies
          4. Security Breaches
        2. People-Based Privacy Concerns
          1. Phishing
          2. Social Engineering, Shoulder Surfing, and Dumpster Diving
          3. Social Networking Sites
            1. Information Sharing
            2. Security
          4. Online Data Gathering
      6. What Is Workplace Privacy?
        1. Telephone and Voice Mail Monitoring
        2. Video Surveillance Monitoring
        3. Computer Use Monitoring
        4. E-mail Monitoring
          1. Public Employees
      7. What Are General Principles for Privacy Protection in Information Systems?
        1. Privacy Policies and Data Privacy Laws
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 2 ASSESSMENT
      11. ENDNOTES
    3. 3. The American Legal System
      1. The American Legal System
        1. Federal Government
          1. Legislative Branch
          2. Executive Branch
          3. Judicial Branch
            1. Structure of the Federal Judiciary
        2. State Government
      2. Sources of Law
        1. Common Law
        2. Code Law
        3. Constitutional Law
        4. How Does It All Fit Together?
      3. Types of Law
        1. Civil
        2. Criminal
        3. Administrative
      4. The Role of Precedent
      5. Regulatory Authorities
      6. What Is the Difference Between Compliance and Audit?
      7. How Do Security, Privacy, and Compliance Fit Together?
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 3 ASSESSMENT
      11. ENDNOTES
  6. TWO. Laws Influencing Information Security
    1. 4. Security and Privacy of Consumer Financial Information
      1. Business Challenges Facing Financial Institutions
      2. The Different Types of Financial Institutions
      3. Consumer Financial Information
      4. Who Regulates Financial Institutions?
        1. The Federal Reserve System
        2. Federal Deposit Insurance Corporation
        3. National Credit Union Administration
        4. Office of the Comptroller of the Currency
        5. Office of Thrift Supervision
        6. Special Role of the Federal Trade Commission
      5. Federal Financial Institutions Examination Council (FFIEC)
      6. The Gramm-Leach-Bliley Act
        1. Purpose, Scope, and Main Requirements
        2. The Privacy Rule
        3. The Safeguards Rule
        4. The Pretexting Rule
        5. Oversight
      7. Federal Trade Commission Red Flags Rule
        1. Purpose
        2. Scope
        3. Main Requirements
        4. Oversight
        5. Implementation Concerns
      8. Payment Card Industry Standards
        1. Purpose
        2. Scope
        3. Main Requirements
        4. Oversight
      9. Case Studies and Examples
        1. FTC Privacy and Safeguards Rule Enforcement
        2. PCI DSS Example
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 4 ASSESSMENT
      13. ENDNOTES
    2. 5. Security and Privacy of Information Belonging to Children and Educational Records
