Chapter 9


Legal & Ethical Issues

IT ETHIC & CYBER LAW


Laws and Security

• Laws are rules adopted and enforced by governments to codify expected behavior in modern society.
• The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not.
• Ethics are based on cultural mores: relatively fixed moral attitudes or customs of a societal group.
Copyrights

• Designed to protect the expression of ideas
• Gives an author exclusive rights to make copies of the expression and sell them to the public
• Intellectual property (copyright law of 1978)
• Copyright must apply to an original work, and the work must be fixed in a tangible medium of expression
• Originality of work (ideas themselves may be in the public domain)
• A copyrighted object is subject to fair use
Copyright infringement

• Involves copying
• Does not cover independent work (two people can each hold copyright on identically the same thing if each created it independently)
• Copyrights for computer programs
 Copyright law was amended in 1980 to include an explicit definition of software
 The program code is protected, not the algorithm
 Controls the rights to copy and distribute
Patent

• Protects innovations (applies to the results of science, technology and engineering)
• Protects new innovations (a device or process to carry out an idea, not the idea itself)
• Excludes newly discovered laws of nature (e.g., 2 + 2 = 4)
Patent (Continued)

• Requirement of novelty
• If two people build the same innovation, the patent is granted to the first inventor, regardless of who filed first
• The invention should be truly novel and unique
• The Patent Office registers patents
• Patents on computer objects (the Patent Office has not encouraged patents for software, as software is seen as the representation of an algorithm)
Trade Secret

• The information must be kept secret
• If someone discovers the secret independently, there is no infringement: the trade secret rights are gone
• Reverse engineering can be used to attack trade secrets
• Computer trade secrets (the design idea is kept secret; the executable is distributed but the program design remains hidden)
Comparison
Employee and Employer Rights

• Ownership of patents
• If the employee lets the employer file the patent, the employer is deemed to own the patent and therefore the rights to the innovation
• The employer has the right to the patent if the employee's job function includes inventing the product
• Similar issues arise for ownership of copyright
• A special issue is work-for-hire, in which the employer is the author of the work
Employee and Employer Rights (Continued)

• Work-for-hire situations:
 The employer has a supervisory relationship, overseeing the manner in which the creative work is done
 The employer has the right to fire the employee
 The employer arranges for the work to be done before the work is created
 A written statement states that the employer has hired the employee to do certain work
• The alternative to work-for-hire is a license
 The programmer owns the product and sells a license to the company
 Beneficial for the programmer
Computer crime

• Hard to predict for the following reasons:
 Low computer literacy among lawyers, police agents, jurors, etc.
 Tangible evidence such as fingerprints and physical clues may not exist
 Forms of asset differ (is computer time an asset?)
 Juveniles (many cases involve juveniles)
The Legal Environment

• Information security professionals and managers must possess a rudimentary grasp of the legal framework within which their organizations operate
• This legal environment can influence the organization to a greater or lesser extent, depending on the nature of the organization and the scale on which it operates
Types Of Law

• Civil law: pertains to relationships between and among individuals and organizations
• Criminal law: addresses violations harmful to society; actively enforced and prosecuted by the state
• Tort law: a subset of civil law which allows individuals to seek recourse against others in the event of personal, physical, or financial injury
• Private law: regulates relationships among individuals and between individuals and organizations
Types Of Law (Continued)

• Private law encompasses family law, commercial law, and labor law
• Public law: regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments (includes criminal, administrative, and constitutional law)
Computer Fraud and Abuse Act of 1986

• Computer Fraud and Abuse Act of 1986 (CFA Act)
• The cornerstone of many computer-related federal laws and enforcement efforts
• Amended in October 1996 by the National Information Infrastructure Protection Act of 1996 to increase penalties for selected crimes
• Further modified by the USA PATRIOT Act, providing law enforcement with broader latitude to combat terrorism-related activities
Communication Act of 1934

• The Communication Act of 1934 was revised by the Telecommunications Deregulation and Competition Act of 1996, which attempts to modernize the archaic terminology of the older act
• Provides penalties for misuse of telecommunications devices, specifically telephones
Computer Security Act of 1987

