29 Cards in this Set
3 categories of Law
- Criminal: the government makes the case
- Civil: individual parties bring cases forward
- Administrative: since civil and criminal law do not lay out rules for EVERY situation, the executive branch enacts administrative law in the form of policies, procedures and regulations

Comprehensive Crime Control Act (CCCA)
- Enacted in 1984
- Predecessor to the CFAA
- Made it criminal to:
  - access classified information
  - access a federal system without authorization
  - use a federal system for fraud
  - cause malicious damage to federal systems
  - traffic in federal computer passwords

Computer Fraud and Abuse Act (CFAA)
- CCCA was amended by the CFAA in 1986
- Expanded application of the CCCA to:
  - Any computer used exclusively by the US government
  - Any computer used by a financial institution
  - Any computer used by the feds or finance that impacts government use of the system
  - Any set of computers used to commit crime that are not located in the same state

CFAA 1994 Amendments
Known as the 'Computer Abuse Amendments Act of 1994'
- Outlaws creation of malicious code that could damage a computer
- Modified the CFAA to cover any computer used in interstate commerce (not just 'federal interest' systems)
- Increases penalties for offenders by allowing imprisonment
- Allows victims of computer crime to pursue civil action / compensation for damages

Computer Security Act
CSA was enacted in 1987
- Mandates baseline security requirements for federal agencies
- Gives NIST responsibility to develop standards for federal systems
- NSA retains responsibility for 'classified' systems
- Requires security plans for all federal systems with sensitive data
- Requires periodic training for users of systems that process federal data (like contractors)

Federal Sentencing Guidelines
Released in 1991, these guidelines help federal judges interpret computer crime laws. Includes:
- 'Prudent man' rule: requires execs to take personal responsibility for due care
- Businesses and execs can minimize punishment by demonstrating 'due diligence'
- Burden of proof for negligence:
  - Legally recognized obligation
  - Individual must have failed to comply with recognized standards
  - Causal relationship between the negligent act and subsequent damages

National Infrastructure Protection Act
Enacted in 1996
- Amends the CFAA (again)
- Broadens CFAA to cover systems used in international commerce
- Extends protections to other parts of the national infrastructure (like gas lines, electric grids, telecom circuits)
- Treats intentional or reckless acts that damage critical infrastructure as a felony

Paperwork Reduction Act
Enacted in 1995
- Requires agencies to get OMB approval before requesting most types of data from individuals
- Things like forms, interviews, record keeping requirements and other things like that fall under this rule
- Amended by GISRA

Government Information Security Reform Act
Enacted in 2000
- Amends the Paperwork Reduction Act
- Provides a comprehensive framework for adding and ensuring effectiveness of controls
- Ensures inter-agency interoperability is not adversely affected
- Provides government-wide management and oversight for InfoSec risks
- Specifies minimum controls to protect systems
- Improves oversight of agency InfoSec programs

GISRA Mission Critical Systems
GISRA (passed in 2000) creates a new category of computer system:
- Defined as a national security system by law
- Protected by P&Ps around classified info
- Loss, misuse, disclosure or unauthorized access to data a system possesses would have a debilitating impact on the mission of an agency

Federal Information Security Management Act
FISMA was enacted in 2002 and mandates the following InfoSec elements:
- Periodic assessments of risk
- P&Ps that are based on risk assessments
- Subordinate plans for networks, systems and facilities
- Security awareness training
- Periodic testing of InfoSec policies
- Process for planning, reporting and responding to security incidents
- Plans and procedures for business continuity

Copyright
Protection is granted even if a copyright isn't formally registered. Defaults to the creator of the work unless it is a 'work for hire' (created for an employer during the normal course of the employee's workday).

Trademark
If you use a trademark for public activities, you are automatically protected and can use the (TM) symbol. Registered trademarks use the (R) symbol. You can register trademarks that you aren't using at the moment but have an intention of using.

Trade Secrets
To preserve trade secret status, you must implement adequate protective controls within your organization. NDAs would be a part of this.

Espionage Act of 1996
Anyone found guilty of stealing trade secrets from a US corporation with the intention of benefiting a foreign power can be fined up to $500k and be jailed for 15 years. Anyone found guilty of stealing trade secrets for other reasons can be fined up to $250k and jailed for up to 10 years.

Uniform Computer Information Transactions Act
If passed:
- gives legal backing to the questionable practice of shrink-wrap licensing and click-wrap licensing
I hope this doesn't pass! A contract should require an understanding between parties to be valid!

Privacy Act of 1974
Severely limits the ability of federal agencies to disclose private information to other people or agencies without prior written consent of the affected individuals. Exceptions:
- law enforcement
- health and safety
- court orders

Electronic Communications Privacy Act
Enacted in 1986
- Makes it a crime to invade the electronic privacy of an individual
- Broadened the federal wiretap act to apply to any illegal interception of electronic communications
- Prevents providers of services from making unauthorized disclosures of data

Communications Assistance for Law Enforcement (CALEA) of 1994
- Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order

Economic and Protection of Proprietary Information Act of 1996
- Extends the definition of 'property' to include information
- Changed the legal definition of theft so that it is no longer restricted by 'physical constraints'

Health Insurance Portability and Accountability Act of 1996
- Changed laws as they pertain to health insurance and health maintenance organizations (HMOs)
- Includes privacy and security regulations
- Requires strict security measures for hospitals, physicians, insurance companies and other organizations that process, handle or store private medical information about individuals

Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009
- Updates HIPAA's privacy and security requirements
- Requires a written agreement between healthcare organizations and 'business associates'
- 'Business associates' are directly affected by HIPAA and its enforcement actions
- Data breach notification requirements

Children's Online Privacy Protection Act of 1998
- Websites must have a clearly posted privacy notice
- Parents must be able to review information collected about their children
- Parents must consent to collection of data for children under 13

Gramm-Leach-Bliley Act of 1999
- Relaxed regulations around services that financial institutions could provide
- Includes a number of limitations on the types of information that can be exchanged (even among subsidiaries)
- Requires written privacy policies

Federal Educational Rights and Privacy Act
Affects any educational institution that accepts federal funding.
- Grants privacy rights to students older than 18 and parents of minor students
- Right to inspect any educational records
- Right to request correction of records
- Schools may not release PII without written consent in most circumstances

Identity Theft and Assumption Deterrence Act
Before this law, the only legal 'victims' of identity theft were the creditors who were defrauded. Identity theft is now a crime against an individual, and perpetrators could get a 15-year prison term and a fine of up to $250k.

European Union Privacy Law
Before collection, requires one of:
- Consent
- Contract
- Legal obligation
- Vital interest of the data subject
- Balance of interests of data holder and subject
Rights:
- Right to access the data
- Right to know the data's source
- Right to correct inaccurate data
- Right to withhold consent in some cases
- Right of legal action should rights be violated

Safe Harbor
If a European company wants to use US-based data processors, the US company can try for 'safe harbor' status. 7 requirements apply:
- Notice (inform individuals of collection and use)
- Choice (allow them to opt out, or require opt-in)
- Onward Transfer (recipient has to be safe harbor)
- Access (individuals are granted access to any records kept)
- Security (proper controls in place)
- Data Integrity
- Enforcement (a dispute resolution process must be made available)
