Information compromise or a security breach that could lead to civil or criminal liability on the part of an organization is grouped under legal and regulatory issues. For example, if an attacker intrudes into a system, obtains Personally Identifiable Information (PII), and publishes it on an Internet portal, the liability for failing to protect that information falls on the organization.
The following list of issues may have legal or regulatory ramifications.
A computer crime is a fraudulent or otherwise illegal activity perpetrated against, or by means of, computer or IT systems. The motivation may be financial gain, competitive advantage, popularity, fame, or simply the thrill of it.
In computer crime, the term computer refers to the role the computer plays in the offense: the crime may be committed against a computer (the computer as target), committed using a computer (the computer as tool), the computer may be merely incidental to the crime (for example, it holds records of it), or any combination of the three.
The following paragraphs describe some common computer crimes. Remember that a compromise of confidentiality, integrity, or availability (CIA) is the end result of each of them.
Fraud is the manipulation of computer records, through techniques such as data diddling or salami slicing, or the deliberate circumvention of computer security controls, such as cracking or unethical hacking, for monetary gain.
Data diddling is the malicious alteration of data at the input or processing stage of a program in order to obtain a financial gain. Salami slicing, also known as penny shaving, is the practice of regularly siphoning off very small amounts of money (for example, the fractional cents left over when interest is rounded) so that the theft goes unobserved.
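The following example is added here to illustrate salami slicing and the check that catches it; it is not code from the book. It builds a constructed master file of savings balances and an assumed 3.75% annual rate, posts one month's interest twice (honestly, rounding to the cent, and fraudulently, truncating each credit and sweeping the shaved remainders into a mule account "A-9999" that is absent from the master file), then audits each batch by independently recomputing what every account should have received. Account numbers, the rate, and the mule account are all hypothetical.

```python
from collections import namedtuple
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

CENT = Decimal("0.01")
RATE = Decimal("0.0375")          # assumed annual rate, constructed for this example

Posting = namedtuple("Posting", "account amount")


def build_accounts(n=500):
    """Constructed master file: n balances, generated deterministically so the run repeats."""
    return {f"A-{1000 + i}": Decimal((i * 7919) % 100000) / 100 + 100 for i in range(n)}


def monthly_interest(balance):
    """Exact (unrounded) interest for one month; rarely a whole number of cents."""
    return balance * RATE / 12


def post_interest_honest(accounts):
    """Legitimate batch: each credit is rounded to the nearest cent (banker's rounding)."""
    return [Posting(a, monthly_interest(b).quantize(CENT, rounding=ROUND_HALF_EVEN))
            for a, b in accounts.items()]


def post_interest_salami(accounts, mule="A-9999"):
    """Hypothetical fraudulent batch: truncate every credit instead of rounding it,
    and sweep the shaved sub-cent remainders into a mule account not in the master file."""
    postings, shaved = [], Decimal(0)
    for a, b in accounts.items():
        exact = monthly_interest(b)
        kept = exact.quantize(CENT, rounding=ROUND_DOWN)   # customer loses up to 0.99 cent
        shaved += exact - kept
        postings.append(Posting(a, kept))
    postings.append(Posting(mule, shaved.quantize(CENT, rounding=ROUND_DOWN)))
    return postings


def audit_postings(accounts, postings):
    """Independent recomputation check on a posting batch. Returns the control-total
    gap, every account credited something other than the recomputed amount, and any
    payee that does not exist in the master file."""
    expected = {a: monthly_interest(b).quantize(CENT, rounding=ROUND_HALF_EVEN)
                for a, b in accounts.items()}
    mismatched, unknown, posted_total = [], [], Decimal(0)
    for p in postings:
        posted_total += p.amount
        if p.account not in accounts:
            unknown.append(p)
        elif p.amount != expected[p.account]:
            mismatched.append((p.account, expected[p.account], p.amount))
    gap = sum(expected.values(), Decimal(0)) - posted_total
    return {"control_gap": gap, "mismatched": mismatched, "unknown_payees": unknown}


if __name__ == "__main__":
    accts = build_accounts()
    for label, batch in (("honest", post_interest_honest(accts)),
                         ("salami", post_interest_salami(accts))):
        r = audit_postings(accts, batch)
        print(f"{label}: control gap {r['control_gap']}, "
              f"{len(r['mismatched'])} accounts short by a cent, unknown payees {r['unknown_payees']}")
```

The point the run makes is that a control total on its own does not expose the fraud: the mule's credit almost exactly offsets the customers' shortfall, so the batch balances to within a couple of dollars. What exposes it is recomputing each credit from the source balance and rate and flagging any payee that is not in the master file, which is the reconciliation a practitioner should build into the posting job rather than the month-end totals.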
Hacking refers to the discovery of vulnerabilities, holes, or weaknesses in computer software and associated IT systems, either to exploit them or to improve security and prevent intentional fraud. Hackers are the people who carry out hacking. Hacking is therefore classified under different names to distinguish the objective:
Identity theft is the stealing of someone's identity with the intention of impersonating that person to commit fraud. Stealing passwords, login credentials, and credit card information are examples of identity theft.
Intellectual property theft is the stealing of software code, designs, or other proprietary information for financial gain.
Malware is malicious software designed to compromise, damage, or otherwise affect the normal functioning of computers, gain unauthorized access, collect private and sensitive information, and/or corrupt data.
Writing or spreading malware is a computer crime. Viruses, worms, Trojan horses, and spyware such as key loggers are examples of malware and are explained as follows:
Social engineering is a type of non-intrusive attack in which people are tricked into circumventing security controls. Phishing is a social engineering attack, and Cross Site Request Forgery (CSRF) commonly relies on social engineering to lure a logged-in user onto a page that issues forged requests on that user's behalf. More details about CSRF are covered in Chapter 6, Day 6 – Security Engineering - Security Design, Practices, Models and Vulnerability Mitigation.
Criminal activities perpetrated using communication networks, such as the Internet, telephone, wireless, satellite, and mobile networks, are called cyber crimes:
More details about botnets are covered in Chapter 6, Day 6 – Security Engineering - Security Design, Practices, Models and Vulnerability Mitigation.
Making and digitally distributing child pornography is a cyber crime.
Digitally distributing or storing copyrighted material belonging to others without the copyright owner's explicit permission is a cyber crime.
Using e-mail to disrupt services, to send unsolicited commercial e-mail (spam), or to induce users to perform actions that lead to the theft of information or money falls under cyber crime.
Following are examples of such crimes:
Many countries impose import and export restrictions on encryption technology. For example, encryption items specifically designed, developed, configured, adapted, or modified for military applications, or for command, control, and intelligence applications, are generally controlled under munitions lists.
The transfer of computerized data across national borders, states, or political boundaries is termed transborder data flow. The data can be personal, business, technical, or organizational. The legal issues that arise from such transfers relate to the ownership and permitted use of the data.
By definition, a data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual who is not authorized to do so. It can also result from unintentional information disclosure, a data leak, or a data spill.
A data breach can result from hacking (unauthorized access), organized crime, negligence in the disposal of media, and so on.
Because a data breach is a security incident that affects the individuals whose data is exposed, many jurisdictions have passed data breach notification laws.
In the United States, data breach laws are categorized as security breach laws. The National Conference of State Legislatures (NCSL) describes the provisions of such laws as follows:
Security breach laws typically have provisions regarding who must comply with the law (e.g. businesses, data/information brokers, government entities, and so on); definitions of "personal information" (e.g. name combined with SSN, driver's license or state ID, account numbers, and so on); what constitutes a breach (e.g. unauthorized acquisition of data); requirements for notice (e.g. timing or method of notice, who must be notified); and exemptions (e.g. for encrypted information).