
Rethinking The Security of Data in Light of Modern It: What Is at Risk?

The document discusses the risks to corporate data and personal information in the modern IT landscape. It outlines the types of sensitive data that could pose risks if subject to a security breach, including trade secrets, confidential business information, and personal consumer information. It also discusses security measures like physical security, technical security, personnel policies, and operational security that can help mitigate these risks.

Uploaded by

George Kariuki

Modern business is all but dependent upon information technology (IT), and
reliance on the exchange of electronic information is rapidly becoming
entrenched in our day-to-day personal lives (e.g., through the Internet, wireless
devices, and other interactive means of data transfer). To an ever greater
degree, business relies on technologies that connect with its customers, and
with other businesses, for example, to streamline supply routes, control
inventory, and minimize time to market, exchange services and products in
business-to-business trade platforms, enhance distribution channels, boost
sales through e-commerce, improve fulfillment operations, and enrich customer
databases with valuable information concerning customer spending patterns
and the like. There are, in fact, companies,

RETHINKING THE SECURITY OF DATA IN LIGHT OF MODERN IT
Modern IT, and particularly the Internet, has caused a rethinking of how corporate
data and personal information should be handled. Most of that information is now
in electronic form. It is quite common now for a business's key information to
reside in an electronic data format, sometimes never being transformed into paper
hardcopy at all. Because it can be easily accessed, copied, and widely distributed
in electronic form, via the Internet for
WHAT IS AT RISK?
CORPORATE DATA AND PERSONAL INFORMATION
Corporate data are often a valuable asset. Trade secrets, confidential business
information such as customer lists, and other sensitive business information such
as internal operating procedures are guarded with great care, are protected from
unauthorized disclosure to outsiders, and should be secured.
Additionally, the personal information of employees and consumers (sometimes
referred to in legal texts as nonpublic personal information, personally
identifiable information, or simply personal data), such as contact information,
financial data and transaction records, and personal health information, is
generally viewed as private and confidential to the individual and therefore
protected against unauthorized access by and disclosure to third parties. It is not
uncommon for a business to invest in the security of human management and
payroll systems to ensure adequate protection of information about employees.
Nor is it unusual for a business to safeguard consumer information, not only
because its unauthorized disclosure may pose a risk of regulatory noncompliance,
but also because such information may be considered a valuable asset, the
disclosure of which could result in a competitive loss in the marketplace.
Nature of the Data
Data of little commercial value, or that are not highly private to an individual,
may pose little risk. However, data that may pose a distinct risk if subject to a
security breach, and that may result in liability, could include sensitive
information such as the following:
1. Company trade secrets, which may include customer lists or
business methods. Rights in trade secrets are governed by state
law (Roton Barrier, Inc. v. Stanley Works, 1996). The Restatement
of Torts acknowledges that a customer list may be a trade secret (see
Restatement of Torts §757, Comment b). A business must protect
the secrecy of a trade secret to retain its trade secret status
(see Defiance Button Machine Co. v. C&C Metal Products Corp.,
1985, in which rights in a customer list were forfeited because
information was not kept confidential).
2. Information that may not necessarily be a trade secret, but which a
business nonetheless considers to be confidential (e.g., price lists,
internal policy manuals) and does not want disclosed to certain
other parties (e.g., competitors) or publicly (see Overholt Crop
Insurance Service Co. v. Travis, 1991, in which the court enforced a
company's rights in its customer information that had been revealed
under a confidential relationship, even if the information was
“technically not a trade secret”).
3. Confidential information of a business partner, of a contracting
entity, or of a business customer and of which an organization is in
possession and for which the organization has agreed to keep
confidential (e.g., through a contract, such as a nondisclosure
agreement).
4. Information collected from or about a consumer (such as contact
information, demographic information, transaction records, credit
report data, purchasing habits, or Web site surfing activity), which
may be subject to:
(a) Specific laws governing redisclosure and use of consumer information,
such as financial information and medical records. Examples of such laws
include the Financial Services Modernization Act of 1999 (more
commonly known as the Gramm-Leach-Bliley Act or GLB), which
governs the protection of “personally identifiable financial information,”
and the Health Insurance Portability and Accountability Act (HIPAA),
which governs the protection of “protected health information.” In Europe,
the Data Protection Directive (1995) governs generally the protection of
“personal data.”
(b) More general consumer protection laws governing personal
information of consumers. Examples of such laws include the Federal
Trade Commission Act (FTCA, 1914) and individual state consumer
protection laws.
(c) A commitment by the business to keep the consumer's information
private, such as in a Web site privacy policy or in a legally required privacy
notice (such as a GLB notice).
At the preventive stage, there are several security considerations, the evaluation
of which provides a good framework for assessing and testing security controls:
Physical security. Physical security refers to the security measures in place to
prevent unauthorized physical entry to the location at which computer equipment
is located and may include such relatively simple measures as locked entryways
and access to central computing rooms via authorized identification card only or
more sophisticated measures such as biometric screening systems such as
fingerprint or retinal scan recognition. Ordinarily, locked entryways and access
restricted to authorized identification cards would suffice, but other measures
may be considered when highly sensitive data are at issue.
Technical security. Technical security encompasses the use of logical security,
which includes implementation of hardware and software designed specifically
to secure data. Logical security has been defined as “security measures for
controlling access to electronic information resources through logical means
(e.g., via software or network controls), procedural controls related to software
development and change control, security of data, communications, and reduction
of risk from harmful and intrusive computer software.” See “University of
Central Florida” (2001).
Personnel and administrative security (employee and consultant policies and
procedures). The nature of the data may warrant that they be accessed by a limited
number of personnel having higher security clearance. Moreover, personnel with
access should be trained as to the business' policies and procedures with regard
to the use and disclosure of such data. There should also be fail checks built
into the system, or some sort of counterintelligence mechanisms, to identify
individuals who may not follow procedures or who may, themselves, seek to access,
copy, steal, or release data improperly. Background checks may be made on persons
being considered for hire as employees or to be retained as consultants who are
expected to have access to sensitive data or to the systems that store or transmit
such data. Adequate training and ongoing support may minimize the risk of data
being inadvertently deleted or altered by human error or ignorance. Adequately
trained personnel should administer the business' security policies and procedures.
Operational security. The overall operations of the business should be guided by
a security policy that takes into account the unique risks and vulnerabilities
associated with the attendant business practices, which will include several of the
foregoing security concerns.
Corruption, Destruction, or Loss of Data. Liability may also arise from the
corruption, destruction, or loss of data. Where a business has contracted with
another to process certain data, implicit in which is the maintenance or
preservation of those data, or where a business expressly agrees to preserve
data (such as where a contract contemplates routine backup of data), the
corruption or loss of those data may lead to contractual liability. Adequate
procedures with respect to the handling of the data, as well as backup and
disaster recovery practices, should mitigate the potential for such loss.
Unauthorized Access, Use, and Disclosure. Information of a sensitive nature—
for example, corporate trade secrets, confidential information of a business
partner, or personal information of consumers—poses a distinct risk of liability
if it is not properly safeguarded. Most organizations recognize that this
information should be kept confidential. Not all organizations, however,
appreciate how their IT infrastructure and policies impact the potential for
liability.

