Note: Page numbers followed by f or t indicate material in figures or tables, respectively.
A
AAFS. See American Academy of Forensic Sciences
ABA. See American Bar Association
abuse and neglect, 152
ACA. See Affordable Care Act of 2010
acceptable use case study, 380–382
acceptable use policy (AUP), 368–372, 402
acceptance, 287, 289–291, 297–298
access contingency plans, 164
access control standard, 166–167
access to education record, 130–131
AccessData Certified Examiner (ACE), 425
accidental threats, 12
accountability principle, 44
ACE. See AccessData Certified Examiner
ACPA. See Anti-Cybersquatting Consumer Protection Act
Act of Congress, defined, 67
active data collection, 57
acts of God, 12
actus reus, 320
administrative procedure, 77
Administrative Procedures Act (APA), 208
administrative safeguards, 15, 17t, 162–164, 165t
Administrative Simplification provisions, 145
admissible evidence, 426, 439–442
advertising for service contracts, 307
adware, 45
affidavit, 264
affiliated party, 99
Affordable Care Act of 2010 (ACA), 145
agency information security programs, 204–206
AICPA. See American Institute of Certified Public Accountants
Alabama Court of Appeals, 259
A-I-C triad, 354
ALE. See annualized loss expectancy
ALI. See American Law Institute
A&M Records, Inc. v. Napster, 279
amendment of education records, 131
American Academy of Forensic Sciences (AAFS), 431
American Bar Association (ABA), 304, 425
American Institute of Certified Public Accountants (AICPA), 190
American Law Institute (ALI), 286
American legal system, 64–72, 74
Analyst Conflicts of Interest (Title V), 182
annual notification, 130
annual rate of occurrence (ARO), 398
annualized loss expectancy (ALE), 398
answer, 338
Anti-Cybersquatting Consumer Protection Act (ACPA), 267, 332
anti-harassment policies, 372–373, 380
antivirus programs, 422
APA. See Administrative Procedures Act
appeal, 70
appellate jurisdiction, 68, 69
appropriation of likeness or identity tort, 42
architectural works, 268
Arizona law, 238
ARO. See annual rate of occurrence
arraignment, 324
assigned security responsibility standard, 163
Assumption of Risk defense, 337
attendance, 129
audit committee, 195
audit controls standard, 167
Auditor Independence (Title II), 182
AUP. See acceptable use policy
Authors Guild, 280
B
backdoors, 22
backup site options, 411
balance, 354
balance sheet, 180
bank examiner, 95
Bank Secrecy Act of 1970, 89
BC. See business continuity plans
behavioral notes, 130
bench trials, 339
Berne Convention, 271
best evidence rule, 442
beyond a reasonable doubt, 76
BIA. See business impact analysis
biometric data, 34
BIS. See Bureau of Industry and Security
blog, 33
board of directors (BOD), 356–357, 360, 365, 366
BOD. See board of directors
boilerplate terms, 307
breach activities, 230
breach notification, 232
breach notification laws, 217, 226, 230–234
breach notification policy, 217
breach notification provisions, 160–161
breach notification regulations, 227–234
Brown v. Board of Education (1954), 78, 79
burden-of-proof hierarchy, 77f
Bureau of Industry and Security (BIS), 219
business associate contracts standard, 164
business associates, 147
business associate’s agreement, 307
business continuity (BC) plans, 205, 388, 407–412, 412f
business impact analysis (BIA), 409
business personnel, 391
business planning hierarchy, 355f
C
Cable Communications Policy Act (1984), 40
California Breach Notification Act, 228–230
California Consumer Privacy Act (CCPA), 238
California law, 230, 232, 238–239
California Office of Privacy Protection, 41
Cambridge Analytica, 51
capacity online, legal, 297
cardholder data, 107
case law, 38, 73. See also common law
causation, 320
CCE. See Certified Computer Examiner
CCFE. See Certified Computer Forensics Examiner
CCL. See Commerce Control List
CCPA. See California Consumer Privacy Act
censorship, 118
Census Confidentiality law (1952), 39–40
central incident response center, 211–212
certification under SOX, 187–191
Certified Computer Examiner (CCE), 424
Certified Computer Forensics Examiner (CCFE), 424
Certified Forensic Computer Examiner (CFCE), 424
certified public accountants (CPAs), 184
CFAA. See Computer Fraud and Abuse Act of 1984
CFCE. See Certified Forensic Computer Examiner
CFPB. See Consumer Financial Protection Bureau
chain of custody, 427
checklist test, 413
checksum, 430
chief information officer (CIO), 357
chief information security officer (CISO), 206, 357
chief technology officer (CTO), 357
Child Online Protection Act (COPA), 120
child privacy, 119
children on the Internet, 116–119
Children’s Internet Protection Act (CIPA), 27t, 115, 124–128
Children’s Online Privacy Protection Act (COPPA), 27t, 115, 119–124, 297
ChoicePoint data breach, 226–227
