This is the second part of a four-part series looking at U.S. information security laws and the way those laws affect security professionals. In the first part of this series, we looked at the legal framework for protection of information systems . . .
This is the second part of a four-part series looking at U.S. information security laws and the way those laws affect security professionals. In the first part of this series, we looked at the legal framework for protection of information systems and the role of information security professionals in the creation of trade secret interests. In this installment, we will look at the legal framework for security of an enterprise's working environment from the perspective of information security professionals, with particular emphasis on the protection of communications.

Of course, protecting communications necessarily depends on the security of the systems used to transmit and store them. Drawing a rigid line between protecting systems and protecting communications might not always be useful or possible. That said, for our discussion, treating the protection of communications separately from the protection of systems illustrates how the Computer Fraud and Abuse Act, 18 U.S.C.§ 1030 (the "CFAA"), and the Electronic Communications Protection Act, 18 U.S.C. §§ 2510-22 and §§ 2701-12 (the "ECPA"), two critically important federal information security statutes, work together.

As discussed in the first article in this series, the primary thrust of the CFAA, with respect to private sector systems, is to prohibit access to protected computers without authorization or exceeding authorization, whether to obtain something of value or to damage systems or data. The primary concern of the ECPA is related, but distinct. The ECPA prohibits the unauthorized and unjustified interception, disclosure, or use of communications, including electronic communications[1]. In a situation in which a bad actor hacks into a corporate network and obtains access to sensitive email, the CFAA and the ECPA are both violated. But having discussed the CFAA in Article 1, our discussion of the legal framework for protecting communications will focus on the ECPA.

The link for this article located at SecurityFocus is no longer available.