      1. Challenges in Protecting Children on the Internet
        1. Identification of Children
        2. First Amendment and Censorship
        3. Defining Obscenity
      2. Children's Online Privacy Protection Act
        1. Purpose of COPPA
        2. Scope of the Regulation
        3. Main Requirements
          1. Gaining Parent's Consent
          2. Privacy Policy
          3. Privacy Policy Location
          4. Privacy Policy Content
        4. Oversight
      3. Children's Internet Protection Act (CIPA)
        1. Purpose
        2. Scope of the Regulation
        3. Main Requirements
          1. Internet Safety Policy
          2. Exceptions
        4. Oversight
      4. Family Educational Rights and Privacy
        1. Purpose and Scope
        2. Main Requirements
          1. Parent and Student Rights
          2. Protection of Records
          3. Annual Notification
          4. Exceptions
        3. Oversight
      5. Case Studies and Examples
        1. Liberty Financial and Children's Privacy
        2. Iconix Brand Group, Inc.
        3. Gonzaga University Student
        4. Release of Disciplinary Records
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 5 ASSESSMENT
      9. ENDNOTES
    3. 6. Security and Privacy of Health Information
      1. Business Challenges Facing the Health Care Industry
      2. Why Is Health Care Information So Sensitive?
      3. The Health Insurance Portability and Accountability Act
        1. Purpose
        2. Scope
        3. Main Requirements of the Privacy Rule
          1. Required Disclosures
          2. Permitted Uses and Disclosures
            1. Treatment, Payment, and Health Care Operations
            2. Uses and Disclosures Made After an Opportunity to Opt Out
            3. Made for Public Health and Safety Activities
            4. Limited Data Sets Used or Disclosed for Specified Activities
            5. Uses and Disclosures that Require Authorization
          3. Minimum Necessary Rule
          4. Other Individual Rights under the Privacy Rule
            1. Amendments of PHI
            2. Accounting of Disclosures
          5. Privacy Notices
          6. Administrative Requirements
        4. Main Requirements of the Security Rule
          1. Safeguards and Implementation Specifications
            1. Administrative Safeguards
            2. Physical Safeguards
            3. Technical Safeguards
        5. Oversight
      4. The HITECH Act
        1. Compliance and Enforcement
        2. Breach Notification Provisions
        3. Changes to the Privacy and Security Rules
      5. The Role of State Laws Protecting Medical Records
      6. Case Studies and Examples
        1. OCR Enforcement Information
        2. HIPAA and Federal Trade Communications Act
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 6 ASSESSMENT
      10. ENDNOTES
    4. 7. Corporate Information Security and Privacy Regulation
      1. The Enron Scandal and Securities-Law Reform
        1. Corporate Fraud at Enron
      2. Why Is Accurate Financial Reporting Important?
      3. The Sarbanes-Oxley Act of 2002
        1. Purpose and Scope
        2. Main Requirements
          1. Public Company Accounting Oversight Board
          2. Document Retention
          3. Certification
            1. Disclosure Controls
            2. Internal Controls
        3. Oversight
      4. Compliance and Security Controls
        1. COBIT
        2. GAIT
        3. ISO/IEC Standards
        4. NIST Computer Security Guidance
      5. SOX Influence in Other Types of Companies
      6. Corporate Privacy Issues
      7. Case Studies and Examples
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 7 ASSESSMENT
      11. ENDNOTES
    5. 8. Federal Government Information Security and Privacy Regulations
      1. Information Security Challenges Facing the Federal Government
      2. The Federal Information Security Management Act
        1. Purpose and Scope
        2. Main Requirements
          1. Agency Information Security Programs
          2. The Role of NIST
          3. Central Incident Response Center
          4. National Security Systems
        3. Oversight
      3. Protecting Privacy in Federal Information Systems
        1. The Privacy Act of 1974
        2. The E-Government Act of 2002
        3. OMB Breach Notification Policy
      4. Import and Export Control Laws
      5. Case Studies and Examples
        1. Missing Hard Drives
        2. Social Networking Sites
        3. The Future of FISMA
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 8 ASSESSMENT
      9. ENDNOTES
    6. 9. State Laws Protecting Citizen Information and Breach Notification Laws
      1. History of State Actions to Protect Personal Information
        1. ChoicePoint Data Breach
      2. Breach Notification Regulations
        1. California Breach Notification Act
        2. Other Breach Notification Laws
          1. Activities That Constitute a Breach
          2. Entities Covered by the Law
          3. Time for Notification
          4. Contents of Notification