choreographic works, 268
CIO. See chief information officer
CIPA. See Children’s Internet Protection Act
circuit court, 136
“Circumvention of Technological Protection Measures”, 275
CISO. See chief information security officer
City of Ontario v. Quon, 56
civil law, 238
claim, 257
cloud computing, 308–309, 308f
CNSS. See Committee on National Security Systems
COBIT. See Control Objectives for Information and related Technology
COBRA. See Consolidated Omnibus Budget Reconciliation Act of 1986
code analysis, 422
code law, 74
Code of Federal Regulations, 218
cold site, 411
collection limitation principle, 43
collection step of investigation, 427–429
Colorado law, 232
Commerce Control List (CCL), 219
commerce, use of trademark in, 262
Commission Resources and Authority (Title VI), 182
Committee of Sponsoring Organizations (COSO), 188–190
Committee on National Security Systems (CNSS), 213
communicable diseases, vital statistics and, 151–152
communication, information and, 189
communications constitute, 290
Communications Decency Act (1996), 342
communications laws, interception of, 330
comparative negligence defense, 337
compensatory damages, 293, 337
competitive edge, 25
complaint, 338
complete performance, 292
compliance, 80–81, 366, 414, 414t
compliance risks, 14
composition of matter, 253
computer crimes. See cyber crimes
computer forensic examiner, 423–425
computer forensics, 420–422, 422f
Computer Fraud and Abuse Act of 1984 (CFAA), 326–327, 328t
computer-generated records, 439
Computer Maintenance Competition Assurance Act, 274, 277
Computer Security Act (CSA), 194, 203
computer systems, 421
computer use monitoring, 54–55
computer worm, 21
concurrent jurisdiction, 68, 69
conduit defense, 276
conference committee, 66
confidential documents as confetti, 244
conflicts of interest, 195, 392
congress, 65
Congressional Research Service, 235
consent, 433
consent exception, 437
consequential damages, 293
Consolidated Omnibus Budget Reconciliation Act of 1986 (COBRA), 144
consumer, 98
consumer compliance task force, 95
consumer financial information, 87, 90
Consumer Financial Protection Bureau (CFPB), 96
consumer goods, 90
consumer services, 90
contingency planning, 164, 388, 401–414, 414t
continuity of operations, 205
continuous monitoring, 390, 401
contract law issues, emerging, 307–311
contract legality, 288
contract of adhesion, 301
contract repudiation, 294
contract types in cyberspace, 301–306
contracting parties, 307
contracting principles, 286–294
contracts, 23–24, 286, 310, 311
contracts as regulators of behavior, 306–307
contractual capacity, 287
contractual performance, 292–294
contributory negligence defense, 337
control activities, 189
control documentation, 398–400
control environment, 189
Control Objectives for Information and related Technology (COBIT), 192
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, 330–331, 346
controls, 15
COPA. See Child Online Protection Act
COPPA. See Children’s Online Privacy Protection Act
Corporate and Criminal Fraud Accountability (Title VIII), 182
Corporate Fraud and Accountability (Title XI), 182
corporate fraud at Enron, 176–179
corporate information privacy issues, 195–196
corporate responsibility (Title III), 182
Corporate Tax Returns (Title X), 182
corrective safeguards, 17
COSO. See Committee of Sponsoring Organizations
counteroffers, 289
county recorder’s office, 236, 237
“court of last resort”, 69
covered accounts, 103
covered entities, 145–146, 147
CPAs. See certified public accountants
credit unions, 93
crime reporting, 415
criminal history data, 34
criminal laws in cyberspace, 326–334
criminal procedure, 76–77, 323–325
critical business processes, 409, 410
criticism for service contracts, 307
cryptographic key management practices, 242
cryptography, 5
CSA. See Computer Security Act
CTO. See chief technology officer
customer, distinct from consumer, 98
CVS pharmacies, 169
Cyber Monday, 374
cybercrimes, 318, 326, 333–334
CyberScope, 206
cyberspace, contracts types in, 301–306
cyberwar, 203
D
data breach law, 217
data centers, 23
data definition and use, 310
data destruction policies, 374–375
data disposal regulations, 242–244
data privacy, 214
data protection standard, 239–241
data protection terms, 310–311
data quality principle, 43
data recovery, 411
data recovery firms, 421
data retention policies, 375–376
Data Security Standard (DSS), 107–108, 109t, 234–236
data-specific security and privacy regulations, 234–239
data storage devices, 242
data use, 306
DDoS. See distributed denial of service attack
Deal v. Spears (1992), 53
deceptive trade practices, 96
decision tree, breach notification, 234f
defamation, 42, 341–342, 346–347
deliberate threats, 13
denial of service (DoS) attack, 9, 22–23
