ISOL 633 LEGAL REGULATIONS,
INVESTIGATION, AND
COMPLIANCE
Chapter 8
Federal Government Information
Security and Privacy Regulations
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
KEY CONCEPTS
• Security challenges facing the federal government
• Federal government information security and privacy regulation
• Federal Information Security Management Act (FISMA)
• Office of Management and Budget (OMB)
• Other federal agency responsibilities
• Import and export laws for information technology
Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
INFORMATION SECURITY CHALLENGES FACING THE FEDERAL GOVERNMENT
• Federal government is largest producer and user of information in U.S.
• Government computer systems hold:
  • Data critical for government operations
  • Employment, tax, and citizenship data
  • Data on businesses operating in the U.S.
  • Data that’s used to protect the U.S. from threats
• Federal IT systems and data in them are attractive targets for criminals
• Examples:
  • Pentagon fighter jet blueprints
  • USAJOBS
  • IRS
  • Passports, green cards, visas
  • National security information
A LITTLE HISTORY…LAWS GOVERNING INFORMATION SECURITY AND PRIVACY
• 1987 Computer Security Act (CSA)
• 2002 E-Government Act
  • Title III – Federal Information Security Management Act (FISMA)
• 2009 Cyberspace Policy Review
• 2013 Obama’s Executive Order on Cybersecurity
FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
▪ Who must follow?
▪ What is the definition of Information Security?
▪ Components:
  ▪ Determine government agency information security responsibilities
  ▪ Require annual independent review
  ▪ Authorize NIST to develop information security standards
  ▪ OMB oversight – now shared with DHS
  ▪ Requires risk-based approach for NSS
  ▪ Created Federal Security Incident Response Center
FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) (CONTINUED)
• Risk assessment
• Inventory IT systems and keep the system inventory updated
• Implement policies and procedures designed to reduce risk
• Implement plan for subsystems to support larger information security program
• Provide training for employees and subcontractors
• Annual testing
• Implement contingency plan for repairing weaknesses
• Implement procedure for responding to incidents of breach
• Implement business continuity plan
FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
▪ Testing and Annual Review
▪ National Institute of Standards and Technology
▪ Chief Information Security Officer (CISO) – required for ensuring compliance
▪ CyberScope
FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
▪ Who receives the Agency Annual Report and Review Evaluation?
  ▪ House of Representatives Oversight Committee
  ▪ House of Representatives Science and Technology Committee
  ▪ Senate Committee on Governmental Affairs
  ▪ Senate Committee on Commerce, Science and Technology
  ▪ Government Accounting Office
  ▪ Congressional Subcommittee authorizing Agency existence
INSPECTOR GENERAL (IG)
▪ Inspector General Act of 1978
▪ Different IG for each Federal Government Agency
▪ Independent Audits
▪ Reports to Congress
▪ Reviews actions and ensures efficient operation and good practices
▪ Appointed either by President or by Agency Head, depending on size of agency
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)
▪ Within the Department of Commerce
▪ Creates standards for ALL federal agencies that DO NOT have NSS
▪ Categorize data and systems
▪ Guidelines for systems depending on category
▪ Creates minimum information security controls
NIST DOCUMENTS
▪ Federal Information Processing Standards (FIPS)
▪ Special Publications (SPs)
FISMA IMPLEMENTATION PROJECT
▪ Develop and update security standards so that agencies comply with FISMA
▪ Provide security reference materials to support the Risk Management Framework (RMF)
▪ Apply a risk management-based approach to security controls
NIST RISK MANAGEMENT FRAMEWORK PROCESS
▪ Categorize IT systems
▪ Select security controls
▪ Implement security controls
▪ Assess security controls
▪ Authorize IT systems
▪ Continuously monitor security controls
FIPS 199 STANDARDS FOR CATEGORIZING FEDERAL INFORMATION AND INFORMATION SYSTEMS
LOW
• Loss of CIA has limited adverse effect on the agency, its information and assets. Minor damage.
MODERATE
• Loss of CIA has serious adverse effect with significant damage to assets.
HIGH
• Loss of CIA has severe or catastrophic adverse effect with major damage to assets.