          5. Encryption Requirements
          6. Penalties for Failure to Notify
          7. Private Cause of Action
      3. Data-Specific Security and Privacy Regulations
        1. Minnesota and Nevada: Requiring Businesses to Comply with Payment Card Industry Standards
        2. Indiana: Limiting SSN Use and Disclosure
      4. Encryption Regulations
        1. Massachusetts: Protecting Personal Information
        2. Nevada Law: Standards-Based Encryption
      5. Data Disposal Regulations
        1. Washington: Everyone Has an Obligation
        2. New York: Any Physical Record
      6. Case Studies and Examples
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 9 ASSESSMENT
      10. ENDNOTES
    7. 10. Intellectual Property Law
      1. The Digital Wild West and the Importance of Intellectual Property Law
      2. Legal Ownership and the Importance of Protecting Intellectual Property
      3. Patents
        1. Patent Basics
          1. Patent Requirements
          2. The Patent Process
        2. Infringement and Remedies
        3. What Is the Difference Between Patents and Trade Secrets?
      4. Trademarks
        1. Trademark Basics
          1. Use in Commerce
          2. Distinctive
          3. The Registration Process
        2. Infringement and Remedies
        3. Relationship of Trademarks on Domain Names
      5. Copyright
        1. Copyright Basics
          1. Copyright Registration
        2. Infringement and Remedies
          1. Fair Use
      6. Protecting Copyrights Online—The Digital Millennium Copyright Act (DMCA)
        1. DMCA Basics
          1. Technology Protection Measures
          2. Online Copyright Infringement
          3. Computer Maintenance
        2. DMCA Implementation Concerns
      7. Case Studies and Examples
        1. Trade Secrets
        2. Service Provider Liability for Copyright Infringement
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 10 ASSESSMENT
      11. ENDNOTES
    8. 11. The Role of Contracts
      1. General Contracting Principles
        1. Contract Form
        2. Capacity to Contract
        3. Contract Legality
        4. Form of Offer
        5. Form of Acceptance
        6. Meeting of the Minds
        7. Consideration
        8. Performance and Breach of Contract
        9. Contract Repudiation
      2. Contracting Online
        1. Legal Capacity Online
          1. Form of Offer and Acceptance
            1. E-mail Communications
            2. Text and Instant Messages
            3. Twitter and other Social Networking Sites
        2. Existence and Enforcement
        3. Authenticity and Non-Repudiation
      3. Special Types of Contracts in Cyberspace
        1. Shrinkwrap Contracts
        2. Clickwrap Contracts
        3. Browsewrap Contracts
      4. How Do These Contracts Regulate Behavior?
      5. Emerging Contract Law Issues
        1. Cloud Computing
        2. Information Security Terms in Contracts
          1. Data Definition and Use
          2. General Data Protection Terms
          3. Compliance with Legal and Regulatory Requirements
      6. Case Studies and Examples
        1. Contract Formation via E-mail
        2. Contract Dispute Statistics
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 11 ASSESSMENT
      10. ENDNOTES
    9. 12. Criminal Law and Tort Law Issues in Cyberspace
      1. General Criminal Law Concepts
        1. Main Principles of Criminal Law
          1. Type of Wrongful Conduct
          2. Elements of a Crime
          3. Jurisdiction
        2. Criminal Procedure
      2. Common Criminal Laws Used in Cyberspace
        1. The Computer Fraud and Abuse Act (1984)
        2. Computer Trespass or Intrusion
        3. Theft of Information
        4. Interception of Communications Laws
        5. Spam and Phishing Laws
        6. Cybersquatting
        7. Malicious Acts
        8. Well-Known Cybercrimes
      3. General Tort Law Concepts
        1. Strict Liability Torts
        2. Negligence Torts
        3. Intentional Torts
        4. Civil Procedure
      4. Common Tort Law Actions in Cyberspace
        1. Defamation
        2. Intentional Infliction of Emotional Distress
        3. Trespass Torts
        4. Privacy Violations
      5. Case Studies and Examples
        1. CAN-SPAM Act
        2. Defamation
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 12 ASSESSMENT
      9. ENDNOTES
  7. THREE. Security and Privacy in Organizations
    1. 13. Information Security Governance
      1. What Is Information Security Governance?
        1. Information Security Governance Planning
        2. Common Information Security Governance Roles
        3. Information Security Governance and Management
        4. Information Security Governance in the Federal Government
      2. Information Security Governance Documents
        1. Policies
        2. Standards
        3. Procedures
        4. Guidelines
        5. Creating Information Security Policies
          1. Policy Development Process
      3. Recommended Information Security Policies
        1. Acceptable Use Policies