denial of service (DoS) category, 405
Department of Health and Human Services (HHS), 147, 151, 167, 170
depositor, 92
derivative work, 269
descriptive trademarks, 264
design patents, 253
detective controls, 17
device and media controls standard, 166
dictionary attacks, 378
digital collections, 280
digital evidence, 421, 425–431
Digital Millennium Copyright Act (DMCA), 274–278
digital rights management (DRM), 274
digital signature, 301
Digital Wild West, 250
digitized signature, 301
dilution case, trademark, 266
directory information, 132
disaster, 407
disaster recovery (DR) plans, 388, 407–412, 412f
discharged, 292
disclosure, 132–133, 148, 154–155
disclosure controls, 187, 188f
disclosure of education records, 131–132
distinctive trademark, 261, 264
distributed denial of service (DDoS) attack, 22
district courts, 69
diversity of citizenship jurisdiction, 69
dividends, 177
DMCA. See Digital Millennium Copyright Act
docket, 35
doctrine of precedent, 78
document retention under SOX, 185–187
documentation of controls, 398–400
domain name registrars, 267
DoS. See denial of service attack
DoS. See denial of service category
Dow Chemical Co., 373
DR. See disaster recovery plans
dramatic works, 268
drawings for patent, 256
Driver’s Privacy Protection Act (1994), 40
DRM. See digital rights management
DSS. See Data Security Standard
dumpster diving, 49
duty of due care, 335
duty to mitigate, 293
E
ECPA. See Electronic Communications Privacy Act of 1986
ED. See U.S. Department of Education
EDGAR. See Electronic Data Gathering and Retrieval database
education records, 129, 130–132
educational purposes, fair use for, 273
E-Government Act of 2002, 39, 215–217
EHR. See electronic health record
Electronic Communications Privacy Act of 1986 (ECPA), 39, 330, 432, 436
electronic contracts, 295, 296
electronic data, 340
electronic data collection, 435–439
Electronic Data Gathering and Retrieval (EDGAR) database, 196–197
electronic discovery, 340
electronic health record (EHR), 156, 161
electronic protected health information (EPHI), 161
electronic record, 296
electronic signature, 301
Electronic Signatures in Global and National Commerce (E-SIGN) Act, 296
electronically stored information (ESI), 340
email communications, 298
email, contract formation via, 312–313
employee environment support, 411
employee privacy rights, 56–57
employee’s personal computer, monitoring, 55
EnCase Certified Examiner (EnCE), 424
EnCE. See EnCase Certified Examiner
encryption, 6
encryption keys, 232, 241, 242, 428–429
encryption regulations (states), 239–242
encryption requirements, 232, 241
end user license agreement (EULA), 302
enforcement, 300
Enhanced Financial Disclosures (Title IV), 182
Entertainment Software Rating Board (ESRB), 117
E-passport, 47
EPHI. See electronic protected health information
equitable remedy, 293
E-Rate program, 125
ESI. See electronically stored information
ESRB. See Entertainment Software Rating Board
E.U. See European Union
EULA. See end user license agreement
European Union (E.U.), 59
evaluation standard, 164
evidence silver platter doctrine, 433
examination of a bank, 95
examination step of investigation, 429–430
examiner education task force, 95
exculpatory evidence, 439
executive branch, 67
executive management, 392, 398, 401
Executive Order, 212
exigent circumstances, 435
existence, 300
exploits, 11
export control regulations, types of, 218
exposure factor, 395
external attackers, 8
F
facilities recovery, 410
facility access controls standard, 164
FACTA. See Fair and Accurate Credit Transaction Act of 2003
failure to notify penalties, 232–233
Fair and Accurate Credit Transaction Act of 2003 (FACTA), 103
Fair Credit Reporting Act of 1970 (FCRA), 99
fair information practice principles, 43
Family Educational Rights and Privacy Act (FERPA), 27t, 115, 128–134
Family Policy Compliance Office (FPCO), 133
FCC. See Federal Communications Commission
FCRA. See Fair Credit Reporting Act of 1970
FDIC. See Federal Deposit Insurance Corporation
federal agency employee, 215
federal and state judicial systems, comparison of, 72t
federal banking regulatory agencies, 91t
federal breach notification law, 217, 234
federal circuit, 69
Federal Communications Commission (FCC), 48, 126, 128
Federal Deposit Insurance Corporation (FDIC), 91t, 92
Federal Financial Institutions Examination Council (FFIEC), 95
federal government, 64–70, 358–359
Federal incident response (IR) center, 212
Federal Information Processing Standards (FIPS), 207, 242
Federal Information Security Management Act (FISMA), 194, 358, 380
Federal Information Security Modernization Act (FISMA), 204–213, 391
federal information systems, 214–219
Federal Information Systems Management Act, 27t, 414t
federal information technology (IT) systems, 202