Internet
Web Sites and the Internet
An overriding consideration in any legal assessment is whether the data are
collected from or accessible to the outside. Where an organization collects
information through a Web site or stores data on a server connected to the
Internet, the potential for unauthorized access and disclosure to someone outside
the organization may be greater than with a closed system. Furthermore, data that
are transmitted or stored unencrypted are at greater risk if intercepted or otherwise
accessed by an intruder. Consumer data collected via a Web site may also subject
a business to certain obligations under consumer protection laws, or perhaps
contractual liability under the business's own privacy policy if the terms in that
policy are not followed.
Outsourcing and Subcontracting
Utilizing third-party service providers may be an attractive option where such
providers are, given the efficiencies created by their niche expertise or their
economies of scale, capable of providing a service at reduced costs when
compared with supporting the service in-house. In other instances, there may be
no alternative to engaging an IT service provider, as is typically the case with a
telecommunications provider. Furthermore, vendors that concentrate on
providing a particular service may have expertise in an area that may be difficult
to replicate in-house. A hosting company is a good example. Many hosting
companies maintain large server farms on which they host many Web sites for
their customers. A hosting company often negotiates favorable terms with
hardware and software providers, and with an Int

Legal, Privacy, and Ethical Issues in Computer Security


In this chapter:

• Program and data protection by patents, copyrights, and trademarks
• Computer crime
• Privacy
• Ethical analysis of computer security situations
• Codes of professional ethics

First, the courts tend to be reactive instead of proactive. That is, we have
to wait for a transgression to occur and then adjudicate it, rather than try
to prevent it in the first place. Second, fixing a problem through the courts
can be time consuming (sometimes taking years) and expensive; the latter
characteristic prevents all but the wealthy from addressing most security
issues.

