U.S. Information Security Law, Part Two: Protecting Private Sector Systems and Securing the Working

    Date02 Apr 2003
    CategoryGovernment
    2473
    Posted ByAnthony Pell
    This is the second part of a four-part series looking at U.S. information security laws and the way those laws affect security professionals. In the first part of this series, we looked at the legal framework for protection of information systems . . . This is the second part of a four-part series looking at U.S. information security laws and the way those laws affect security professionals. In the first part of this series, we looked at the legal framework for protection of information systems and the role of information security professionals in the creation of trade secret interests. In this installment, we will look at the legal framework for security of an enterprise's working environment from the perspective of information security professionals, with particular emphasis on the protection of communications.

    Of course, protecting communications necessarily depends on the security of the systems used to transmit and store them. Drawing a rigid line between protecting systems and protecting communications might not always be useful or possible. That said, for our discussion, treating the protection of communications separately from the protection of systems illustrates how the Computer Fraud and Abuse Act, 18 U.S.C.§ 1030 (the "CFAA"), and the Electronic Communications Protection Act, 18 U.S.C. §§ 2510-22 and §§ 2701-12 (the "ECPA"), two critically important federal information security statutes, work together.

    As discussed in the first article in this series, the primary thrust of the CFAA, with respect to private sector systems, is to prohibit access to protected computers without authorization or exceeding authorization, whether to obtain something of value or to damage systems or data. The primary concern of the ECPA is related, but distinct. The ECPA prohibits the unauthorized and unjustified interception, disclosure, or use of communications, including electronic communications[1]. In a situation in which a bad actor hacks into a corporate network and obtains access to sensitive email, the CFAA and the ECPA are both violated. But having discussed the CFAA in Article 1, our discussion of the legal framework for protecting communications will focus on the ECPA.

    You are not authorised to post comments.

    LinuxSecurity Poll

    Has your email account ever been pwned in a data breach?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).
    /component/communitypolls/?task=poll.vote
    12
    radio
    [{"id":"53","title":"Yes","votes":"4","type":"x","order":"1","pct":80,"resources":[]},{"id":"54","title":"No","votes":"1","type":"x","order":"2","pct":20,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.