NIST DOCUMENTS
▪ FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
▪ SP 800-53 Revision 4 Recommended Security and Privacy Controls
CENTRAL INCIDENT RESPONSE CENTER
▪ 1996, under direction of OMB/DHS
▪ Requirements:
  ▪ Provide technical support
  ▪ Share information about security incidents
  ▪ Inform agencies about potential threats
  ▪ Consult with NIST and with agencies with NSS about security incidents
CENTRAL INCIDENT RESPONSE CENTER
• Reporting depends on category
• Categories 0–6:
  • 0 – Network testing
  • 1 – Unauthorized access
  • 2 – Denial of service
  • 3 – Malicious code
  • 4 – Improper use
  • 5 – Scans, probes and attempted access
  • 6 – Investigations
NATIONAL SECURITY SYSTEMS
• NSS – those systems used for intelligence activities, command and control of military forces, weapons and weapon control equipment, cryptography to protect national security, military and military intelligence, and information classified for defense and foreign policy
• Oversight – Committee on National Security Systems (CNSS)
  • 21 voting members
ACCESS CONTROL MODELS
Discretionary Access Control (DAC)
• Discretion of the owner
Mandatory Access Control (MAC)
• Security labels and classifications
Role-Based Access Control (RBAC)
• Job function or role
FEDERAL PRIVACY LAWS
• Privacy Act of 1974
• Applies to Federal Government but not State and local governments
• Definition of Record under this act
• Exemptions (12)
• SORN
• OMB Oversight
FEDERAL PRIVACY LAWS
• E-Government Act of 2002
• Review IT systems for privacy risks
• Post privacy policies on website
• Post machine-readable privacy policies
• Report privacy activities to OMB
• PIA
OMB REQUIREMENTS FOR BREACH NOTIFICATION
• Review and reduce the volume of personally identifiable information stored
• Eliminate unnecessary use of SSNs
• Explore alternatives to using SSN as a personal identifier
• Develop policies and procedures for individuals who are authorized to access personally identifiable information
OMB BREACH NOTIFICATION
Breach Notification Plan
• Determine if breach notification is required
• Source of the notification
• Time for notification
• Contents of the notice
• Means of providing the notice
• Who gets the notice
REGULATORY REQUIREMENTS FOR THE IMPORT AND EXPORT OF INFORMATION TECHNOLOGY
▪ Department of Commerce
  ▪ Export Administration Regulations (EAR)
    ▪ Export Administration Act of 1979
  ▪ Bureau of Industry and Security
    ▪ Commerce Control List (CCL)
▪ Department of State
  ▪ International Traffic in Arms Regulations (ITAR)
▪ Treasury Department
  ▪ Office of Foreign Assets Control (OFAC)
REGULATORY REQUIREMENTS FOR THE IMPORT AND EXPORT OF INFORMATION TECHNOLOGY
▪ Export of Technology or Software
  ▪ Release of technology or software subject to the EAR in a foreign country
  ▪ Release of technology or source code subject to the EAR to a foreign national within the United States or outside
  ▪ Transfer of source code
  ▪ Inspection or oral communication of code
▪ Violations subject to civil penalties or denial of export privileges
▪ Willful violations subject to criminal penalties
THANK YOU
For Questions:
Email: Leslie.Stovall@ucumberlands.edu
Legal Issues in
Information Security
Lesson 1
Information Security Overview
Learning Objective
Recognize fundamental concepts of information systems security (ISS).
Begin to think about the legal implications of ISS concepts and issues:
• Definitions and general terms
• Concepts
• Classifications or types of information security
• Different levels of protection for various types of information
What is Information Security?
Practice of protecting information
What is the primary goal of Information Security?
To protect 3 aspects of information
• Confidentiality
• Integrity
• Availability
What is a Triad?
Grouping of three things we generally think about together as a unit
Key Concepts
Confidentiality, integrity, and availability (C-I-A triad)
Basic information system security concepts
Risk analysis and mitigation
Mechanisms for organizational information security
Data classifications requiring specialized legal consideration
WHAT IS CONFIDENTIALITY?
Preventing people who should not have access to data from obtaining it.
Important at all phases
• Creation of data
• Manipulation, summarization, use
• Analysis
• Transmission
• Destruction
Breaches
• Intentional
• Accidental
WHAT IS INTEGRITY?
Means systems and their data are accurate.
WHAT IS AVAILABILITY?
Making sure the systems operate reliably and that data is accessible by people with permission when they need it.