Therefore, we have three motivations for studying the legal section of this
chapter:

• to know what protection the law provides for computers and data
• to appreciate laws that protect the rights of others with respect to
computers, programs, and data
• to understand existing laws as a basis for recommending new laws to
protect computers, data, and people

The next few sections address the following aspects of protection of the security
of computers.

• Protecting computing systems against criminals. Computer criminals
violate the principles of confidentiality, integrity, and availability for
computer systems. Preventing the violation is better than prosecuting it
after the fact. However, if other controls fail, legal action may be necessary.
In this section we study several representative laws to determine what acts
are punishable under the law.
• Protecting code and data. Copyrights, patents, and trade secrets are all
forms of legal protection that can be applied to programs and, sometimes,
data. However, we must understand the fundamental differences between
the kind of protection these three provide and the methods of obtaining that
protection.
• Protecting programmers' and employers' rights. The law protects both
programmers and people who employ programmers. Generally,
programmers have only limited legal rights to access programs they have
written while employed. This section contains a survey of the rights of
employees and employers regarding programs written for pay.
• Protecting private data about individuals. We also consider the legal right
of privacy. The private affairs of every individual are protected by laws.
Computer security systems must be adequate to prevent unauthorized
disclosure of sensitive data about individuals. This section describes
sensitive data that must be protected.
• Protecting users of programs. When you buy a program, you expect it to
work properly. If it doesn't, you want the legal system to protect your rights
as a consumer. This section surveys the legal recourse you have to address
faulty programs.

Computer law is complex and emerging rather rapidly as it tries to keep up with
the rapid technological advances in and enabled by computing. We present the
fundamentals in this book not in their full detail as you would expect by someone
with a law degree, but as a situational analysis to heighten the awareness of those
who are not lawyers but who must deal with the law's implications. You should
consult a lawyer who understands and specializes in computer law in order to
apply the material of this section to any specific case. And, as most lawyers will
advise, ensuring legal protection by doing things correctly from the beginning is
far easier—and cheaper—than hiring a lawyer to sort out a web of conflict after
things have gone wrong.


Table 9-1 shows how these three forms of protection compare in
several significant ways.

Table 9-1. Comparing Copyright, Patent, and Trade Secret Protection.

| | Copyright | Patent | Trade Secret |
|---|---|---|---|
| Protects | Expression of idea, not idea itself | Invention—the way something works | A secret, competitive advantage |
| Protected object made public | Yes; intention is to promote publication | Design filed at Patent Office | No |
| Requirement to distribute | Yes | No | No |
| Ease of filing | Very easy, do-it-yourself | Very complicated; specialist lawyer suggested | No filing |
| Duration | Life of human originator plus 70 years, or total of 95 years for a company | 19 years | Indefinite |
| Legal protection | Sue if unauthorized copy sold | Sue if invention copied | Sue if secret improperly obtained |

Information Is Not Depletable

Unlike tangible things and services, information can be sold again and
again without depleting stock or diminishing quality. For example, a
credit bureau can sell the same credit report on an individual to an
unlimited number of requesting clients. Each client pays for the
information in the report. The report may be delivered on some tangible
medium, such as paper, but it is the information, not the medium, that has
the value.

Information Can Be Replicated

The value of information is what the buyer will pay the seller. But after
having bought the information, the buyer can then become a seller and
can potentially deprive the original seller of further sales. Because
information is not depletable, the buyer can enjoy or use the information
and can also sell it many times over, perhaps even making a profit.

Information Has a Minimal Marginal Cost

The marginal cost of an item is the cost to produce another one after
having produced some already. If a newspaper sold only one copy on a
particular day, that one issue would be prohibitively expensive because it
would have to cover the day's cost (salary and benefits) of all the writers,
editors, and production staff, as well as a share of the cost of all equipment
for its production. These are fixed costs needed to produce a first copy.

