Law and Ethics

Predict – Preempt – Protect

Karthikeyan Dhayalan

Categories of Law

Code Law

•Rule-based law not precedence based

• Focused on codified law – or written law

•Lower courts are not compelled to follow the decisions made by the higher courts

•Most widespread legal system in the world and most common in Europe

Common Law

• It is based on previous interpretations of law

•Developed in England

•It reflects the community’s morals and expectations

•Uses judges and juries of peers

•Broken down into civil, criminal, and administrative

Criminal Law

• It is based on common law

• Addresses behavior harmful to society

• Punishment involves a loss of freedom, monetary fines, community service

• Responsibility is on the prosecution to prove guilt

• Govt, through law enforcement agencies, brings about charges against the individual/organization that is accused of violation

• Penalties include, jail term, community service, monetary fines

Civil/Tort Law

• It is based on common law

•Defendant owes a legal duty to the victim

•Designed to provide for an orderly society and govern matters that are not crimes

• Incumbent on the person wronged to file a law suit

•Damages can be financial penalties

Administrative Law

•Policies, procedures and regulations that govern the daily operations of the agency

•Administrative law does not require an act of legislation but must comply with all existing civil and criminal laws

Customary Law

•Deals mainly with personal conduct and patterns of behavior

•Based on traditions and customs of the region

•Mainly used in regions that have mixed law system

•Penalty include monetary fine or service

Religious Law

•Based on religious beliefs of the region

•Covers all aspects of human life

•Knowledge and rules are defined by god

•Scholars attempt to discover truth of law

Mixed Law

•2 or more legal systems are used together

•Consists of civil and common law

Computer specific Law

• Exclusively covers computer crimes that crosses state boundaries

• It is a crime to perform the following

• Unauthorized access of classified information in a federal system

• Unauthorized access to a federal government system

• Causing malicious damage to the federal system

Computer Fraud and Abuse Act

• Mandates baseline security requirement for all federal agencies

• 4 main purposes of the Act

• Provide NIST responsibility for developing standards and guidelines for federal computer systems

• Provide for enactment of such standard and guidelines

• Require establishment of security plans by all operators

• Require mandatory periodic training for all people

Computer Security Act of 1987

• Provides punishment guidelines to help federal judges to interpret computer crime laws

• 3 Major provisions of the law are

• Prudent man rule – requires senior executives to take personal responsibility for ensuring due care

• Allowed executives and organizations to reduce punishment by demonstrating that they used due diligence in the conduct of their information security duties

• Outlines 3 burdens of proof for negligence

• Person accused of negligence must have legally recognized obligation

• Person must have failed to comply with recognized standard

• There must be casual relationship between the act of negligence and subsequent damages – proximate causation

Federal Sentencing Guidelines

• Provide comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support federal operations

• Places burden of maintaining security and integrity of government systems on individual agency leaders

• Established mission-critical system category

• Provides specific evaluation and auditing authority for mission-critical systems to the secretary of defense and the director of CIA

Government Information Security Reform Act

• FISMA requires agencies implement an information security program that covers the agencies operations

• Requires contractors are also included part of the scope

• NIST is responsible for building FISMA guidelines

Federal Information Security Management Act

• Provides a framework and guideline to ensure security, integrity and privacy when handling confidential medical records

• It outlines how security should be managed for any facility that creates, accesses, shares or destroys medical information

• Mandates steep penalties for noncompliance

HIPAA

• Mandates financial institution develop privacy notices and give customers option to prohibit sharing their information with non-affiliated parties

• BoD is responsible, all employee should be trained and security controls should be tested

• Major components

• Financial privacy rule: provide each customer with privacy notice. Provide opt-out clause

• Safeguards rule: develop written information security plan

• Pretexting Protection: Implement safeguards against social engineering

Gramm-Leach-Bliley Act (GLBA)

• Canadian law that deals with protection of personal information

• Oversees how private sector collect, use, disclose PII

• Some requirements of the law

• Obtain consent when they collect PII

• Collect information in fair and lawful means

• Have personal information policies that are clear, understandable and readily available

Personal Information Protection and Electronic Documents Act

• Applies to any entity that processes, stores, transmits or accepts credit card data

• It is a private industry initiative, it is not a law.