Ensures no bottlenecks or slowdowns and that data is available at peak times.
• Single point of failure – single piece of hardware or software critical to the entire system.
C-I-A Triad
Seven Domains of a Typical IT Infrastructure
Basic Risk Management Concepts
Vulnerability – asset weaknesses
Threats – anything that has the potential to harm the system
Threat Agents – hackers and malware
Exploitation – threats that are carried out
Mitigation – safeguard assets
Risks – the likelihood that a threat will be exploited. Some can be minimized by asset owner
Safeguards – implemented by an organization as controls used to reduce harm caused by vulnerability and threats. Referred to as “risk mitigation”
Risk Management Process
(Diagram showing the relationships among Organization, Safeguard, Vulnerability, Threat Agent, Threat, Risk and Asset)
Roles in Risk Management
• Senior Management
• Chief Information Security Officer
• Information Technology Department
• Legal Department
Information Security Common Concerns
Shoulder Surfing
Social Engineering
Phishing and Targeted Phishing Scams
Malware
Spyware and Keystroke Loggers
Logic Bombs
Back Doors
Denial of Service Attacks
Information Security in Different Contexts
Private – Harmful to organization if disclosed
• High interest in confidentiality
Public – No harm to organization through disclosure
• High interest in availability
Data Classification
Governmental Classification
• Top Secret
• Secret
• Confidential
• Unclassified
General Corporate Classification
• Corporate Confidential
• Client Confidential
• Proprietary
• Restricted
• Public
Mechanisms for Ensuring Information Security
• Laws and Legal Duties
• Contracts
• Governance
• Voluntary Organizations
Legal Mechanisms to Ensure Information Security
Laws
• Gramm-Leach-Bliley Act, HIPAA, COPPA, FERPA and many others
Information Regulations
• Financial, credit card, health, etc.
Agencies
• FTC, banks, DHHS, SEC, DOE, etc.
Thank you!
Please email questions and/or
comments to
Dr. Les Stovall
Leslie.Stovall@ucumberlands.edu
ISOL 633 Legal Regulations, Investigations and Compliance
Chapter 2 – Lecture 2
Privacy Overview
Learning Objectives/Key Concepts
Examine the concept of privacy and its legal protections.
• Basic privacy principles
• Explain the difference between Information Security and Privacy
• Describe threats to privacy
Learning Objectives/Key Concepts Continued
Explain important issues regarding
workplace privacy
General principles for privacy protection
What Is Privacy?
A person has control of his or her personal data
Control = a person can specify the collection, use, and sharing of their data
Government’s power to interfere in the privacy of its citizens is limited
Examples of Private Information
• Financial information
• Health information
• Biometric data
• Personal identification information
• Other
Not All Information Is Private
We would like to control every aspect of our life in terms of who has access to it.
Not all information is private:
• Public records
  • Minutes of government meetings
  • Sex Offender Registration
  • Criminal records
  • Court Dockets
  • Pleadings
Security and Privacy
• Privacy is an individual’s right to control the use and disclosure of his or her own personal information
• Information security is a process used to keep data private.
• Security is the process and privacy is the result of the security process
• Privacy rights are individual rights
Sources of Privacy Law
• Constitutional Law
• Federal Laws
• State Laws
• Common Law
  • Intrusion into Seclusion
  • Portrayal in a False Light
  • Appropriation of Likeness or Identity
  • Public Disclosure of Private Facts
• Voluntary Agreements
Federal Privacy Laws
Census Confidentiality (1952)
Freedom of Information Act (1966)
Wiretap Act (1968, amended)
Mail Privacy Statute (1971)
Privacy Act (1974)
Cable Communications Policy Act (1984)
Electronic Communications Privacy Act (1986)
U.S.A. PATRIOT Act (2001)
Driver’s Privacy Protection Act (1994)
E-Government Act (2002)
State Privacy Laws
Ten state constitutions recognize a right to privacy: Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington
State of New York was first state to write a right of privacy into its statutes
Other states have recognized a right of privacy through case law
Statutory or codified law and common (case) law
Threats to Personal Data Privacy: Technology-Based
Spyware, Keystroke Loggers, and Adware
Cookies, Web Beacons, and Clickstreams
RFID and GPS Technologies
Security Breaches
Threats to Personal Data Privacy: People-Based
Phishing
Social Engineering, Shoulder Surfing, and Dumpster Diving
Social Networking Sites
Online Data Gathering
Workplace Privacy and Monitoring
• Telephone and Voice Mail
• Video Surveillance
• Computer and Internet Use
• E-mail
General Principles for Privacy Protection in Information Systems
• Active data collection – GOOD
• Passive data collection – AVOID
Summary
• People no longer take privacy for granted
• People want control
• Complications caused by electronic communications
• Threats to privacy in the information age
• Organizations must respect a person’s individual right to privacy
Thank You for your interest and
participation.