The Value of Information Is Often Time Dependent

If you knew for certain what the trading price of a share of Microsoft stock
would be next week, that information would be extremely valuable
because you could make an enormous profit on the stock market. Of
course, that price cannot be known today. But suppose you knew that
Microsoft was certain to announce something next week that would cause
the price to rise or fall. That information would be almost as valuable as
knowing the exact price, and it could be known in advance. However,
knowing yesterday's price for Mic

Information Is Often Transferred Intangibly

A newspaper is a printed artifact. The news agent hands it to a customer,
who walks away with it. Both the seller and the buyer realize and
acknowledge that something has been acquired. Furthermore, it is evident
if the newspaper is seriously damaged; if a serious production flaw
appears in the middle, the defect is easy to point out.

epted by the legal system.

Why Computer Crime Is Hard to Define

From these examples, it is clear that the legal community has not
accommodated advances in computers as rapidly as has the rest of society.
Some people in the legal process do not understand computers and
computing, so crimes involving computers are not always treated
properly. Creating and changing laws are slow processes, intended to
involve substantial thought about the effects of proposed changes. This
deliberate process is very much out of pace with a technology that is
progressing as fast as computing.

Adding to the problem of a rapidly changing technology, a computer can
perform many roles in a crime. A particular computer can be the subject,
object, or medium of a crime. A computer can be attacked (attempted
unauthorized access), used to attack (impersonating a legitimate node on
a network), and used as a means to commit crime (Trojan horse or fake
login). Computer crime statutes must address all of these evils.
Why Computer Crime Is Hard to Prosecute

Even when everyone acknowledges that a computer crime has been
committed, computer crime is hard to prosecute for the following reasons.

• Lack of understanding. Courts, lawyers, police agents, or jurors do not
necessarily understand computers. Many judges began practicing law
before the invention of computers, and most began before the widespread
use of the personal computer. Fortunately, computer literacy in the courts
is improving as judges, lawyers, and police officers use computers in their
daily activities.
• Lack of physical evidence. Police and courts have for years depended on
tangible evidence, such as fingerprints. As readers of Sherlock Holmes
know, seemingly minuscule clues can lead to solutions to the most
complicated crimes (or so Doyle would have you believe). But with many
computer crimes there simply are no fingerprints and no physical clues of
any sort.
• Lack of recognition of assets. We know what cash is, or diamonds, or even
negotiable securities. But are twenty invisible magnetic spots really
equivalent to a million dollars? Is computer time an asset? What is the
value of stolen computer time if the system would have been idle during
the time of the theft?
• Lack of political impact. Solving and obtaining a conviction for a murder
or robbery is popular with the public, and so it gets high priority with
prosecutors and police chiefs. Solving and obtaining a conviction for an
obscure high-tech crime, especially one not involving obvious and
significant loss, may get less attention. However, as computing becomes
more pervasive, the visibility and impact of computer crime will increase.
• Complexity of Case. Basic crimes that everyone understands, such as
murder, kidnapping, or auto theft, can be easy to prosecute. A complex
money-laundering or tax fraud case may be more difficult to present to a
jury because jurors have a hard time following a circuitous accounting trail.
But the hardest crime to present may be a high-tech crime, described, for
example, as root access by a buffer overflow in which memory was
overwritten by other instructions, which allowed the attacker to copy and
execute code at will and then delete the code, eliminating all traces of entry
(after disabling the audit logging, of course).
• Juveniles. Many computer crimes are committed by juveniles. Society
understands immaturity and disregards even very serious crimes by
juveniles because the juveniles did not understand the impact of their
actions. A more serious, related problem is that many adults see juvenile
computer crimes as childhood pranks, the modern equivalent of tipping
over an outhouse.

Threats to Privacy

Many of the threats to privacy are not new. Bribing insiders, especially
poorly paid ones, has worked for centuries. A break-in usually involves
loss of some valuables, such as jewelry, silver, or electronics. But who can
say whether the laptop computer was stolen just because it was a
computer or because it contained sensitive data? And public records have
been, by definition, open to the public. So loss of the privacy in those
records is not new. Or is it?
TRANSACTIONS PERFORMED BY THE PERSON: ATM, CREDIT CARDS, CELL PHONE, TRANSPONDERS, ETC.

DBMS

Poor System Security

People are the weak link in any security system, and insiders are involved
in the majority of computer security incidents [CSI02, DTI02]. Whether
through carelessness, poor understanding, pressure, or simple human
error, insiders unintentionally expose private data. Personal details are
discarded in unprotected trash, inadvertently displayed on web sites, or
unknowingly stored in files on a computer (such as in a cookie or as part
of a query embedded in a “favorite” URL). Add to that the malicious
approaches in which workers are bribed, coerced, or tricked into
compromising security.
Government Threats

Big Brother is watching. Just as marketers use computers to correlate
disparate data and to infer more about you, so also does the government.
The taxing authorities would like to know about your spending and
banking patterns in order to ensure that you are paying all the taxes you
owe. The medical authorities would like to know who has recently traveled
to areas where a particular disease may be prevalent and to track that
person's health over time. Crime investigators would like to know
everyone who passed near a crime scene at the time of commission in
order to obtain clues and locate potential witnesses.