• The Computer Security Act of 1987 was one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices
• The Act charged the National Bureau of Standards and the National Security Agency with the following tasks:
 Developing standards, guidelines, and associated methods and techniques for computer systems
 Developing uniform standards and guidelines for most federal computer systems
Computer Security Act of 1987 (Continued)

 Developing technical, management, physical, and administrative standards and guidelines for cost-effective security and privacy of sensitive information in federal computer systems
 Developing guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice
 Developing validation procedures for, and evaluating the effectiveness of, standards and guidelines through research and liaison with other government and private agencies
Computer Security Act of 1987 (Continued)

• Established the Computer System Security and Privacy Advisory Board within the Department of Commerce
• Amended the Federal Property and Administrative Services Act of 1949, requiring the National Bureau of Standards to distribute standards and guidelines pertaining to federal computer systems and making such standards compulsory and binding
• Requires mandatory periodic training in computer security awareness and accepted computer security practice for all users of federal computer systems
Privacy Laws

• Many organizations collect, trade, and sell personal information as a commodity
• Many individuals are becoming aware of these practices and are looking to governments to protect their privacy
• In the past, it was not possible to create databases that contained personal information collected from multiple sources
• Today, aggregation of data from multiple sources permits some to build databases with alarming quantities of personal information
Privacy Laws (Continued)

• The Federal Privacy Act of 1974 regulates the government's use of private information. It was created to ensure that government agencies protect the privacy of individuals' and businesses' information, and holds them responsible if this information is released without permission
• The Electronic Communications Privacy Act of 1986 is a collection of statutes that regulates the interception of wire, electronic, and oral communications. It works in cooperation with the Fourth Amendment of the U.S. Constitution, which prohibits search and seizure without a warrant
HIPAA

• The Health Insurance Portability & Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act, protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange
• Requires organizations that retain health care information to use information security mechanisms to protect this information, as well as policies and procedures to maintain them
• Requires a comprehensive assessment of the organization's information security systems, policies, and procedures
HIPAA (Continued)

• HIPAA provides guidelines for the use of electronic signatures based on security standards ensuring message integrity, user authentication, and non-repudiation
• Five fundamental privacy principles:
 Consumer control of medical information
 Boundaries on the use of medical information
 Accountability for the privacy of private information
 Balance of public responsibility for the use of medical information for the greater good, measured against the impact to the individual
 Security of health information
Gramm-Leach-Bliley Act

• Financial Services Modernization Act, or Gramm-Leach-Bliley Act, of 1999
• Applies to banks, securities firms, and insurance companies
• Requires all financial institutions to disclose their privacy policies, describe how they share nonpublic personal information, and describe how customers can request that their information not be shared with third parties
• Ensures that privacy policies are fully disclosed when a customer initiates a business relationship, and distributed at least annually for the duration of the professional association
Export and Espionage Laws

• Congress passed the Economic Espionage Act (EEA) in 1996
• It aims to protect intellectual property and competitive advantage by protecting trade secrets
• Security and Freedom through Encryption Act of 1997
 Provides guidance on the use of encryption
 Institutes measures of public protection from government intervention
 Reinforces an individual's right to use or sell encryption algorithms without concern for the impact of other regulations requiring some form of key registration
 Prohibits the federal government from requiring the use of encryption for contracts, grants, and other official documents and correspondence
U.S. Copyright Law

• Extends protection to intellectual property, which includes words published in electronic formats
• 'Fair use' allows material to be quoted so long as the purpose is educational and not for profit, and the usage is not excessive
• Proper acknowledgement must be provided to the author and/or copyright holder of such works, including a description of the location of the source materials using a recognized form of citation
Sarbanes-Oxley Act of 2002

• Enforces accountability for financial record keeping and reporting at publicly traded corporations
• Requires that the CEO and chief financial officer (CFO) assume direct and personal accountability for the completeness and accuracy of a publicly traded organization's financial reporting and record-keeping systems
• As these executives attempt to ensure that the systems used to record and report are sound—often relying upon the expertise of CIOs and CISOs to do so—the related areas of availability and confidentiality are also emphasized
International Laws And Legal Bodies