For questions email
Dr. Les Stovall
Leslie.stovall@ucumberlands.edu
ISOL 633 Legal Regulations, Investigations and Compliance
Chapter 3
The American Legal System
Learning Objective
Identify the basic components of the American legal system.
Explain different sources of law
Explain what precedent is and its role
Explain what is meant by regulatory authority
Explain the difference between compliance and audit
Describe how security, privacy and compliance work together
Components of the American Legal System
Federal Government
Legislative
Executive
Judicial
State Government
Bill of Rights
1789
• Ratification of the United States Constitution
• Supreme law of the land
• All statutes measured against this document
1791
• Discovered concepts missing from early documents
• Modifications to the U.S. Constitution
• Bill of Rights – first amendments to Constitution
Federal Government
• Executive Branch
• Legislative Branch
• Judicial Branch
LEGISLATIVE BRANCH OF FEDERAL GOVERNMENT (Article I, Section 8)
Congress
• Senate (100 total – two from each state)
  • 35 years of age, citizen 9 years, resident of state represented
• House of Representatives (435 total)
  • 25 years of age, citizen 7 years, resident of congressional district represented
  • Congressional districts redrawn every 10 years
Powers
• Declare war
• Maintain armed forces
• Print money
• Regulate commerce between states
• Other
LAW MAKING
HOW A BILL BECOMES LAW
• Drafted in either House or Senate
• Introduced to that chamber (House or Senate)
• Special committee reviews
  • Determines if needed
  • Votes and decides whether to send to full body for vote
• Passed in that chamber (either House or Senate)
• Once a version is passed in both chambers (House and Senate), it is reviewed and a compromise version is worked out
• Returned to each chamber for further revision and review
• Signed by head of House (Speaker) and by head of Senate (President of Senate)
• Goes to President – 10 days to sign or veto
  • If he does neither in 10 days, the bill passes as if he had signed
• If signed, becomes an “Act of Congress” or a federal law
• If vetoed by the President, still becomes law with 2/3 vote of both houses
EXECUTIVE BRANCH OF FEDERAL GOVERNMENT (Article II)
Headed by President of United States
• Natural born citizen, at least 35 years of age, resident of the United States for 14 years before date of election
Powers
• Enforce law of US
• Responsible for maintaining day-to-day operations of country
• Appoints federal judicial, executive and administrative officers
• Appoints Cabinet members
• Negotiate and enter into treaties with other countries (ratified by Senate)
• Other
JUDICIAL BRANCH OF FEDERAL GOVERNMENT (Article III)
US SUPREME COURT – HIGHEST COURT IN LAND
• 9 members of US Supreme Court
• Nominated by President, confirmed by Senate
• First woman, 1981, Sandra Day O’Connor, nominated by President Reagan, served until 2006
• Term – life
STRUCTURE OF FEDERAL COURTS
COURTS OF LIMITED JURISDICTION
• Cases/disputes with issues of federal law
• Constitutional law
• Complete diversity (citizens of different states) and amount in controversy exceeds $75,000.00
TYPES OF JURISDICTION
• Original jurisdiction
• Concurrent jurisdiction
• Appellate jurisdiction
Can be “remanded” to state courts under certain conditions
Can be “removed” to federal court if wrongly filed in state court
FEDERAL COURT SYSTEM IN THE UNITED STATES
• United States Supreme Court
• 13 Appellate Courts
• 94 US District Courts
STATE COURTS
• Articles of Confederation – after American Revolution – DID NOT WORK!