          1. AUP Terms
          2. Enforcement
        2. Anti-Harassment Policies
          1. Workplace Privacy and Monitoring Policies
        3. Data Retention and Destruction Policies
          1. Data Retention Policies
          2. Data Destruction Policies
        4. Intellectual Property Policies
        5. Authentication and Password Policies
        6. Security Awareness and Training
      4. Case Studies and Examples
        1. Acceptable Use Case Study
        2. Intellectual Property Example
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 13 ASSESSMENT
      8. ENDNOTES
    2. 14. Risk Analysis, Incident Response, and Contingency Planning
      1. Contingency Planning
      2. Risk Management
        1. Risk Assessment Process
          1. Risk Assessment Team
          2. Identifying Assets, Vulnerabilities, and Threats
          3. Likelihood and Potential Loss
            1. Quantitative Risk Analysis
            2. Qualitative Risk Analysis
          4. Document Needed Controls
        2. Risk Response
        3. Training Employees
        4. Continuously Monitoring
      3. Three Types of Contingency Planning
        1. Incident Response Planning
          1. Incident Response Team
          2. IR Plan Process
        2. Disaster Recovery and Business Continuity Planning
          1. DR/BC Team
          2. DR/BC Plan Development
        3. Testing the Plan
      4. Special Considerations
        1. Addressing Compliance Requirements
        2. When to Call the Police
        3. Public Relations
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 14 ASSESSMENT
      8. ENDNOTES
    3. 15. Computer Forensics and Investigations
      1. What Is Computer Forensics?
      2. What Is the Role of a Computer Forensic Examiner?
      3. Collecting, Handling, and Using Digital Evidence
        1. The Investigative Process
          1. Identification
          2. Preservation
          3. Collection
          4. Examination
          5. Presentation
        2. Guiding Principles for Forensic Examination
      4. Legal Issues Involving Digital Evidence
        1. Authority to Collect Evidence
          1. The Fourth Amendment and Search Warrants
          2. Federal Laws Regarding Electronic Data Collection
            1. The Electronic Communications Privacy Act
            2. The Wiretap Act
            3. The Pen Register and Trap and Trace Statute
        2. Admissibility of Evidence
          1. The Hearsay Rule
          2. The Best Evidence Rule
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 15 ASSESSMENT
      8. ENDNOTES
  8. A. Answer Key
  9. B. Standard Acronyms
  10. C. Law and Case Citations
    1. U.S. Federal Laws
    2. Court Rules
    3. Court Cases
  11. D. The Constitution of the United States of America
      1. Article. I.
        1. Section. 1.
        2. Section. 2.
        3. Section. 3.
        4. Section. 4.
        5. Section. 5.
        6. Section. 6.
        7. Section. 7.
        8. Section. 8.
        9. Section. 9.
        10. Section. 10.
      2. Article. II.
        1. Section. 1.
        2. Section. 2.
        3. Section. 3.
        4. Section. 4.
      3. Article III.
        1. Section. 1.
        2. Section. 2.
        3. Section. 3.
      4. Article. IV.
        1. Section. 1.
        2. Section. 2.
        3. Section. 3.
        4. Section. 4.
      5. Article. V.
      6. Article. VI.
      7. Article. VII.
    1. Amendments to the Constitution of the United States of America.
      1. Amendment I (1791)
      2. Amendment II (1791)
      3. Amendment III (1791)
      4. Amendment IV (1791)
      5. Amendment V (1791)
      6. Amendment VI (1791)
      7. Amendment VII (1791)
      8. Amendment VIII (1791)
      9. Amendment IX (1791)
      10. Amendment X (1791)
      11. Amendment XI (1795)
      12. Amendment XII (1804)
      13. Amendment XIII (1865)
        1. Section 1.
        2. Section 2.
      14. Amendment XIV (1868)
        1. Section 1.
        2. Section 2.
        3. Section 3.
        4. Section 4.
        5. Section 5.
      15. Amendment XV (1870)
        1. Section 1.
        2. Section 2.
      16. Amendment XVI (1913)
      17. Amendment XVII (1913)
      18. Amendment XVIII (1919)
        1. Section 1.
        2. Section 2.
        3. Section 3.
      19. Amendment XIX (1920)
      20. Amendment XX (1933)
        1. Section 1.
        2. Section 2.
        3. Section 3.
        4. Section 4.
        5. Section 5.
        6. Section 6.
      21. Amendment XXI (1933)
        1. Section 1.
        2. Section 2.
        3. Section 3.
      22. Amendment XXII (1951)
        1. Section 1.
        2. Section 2.
      23. Amendment XXIII (1961)
        1. Section 1.
        2. Section 2.
      24. Amendment XXIV (1964)
        1. Section 1.
        2. Section 2.
      25. Amendment XXV (1967)
        1. Section 1.
        2. Section 2.
        3. Section 3.
        4. Section 4.
      26. Amendment XXVI (1971)
        1. Section 1.
        2. Section 2.
      27. Amendment XXVII (1992)
  12. Glossary of Key Terms
  13. References