As you can see from the table, the concept of what constitutes a crime varies from state to state. Some states require an intent to permanently deprive the owner of access to information for computer theft to occur. Others require that the owner actually be deprived of the information (so a backup of the information might negate the violation of the law). There is also a big difference when it comes to accessing systems. Some states require that the system actually be accessed for the crime to occur; in others, the unauthorized attempt is itself the crime. Texas goes so far as to require that the perpetrator know a security system is in place to prevent unauthorized access before there is a crime. Finally, some states make modifying or forging e-mail headers a crime. This type of statute is directed at bulk e-mail or spam.

No matter what state your organization is in, check with local law enforcement and with your organization's general counsel so that you understand the ramifications of the local laws. This will directly affect when you may choose to notify law enforcement of a computer incident.

EXAMPLES OF LAWS IN OTHER COUNTRIES

Computer crime laws in the United States vary from state to state. Internationally, laws vary from country to country, and many countries have no computer crime laws at all. For example, when the ILOVEYOU virus was traced to an individual who lived in the Philippines, he could not be prosecuted because the Philippines had no law that made it a crime to write and distribute a computer virus.

Computer crime laws in other countries may affect computer crime investigations in the United States as well. If an investigation shows that the attack came from a computer system in another country, the FBI will attempt to get assistance from the law enforcement organizations in that country.
If the other country has no computer crime laws, it is unlikely that they will assist in the investigation. The following sections provide brief discussions of computer crime laws in three other countries. More specific information can be found by asking representatives of the foreign government (at an embassy or consulate) or by contacting the FBI.

Network Security: A Beginner's Guide
Chapter 4: Legal Issues in Information Security

Table 4-1. Summary of State Computer Crime Laws (continued)

State       Specific Computer Crimes                                                                                Notes
Wisconsin   Offenses against computer data and programs; offenses against computers, computer equipment, or supplies   Copying of information is a crime.

Australia

Australian federal law specifies that unauthorized access to data in computers is a crime punishable by six months in jail (see Commonwealth Laws, Crimes Act 1914, Part VIA, Offences Relating to Computers). The punishment goes up to two years if the intent was to defraud or if the information was government-sensitive, financial, or trade secrets. It is also against the law to gain unauthorized access to computers across facilities provided by the Commonwealth or by a carrier. No minimum damage amounts are specified; the punishment is based on the type of information that is accessed.

The Netherlands

Criminal Code Article 138a defines a crime called a breach of computer peace. A person found guilty of this crime can be sent to prison for up to six months or fined 10,000 guilders. To be guilty of the crime, the perpetrator must break into a system or impersonate an authorized user. The punishment does not change based on the damage to the system or the type of information that is accessed.

United Kingdom

Computer crime statutes for the United Kingdom can be found in the Computer Misuse Act 1990, Chapter 18. The law defines unauthorized access to computer material as a crime.
This access must be intentional, and the individual who performs the act must know that the access is unauthorized. It is also a crime to cause unauthorized modifications or to cause a denial-of-service condition. The penalties for modification or denial of service do not change based on whether the attack is temporary or permanent. For a summary conviction, the penalties are up to six months in prison or a fine. If the individual is convicted on an indictment, the prison term may not exceed five years and there may also be a fine.

PROSECUTION

If your organization is the victim of computer crime, it might choose to contact law enforcement in order to prosecute the offenders. This choice should not be made in the heat of the incident. Rather, the options and how the organization may choose to proceed should be discussed during the development of the organization's incident response procedure (see Chapter 5). During the development of this procedure, your organization should involve legal counsel and also seek advice from local law enforcement. Your discussion with local law enforcement will provide information on their capabilities, their interest in computer crimes, and the type of damage that must be done before a crime actually occurs (remember that 18 US Code 1030 requires a minimum of $5,000 in damage). As the incident occurs, your organization's general counsel should be consulted before law enforcement is contacted.

Evidence Collection

Whether your organization chooses to prosecute or not, there are a number of things that can be done while the incident is investigated and the systems are returned to operation. First, we should dispel one myth that is prevalent in the security industry: that special precautions must be taken to preserve "evidence" if the perpetrator is to be prosecuted and if any of the information from the victim is to be used in the prosecution.
There are actually two parts to the correct information regarding this situation. First, if normal business procedures are followed, any information can be used to prosecute the perpetrator. This means that if you normally make backups of your systems and those backups contain information that shows where the attack came from or what was done, this information can be used. In this case, no special precautions need to be taken to safeguard the information as "evidence." That is not to say that making extra copies before system administrators do anything to fix the system is a bad idea; it is simply not necessary.

The second point is a little more tricky. If your organization takes actions such as calling an outside consultant to perform a forensic examination of the system, you are now taking actions that are not part of normal business practices. In this case, your organization should take appropriate precautions. These may include

▼ Making at least two image copies of the computer's hard drives
■ Limiting access to one of the copies and bagging it so that any attempt to tamper with it can be identified
▲ Making secure checksums of the information on the disks so that changes to the information can be identified

In any case, the procedure to be followed should be developed prior to the event and should be created with the advice of organization counsel and law enforcement.

One other point to consider is that the victim computer system may not be the only location for information about the attack. Log files from network equipment or network monitoring systems may also provide information about the attack. Since the organization is the owner and operator of the computer network, this information can be gathered without violating the wiretap laws (18 US Code 2511 and 2701).

Contacting Law Enforcement

You should get your organization's general counsel involved before law enforcement is contacted.
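The evidence-collection precautions above (a sealed image copy, a working copy, and secure checksums that reveal any later change) can be carried out with a few lines of Python. The following is an added example written for this chapter; it is not the book's own procedure and not the interface of any forensic tool. It hashes a sealed image, writes the manifest to a file, verifies a working copy against the manifest before analysis, and then shows that a single changed byte is detected and localized to the chunk it occurred in. The file names, the 4 KiB chunk size, and the 12 KiB sample image contents are constructed for the demonstration; a real image would come from dd or a hardware imager and would be hashed in much larger chunks.

```python
"""Added example: seal a disk image with SHA-256 checksums and detect changes.

Illustrative code written for this chapter, not the book's procedure or any
forensic tool's API. Assumes the image already exists as a regular file.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# Per-region hash size for real images. The demo uses a much smaller value so
# the constructed sample image spans several chunks.
DEFAULT_CHUNK_SIZE = 64 * 1024 * 1024


def hash_image(path, chunk_size=DEFAULT_CHUNK_SIZE):
    """Read the image once and return a manifest holding the whole-image
    SHA-256 plus one SHA-256 per fixed-size chunk (so a change can be
    localized, not just detected)."""
    whole = hashlib.sha256()
    chunks = []
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            whole.update(block)
            chunks.append(hashlib.sha256(block).hexdigest())
    return {
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "chunk_size": chunk_size,
        "sha256": whole.hexdigest(),
        "chunks": chunks,
    }


def verify_image(path, manifest):
    """Re-hash the image and compare it with a stored manifest.

    Returns (ok, changed_chunks): ok is True only when size and whole-image
    hash match; changed_chunks lists indices whose chunk hash differs."""
    current = hash_image(path, manifest["chunk_size"])
    ok = current["size"] == manifest["size"] and hmac.compare_digest(
        current["sha256"], manifest["sha256"])
    n = max(len(current["chunks"]), len(manifest["chunks"]))
    changed = [
        i for i in range(n)
        if i >= len(current["chunks"]) or i >= len(manifest["chunks"])
        or current["chunks"][i] != manifest["chunks"][i]
    ]
    return ok, changed


def make_working_copy(sealed_path, copy_path, manifest):
    """Copy the sealed image for analysis and confirm the copy matches the
    manifest before anyone works on it. The sealed copy stays bagged."""
    shutil.copyfile(sealed_path, copy_path)
    ok, _ = verify_image(copy_path, manifest)
    if not ok:
        raise RuntimeError("working copy does not match the sealed image")
    return copy_path


def demo():
    """Run the procedure on a constructed sample image; return the results."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    sealed = os.path.join(workdir, "sealed.dd")
    manifest_path = os.path.join(workdir, "sealed.dd.manifest.json")
    working = os.path.join(workdir, "working.dd")

    # Constructed sample "disk image": 12 KiB of patterned bytes, hashed in
    # 4 KiB chunks so there are three regions to watch (assumption for demo).
    with open(sealed, "wb") as fh:
        fh.write(bytes(range(256)) * 48)
    manifest = hash_image(sealed, chunk_size=4096)
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)  # store apart from the image

    results = {"sealed_ok": verify_image(sealed, manifest)[0]}

    # Analysts work on the copy, never on the sealed image.
    make_working_copy(sealed, working, manifest)
    results["copy_ok"] = verify_image(working, manifest)[0]

    # Simulate a careless write (or tampering) of one byte in chunk 1.
    with open(working, "r+b") as fh:
        fh.seek(5000)
        fh.write(b"\xff")
    ok, changed = verify_image(working, manifest)
    results["tampered_ok"] = ok          # False: whole-image hash differs
    results["changed_chunks"] = changed  # [1]: only the second chunk changed

    # The sealed copy still agrees with the stored manifest, so it remains usable.
    with open(manifest_path) as fh:
        stored = json.load(fh)
    results["sealed_still_ok"] = verify_image(sealed, stored)[0]

    shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to print the five results. The manifest belongs with the bagged copy or in the case file, not on the analysis workstation, and verification should be repeated each time the image changes hands; the chunk hashes tell the examiner where a change occurred, which a single whole-disk hash cannot.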
The general counsel should be available to speak with law enforcement when they come on-site. Once law enforcement is contacted and comes on-site to investigate, the rules change. Law enforcement will be acting as officers of the court and as such are bound by rules that must be followed in order for the information gathered to be usable as evidence. When law enforcement takes possession of backup copies or information from a system, they will control access to it and protect it as evidence according to their procedures. Likewise, if further information is to be gathered from the network, law enforcement will have to get a subpoena or a warrant. This document will allow them either to request logs from a service provider or to install monitoring equipment of their own. Without the warrant they will not be able to gather information off the network. Here again, they will follow their own procedures.

NOTE: Law enforcement does not require a warrant if the information is provided willingly (by the organization, for example). However, if law enforcement wants information from your site, it may be more appropriate for your organization to require a subpoena, as this may protect you from some liability (for example, if you are an ISP and law enforcement wants your logs of activity that traversed your network). In any case, a request for tapes or logs from law enforcement should be run through your organization's legal office.

CIVIL ISSUES

Anyone can file a civil lawsuit against anyone for anything. That said, there is real potential for civil lawsuits when it comes to computers and the information they store. In this section of the chapter, I will identify some of the potential exposures that organizations may encounter. However, none of the following is intended to provide legal advice. For legal advice, you should see your own attorney or the organization's general counsel.
Employee Issues

Computers and computer networks are provided by an organization for the business use of employees. This simple concept should be spelled out to all employees (see Chapter 5 for a discussion of computer use policies). It means that the organization owns the systems and the network, that any information on the systems may be accessed by the organization at any time, and therefore that employees should have no expectation of privacy. To make sure that your policy on this matter complies with applicable laws, make sure that the organization's general counsel is involved in drafting the policy. Privacy laws do differ from state to state.

Internal Monitoring

As the provider of the network and computer services, the organization is permitted to monitor information on the network and how the network is used (this is an exception to the wiretap laws). Employees should be informed that such activity may occur, and this should be communicated to them via policy and via a login banner. A banner such as this may be appropriate:

    This system is owned by <organization name> and provided for the use of authorized individuals. All actions on this computer or network may be monitored. Anyone using this system consents to this monitoring. There is no expectation of privacy on this system. All information on this or any organization computer system is the property of <organization name>. Evidence of illegal activities may be turned over to the proper law enforcement authorities.

A second point that should be made in the banner and in policies is that there is no expectation of privacy when using an organization computer system. The employee should be made aware that monitoring may and will happen and that files may and will be examined during the normal course of administration duties. The employee should have no expectation of privacy when using the organization's computers or networks.
Policy Issues

Organization policy defines the appropriate operation of systems and behavior of employees. If employees violate organization policy, they may be disciplined or terminated. To alleviate some potential legal issues, all employees should be provided copies of organization policies (including information and security policies) and asked to sign that they have received and understood them. This procedure should recur periodically (every year) so that employees are reminded of the existing policies. These policies should restate the information in the login banner (no expectation of privacy, monitoring will happen, and so on).

Some employees may be sensitive to signing such documents. This activity should be coordinated with the Human Resources Department and with the organization's general counsel.

Downstream Liability

A risk that should be taken into account when performing a risk assessment of an organization is the potential for downstream liability. The concept is that if an organization (Organization A) does not perform appropriate security measures and one of its systems is successfully penetrated, that system might then be used to attack another organization (Organization B). In this case, Organization A might be held liable by Organization B (see Figure 4-2). The question will be whether Organization A took reasonable care and appropriate measures to prevent this from occurring.

Reasonable care and appropriate measures will be determined by existing standards (such as the proposed ISO 17799) and best business practices (see Chapter 8). Once again, the information security staff of the organization should discuss this issue with the organization's general counsel.

PRIVACY ISSUES

Privacy issues on the Internet are becoming a hot topic. We have already touched on the privacy issues when dealing with employees. This is not the only privacy issue that needs to be examined and handled properly.
It is very possible that there will be legislation in the near future that defines how organizations should handle customer information, and there will soon be detailed regulations on the handling of health information.

Customer Information

Customer information does not belong to you or your organization. Customer information belongs to the customer. Therefore, the organization should take appropriate steps to safeguard customer information from unauthorized disclosure. This is not to say that customer information cannot be used, but care must be taken to make sure that it is used appropriately. This is one reason why many Internet sites notify the customer that some information may be used in mailing lists. Customers may also be given the option to keep their information from being used in this manner.

The issue that I wish to raise here is the issue of customer information being disclosed if the security of an organization is compromised. How can an organization decide if it has taken appropriate steps to prevent this type of disclosure? As with liability, the information security staff must work with the organization's general counsel to understand the issues involved and to identify the appropriate measures to take.

Figure 4-2. Downstream liability

Health Information

On August 21, 1996, the Health Insurance Portability and Accountability Act (HIPAA) became law. This law places the responsibility for creating and enforcing the standards for the protection of health information under the Department of Health and Human Services. The act calls for the standardization of patient health information, unique identifiers for individuals, and, most importantly, security standards for protecting the confidentiality and integrity of patient health information.
All healthcare organizations such as insurance companies, billing agencies, hospitals, doctors, employers, and any other organization that handles patient health information will be affected by these regulations. Violations may be punishable by civil and criminal penalties, including fines up to $250,000 and imprisonment of up to ten years for knowingly misusing patient health information. At this time, it is expected that compliance will be required by 2003, depending on when the regulations are actually published. The regulations require compliance in the following areas:

▼ Administrative procedures
■ Physical safeguards
■ Technical security services
▲ Technical security mechanisms

It is expected that the regulations will specify appropriate mechanisms for everything from encryption of information to authentication. The need for procedures to safeguard the privacy of the information is also noted and defined.

Any organization that handles health care information should examine the regulations in detail to learn what must be done to be in compliance. It is expected that health care organizations will expend significant resources in bringing their systems and procedures up to the regulations. The information security staff will need to work with the HIPAA compliance officer and the organization's general counsel to make sure the organization meets the requirements.