• 1789 – US Constitution
• 1791 – Bill of Rights – first 10 amendments to Constitution
• Branches of state government – similar to federal
  • Executive – Governor
  • Legislative – House of Representatives and Senate
  • Judicial
• Supremacy Clause in US Constitution
  • Conflicting federal law trumps state law
STATE COURT SYSTEM IN THE UNITED STATES
• State Supreme Court
• State Appellate Court
• Circuit Courts (number and exact name vary by state)
• State District Courts (number and exact name vary by state)
AMERICAN LEGAL SYSTEM
Federal Courts
• US District Courts
• Appeals Courts
• United States Supreme Court
State Courts
• District Courts
• Circuit Courts
• Court of Appeals
• State Supreme Courts
Different Types of Laws
Law – Description
• Common Law – values and customs
• Code Law – written by legislature
• Constitutional Law – highest authority
• Civil Law – individual complaints
• Criminal Law – wrongs to society
• Administrative Law – agency regulations
• Legal Precedent – guidance from past
Code – lex scripta; common – lex non scripta
Statutory Construction
How is Louisiana State Law Different?
TYPES OF LAWS
SUBSTANTIVE LAWS – subject matter
PROCEDURAL LAWS – rules of the courts
• Rules of Criminal Procedure (Fed and State)
• Rules of Civil Procedure (Fed and State)
• Family Court Rules of Practice and Procedure (State)
• Supreme Court Rules (State)
ADMINISTRATIVE LAWS
• Follow administrative procedures
Burdens of Proof – different depending on nature of case
• Beyond a Reasonable Doubt
• Clear and Convincing
• Preponderance of Evidence
The Role of Precedent
Doctrine of precedent – courts look at decisions made in prior cases to determine appropriate resolution for new cases
Also referred to as the doctrine of stare decisis: “To stand by things decided”
Plessy v. Ferguson (1896)
Brown v. Board of Education (1954)
Payne v. Tennessee (1991)
Regulatory Authorities
Federal government delegates some regulatory and enforcement functions to administrative agencies
“Agency” is any governmental authority besides Congress and the courts
President usually has responsibility for overseeing federal agencies
Congress can create independent agencies that report directly to it
Example: Federal Trade Commission (FTC)
Difference Between Compliance and Audit
Compliance – the action of following applicable laws and rules
Audit – an evaluation and verification that certain objectives are met
HOW DO SECURITY, PRIVACY AND COMPLIANCE FIT TOGETHER?
Security – practice of protecting information that ensures the CIA triad
Privacy – individual’s right to control how his personal data is collected, used and shared
Information security – makes sure personal privacy rights are protected
No comprehensive laws to protect privacy in all areas.
The End!
Questions?
Dr. Les Stovall
leslie.stovall@ucumberlands.edu
ISOL 633 - Legal Regulations,
Investigations and
Compliance
Lesson 4 – Chapter 4
Security and Privacy of
Consumer Financial Information
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
▪ Describe legal compliance laws addressing
how financial institutions protect the
security and privacy of consumer financial
information.
Key Concepts
• Financial institutions and the protection of
information they collect
• Financial regulatory laws and government
regulatory bodies
• The Gramm-Leach-Bliley Act and financial
institutions
• The Federal Trade Commission Red Flags
Rule
• Payment Card Industry Standards
Business Challenges Facing
Financial Institutions
• Bear cost of consumer identity theft
• Company names and logos used in phishing
scams
• Targets of hackers
• Must follow regulations designed to
protect security and privacy of data they
collect and use; rules place compliance
burden on financial institutions
Types of Financial Institutions
Savings and loan associations
Finance companies
Insurance companies
Investment companies
Examples of
Regulation/Definitions
• National Banking Act of 1864
• Bank Secrecy Act of 1970
• Bank Holding Company Act of 1956
• Gramm-Leach-Bliley Act
Definitions:
• Consumer
• Consumer Information
• Consumer Goods
• Consumer Services
Consumer Financial Information
• Name
• Social Security number
• Address/telephone number
• Driver’s license number
• Work history
Who Regulates Financial
Institutions?
Federal Reserve System
• Created by Congress in 1913
• Central Bank of the US
• Bank for other banks
• Bank for Government
• Responsibilities?
• Structure and Organization
Structure of the Federal Reserve
Continued
• 12 Regional Banks
• Each with 24 Branches
• Each with 12 member Board of Directors
• Function:
• Distribute Currency and coin between regions
• Supervise and review National Member Banks for
Soundness
• Serve as bank for federal government
• Regulate State Chartered member banks
• Supervise Bank holding companies
• Supervise foreign banks operating in the US
• Supervise foreign activities of domestic member banks
Federal Deposit Insurance
Corporation
• Banking Act of 1933
• Banking Act of 1935
• 5 member Board of Directors
• 3 – Appointed by President
• Comptroller of Currency
• Director of Consumer Financial Protection Bureau
• No more than 3 from any one political party
• 8 Regional Offices
• Purpose?