Computer Use

The biggest risk to individuals' privacy probably is the Internet. Although
e-mail and web surfing are two activities in which we engage voluntarily,
not everyone is conscious of the enormous volume of data that can be
collected.
E-mail is best likened to a post card in the regular mail. From the time the
card is placed in the post by the sender to the time it arrives in your mail
box, many people have easy access to the card and its message. For
example, the mail carrier who delivers the card and every postal worker
who handles it in transit could read it. In the same way, the contents of an
e-mail message are often open to view by anyone between the sender and
receiver.

ETHICAL ISSUES IN COMPUTER SECURITY

This final section helps clarify thinking about the ethical issues involved
in computer security. We offer no answers. Rather, after listing and
explaining some ethical principles, we present several case studies to
which the principles can be applied. Each case is followed by a list of
possible ethical issues involved, although the list is not necessarily all-
inclusive or conclusive. The primary purpose of this section is to explore
some of the ethical issues associated with computer security and to show
how ethics functions as a control.

Differences Between the Law and Ethics

As we noted earlier, law is not always the appropriate way to deal with
issues of human behavior. It is difficult to define a law to preclude only the
events we want it to. For example, a law that restricts animals from public
places must be refined to permit guide dogs for the blind. Lawmakers,
who are not computer professionals, are hard pressed to think of all the
exceptions when they draft a law. Even when a law is well conceived and
well written, its enforcement may be difficult. The courts are
overburdened, and prosecuting relatively minor infractions may be
excessively time consuming relative to the benefit.

An ethic is different from a law in several important ways. First, laws apply
to everyone: One may disagree with the intent or the meaning of a law, but
that is not an excuse for disobeying the law. Second, the courts have a
regular process for determining which law supersedes which if two laws
conflict. Third, the laws and the courts identify certain actions as right and
others as wrong. From a legal standpoint, anything that is not illegal is
right. Finally, laws can be enforced to rectify wrongs done by unlawful
behavior.

By contrast, ethics are personal: two people may have different
frameworks for making moral judgments. What one person thinks is
perfectly justifiable, another would never consider doing. Second, ethical
positions can and often do come into conflict. As an example, the value of
a human life is very important in most ethical systems. Most people would
not cause the sacrifice of one life, but in the right context some would
approve of sacrificing one person to save another, or one to save many
others. The value of one life cannot be readily measured against the value
of others, and many ethical decisions must be founded on precisely this
ambiguity. Yet, there is no arbiter of ethical positions: when two ethical
goals collide, each person must choose which goal is dominant. Third, two
people may assess ethical values differently; no universal standard of right
and wrong exists in ethical judgments. Nor can one person simply look to
what another has done as guidance for choosing the right thing to do.
Finally, there is no enforcement for ethical choices. These differences are
summarized in Table 9-3.

Table 9-3. Contrast of Law vs. Ethics.

| Law | Ethics |
|---|---|
| Described by formal, written documents | Described by unwritten principles |
| Interpreted by courts | Interpreted by each individual |
| Established by legislatures representing all people | Presented by philosophers, religions, professional groups |
| Applicable to everyone | Personal choice |
| Priority determined by courts if two laws conflict | Priority determined by an individual if two principles conflict |
| Court is final arbiter of “right” | No external arbiter |
| Enforceable by police and courts | Limited enforcement |

Ethical Principles Are Not Universal

Ethical values vary by society, and from person to person within a society.
For example, the concept of privacy is important in Western cultures. But
in Eastern cultures, privacy is not desirable because people associate
privacy with having something to hide. Not only is a Westerner's desire
for privacy not understood, but in fact it has a negative connotation.
Therefore, the attitudes of people may be affected by culture or
background.

Ethics Does Not Provide Answers

Ethical pluralism is recognizing or admitting that more than one position
may be ethically justifiable—even equally so—in a given situation.
Pluralism is another way of noting that two people may legitimately
disagree on issues of ethics. We expect and accept disagreement in such
areas as politics and religion.