federal legislation, 235
federal question jurisdiction, 69
federal registration symbol, 261
Federal Rules of Criminal Procedure, 76
Federal Rules of Evidence (FRE), 439
Federal Trade Commission (FTC), 51, 80, 96–97, 102, 109–110, 116, 119, 124, 135, 169–170, 227, 297, 329, 346
Federal Trade Commission Red Flags Rule, 103–106, 106t
federalism, 65
fees for service contracts, 306
felonies, 319
FERPA. See Family Educational Rights and Privacy Act
FFIEC. See Federal Financial Institutions Examination Council
Fifth Amendment (U.S. Constitution), 37
filing fees for patent, 256
financial information, 34
financial risks, 14
FIPS. See Federal Information Processing Standards
First Amendment (U.S. Constitution), 36, 118
first-party cookies, 45
“first to invent” rule, 252
FISMA. See Federal Information Security Management Act
FISMA. See Federal Information Security Modernization Act
flaming, 341
FOIA. See Freedom of Information Act of 1966
forensic duplicate image, 429–430
forensic examination ethical principles, 431
Forensic Toolkit, 424
forensics, 421
form of offer, 288–289, 297–299
Fourth Amendment (U.S. Constitution), 37, 432–435
FPCO. See Family Policy Compliance Office
FRE. See Federal Rules of Evidence
Free Enterprise Fund, 186
Freedom of Information Act of 1966 (FOIA), 35, 38
fruit of the poisonous tree doctrine, 439
FTC. See Federal Trade Commission
full interruption test, 414
futures contract, 178
G
GAAP. See generally accepted accounting principles
GAIT. See “Guide to the Assessment of IT Risk”
GAO. See Government Accountability Office
GAO high-risk web site, 359
Gartner, Inc., 309
GCFA. See GIAC Certified Forensic Analyst
GDPR. See General Data Protection Regulation
General Data Protection Regulation (GDPR), 59
generally accepted accounting principles (GAAP), 178, 185
Genetic Information Nondiscrimination Act of 2008, 145
genetic testing, 145
GIAC. See Global Information Assurance Certification
GIAC Certified Forensic Analyst (GCFA), 424
Gideon v. Wainwright (1963), 325
GIF. See Graphics Interchange Format
GLBA. See Gramm-Leach-Bliley Act
GLBA. See Gramm-Leach-Bliley Act Safeguards Rule
Global Information Assurance Certification (GIAC), 336
global positioning system (GPS) technology, 48–49
good faith, 262
Government Accountability Office (GAO), 359
GPS. See global positioning system technology
Gramm-Leach-Bliley Act (GLBA), 26, 27t, 97–103, 196, 231, 307, 376, 414t
Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, 240, 243
grand jury, 324
Graphics Interchange Format (GIF), 46
Griswold v. Connecticut (1965), 37
“Guide to the Assessment of IT Risk” (GAIT), 190, 192–193
H
Hammer v. Amazon.com (2005), 341
harmful content, 118
hash, 430
HathiTrust, 280
health information, 34, 141–143
Health Information Technology for Economic and Clinical Health Act (HITECH), 144, 147, 156
Health Insurance Portability and Accountability Act (HIPAA), 26, 27t, 143–170, 196, 217, 231, 307, 375, 414t
health plan, 146
healthcare operations, 149–150
healthcare provider, 146
hearsay rule, 441
HHS. See Department of Health and Human Services
high-impact system controls, 211t
high-level policies, 360
high security category, 210
HIPAA. See Health Insurance Portability and Accountability Act
Hippocratic Oath, 141
HITECH. See Health Information Technology for Economic and Clinical Health Act
hot site, 411
human resources personnel, 392
human threats, 12
hung jury, 325
I
IACIS. See International Association of Computer Investigative Specialists
ICANN. See Internet Corporation for Assigned Names and Numbers
ICFR. See internal controls over financial reporting
identification number, 34
identification of children, 117
identity theft, 49, 81, 87, 329
Identity Theft Prevention Program, 104
IEC. See International Electrotechnical Commission
IFRS. See International Financial Reporting Standards
IG. See inspector general
IIED. See intentional infliction of emotional distress
illegal contract, 288
“I Love You” worm, 369
IM. See instant messaging
implementation specifications, 162–168
improper use category, 405
inadmissible evidence, 426
inadvertent disclosures, 158
incident handlers, 404
incident reporter, 404
incident response (IR), 205, 388, 402–407, 407f
incidental disclosures, 158
incomplete performance, 292
inculpatory evidence, 439
independent directors, 195
Indiana law, 232
indictment, 324
individual participation principle, 44
individual rights under the Privacy Rule, 155–156
industry sector, 23
information access management standard, 163
information security, 3–27, 35, 81–82
information security governance (ISG), 353–382, 358t
information security governance (ISG) documents, 359–367
information security management (ISM), 357, 358t
information security managers, 392