• Members?
National Credit Union
Association
• Congress passed the Federal Credit Union Act of 1934
• Created Federally Chartered Credit Unions
• The NCUA was formed in 1970 to supervise and charter
Federal Credit Unions
• What is a Credit Union?
• Cooperative – So what is a cooperative?
• Affiliates (members) pool their money together to
make loans to each other
• Structure
• 3 member Board of Directors
• 5 regional offices
• NCUSIF
Office of the Comptroller of
Currency (OCC)
• 1864- National Banking Act
• Under the Department of Treasury
• Charters and Supervises National Banks and
Federal Savings Associations (Thrifts)
Consumer Financial Protection
Bureau (CFPB)
• 2010
• Focus is on Consumers
• Ensures that all consumers have access to financial
products and services
• Services offered in a fair and competitive manner
• Examines financial institutions to ensure
compliance
• Board of Directors
• 6 Divisions and number of advisory boards
FEDERAL TRADE COMMISSION
(FTC)
• Independent Federal Agency – Congress 1914
• Oversee compliance with more than 46
different laws
• 5 Commissioners – 7 year term
• No more than 3 from any one political party
• 7 Regional offices
• Function
Federal Financial Institutions
Examination Council
• Established in 1979 – by act of Congress
• Reports to Congress Annually
• Established by:
• Financial Institutions Regulatory and Interest Rate
Control Act of 1978
• Composition of the Council:
• This body has 6 members comprised of:
• Chair of the FDIC
• Chair of NCUA
• Comptroller of the OCC
• Director of the CFPB
• Member of the Board of Governors of the FED
• Chair of the FFIEC State Liaison Committee
• DOES NOT REGULATE FINANCIAL INSTITUTIONS
Federal Financial Institutions
Examination Council (FFIEC)
▪ Establish principles and standards for
examination of federal financial
institutions
▪ Develop uniform reporting system
▪ Conduct training for federal bank
examiners
▪ Make recommendations regarding bank
supervision matters
▪ Encourage adoption of uniform
principles and standards by federal
and state banks
FFIEC Continued
• Task Forces – 6, under the direction of the FFIEC
• Consumer Compliance – Promotes a uniform approach
to consumer protection laws
• Examiner Education – Oversees FFIEC examiner
training.
• Information Sharing – Sharing of information among its
members.
• Reports – Uniform financial reporting for members
• Supervision – Supervision and examination procedures
• Surveillance Systems – Develops Systems to Monitor the
financial condition and the performance of financial
institutions
The Gramm-Leach-Bliley Act (GLBA)
▪ The Financial Modernization Act of 1999
▪ Protects personal financial information
held by financial institutions
Impacts of GLBA
• Allows banks, securities, and
insurance companies to merge
• Financial activities include
borrowing, lending, providing
credit counseling, debt collection,
and other activities
• Protects nonpublic personal
information (NPI)
Nonpublic Personal Information
(NPI)
• Social Security numbers
• Financial account numbers
• Credit card numbers
• Date of birth
• Name, address, and phone numbers when collected with financial data
• Details of any transactions or the fact that an individual is a customer of a
financial institution
GLBA―Principal Parts
• Privacy Rule
• Safeguards Rule
• Pretexting Rule
GLBA Privacy Rule
• Financial institutions may not share NPI with
nonaffiliated third parties unless institution gives
notice to consumer
• The notice must tell consumers about types of data the
institution collects and how it uses that information
• Called a notice of privacy practices
• Consumers have chance to opt out of some data
sharing
• Difference between Customer and Consumer
• Amended by Financial Services Regulatory Relief Act of
2006
• April 2010 – Model Privacy Notice form
GLBA Safeguards Rule
• Each agency must establish standards
that:
• Protect the security and confidentiality
of customer information
• Protect against threats to the security
or integrity of customer information
• Protect against unauthorized access to
or use of customer information that
could result in harm to a customer
GLBA Pretexting Rule
• Pretexting
• Trying to gain access to customer information
without proper authority; also known as social
engineering
• Illegal to make false, fictitious, or
fraudulent statements to a financial
institution or its customers to get
customer information
• Illegal to use forged, counterfeit, lost, or
stolen documents to do the same thing
• Designed to stop identity theft
The Federal Trade Commission Red
Flags Rule
▪ Fair and Accurate Credit Transaction Act of 2003 (FACTA)
▪ Identity Theft Red Flags Rule
▪ Applies to financial institutions and creditors with covered
accounts
▪ What is a covered account?
