Examples of Statutes
As several cases from the 1980s showed, early prosecution of computer crime was hampered by a poor appreciation of the nature and seriousness of offenses involving computers. Although theft, harm to persons, and damage to property have long been crimes, new laws were in some cases needed to make it obvious to the courts which computer-related behavior was unacceptable. Most states now have laws covering computer crime of one sort or another, and computer-related crimes now appear in sentencing guidelines.
In this section we highlight a few of the laws defining aspects of crime against or using computers.
U.S. Computer Fraud and Abuse Act
The primary federal statute, 18 USC 1030, was enacted in 1984 and has been amended several times since. This statute prohibits
unauthorized access to a computer containing data protected for national defense or foreign relations concerns
unauthorized access to a computer containing certain banking or financial information
unauthorized access, use, modification, destruction, or disclosure of a computer or information in a computer operated on behalf of the U.S. government
accessing without permission a "protected computer," which the courts now interpret to include any computer connected to the Internet
computer fraud
transmitting code that causes damage to a computer system or network
trafficking in computer passwords
Penalties range from $5,000 to $100,000 or twice the value obtained by the offense, whichever is higher, or imprisonment from 1 year to 20 years, or both.
U.S. Economic Espionage Act
This 1996 act outlaws the use of a computer for espionage that benefits a foreign government or business, and the theft of trade secrets.
U.S. Electronic Funds Transfer Act
This law prohibits the use, transport, sale, receipt, or supply of counterfeit, stolen, altered, lost, or fraudulently obtained debit instruments in interstate or foreign commerce.
U.S. Freedom of Information Act
The Freedom of Information Act provides public access to information collected by the executive branch of the federal government. The act requires disclosure of any available data unless the data fall under one of several specific exceptions, such as national security or personal privacy. The law's original intent was to release to individuals any information the government had collected on them. However, more corporations than individuals file requests, using them as a means of learning about the workings of the government. Even foreign governments can file for information. This act applies only to government agencies, although similar laws could require disclosure from private sources. The law's effect is to require increased classification and protection for sensitive information.
U.S. Privacy Act
The Privacy Act of 1974 protects the privacy of personal data collected by the government. An individual is allowed to determine what data have been collected on him or her, for what purpose, and to whom such information has been disseminated. An additional use of the law is to prevent one government agency from accessing data collected by another agency for a different purpose. This act requires diligent efforts to preserve the secrecy of private data collected.
U.S. Electronic Communications Privacy Act
This law, enacted in 1986, protects against electronic wiretapping. There are some important qualifications. First, law enforcement agencies are always allowed to obtain a court order to access communications or records of them, and a separate statute, the Communications Assistance for Law Enforcement Act (CALEA) of 1994, which the FCC later extended to broadband Internet providers, requires carriers to install equipment as needed to permit these court-ordered wiretaps. Second, the act allows Internet service providers to read the content of communications in order to maintain service or to protect the provider itself from damage. So, for example, a provider could monitor traffic for viruses.
Gramm-Leach-Bliley
The U.S. Gramm-Leach-Bliley Act (Public Law 106-102) of 1999 covers privacy of data for customers of financial institutions. Each institution must have a privacy policy of which it informs its customers, and customers must be given the opportunity to reject any use of the data beyond the necessary business uses for which the private data were collected. The act and its implementing regulations also require financial institutions to undergo a detailed security-risk assessment. Based on the results of that assessment, the institution must adopt a comprehensive "information security program" designed to protect against unauthorized access to or use of customers' nonpublic personal information.
HIPAA
In 1996, Public Law 104-191, the Health Insurance Portability and Accountability Act (HIPAA), was passed in the United States. Although the first part of the law concerned the rights of workers to maintain health insurance coverage after their employment was terminated, the second part of the law required protection of the privacy of individuals' medical records. HIPAA and its associated implementation standards mandate protection of "individually identifiable healthcare information," that is, medical data that can be associated with an identifiable individual. To protect the privacy of individuals' healthcare data, healthcare providers must perform standard security practices, such as the following:
Enforce need to know.
Ensure minimum necessary disclosure.
Designate a privacy officer.
Document information security practices.
Track disclosures of information.
Develop a method for patients' inspection and copying of their information.
Train staff at least every three years.
Perhaps most far-reaching is the requirement for healthcare organizations to develop "business associate contracts," which are coordinated agreements on how data shared among entities will be protected. This requirement could affect the sharing and transmittal of patient information among doctors, clinics, laboratories, hospitals, insurers, and any other organizations that handle such data.
USA Patriot Act
Passed in 2001 in reaction to terrorist attacks in the United States, the USA Patriot Act includes a number of provisions supporting law enforcement's access to electronic communications. Under this act, law enforcement need only convince a court that a target is probably an agent of a foreign power in order to obtain a wiretap order. The main computer security provision of the Patriot Act is an amendment to the Computer Fraud and Abuse Act:
Knowingly causing the transmission of code resulting in damage to a protected computer is a felony.
Recklessly causing damage to a computer system as a consequence of unauthorized access is also a felony.
Causing damage (even unintentionally) as a consequence of unauthorized access to a protected computer is a misdemeanor.
The CAN-SPAM Act
Unsolicited "junk" e-mail, or spam, is certainly a problem. Analysts estimate that as much as 70 percent of all e-mail traffic is spam.
To address pressure from their constituents, in 2003 U.S. lawmakers passed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. (One wonders how many staff members it took to find a sequence of words to yield that acronym.) Key requirements of the law are these:
It bans false or misleading header information.
It prohibits deceptive subject lines.
It requires commercial e-mail to give recipients an opt-out method.
It bans sale or transfer of e-mail addresses of people who have opted out.
It requires that commercial e-mail be identified as an advertisement.
Critics of the law point out that it preempts state laws, and some states had stronger laws. It can also be read as permitting commercial e-mail as long as the mail is not deceptive. Finally, and most importantly, it does little to regulate spam that comes from offshore: a spam sender simply sends spam from a foreign mailer, perhaps in a country more interested in generating business for its national ISPs than in controlling worldwide junk e-mail. The most telling result: the volume of spam has not declined since the law was passed.
California Breach Notification
The first state in the U.S. to enact such a law, California passed SB 1386, effective in 2003. This law requires any company doing business in California, and any California government agency, to notify individuals of any breach that has, or is reasonably believed to have, compromised personal information on any California resident. As a state law, it is limited to California residents and to companies doing business in California. At least 20 other states have since followed with some form of breach notification law.
The most widely reported application of the law came in February 2005, when ChoicePoint disclosed that some California residents had been affected by the loss of 145,000 pieces of personal identity information. Initially only the affected California residents were informed, but after news of that disclosure became public, ChoicePoint revealed how many people in total were involved and began notifying them.