information security policies, 363–380
information security professionals, 183
information security program, 101, 240
information security terms, contracts, 309–311
information sharing, 50
information sharing task force, 95
informed consent, 154
infringement of copyright, 271–272, 276–277
infringement of patent, 257–258
infringement of trademarks, 265–266
initial hearing, 324
injunction, 45
inspector general (IG), 206, 207
Inspector General Act of 1978, 207
instant messaging (IM), 298
integrity controls standard, 167
intellectual property (IP), 250–251, 377
intentional infliction of emotional distress (IIED), 343–344
interception of communications laws, 330
internal attackers, 13
internal controls over financial reporting (ICFR), 188, 190
internal controls under SOX, 188–191, 188f, 190t
International Association of Computer Investigative Specialists (IACIS), 423
International Electrotechnical Commission (IEC), 18, 193–194, 358
International Financial Reporting Standards (IFRS), 185
International Information Systems Security Certification Consortium (ISC)², 336
International Organization for Standardization (ISO), 18, 193–194, 358
International Organization on Computer Evidence (IOCE), 423, 431
international patents, 255
international privacy laws, 59
International Traffic in Arms Regulation (ITAR), 218
Internet browsers, 46
Internet Corporation for Assigned Names and Numbers (ICANN), 267
Internet Crime Complaint Center (IC3), 326
Internet defamation, 341
Internet e-commerce, 261
Internet of Things (IoT), 250
Internet safety policy, 127
Internet Service Provider Liability for Torts, 342–343
Internet service providers (ISPs), 33, 126, 274, 276, 343, 436
Interstate Communications Act, 333
Interstate Stalking and Prevention Act, 333
intoxicated person, 288
intrusion, 329
inventory search, 435
investigation category, 405
investigative process, 426–431
IOCE. See International Organization on Computer Evidence
IoT. See Internet of Things
IP. See intellectual property
IP interest, 251
IR. See Federal incident response center
IR. See incident response
(ISC)². See International Information Systems Security Certification Consortium
ISG. See information security governance
ISG. See information security governance documents
ISM. See information security management
ISO. See International Organization for Standardization
ISPs. See Internet service providers
IT. See federal information technology systems
IT operations, 411
IT personnel, 392
ITAR. See International Traffic in Arms Regulation
J
job lock, 143
judicial branch, 67
judicial review, 70
jurisdiction, 67, 295, 321–323
K
Katz v. United States (1967), 37
keys, 242
Kundra, Vivek, 202
L
landmark court decision, 78
Lanham Act, 261
law enforcement, 229
least privilege, 16
legal capacity online, 297
legal duties, 23
legal entities, 251
legal requirements, contract, 311
legalese vs. plain language, 364
legislative history, 237
libel, 341
Library of Congress, 275
likelihood, 394–398. See also exposure factor
limited jurisdiction, 68
liquidated damages, 293
literary works, 268
loathsome diseases, 342
Locard’s exchange principle, 423
logical safeguards. See technical safeguards
“long arm jurisdiction” tests, 343
“Love Bug” worm, 369
low-impact system controls, 211t
low security category, 210
M
machine, 252
machine-readable privacy policy, 216–217
Mail Privacy Statute (1971), 40
mailbox rule, 290
Mala in se, 319
Mala prohibita, 319
malicious code category, 405
malicious information security acts, 332–333
manufactured products, 252–253
MAO. See maximum acceptable outage
Massachusetts data protection laws, 239–241
material change, 159
material term, 290
maximum acceptable outage (MAO), 410
maximum tolerable downtime (MTD), 410
media analysis, 422
medical identity theft, 140–141
meeting of the minds, 291
Melissa virus, 333
mens rea, 320
MIB Group, Inc., 142
military uses, 420
Miller test, 119
minimum necessary rule, 155
Minnesota Credit Union Network, 236
Minnesota law, 235
Minnesota Plastic Card Security Act, 236
minor child, 148
mirror image rule, 289
mirrored site, 411
misdemeanors, 319
Model Privacy Notice Form, 100–101f
moderate-impact controls, 211t
moderate security category, 210
motion picture and audiovisual works, 268
MTD. See maximum tolerable downtime
musical works, 268
mutual agreement, 291
MyDoom computer worm, 22
N
NASA v. Nelson (2011), 38
National Conference of Commissioners on Uniform State Laws (NCCUSL), 286, 296
National Credit Union Administration (NCUA), 91t, 93–94
National Credit Union Share Insurance Fund (NCUSIF), 93
National Cybersecurity and Communications Integration Center (NCCIC), 212
National Institute of Standards and Technology (NIST), 18, 25, 194, 204, 207–211, 213, 242, 380