▪ Requirements?
▪ Oversight?
Red Flag Categories
• Suspicious Documents
• Suspicious Personal Identifying Information
• Notice of Identity Theft
• Unusual Account Activity
• Credit Reporting Agency Alerts
Red Flag Rules Continued…
• Written Identity Theft Prevention Program
• Detect, prevent and mitigate identity theft.
• Employee training
• Oversight
• Federal Reserve System
• FDIC
• OCC
• Enforcement
• $2,500.00
• No private right of action
Payment Card Industry (PCI) Data
Security Standards (DSS)
▪ Safeguards and protects credit card data
▪ All merchants accepting credit cards must
follow PCI DSS standards
▪ Single approach makes it easier for
merchants to accept all cards
Payment Card Industry Security
Standards Council
• Since 2006
• Comprised of Major Credit Card Companies
• MasterCard
• Visa
• American Express
• JCB International (Chase)
• Discover
• NOT a government agency
• Purpose?
• Scope?
• Requirements?
• Oversight?
PCI DSS Controls and Rules
▪ Build and maintain a secure network
▪ Protect cardholder data
▪ Maintain a vulnerability management program
▪ Implement strong access control measures
▪ Regularly monitor and test networks
▪ Maintain an information security policy
How Effective Have these
Measures Been?
Examples of Breaches:
• FTC vs. Nationwide Mortgage Group under GLBA
• Target – self-reporting of credit card data breaches
• TJX – self-reporting of credit card data breaches
• Neiman Marcus (retail). Between July and October 2013, the credit card information of
350,000 individuals was stolen, and more than 9,000 of the credit cards have been used
fraudulently since the attack. Sophisticated code written by the hackers allowed them to move
through company computers, undetected by company employees for months.
• Michaels (retail). Between May 2013 and January 2014, the payment cards of 2.6 million
Michaels customers were affected. Attackers targeted the Michaels POS system to gain access to
their systems.
• Yahoo! Mail (communications). The e-mail service for 273 million users was reportedly hacked
in January 2015, although the specific number of accounts affected was not released.
• Aaron Brothers (retail). The credit and debit card information for roughly 400,000 customers of
Aaron Brothers, a subsidiary of Michaels, was compromised by the same POS system malware.
• AT&T (communications). For two weeks in 2015, AT&T was hacked from the inside by personnel
who accessed user information, including Social Security information.
• eBay (retail). Cyber attacks in late February and early March 2015 led to the compromise of
eBay employee log-ins, allowing access to the contact and log-in information for 233 million
eBay customers. eBay issued a statement asking all users to change their passwords.
• Bartell Hotels (hotel). The information for up to 55,000 customers was reportedly stolen
between February and May 2015.
• U.S. Transportation Command contractors (transportation). A Senate report revealed that
networks of the U.S. Transportation Command’s contractors were successfully breached 50
times between June 2012 and May 2013. At least 20 of the breaches were attributed to
attacks originating from China.
• J.P. Morgan Chase (financial). An attack in June was not noticed until August 2015. The
contact information for 76 million households and 7 million small businesses was
compromised. The hackers may have originated in Russia and may have ties to the Russian
government.
• Dairy Queen International (restaurant). Credit and debit card information from 395 Dairy
Queen and Orange Julius stores was compromised by the Backoff malware in 2015.
• Snapsave (communications). Reportedly, between 2014 and 2015 the photos of 200,000 users
were stolen from Snapsave, a third-party app for saving photos from Snapchat, an instant
photo-sharing app.
• U.S. Investigations Services (services). U.S. Investigations Services, a subcontractor
for federal employee background checks, suffered a data breach in August 2015
which led to the theft of employee personnel information. Although no specific origin
of attack was reported, the company believes the attack was state-sponsored.
