Copyright Goodheart-Willcox Co., Inc. Chapter 2 Information Security Fundamentals 59

located outside the United States may also have to comply with legal regulations set by those countries. For example, the European Union (EU) adopted strong data privacy rules, the General Data Protection Regulation (GDPR) act. The GDPR act was adopted in April 2016. Enforcement began in May 2018. Any company with business or customer interests in the EU must be compliant with this act.

Some of the major federal US laws that apply to cybersecurity measures include the Computer Fraud and Abuse Act (CFAA), the Electronic Communication Privacy Act (ECPA), the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), and the Health Insurance Portability and Accountability Act (HIPAA). The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules that also applies to businesses that accept credit cards. In addition to federal law and compliance regulations, many states have their own computer security laws. These must be followed if a company conducts business within the state that enacted the law.

Laws and Standards

Laws are enacted by the government. Federal laws are passed by Congress, as shown in Figure 2-17. They apply everywhere throughout the country. State laws are passed by individual state legislatures. They apply only within the state. Standards are different from laws. An industry standard is a set of rules adopted by a particular industry. Businesses in that industry agree to follow the rules in the standard.

Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) deals with unauthorized access of computers. It covers primarily protected computers located on US governmental systems, financial institutions, and interstate or foreign communication. In theory, most computers and cell phones are probably covered under this law. The law was originally enacted in 1986. It has been updated several times since it first took effect.

While there are many specific aspects to the law, some of its main points deal with individuals who knowingly access computers they are not authorized to access. The law covers both criminal and civil litigation. Many computer hackers have found themselves prosecuted under this law. Criminal penalties include fines and imprisonment. Fines could also be assessed in civil litigation.

There are many critics of the law. Much of the criticism is due in part to the very broad nature of the law, which has resulted in some controversial prosecutions. One of the most debated prosecutions was of Aaron Swartz. He connected his computer to the MIT network and downloaded 2.7 million academic papers. These papers were freely available to anyone on campus, including visitors, by using the JSTOR service. JSTOR (pronounced jay-store) is a nonprofit organization that maintains a large digital library and collaborates with academic institutions. In Swartz's case, JSTOR did not file a complaint over the downloads, but the Justice Department ultimately charged him with 13 felony counts. The possible penalties included jail time of 50 years and fines of up to a million dollars.

The CFAA has been used to prosecute unauthorized access, such as the case of Matthew Keys, a former Social Media Editor for Reuters. After being fired from

Bulent Demir/Shutterstock.com
Figure 2-17. Congress passes federal laws that apply throughout the United States.