National Institutes of Health (NIH), 202
national security information, 25–26
national security systems (NSSs), 204, 212–213
National Vulnerability Database (NVD), 13
natural threats, 12
NCCIC. See National Cybersecurity and Communications Integration Center
NCCUSL. See National Conference of Commissioners on Uniform State Laws
NCUA. See National Credit Union Administration
NCUSIF. See National Credit Union Share Insurance Fund
Nebraska, 71
need to know, 15
negotiation process, 289
network analysis, 422
network banner, 437
networking equipment, 421
New York Court of Appeals, 71
New York law, 244
New York State data disposal law, 243–244
NIH. See National Institutes of Health
NIST. See National Institute of Standards and Technology
nolo contendere, 324
nominal damages, 293
non-breaching parties, 293
nonaffiliated party, 99
nonprofit organization, 195
nonpublic personal information (NPI), 97–98
“notice and takedown” letter, 277
Notice of Privacy Practices, 159
NPI. See nonpublic personal information
NSSs. See national security systems
NVD. See National Vulnerability Database
O
oath for patent, 256
Obama, Barack, 201
objection, 441
obscene material, 118
OCC. See Office of the Comptroller of the Currency
OCR. See Office for Civil Rights
OCTAVE. See Operationally Critical Threat, Asset, and Vulnerability Evaluation
OECD. See Organization for Economic Cooperation and Development
OFAC. See Office of Foreign Assets Control
off-duty computer monitoring, 55
offeror, 288
Office for Civil Rights (OCR), 168, 169
Office of Foreign Assets Control (OFAC), 219
Office of Management and Budget (OMB), 204, 206, 210, 213
Office of Personnel Management (OPM), 219–220
Office of the Comptroller of the Currency (OCC), 91t, 94
Official Gazette, 263
Ohio law, 230
Ohio Public Records Act, 135
OMB. See Office of Management and Budget
omission, 335
online bank websites, 90
Online Copyright Infringement Liability Limitation Act, 274, 276–277
online data gathering, 51
online profiling, 46
online service provider (OSP), 276
openness principle, 44
operational incident response team, 404
operational planning, 355
operational risks, 14
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), 399
operator contact information, 121
OPM. See Office of Personnel Management
Organization for Economic Cooperation and Development (OECD), 43
organizational governance, 24
original jurisdiction, 68
OSP. See online service provider
P
Palsgraf v. Long Island Railroad (1928), 336
pantomimes, 268
parallel test, 413
parental consent, 117, 122–123
parental controls, 117
parental rights, 122
Paris Convention for the Protection of Industrial Property (1883), 255
passive data collection, 58
passwords, 15, 377–379, 428–429
patch, 10
Patent Cooperation Treaty (PCT), 255
patent prosecution, 256
patent troll, 257
patient information directory, 150
Payment Card Industry (PCI), 234–236
Payment Card Industry (PCI) Standards, 27t, 106–109, 109t, 414t
payment in arrears, 104
Payne v. Tennessee (1991), 78
PCAOB. See Public Company Accounting Oversight Board
PCI. See Payment Card Industry
PCI. See Payment Card Industry Standards
PCT. See Patent Cooperation Treaty
Pen Register and Trap and Trace Statute, 330, 438–439
pen register devices, 438
people-based privacy concerns, 49–51
persistent data, 430
person, 251
personal health record (PHR), 161
personal identifying information, 243
personal information, 4, 227, 228–232
personal jurisdiction, 321–322
personal property interest, 251
personally identifiable information (PII), 39, 129, 131, 132, 133
person/entity authentication standard, 167
PHI. See protected health information
PHR. See personal health record
physical and environmental threats, 12
physical safeguards, 16, 17t, 164–166, 166t
PIAs. See privacy impact assessments
pictorial, graphic, and sculptural works, 268
PII. See personally identifiable information
piracy, 271
plain language vs. legalese, 364
plain view doctrine, 434
plaintiff, 334, 335, 336, 337–338
plant patents, 253
Plant Variety Protection Act, 254
Plastic Card Security Act, 236
plea, 324
pleadings, 35
Plessy v. Ferguson (1896), 78
policy development process, 363–367, 367f
poor man’s copyright, 270
pop-up advertisements, 45
portrayal in false light privacy tort, 42
potential sources, 421
Powers Report, 179
PR. See public relations
preemption, 66
preexisting condition, 143, 144, 145
preponderance of evidence, 76
presentation step of investigation, 430–431
preservation step of investigation, 426–427
preventive controls, safeguards, 17
primary handler, 404
“Principal Register”, 262, 264
prior art, 254
prior consideration, 292
Privacy Act (1974), 39, 214–215
privacy impact assessments (PIAs), 39, 216–218
privacy notices, 157
privacy policies laws, 58
privacy protection, information systems, 57–59