• Made up of 12 main requirements broken into 6 major categories

• Non-compliance may result in financial penalties or possible revocation of merchant status within the credit card industry

Payment card industry Data Security Standard (PCI DSS)

Intellectual Property Rights

Intellectual property (IP) refers to creations of the mind, such as inventions; literary and artistic works; designs; and symbols, names and images used in commerce.Types of intellectual property• Copyright• Patent• Trade secret• Trade mark• Industrial design• Geographical Identification

Copyright• Copyright (or author’s right) is a legal term used to describe the rights that creators have over their

literary and artistic works• Works covered by copyright range from books, music, paintings, sculpture, and films, to

computer programs, databases, advertisements, maps, and technical drawings.• Copyright protection extends only to expressions, and not to ideas, procedures, methods of

operation or mathematical concepts as such. • There are two types of rights under copyright:

• economic rights, which allow the rights owner to derive financial reward from the use of his works by others; and

• moral rights, which protect the non-economic interests of the author• Copyright protection is obtained automatically without the need for registration or other

formalities• Works by one or more authors are protected until 70 years after the death of the last surviving

author• Work for hire and anonymous works are provided protection for 95 years from the date of first

publishing or 120 years from the date of creation, whichever is shorter

Digital Millennium Copyright Act (DMCA)

• The Digital Millennium Copyright Act (DMCA) is a controversial United States digital rights management ( DRM ) law. The intent behind DMCA was to create an updated version of copyright laws to deal with the special challenges of regulating digital material.

• It prohibits attempts to circumvent copyright protection mechanisms• Non-profit organizations are exempted from this Act• A DMCA takedown notice is a notification to a company, usually a web

host or a search engine, that they are either hosting or linking to copyright-infringing material. It provides them notice to remove the copyrighted works.

Patent

• A patent is an exclusive right granted for an invention• To get a patent, technical information about the invention must be disclosed to the

public in a patent application.• 3 requirements to be satisfied are:

• The invention should be new and original idea• The invention must be useful• The invention must not be obvious.

• The patent owner has the exclusive right to prevent or stop others from commercially exploiting the patented invention

• The exclusive rights are only applicable in the country or region in which a patent has been filed and granted, in accordance with the law of that country or region.

• The protection is granted for a limited period, generally 20 years from the filing date of the application.

Trademark

• A trademark is a sign capable of distinguishing the goods or services of one enterprise from those of other enterprises. Trademarks are protected by intellectual property rights.

• The main objective is to avoid confusion in the marketplace of a product or service

• Trademarks are generally not needed to be official registered to gain protection under law

• Acceptance of Trademark registration in US has two major considerations• The trademark must not be similar to another trademark• The trademark should not be descriptive of the goods or service that you will

offer• In US Trademarks are provided for 10 years with renewals for unlimited

successive 10-year period

Trade Secret

• Any confidential business information which provides an enterprise a competitive edge may be considered a trade secret

• Trade secrets encompass manufacturing or industrial secrets and commercial secrets

• Trade secrets are protected without registration• Conditions for the information to be considered a trade secret

• The information must be secret• It must have commercial value because it is a secret• It must have been subject to reasonable steps by the rightful holder of

the information to keep it secret

Industrial Design

• An industrial design constitutes the ornamental or aesthetic aspect of an article• may consist of three dimensional features, such as the shape of an article, or two

dimensional features, such as patterns, lines or colour• the owner of a registered industrial design or of a design patent has the right to

prevent third parties from making, selling or importing articles bearing or embodying a design which is a copy, or substantially a copy, of the protected design, when such acts are undertaken for commercial purposes.

• Industrial designs are applied to a wide variety of products of industry and handicraft items: from packages and containers to furnishing and household goods, from lighting equipment to jewelry, and from electronic devices to textiles.

• an industrial design needs to be registered in order to be protected under industrial design law as a “registered design”

Geographical Indications

• A geographical indication (GI) is a sign used on products that have a specific geographical origin and possess qualities or a reputation that are due to that origin.

• There is a clear link between the product and its original place of production• A geographical indication right enables those who have the right to use the

indication to prevent its use by a third party whose product does not conform to the applicable standards.

• A protected geographical indication does not enable the holder to prevent someone from making a product using the same techniques as those set out in the standards for that indication.

• Geographical indications are typically used for agricultural products, foodstuffs, wine and spirit drinks, handicrafts, and industrial products.

Licensing

• 4 major types of license requirements• Contractual license agreement: written contract between the software

vendor and the customer• Shrink-wrap License: A shrink wrap license is an end user agreement

(EULA) that is enclosed with software in plastic-wrapped packaging. Once the end user opens the packaging, the EULA is considered to be in effect.

• Clickwrap License: Type of agreement often used in connection with software licenses. Most clickwrap agreements require the end-user to manifest his or her assent by clicking an "ok" or "agree" button on a dialog box or pop-up window.

• Cloud services license agreement: similar to Clickwrap agreement, mainly concentrated on the services provided by cloud vendors

Karthikeyan Dhayalan