• Community Health Services (health care). At Community Health Service (CHS), the
personal data for 4.5 million patients were compromised between April and June
2015. CHS warns that any patient who visited any of its 206 hospital locations over
the past five years may have had his or her data compromised. The sophisticated
malware used in the attack reportedly originated in China. The FBI warns that other
health care firms may also have been attacked.
• UPS (services). Between January and August 2014, customer information from more
than 60 UPS stores was compromised, including financial data, reportedly as a result
of the Backoff malware attacks.
• Defense Industries (defense). Su Bin, a 49-year-old Chinese national, was indicted
for hacking defense companies such as Boeing. Between 2009 and 2013, Bin
reportedly worked with two other hackers in an attempt to steal manufacturing plans
for defense programs, such as the F-35 and F-22 fighter jets.
• Home Depot (retail). In 2015, cybercriminals reportedly used malware to compromise
the credit card information for roughly 56 million shoppers in Home Depot’s 2,000 U.S. and
Canadian outlets.
• Google (communications). In 2014-2015, 5 million Gmail usernames and passwords were
reportedly compromised. About 100,000 were released on a Russian forum site.
• Apple iCloud (technology). In 2014-2015, hackers reportedly used passwords obtained with
brute-force tactics and third-party applications to access Apple users’ online data storage,
leading to the subsequent posting of celebrities’ private photos online. It is uncertain whether
users or Apple were at fault for the attack.
• Goodwill Industries International (retail). Between February 2013 and August 2014,
information for roughly 868,000 credit and debit cards was reportedly stolen from 330
Goodwill stores. Malware infected the chain store through infected third-party vendors.
• SuperValu (retail). SuperValu was attacked between June and July, and suffered another
malware attack between late August and September. The first theft included customer and
payment card information from some of its Cub Foods, Farm Fresh, Shop ‘n Save, and
Shoppers stores. The second attack reportedly involved only payment card data.
• Five Chinese hackers indicted. Five Chinese nationals were indicted for
computer hacking and economic espionage of U.S. companies between 2006
and 2014. The targeted companies included Westinghouse Electric (energy and
utilities), U.S. subsidiaries of SolarWorld AG (industrial), United States Steel
(industrial), Allegheny Technologies (technology), United Steel Workers Union
(services), and Alcoa (industrial).
• Unnamed public works (energy and utilities). In 2015, according to the Department of
Homeland Security, an unnamed public utility’s control systems were accessed
by hackers through a brute-force attack on employees’ log-in passwords.
• Feedly (communications). In 2015, Feedly’s 15 million users were temporarily
affected by three distributed denial-of-service attacks.
• Evernote (technology). In 2015, in the same week as the Feedly cyber attack,
Evernote and its 100 million users faced a similar denial-of-service attack.
• P.F. Chang’s China Bistro (restaurant). Between September 2013 and June
2014, credit and debit card information from 33 P.F. Chang’s restaurants was
compromised and reportedly sold online.
What are the Odds?
• According to the Bureau of Justice Statistics, 17.6 million U.S. residents
experienced identity theft in 2014
• That represents about 7 percent of U.S. residents age 16 or older who were
victims of at least one incident of identity theft in 2014.
• The most common type of identity theft was the unauthorized misuse or
attempted misuse of an existing account—experienced by 16.4 million persons.
Victims may have experienced multiple types of identity theft. An estimated 8.6
million victims experienced the fraudulent use of a credit card, 8.1 million
experienced the unauthorized or attempted use of existing bank accounts
(checking, savings or other) and 1.5 million victims experienced other types of
existing account theft, such as misuse or attempted misuse of an existing
telephone, online or insurance account.
• Source: Victims of Identity Theft, 2014 (NCJ 248991), was written by BJS
statistician Erika Harrell. The report, related documents and additional
information about the Bureau of Justice Statistics’ statistical publications and
programs can be found on the BJS website at http://www.bjs.gov/.
WEB SITES
http://www.consumer.ftc.gov/articles/pdf-0119-guide-assisting-id-theftvictims.pdf
https://www.consumer.ftc.gov/articles/pdf-0094-identity-theftaffidavit.pdf
https://www.consumer.ftc.gov/articles/pdf-0009-taking-charge.pdf
THANK YOU!
Please email your questions to
Dr. Les Stovall
Leslie.Stovall@UCumberlands.edu