Privacy Rule, 98–99, 100f, 101f, 147–161, 149, 150, 154–155
privacy violations, 345
private cause of action, 160, 233–234
private entities, 432
privately held company, 177
pro se, 312
probative evidence, 440
ProCD Inc. v. Zeidenberg (1996), 304
procedural law, 75
profit and loss statement, 181
property interest, 250
prospectus, 182
protected health information (PHI), 147–149, 150, 153–154, 155–156, 161
protective sweep exception, 435
Public Company Accounting Oversight Board (PCAOB), 182, 183–185
public company vs. private company, 177
public disclosure of private facts privacy tort, 42–43
public domain, 269
public employees, 56
public health, 162
public records and privacy, 35
public relations (PR), 415–416
purpose specification principle, 43
Q
qualitative risk analysis, 396, 399t
quantitative risk analysis, 398, 399t
R
RA. See risk assessment
Radio Frequency Identification (RFID), 47
ransomware, 21
real property interest, 251
reasonable information security professional, 336
reasonable person standard, 42, 334
records, 185–187, 214, 243, 439
recovery criticality, 409
Red Flags Rule, 27t, 81, 103–106, 106t
regulatory requirements, 311, 356
remedial actions, 205
remedies for copyright, 271–272
remedies for trademark, 265–266
remedy, 292
reports task force, 95
representations and warranties for service contracts, 307
repudiation, 294
reputational risks, 14
residual risk, 14
Restatement (Second) of the Law of Torts, 343
retaliation, 373
RFID. See Radio Frequency Identification
right to sue in federal court, 261
risk analysis, 163
risk assessment (RA), 189, 205, 390–400, 414t
risk level matrix, 397t
risk level outcomes, 398t
risk management (RM), 356, 387, 389–401, 390f
risk management framework (RMF), 208, 209f
RM. See risk management
RMF. See risk management framework
Robinson v. California (1962), 320
S
SaaS. See Software as a Service model
safe harbor, 229
safeguards, 15–17, 17t, 162–168
Safeguards Rule, 99–102, 109–110
sanctions, 373
SANS Institute, 360
Sarbanes-Oxley Act (SOX), 27t, 181–192, 194–195, 391, 414t
scans, probes, and attempted access category, 405
SDN. See specially designated nationals
seal program, 44
search, 432
search engine, 33
search incident to lawful arrest, 435
SEC. See Securities and Exchange Commission
seclusion privacy tort, intrusion into, 41
Second. See Restatement (Second) of the Law of Torts
secondary handlers, 404
secondary meaning, 264
securities, 177
Securities and Exchange Commission (SEC), 98, 177, 191–192
security awareness and training standard, 163, 205, 379–380, 401
security category, 210
security failures, 356
security incident procedures standard, 163–164
security management process standard, 163
security of social networking sites, 50–51
security-related certification, 336
security safeguards principle, 43
seizure, 433
self-representation, 325
separation of duties principle, 10, 407
service contracts, 306
service of process, 338
service provider, 102
service provider liability, 279
servicemark, 259
settlement agreement, 110
shrinkwrap contracts, 303
silver platter doctrine, 433
simulation test, 413
single loss expectancy (SLE), 395
single point of failure, 9
slack space, 427
slander, 341
SLE. See single loss expectancy
small public company, 182
Smith v. Maryland (1979), 38
social engineering, 6–7, 19, 49. See also pretexting
social networking sites, 50–51, 299
Social Security numbers (SSNs), 32, 34, 40, 49, 202, 206, 236–238
Software as a Service (SaaS) model, 308
SORN. See system of records notice
sound recordings, 268
SOX. See Sarbanes-Oxley Act
spear phishing, 20
special publications (SPs), 207
specially designated nationals (SDN), 219
specific performance, 293
specification for patent, 256
SPs. See special publications
SSNs. See Social Security numbers
stakeholders, 365
standard transaction, 147
standards, 361
stare decisis, 78
state breach notification acts, 27t
state laws, 40–41, 169, 329, 375, 376
Statute of Frauds, 287
statute of limitations, 313, 338
statutory damages, 272
statutory law. See code law
storage devices, 421
stored communication exception, 53
Strassheim v. Daily, 322
strategic planning, 355
strategic risks, 14
strict liability, 257
strict liability torts, 334
strong trademarks, 264
Strunk v. United States (1973), 325
student, 129
student records, 133
student data, state laws protecting, 134
Studies and Reports (Title VII), 182
subject matter jurisdiction, 321
subject matter law. See substantive law
subordinate plans, 205
substantial performance, 292
substantive criminal law, 319
substantive law, 75
sunshine laws, 35
supervision task force, 95
“Supplemental Register”, 262, 264
supplies recovery, 410
Supremacy Clause, 71
Supreme Court, 70
surveillance systems task force, 95
