c841 Task 1 (Ihp4)

The document analyzes legal and ethical issues faced by TechFite’s Applications Division, highlighting violations of the Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA) due to unauthorized data access and manipulation. It emphasizes the need for improved data governance, compliance with legal standards like SOX, and the implementation of stricter cybersecurity policies to prevent negligence and protect client information. Recommendations include enhancing data access controls, adopting Data Loss Prevention solutions, and conducting regular audits to ensure adherence to legal and ethical standards.

Western Governors University

Legal Issues in Information Security

C841

[Your Name here]

IHP4 Task 1: Legal Analysis


IHP4 Task 1: Legal Analysis

TechFite’s Applications Division works in a highly competitive environment that is sensitive to ethical violations and non-adherence to regulations. Recent conduct involving unauthorized access to data, weak internal controls, and suspicious client relationships raises issues of concern with respect to US law and normative business ethics. The author examines these issues with a focus on the legal, regulatory and ethical frameworks before proposing policy changes that reflect current practice and compliance expectations.

A1. CFAA and ECPA

The Computer Fraud and Abuse Act (CFAA) prohibits unauthorized access to protected systems, and the actions of TechFite’s Applications Division clearly violate it (Lashway and Stein, 2022). By using dummy accounts to access powerful systems across the organization, the Business Intelligence (BI) Unit engaged in conduct that is considered computer fraud under the CFAA. Such intrusion not only violates the law, but also damages the company’s goodwill and consumer loyalty.

The Electronic Communications Privacy Act (ECPA), on the other hand, governs electronic communication by ensuring that privacy and confidentiality in communication are protected (Mali, 2021). In this case, the improper manipulation of proprietary information belonging to the clients Orange Leaf and Union City Electronic Ventures, especially in marketing and sales, is in violation of the ECPA. Specifically, the BI Unit’s use of client data without the clients’ consent is a clear violation of the ECPA, with potentially severe financial consequences.


A2. Three Laws

For starters, using client data in sales (even in initial stages) can contravene Intellectual Property (IP) rights, since intellectual assets are often among the most valuable holdings of technology firms. In this case, TechFite violated the clients’ IP by processing the data without proper security measures. This not only risks the violation of IP laws but also exposes the company to litigation.

By processing personally identifiable information in this context without sufficiently stringent measures, TechFite risks running afoul of data protection laws: failure to implement stringent data access security policies poses risks to the privacy of clients, resulting in lawsuits and fines for violation of consumer privacy laws.

Non-Disclosure Agreements (NDAs) are necessary in consulting relationships because such engagements involve parties sharing valuable information in the course of the relationship (Denga, 2023). TechFite violates client confidentiality, which could result in NDA violations, as seen in PepsiCo, Inc. v. Redmond. That case shows the legal implications of using or disclosing another party’s proprietary information, hence the need for TechFite to improve its handling of data (Hoffman, 2022).

A3. Duty of Due Care

The lack of enforced data segregation between divisions is not only a legal concern but a clear violation of corporate governance. Strict separation of client information, with one office having no access to the other’s data, would help mitigate conflicts of interest and unintentional leakage of clients’ information, and plays an important role in maintaining client trust and the company’s reputation with regulators. Conversely, allowing full access across the BI and marketing/sales functions violates the principle of “least privilege” and exposes TechFite to external threats and internal fraud. The absence of such basic measures implies negligence at the system level.

A4. SOX

As a public company, TechFite must adhere to SOX requirements, which demand strict compliance in the reporting of financial information (Sebastian, 2022). The use of “dummy” clients by the BI Unit could therefore distort sales and performance figures and give a false financial picture. This could draw regulatory attention under SOX and trigger fines that are not beneficial to TechFite, hence the need for the company to adopt full SOX compliance in all its financial and operational processes.

B1/B1a. Criminal Evidence, Activity, Actors and Victims

Some of the activities that the BI Unit asked employees to carry out included scanning competitors’ systems, a practice performed by BI Unit employees such as Sarah Miller and Jack Hudson. The creation of dummy accounts with unlimited access not only falls foul of the CFAA but would also be considered corporate espionage, particularly as the aim was to use this data for competitive advantage.

