FEDERAL INFORMATION SECURITY LAW

Michael J. Chapple

Office of Information Technologies

University of Notre Dame, Notre Dame, IN 46556

Phone: 574-631-5863

Fax: 574-289-2039

and

Charles R. Crowell

Department of Psychology and Computer Applications Program

University of Notre Dame, Notre Dame, IN 46556

Phone: 574-277-4774

Fax: 574-271-2058

Running Head: FEDERAL INFORMATION SECURITY LAW

Introduction

The American legal system, along with many of its counterparts around the globe, is only beginning to grapple with the legal challenges of the information age. The past decade has witnessed a multitude of new laws and regulations seeking to address these challenges and provide a common framework for the legal and technical professions. Those charged with information security responsibilities face a myriad of complex and often vague requirements. In this article, we establish a four-level taxonomy for federal information security laws and explore the major components of each level.

Background

Mohamed Chawki, in a study of computer crime law, points out that the traditional definition of a computer crime as any crime that involves “the knowledge of computer technology for its perpetration, investigation, or prosecution” is far too broad for practical application (Chawki, 2005, p. 7). In this era of electronic organization, virtually every crime involves computer technology at some point in the investigative process. For example, a common burglary should not be considered a computer crime merely because the booking officer entered data on the crime into a department information system. Similarly, the fact that the criminal looked up driving directions on the Internet should not make a bank robbery a computer crime.

We seek to clarify these issues by creating a general taxonomy of information security laws. Our taxonomy includes the following four levels:

  • Intellectual property laws protect the rights of authors, inventors and creators of other intellectual works. The major categories of intellectual property law are copyright law, trademark law, patent law and trade secret law.
  • Computer-focused crime laws define transgressions and applicable punishments for offenses where the use of a computer is intrinsic to the crime. For example, a law prohibiting the use of a computer to eavesdrop on the electronic mail of a private individual is a computer-focused crime law. It is the very act of using the computer to eavesdrop that is the essential nature of the crime.
  • Computer-related crime laws are those laws that involve the use of a computer but where the criminal activity is not defined by the use of a computer. For example, a law that bans the exchange of child pornography is computer-related, in that the crime may be committed using a computer, but is not computer-focused because it is illegal to exchange child pornography by any means. This category also includes laws that compel communications and computer service providers to assist in criminal investigations, such as the Communications Assistance for Law Enforcement Act (CALEA) and the USA PATRIOT Act.
  • Industry-specific laws do not apply to society as a whole but, rather, govern particular industries, such as the healthcare sector, higher education, or financial institutions. These laws are typically focused on protecting the confidentiality, integrity and/or availability of personal information maintained by those industries. Examples of industry-specific laws include the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act and the Family Educational Rights and Privacy Act (FERPA).

In the remainder of this article, we seek to explore this taxonomy in further detail. While the taxonomy may be applied to any body of law, due to space constraints, this article limits the discussion to federal laws in the United States. A myriad of state and local laws, as well as the laws of other nations, may also be classified under this taxonomy. We mention these briefly in the Future Trends section but leave the actual classification for future work.

It is also important to note that many information security crimes are prosecuted under traditional laws, rather than the specific laws presented in this taxonomy. Smith (2005) points out two examples of this: the charging of an individual with a felony offense for accessing an unprotected wireless network and a school district’s charge of criminal trespass against 13 students who accessed laptops issued to them with an administrative password that was taped to the bottom of the machines.

Intellectual Property Law

The legal principles protecting the rights of owners of creative works date back several centuries. As our society shifts from an industrial economy to a knowledge economy, these laws become increasingly important, as they protect the very essence of our economic engine. These intellectual property laws are critical to any information security program, as they provide the legal basis for protecting the intellectual property rights of individuals and organizations. In this section, we explore the four major areas of intellectual property law: copyrights, trademarks, patents and trade secrets.

On the federal level, the authority to create laws governing intellectual property stems directly from the United States Constitution, which, in Article I, Section 8, states: “The Congress shall have the power to… promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries.”