system of records notice (SORN), 215
system/service risks, 14
T
tabletop test, 413
tabletop walk-through test, 413
tactical planning, 355
Target department store, 110–111
targeted advertising, 46
targeted phishing scams, 20
technical safeguards, 15–16, 17t, 166–167, 167t
technically feasible standard, 240
technological and operational threats, 12
technology-based privacy concerns, 44–48
technology protection measure (TPM), 125–126, 128, 274–275
telephone and voicemail monitoring, 52–53
Telephone Harassment Act, 333
Tenth Amendment, 70
termination and breach of service contracts, 307
terms in contract, 307
terms of service agreement, 302
terms of use agreement, 302
testing and evaluation, agency’s information security program, 205
text messaging, 298
Third Amendment (U.S. Constitution), 36
third-party, 122
third-party company, 126
third-party cookies, 45
thisisyourdigitallife, 51
thrifts, 94
Title II. See Auditor Independence
Title III. See corporate responsibility
Title IV. See Enhanced Financial Disclosures
Title IX. See White-Collar Crime Penalty Enhancements
Title V. See Analyst Conflicts of Interest
Title VI. See Commission Resources and Authority
Title VII. See Studies and Reports
Title VIII. See Corporate and Criminal Fraud Accountability
Title X. See Corporate Tax Returns
Title XI. See Corporate Fraud and Accountability
TM symbol, 262
top-level domain, 266
tort, 41
tort law actions in cyberspace, 341–345
tortfeasor, 334
tortious conduct, 334
tort of outrage. See intentional infliction of emotional distress
TPM. See technology protection measure
trade secret, 258–259, 278–279
trademark registration, 261, 263–264
traditional contracts, 295
training employees, 401
transitory communications safe harbor, 276
transmission security standard, 167
Transportation Security Administration (TSA), 7
trap and trace devices, 438
trap-door. See backdoors
treatment activities, 150
treble damages, 243
trespasser exception, 438
triage, 404
trial court objections, 441
Trojan horse, 21
TSA. See Transportation Security Administration
Twitter, 299
U
UCC. See Uniform Commercial Code
UDRP. See Uniform Domain Name Dispute Resolution Policy
UETA. See Uniform Electronic Transactions Act
unauthorized access category, 405
unconscionable contracts, 288
unfair trade practices, 96
unicameral legislature, 71
Uniform Commercial Code (UCC), 286, 294
Uniform Domain Name Dispute Resolution Policy (UDRP), 267
Uniform Electronic Transactions Act (UETA), 295, 296, 300
uniform resource locator (URL), 266
United States v. Barrows (2007), 55
United States v. White (1971), 38
unreasonable government search and seizure, 432
updates of service contracts, 307
URL. See uniform resource locator
U.S. Attorneys, 323
U.S. Constitution, 36–37, 65, 235, 318
U.S. Copyright Office, 272, 277
U.S. Courts of Appeals, 69
U.S. Department of Commerce, 219
U.S. Department of Education (ED), 128, 133, 135–136
U.S. Department of Justice, 216, 331, 333
U.S. Department of State, 218
U.S. Department of Veterans Affairs (VA), 244
U.S. federal court system, 70f
U.S. Federal Reserve System (the Fed), 91–92, 91t, 92f
U.S. National Security Information, 25–26
U.S. Patent and Trademark Office (USPTO), 252–265
U.S. state court system, 72f
U.S. Supreme Court, 37–38, 67, 68t, 78, 118, 119, 124, 135
U.S. v. Jones (2012), 48
U.S.A. PATRIOT Act (2001), 436
use, 148
use, as defined in service contracts, 306
use limitation principle, 43
user credentials, 378
user input, 117
USPTO. See U.S. Patent and Trademark Office
V
VA. See U.S. Department of Veterans Affairs
Vessel Hull Design Protection Act, 274
Veterans Affairs Information Security Act of 2006, 245
victim, 404
video surveillance monitoring, 55–56
viruses, 20
Visa and Mastercard, 111
vital statistics and communicable diseases, 151–152
volatile data, 430
voluntary organizations, 26
vulnerabilities, 10–12, 11f, 392–394, 394t
W
walk-through test, 413
warm site, 411
Washington State personal data disposal law, 242–243
weak trademarks, 264
Web bug, 46
WFH. See work made for hire
Whalen v. Roe (1977), 38
whaling, 20
Wheaton v. Peters (1834), 37
White-Collar Crime Penalty Enhancements (Title IX), 182
window of vulnerability, 11
WIPO. See World Intellectual Property Organization
wireless technology, 47
Wiretap Act (1968, amended), 39, 330, 437–438
work made for hire (WFH), 269
workforce security standard, 163
workplace harassment, 372
workplace monitoring, 52, 56–57
workplace privacy, 51–57, 373–374
workstation security standard, 165–166
workstation use standard, 165
World Intellectual Property Organization (WIPO), 255, 267, 274
World Wide Web (WWW), 250
writ of certiorari, 69
write blockers, 429
wrongful conduct, type of, 319
WWW. See World Wide Web
Z
zero-day vulnerability, 12