B1b. Cybersecurity Policies & Procedures for Criminal Activity

A Data Access Control Policy restricts data access according to job description, so that the information accessible within the organization is limited to what is relevant to the employee’s position. The procedure for this policy would include setting up role-based permissions for employees based on the work they are doing, with access levels reviewed and changed periodically as an employee’s position changes through promotion or discharge. At TechFite, this policy could have helped to prevent the criminal activities.


A Multi-Factor Authentication (MFA) Policy is a security policy that demands an additional authentication factor beyond a password when accessing systems or data containing sensitive information (Pureti, 2020). The procedure accompanying this policy would be to enrol all systems holding sensitive data in MFA. At TechFite, this policy could have prevented situations where employees accessed restricted information with a single password, which can be sold or taken by anyone.

B2/B2a. Evidence of Negligent Activity, Actors and Victims

Senior management’s failure to act breached the legal and ethical duty of care owed to clients and stakeholders. As clients, both Orange Leaf Software and Union City Electronic Ventures are the direct victims whose information was exploited without permission. This negligence is not only an open invitation to potential lawsuits but may also harm those organisations irreparably through reputational damage.

B2b. Cybersecurity Policies & procedures for Negligent Activity

Proper data governance can help avoid such careless actions and promote data quality. Going forward, access restrictions adopted by TechFite and periodic enforcement of audits could improve internal controls and prevent a recurrence of the problem.

C. Legal Compliance Summary for Management

To protect TechFite from further legal complications and reputational damage, the company should enhance data access controls, data loss prevention and auditing, SOC reporting, and the establishment of formal ethical codes. To begin with, a more structured privilege management system should be put in place. This would restrict data access to the roles that genuinely require it, thereby protecting client information by preventing its sharing with unauthorized people.


Embracing Data Loss Prevention (DLP) solutions and frequent auditing would help the company to monitor its data handling practices in real time. Omotunde and Ahmed (2023) propose that regular audits of the system, focused on the areas most vulnerable to abuse, would be sufficient to identify and prevent such activity.

Lastly, it is important for TechFite to keep accurate financial records, ensuring that all its books of account meet SOX standards. Implementing strict checks and balances on all sales figures, particularly those involving ‘paper’ accounts, eliminates the chance of a SOX violation.

Conclusion

In sum, TechFite’s Applications Division shows the need to improve compliance with the law and ethical standards. By strengthening its adherence to best practices of data governance and by focusing on ethical behaviour, TechFite can manage its current issues efficiently. It will be important to implement change now to ensure that clients are gained and that long-term profitability is achieved in a competitive market.


References

Denga, M. (2023). Paradigms of Business Consulting Agreements. European Review of Contract Law, 19(2), 103-135.

Hoffman, L. (2022). The Doctrine of Inevitable Disclosure, its Logic, and Effects: The Potential Solution to an Inevitable Problem. Available at SSRN 4020576.

Lashway, S. T., & Stein, M. M. (2022). Signs Inscribed on a Gate: The Impact of Van Buren v. United States on Civil Claims under the Computer Fraud and Abuse Act. W. New Eng. L. Rev., 44, 109.

Mali, A. P. (2021). Consent in privacy laws: Analysis of India’s PDPB, ECPA of USA and GDPR of EU. International Journal of Law, 7(2), 142-152.

Omotunde, H., & Ahmed, M. (2023). A comprehensive review of security measures in database systems: Assessing authentication, access control, and beyond. Mesopotamian Journal of CyberSecurity, 2023, 115-133.

Pureti, N. (2020). Implementing Multi-Factor Authentication (MFA) to Enhance Security. International Journal of Machine Learning Research in Cybersecurity and Artificial Intelligence, 11(1), 15-29.

Sebastian, G. (2022). Could incorporating cybersecurity reporting into SOX have prevented most data breaches at US publicly traded companies? An exploratory study. International Cybersecurity Law Review, 3(2), 367-383.