Copyrights

Copyrights protect any original work of authorship from unauthorized duplication or distribution. The Copyright Act defines eight categories that constitute covered works (Copyright Act, 1976):

  • Literary works
  • Musical works
  • Dramatic works
  • Pantomimes and choreographic works
  • Pictorial, graphic and sculptural works
  • Motion pictures and other audiovisual works
  • Sound recordings
  • Architectural works

The first category, literary works, is broadly interpreted to include almost any written work. This category has traditionally been used to include computer software, web content and a variety of other works of direct interest to information security professionals.

Copyright protection attaches automatically when an original work is fixed in a tangible medium; neither registration with the U.S. Copyright Office nor a copyright notice is required. Both remain good practice: registration is a prerequisite for bringing an infringement suit over a U.S. work and for recovering statutory damages and attorney's fees, and a notice (the year of first publication and the name of the copyright holder) defeats an infringer's claim of innocent infringement. For works created on or after January 1, 1978, protection lasts for 70 years after the death of the last surviving author. Works made for hire and anonymous or pseudonymous works are protected for 95 years from publication or 120 years from creation, whichever expires first.

Trademarks

Trademark law protects words, phrases and designs that identify the products or services of a firm. The essential characteristic of a trademark is that it must uniquely distinguish the trademark holder’s goods or services from those of other providers. Therefore, trademarks may not be simply descriptive of the product or service but must contain the element of uniqueness. For example, it would not be possible to gain trademark protection on the term “blue automobile,” while it may be possible to gain protection for the term “Blue Streak Automobiles.”

Trademark protection is afforded by the Lanham Act (1946). The U.S. Patent and Trademark Office grants registrations with an initial duration of 10 years and the option to renew.

Patents

Patents protect inventions, processes and designs. They grant the inventor substantial protection in the form of exclusive rights to the patented concept. To guard against abuse of this privilege, the U.S. Patent and Trademark Office strictly governs the issuance of patents. The three requirements for patent protection are that the invention must be novel, useful, and non-obvious. Utility patents (those granted for inventions or processes) are valid for 20 years from the application's filing date; the 17-years-from-grant term sometimes cited applies only to patents filed before June 8, 1995. Design patents are valid for 14 years from grant (15 years for applications filed on or after May 13, 2015) (Patent Act, 1952, as amended).

Trade Secrets

The Economic Espionage Act of 1996 makes it illegal to steal, misappropriate, duplicate or knowingly receive or possess a trade secret without appropriate permission. Trade secrets include any information that “derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by the public” and is the subject of “reasonable measures to keep such information secret” (Economic Espionage Act, 1996).

When designing an information security program, it is essential to recognize that trade secrets are defined by the confidentiality protection afforded them. If an organization fails to take reasonable efforts to maintain the confidentiality of a trade secret, this protection is lost. This is a major departure from patent protection, which requires public disclosure of the invention. Public disclosure of a trade secret nullifies the protection afforded to that secret and effectively releases it into the public domain.

Unlike patents, however, trade secrets have no defined period of validity. As long as a trade secret continues to meet the eligibility criteria, it enjoys indefinite protection under the law. Note that the Economic Espionage Act is a criminal statute; civil remedies for misappropriation come from state law (most states have adopted the Uniform Trade Secrets Act) and, since 2016, from the federal Defend Trade Secrets Act.

Digital Millennium Copyright Act

The Digital Millennium Copyright Act (DMCA) of 1998 instituted a number of significant changes in U.S. copyright law. In addition to procedural changes required to implement World Intellectual Property Organization (WIPO) treaties, DMCA makes several modifications to the law designed to accommodate the changing digital environment of the Internet. For example, DMCA offers a safe harbor provision for Internet service providers, absolving them of liability for the infringing acts of customers, provided that they adopt and reasonably implement a policy of terminating the accounts of repeat infringers, do not interfere with standard technical measures used by copyright holders to protect their works, and, for material hosted at the direction of users, designate an agent to receive infringement notices and expeditiously remove or disable access to material identified in a valid notice. If providers meet these requirements, they are protected from liability arising from transitory communications, system caching, information residing on systems or networks at the direction of users and information location tools (such as search engines). Of more direct concern to security practitioners, the Act's anti-circumvention provisions (17 U.S.C. § 1201) prohibit circumventing a technological measure that controls access to a copyrighted work, and trafficking in tools for doing so, subject to narrow statutory exemptions such as those for good-faith encryption research and security testing. Because the Act also creates criminal offenses (willful circumvention or trafficking for commercial advantage or private financial gain), it could also be classified under the computer-related crime law category in this taxonomy. However, due to its focus on intellectual property issues, we place it in this category.