• Many domestic laws and customs do not apply to international trade, which is governed by international treaties and trade agreements
• Because of cultural differences and the political complexities of the relationships among nations, there are currently few international laws relating to privacy and information security
Policy versus Law

• The key difference between policy and law is that ignorance of policy is an acceptable defense; therefore policies must be:
 Distributed to all individuals who are expected to comply with them
 Readily available for employee reference
 Easily understood, with multilingual translations and translations for visually impaired or low-literacy employees
 Acknowledged by the employee, usually by means of a signed consent form
Ethics

• An objectively defined standard of right and wrong
• Often idealistic principles
• In a given situation, several ethical issues may be present
• Different from law
Law and Ethics in Information Security

• Laws are rules adopted and enforced by governments to codify expected behavior in modern society
• The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not
• Ethics are based on cultural mores: relatively fixed moral attitudes or customs of a societal group
Law vs. Ethics

Law
• Described by formal written documents
• Interpreted by courts
• Established by legislatures representing all people
• Applicable to everyone
• Priority determined by laws if two laws conflict
• Court is the final arbiter of right
• Enforceable by police and courts

Ethics
• Described by unwritten principles
• Interpreted by each individual
• Presented by philosophers, religions, professional groups
• Personal choice
• Priority determined by an individual if two principles conflict
• No external arbiter
• Limited enforcement
Ethical reasoning

• Consequence-based: based on the good that results from an action
• Rule-based: based on certain prima facie duties of people
Codes of ethics

• IEEE professional code of ethics
 To avoid real or perceived conflicts of interest whenever possible, and to disclose them to affected parties when they do exist
 To be honest and realistic in stating claims or estimates based on available data
• ACM professional code of ethics
 Be honest and trustworthy
 Give proper credit for intellectual property
The Ten Commandments of Computer Ethics
(from The Computer Ethics Institute)

• Thou shalt not use a computer to harm other people
• Thou shalt not interfere with other people's computer work
• Thou shalt not snoop around in other people's computer files
• Thou shalt not use a computer to steal
• Thou shalt not use a computer to bear false witness
• Thou shalt not copy or use proprietary software for which you have not paid
• Thou shalt not use other people's computer resources without authorization or proper compensation
• Thou shalt not appropriate other people's intellectual output
• Thou shalt think about the social consequences of the program you are writing or the system you are designing
• Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
Differences In Ethical Concepts

• Studies reveal that individuals of different nationalities have different perspectives on the ethics of computer use
• Difficulties arise when one nationality's ethical behavior does not correspond to that of another national group
• Categories: software licensing, illicit use, misuse of corporate resources
Ethics And Education

• Differences in computer use ethics are not exclusively cultural
• They are found among individuals within the same country, the same social class, and the same company
• Key studies reveal that the overriding factor in leveling ethical perceptions within a small population is education
• Employees must be trained and kept up to date on information security topics, including the expected behaviors of an ethical employee
Deterring Unethical and Illegal Behavior

• It is the responsibility of information security personnel to do everything in their power to deter unethical and illegal acts, using policy, education, training, and technology as controls or safeguards to protect information and systems
• Many security professionals understand technological means of protection
• Many underestimate the value of policy
Deterring Unethical and Illegal Behavior (Continued)

• Three general categories of unethical behavior that organizations and society should seek to eliminate:
 Ignorance
 Accident
 Intent
• Deterrence is the best method for preventing an illegal or unethical activity (examples: laws, policies, and technical controls)
Deterring Unethical and Illegal Behavior (Continued)

• It is generally agreed that laws, policies and their associated penalties only deter if three conditions are present:
 Fear of penalty
 Probability of being caught
 Probability of the penalty being administered
Certifications And Professional Organizations

• A number of professional organizations have established codes of conduct and/or codes of ethics that members are expected to follow
• Codes of ethics can have a positive effect on an individual's judgment regarding computer use
• It remains the individual responsibility of security professionals to act ethically and according to the policies and procedures of their employers, their professional organizations, and the laws of society
Association for Computing Machinery

• ACM is a respected professional society, originally established in 1947 as "the world's first educational and scientific computing society"
• One of the few organizations that strongly promotes education and provides discounted membership for students
• ACM's code of ethics requires members to perform their duties in a manner befitting an ethical computing professional