Computer-Focused Crime Law

Computer-focused crime laws center upon the transgressions and associated punishments when the use of a computer is intrinsic to the crime. When drafting computer-focused crime laws, legislators have the specific intent of outlawing the use of a computer to commit a crime. This category is separate and distinct from the next category, computer-related crime laws, which cover crimes in which the perpetrator may use a computer merely as a support tool. In this section, we look at two of the major computer-focused crime laws: the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act.

Computer Fraud and Abuse Act

Congress passed the Computer Fraud and Abuse Act (CFAA) in 1986 and later amended it in 1994, 1996 and 2001 to reflect the rapidly changing digital environment. Originally intended to protect data contained on the computers of government agencies and financial institutions, the amendments expanded the scope of the Act to any “protected computer,” a term that now covers any computer used in or affecting interstate or foreign commerce or communication (Burke, 2001). Offenses under the Computer Fraud and Abuse Act include:

  • Gaining unauthorized access to a computer and obtaining national security data
  • Gaining unauthorized access to a computer and obtaining any information
  • Gaining unauthorized access to a computer used by or for the federal government and affecting the use of that system by the federal government
  • Gaining unauthorized access to a computer with intent to defraud and obtaining anything of value (use of the computer itself counts only if that use is worth more than $5,000 in a one-year period)
  • Knowingly causing the transmission of a program, code or command that intentionally causes damage, or gaining unauthorized access to a computer and causing damage, where the damage:
      • Causes aggregate loss of $5,000 or more in a one-year period
      • Affects the medical examination, diagnosis, treatment or care of one or more individuals
      • Causes physical injury to any person
      • Poses a threat to public health or safety
      • Affects a system used by or for a government entity in the administration of justice, national defense or national security
  • Trafficking, with intent to defraud, in passwords or similar information through which a computer may be accessed without authorization
  • Transmitting, with intent to extort, a threat to cause damage to a protected computer

In the offenses listed above, “gaining unauthorized access” means accessing a computer without authorization or exceeding authorized access (using authorized access to obtain or alter information one is not entitled to obtain or alter), and “computer” means a protected computer within the meaning of the Act unless the offense specifies otherwise. Because every one of these offenses turns on whether access was authorized, an organization's written authorizations (for example, the agreed scope of a penetration test) and its acceptable-use policies are what establish that boundary, and they should be kept current and unambiguous.

Electronic Communications Privacy Act

The Electronic Communications Privacy Act (ECPA) of 1986 protects the rights of individuals who may become the subject of electronic surveillance by government agencies or other third parties. It comprises three titles: the Wiretap Act, the Stored Communications Act (SCA), and the pen register and trap-and-trace provisions governing the capture of dialing, routing and addressing information; the first two are the most relevant here. The Wiretap Act makes it illegal to intercept (or attempt to intercept) any wire, oral or electronic communication in transit outside of several specific circumstances identified in the law, such as interception under a court order, interception with the consent of a party to the communication, interception by a service provider as a necessary incident to providing the service or to protecting its rights or property, and monitoring with equipment used in the ordinary course of business (the basis for quality assurance monitoring). The provider exception is what permits an organization's own network security monitoring, but it is prudent to pair such monitoring with a published policy and logon banner that establish consent, since monitoring that strays beyond protecting the provider's systems may fall outside the exception. The SCA protects communications held in storage by a service provider against unauthorized access or alteration. It further protects stored communications against actions that prevent authorized access to those communications.

Computer-Related Crime Law

The third category in our taxonomy, computer-related crime laws, includes laws that govern crimes which commonly involve the use of a computer but do not meet the criteria of a computer-focused crime.

Child Pornography Laws

Society has long held the tenet that any molestation or exploitation of children via the creation or distribution of pornography is objectionable and has codified this abhorrence in the law. Unfortunately, the growth of the Internet has led to an increased ability of child pornography traffickers to market their wares with a greater degree of anonymity. This technological shift required a corresponding shift in the law. At the federal level, Congress enacted and amended a number of laws to ban child pornography on the Internet.

The majority of child pornography prosecutions take place under Title 18, Section 2252 of the United States Code (Waters, 1997). This law bans the interstate or foreign transportation of sexually explicit materials that involve minors and was amended specifically to include the transmission of such materials through the use of a computer.

The Child Protection and Obscenity Enforcement Act of 1988 requires that the producers of sexually explicit materials maintain documented records of the ages of all actors and models used in their productions.

The Communications Decency Act of 1996 was originally intended to ban the transmission of obscene and indecent images to any recipient who was less than 18 years of age. The courts overturned the indecency provisions of this Act on constitutional grounds, but the obscenity provisions still may be used to prosecute child pornographers who transmit images to minors.

Identity Theft and Assumption Deterrence Act

The Identity Theft and Assumption Deterrence Act of 1998 amended federal law to address computer-related elements encompassed by the crime of identity theft. Specifically, Congress outlawed the possession or use of electronic devices, computer hardware and computer software designed primarily for the production of false identity documents. This Act also modified the definition of “means of identification” under the law to include biometric data, electronic identification numbers, addresses or routing codes, and telecommunication identifying information or access codes.

USA PATRIOT Act

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act enhances the authority granted to the federal government when conducting counterterrorism operations and places additional requirements on service providers. In a legal summary of the act, Iuliano (2003) notes that the critical changes that impact information security programs are that the Act:

  • Exempts voicemail from wiretap requirements, allowing law enforcement officials access through a search warrant
  • Provides law enforcement officials with authority to track and monitor Internet traffic
  • Increases penalties for computer-focused crimes

Communications Assistance for Law Enforcement Act

Law enforcement agencies have long employed court-ordered wiretaps in investigations to obtain evidence of criminal activity. Until the past two decades, agents could implement these wiretaps simply by attaching electronic eavesdropping devices to an analog telephone network. The emergence of digital and mobile communications devices increased the technical difficulty of implementing wiretaps and caused Congress to pass the Communications Assistance for Law Enforcement Act (CALEA) of 1994. CALEA requires that communications providers cooperate with law enforcement efforts to obtain wiretaps and to do so in a manner that cannot be detected by the communicating parties.

For ten years, both the government and telecommunications providers interpreted CALEA to apply to voice communications over telephone networks. In a 2004 notice of proposed rulemaking, the Federal Communications Commission stated that it intended to apply CALEA to facilities-based broadband Internet access providers and interconnected voice-over-IP services (Federal Communications Commission, 2004), a position it adopted in a 2005 order. This new interpretation of CALEA raises a number of critical issues, as it requires service providers to make substantial equipment investments in order to comply. For example, a coalition of higher education organizations illustrated these issues in a response to the Federal Communications Commission's proposal, arguing that the proposed interpretation would impose an unjustified cost burden upon academia (Higher Education Coalition, 2005).

Industry-Specific Law

In addition to the broad laws identified in the previous sections of this taxonomy, there are a number of laws that apply to specific industries, due to their unique access to sensitive data. These include regulations on healthcare providers, financial institutions, public corporations, and others.

Children's Online Privacy Protection Act

The Children's Online Privacy Protection Act (COPPA) of 1998 regulates the collection of personal information from minors by web sites and online services. It requires operators to obtain verifiable parental consent before knowingly collecting personal information from children under the age of 13. It also requires that these operators provide parents with any information collected from their children, offer them the opportunity to revoke consent, and delete such information at any time upon parental request. As Isenberg (2000) points out, the cost of compliance with this Act may be steep. He illustrates this point through the case of SurfMonkey, a site which reportedly spent over $50,000 on COPPA compliance and instituted a 4,673-word privacy policy.