Network System Security, part 9 (docx)


As you can see from the table, the concept of what constitutes a crime varies from
state to state. Some states require that there must be an intent to permanently deprive the
owner of access to information for computer theft to occur. Other states require that
the owner of the information must actually be deprived of the information (so a backup
of the information might negate the violation of the law).
There is also a big difference when it comes to accessing systems. Some states require
that the system must actually be accessed for the crime to occur. Other states make the
unauthorized attempt itself the crime. Texas goes so far as to require that the perpetrator
know a security system is in place to prevent unauthorized access for there to be a crime.
Finally, some states make the modification or forging of e-mail headers a crime.
This type of statute is directed at bulk e-mail or spam.
No matter what state your organization is in, check with local law enforcement and
with your organization’s general counsel so that you understand the ramifications of the
local laws. This will directly impact when you may choose to notify law enforcement of a
computer incident.
EXAMPLES OF LAWS IN OTHER COUNTRIES
Computer crime laws in the United States vary from state to state. Internationally, laws
vary from country to country. Many countries have no computer crime laws at all. For
example, when the ILOVEYOU virus was traced to an individual who lived in the
Philippines, he could not be prosecuted because the Philippines did not have a law that
made it a crime to write and distribute a computer virus.
Computer crime laws in other countries may have an effect on computer crime
investigations in the United States as well. If an investigation shows that the attack came
from a computer system in another country, the FBI will attempt to get assistance from
the law enforcement organizations in that country. If the other country has no computer
crime laws, it is unlikely that they will assist in the investigation.
The following sections provide brief discussions of computer crime laws in three
other countries. More specific information can be found by asking representatives of the
foreign government (at an embassy or consulate) or by contacting the FBI.
50
Network Security: A Beginner's Guide

Table 4-1. Summary of State Computer Crime Laws (continued)
State: Wisconsin
Specific Computer Crimes: Offenses against computer data and programs; offenses
against computers, computer equipment, or supplies
Notes: Copying of information is a crime.

Chapter 4: Legal Issues in Information Security
51
Australia
Australian federal law specifies that unauthorized access to data in computers is a crime
punishable by six months in jail (see Commonwealth Laws, Crimes Act 1914, Part VIA—
Offences Relating to Computers). The punishment goes up to two years if the intent was to
defraud or if the information was government-sensitive, financial, or trade secrets. It is also
against the law for someone to gain unauthorized access to computers across facilities
provided by the Commonwealth or by a carrier. No minimum damage amounts are
specified. The punishment is based on the type of information that is accessed.
The Netherlands
Criminal Code Article 138a defines a crime called a breach of computer peace. A person
found guilty of this crime can be sent to prison for up to six months or receive a fine of
10,000 guilders. To be guilty of the crime, the perpetrator must break into a system or
impersonate an authorized user.
The punishment does not change based on the damage to the system or the type of
information that is accessed.
United Kingdom
Computer crime statutes for the United Kingdom can be found in the Computer Misuse
Act 1990, Chapter 18. The law defines unauthorized access to computer material as a
crime. This access has to have intent and the individual who performs the act must know
that the access is unauthorized. It is also a crime to cause unauthorized modifications or
to cause a denial-of-service condition. The penalties for any modification or denial of
service do not change based on whether the attack is temporary or permanent.
For a summary conviction, the penalties are up to six months in prison or a fine. If the
individual is convicted on an indictment, the prison term may not exceed five years and
there may also be a fine.
PROSECUTION
If your organization is the victim of computer crime, it might choose to contact law
enforcement in order to prosecute the offenders. This choice should not be made in the
heat of the incident. Rather, the options and how the organization may choose to proceed
should be discussed in detail during the development of the organization's incident
response procedure (see Chapter 5). During the development of this procedure, your
organization should involve legal counsel and also seek advice from local law
enforcement. Your discussion with local law enforcement will provide information on
their capabilities, their interest in computer crimes, and the type of damage that must be
done before a crime actually occurs (remember that 18 US Code 1030 requires a minimum
of $5,000 in damage). As the incident occurs, your organization's general counsel should
be consulted before law enforcement is contacted.
Evidence Collection
Whether your organization chooses to prosecute or not, there are a number of things that
can be done while the incident is investigated and the systems are returned to operation.
First, we should dispel one myth that is prevalent in the security industry. The myth is
that special precautions must be taken to preserve "evidence" if the perpetrator is to be
prosecuted and if any of the information from the victim is to be used in the prosecution.
There are actually two parts to the correct answer.
First, if normal business procedures are followed, any information can be used to
prosecute the perpetrator. This means that if you normally make backups of your systems
and those backups contain information that shows where the attack came from or what
was done, this information can be used. In this case, no special precautions need to be
taken to safeguard the information as "evidence." That is not to say that making extra
copies before system administrators do anything to fix the system is not a good idea.
However, it is not necessary.
The second point is a little more tricky. If your organization takes actions such as
calling an outside consultant to perform a forensic examination of the system, you are now
taking actions that are not part of normal business practices. In this case, your
organization should take appropriate precautions. These may include
▼ Making at least two image copies of the computer’s hard drives
■ Limiting access to one of the copies and bagging it so that any attempts to
tamper with it can be identified
▲ Making secure checksums of the information on the disks so that changes to
the information can be identified
In any case, the procedure to be followed should be developed prior to the event and
should be created with the advice of organization counsel and law enforcement.
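One way to carry out the checksum step in the list above, as an added example that is not the book's own code: it images a constructed stand-in for a disk to two copies, records a digest of every file in a manifest, and later re-verifies each file so that any change to a copy is detected. SHA-256 as the "secure checksum" and the file names are assumptions.

```python
"""Integrity manifest for forensic image copies (added example, not from the book).
Assumptions: SHA-256 as the "secure checksum" (the book names no algorithm) and a
small constructed file standing in for a disk image so it runs offline."""
import hashlib
import json
import os
import shutil
import tempfile

CHUNK = 1 << 20  # stream in 1 MiB blocks so real images need not fit in memory

def sha256_file(path):
    """Return the hex SHA-256 digest of a file, hashed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_and_record(source, copies, manifest):
    """Copy source to each path in copies, hash all files, write a JSON manifest."""
    for dst in copies:
        shutil.copyfile(source, dst)
    entries = {p: sha256_file(p) for p in [source, *copies]}
    with open(manifest, "w") as f:
        json.dump(entries, f, indent=2)
    return entries  # every digest is identical immediately after imaging

def verify(manifest):
    """Re-hash each file named in the manifest; return {path: unchanged?}."""
    with open(manifest) as f:
        expected = json.load(f)
    return {p: sha256_file(p) == digest for p, digest in expected.items()}

def demo():
    """Constructed run: image a fake disk, alter the working copy, then verify.
    Returns [original_ok, sealed_copy_ok, working_copy_ok]."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "victim-disk.img")
    with open(src, "wb") as f:  # constructed stand-in for a disk image
        f.write(b"MBR\x00" + b"syslog: failed login from remote host\n" * 200)
    copies = [os.path.join(work, n) for n in ("sealed.img", "working.img")]
    manifest = os.path.join(work, "manifest.json")
    image_and_record(src, copies, manifest)
    with open(copies[1], "r+b") as f:  # simulate a change to the working copy
        f.seek(4)
        f.write(b"XXXX")
    status = verify(manifest)
    return [status[src], status[copies[0]], status[copies[1]]]

if __name__ == "__main__":
    print(demo())  # [True, True, False]
```

The manifest itself should be stored with the sealed copy (or signed), since a checksum only detects change when the recorded value is trusted.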
One other point to consider is that information on the victim computer system may
not be the only location for information about the attack. Log files from network
equipment or network monitoring systems may also provide information about the attack.
Since the organization is the owner and operator of the computer network, this
information can be gathered without violating the wire tap laws (18 US Code 2511 and 2701).
Contacting Law Enforcement
You should get your organization's general counsel involved before law enforcement is
contacted. The general counsel should be available to speak with law enforcement when
they come on-site.
Once law enforcement is contacted and comes on-site to investigate, the rules change.
Law enforcement will be acting as officers of the court and as such are bound by rules that
must be followed in order to allow information that is gathered to be used as evidence.
When law enforcement takes possession of backup copies or information from a system,
they will control access to it and protect it as evidence according to their procedures.
Likewise, if further information is to be gathered from the network, law enforcement
will have to get a subpoena or a warrant to gather more information. This document will
either allow them to request logs from a service provider or to install monitoring
equipment of their own. Without the warrant they will not be able to gather information
off the network. Here again, they will follow their own procedures.
NOTE:
Law enforcement does not require a warrant if the information is provided willingly (by the
organization, for example). However, if law enforcement wants information from your site, it may be more
appropriate for your organization to require a subpoena as this may protect you from some liability, for
example, if you are an ISP and law enforcement wants your logs of an activity that traversed your
network. In any case, a request for tapes or logs from law enforcement should be run through your
organization's legal office.
CIVIL ISSUES
Anyone can file a civil lawsuit against anyone for anything. That said, there is the potential
for civil lawsuits when it comes to computers and the information they store. In this section
of the chapter, I will be identifying some of the potential exposures that organizations may
encounter. However, none of the following is intended to provide legal advice. For all legal
advice, you should see your own attorney or the organization’s general counsel.
Employee Issues
Computers and computer networks are provided by an organization for the business use
of employees. This simple concept should be spelled out to all employees (see Chapter 5
for a discussion of computer use policies). This means that the organization owns the
systems and the network and any information on the systems may be accessed by the
organization at any time and so any employees should have no expectation of privacy. To
make sure that your policy on this matter complies with applicable laws, make sure that
the organization's general counsel is involved in the drafting of the policy. Privacy laws
do differ from state to state.
Internal Monitoring
As the provider of the network and computer services, the organization is permitted to
monitor information on the network and how the network is used (this is an exception
to the wire tap laws). Employees should be informed that such activity may occur and
this should be communicated to them via policy and via a login banner. A banner such
as this may be appropriate:
This system is owned by <organization name> and provided for the use of authorized
individuals. All actions on this computer or network may be monitored. Anyone using
this system consents to this monitoring. There is no expectation of privacy on this system.
All information on this or any organization computer system is the property of
<organization name>. Evidence of illegal activities may be turned over to the proper
law enforcement authorities.
A second point that should be made in the banner and in policies is that there is no
expectation of privacy when using an organization computer system. The employee should
be made aware of the fact that monitoring may and will happen and that files may and will
be examined during the normal course of administration duties. The employee should
have no expectation of privacy when using the organization's computers or networks.

Policy Issues
Organization policy defines the appropriate operation of systems and behavior of
employees. If employees violate organization policy, they may be disciplined or terminated.
To alleviate some potential legal issues, all employees should be provided copies of
organization policies (including information and security policies) and asked to sign that
they have received and understood the policies. This procedure should reoccur periodically
(every year) so that the employee is reminded of the existing policies. These policies
should restate the information in the login banner (no expectation of privacy, monitoring
will happen, and so on).
Some employees may be sensitive to signing such documents. This activity should
be coordinated with the Human Resources Department and with the organization's
general counsel.
Downstream Liability
A risk that should be taken into account when performing a risk assessment of an
organization is the potential for downstream liability. The concept is that if an organization
(Organization A) does not perform appropriate security measures and one of their systems
is successfully penetrated, this system might then be used to attack another organization
(Organization B). In this case, Organization A might be held liable by Organization B (see
Figure 4-2). The question will be whether Organization A took reasonable care and
appropriate measures to prevent this from occurring.
Reasonable care and appropriate measures will be determined by existing standards
(such as the proposed ISO 17799) and best business practices (see Chapter 8). Once again,
the information security staff of the organization should discuss this issue with the
organization's general counsel.
PRIVACY ISSUES
Privacy issues on the Internet are becoming a hot topic. We have already touched on the
privacy issues when dealing with employees. This is not the only privacy issue that needs
to be examined and handled properly. It is very possible that there will be legislation in
the near future that defines how organizations should handle customer information and
there will soon be detailed regulations on the handling of health information.
Customer Information
Customer information does not belong to you or your organization. Customer
information belongs to the customer. Therefore, the organization should take appropriate
steps to safeguard customer information from unauthorized disclosure. This is not to say
that customer information cannot be used, but care must be taken to make sure that
customer information is used appropriately. This is one reason why many Internet sites
notify the customer that some information may be used in mailing lists. Customers may
also be given the option to keep their information from being used in this manner.
The issue that I wish to raise here is the issue of customer information being disclosed
if the security of an organization is compromised. How can an organization decide if they
have taken appropriate steps to prevent this type of disclosure? As with liability, the
information security staff must work with the organization's general counsel to
understand the issues involved and to identify the appropriate measures to take.
Figure 4-2. Downstream liability
Health Information
On August 21, 1996, the Health Insurance Portability and Accountability Act (HIPAA)
became law. This law places the responsibility for creating and enforcing the standards for
the protection of health information under the Department of Health and Human Services.
The act calls for the standardization of patient health information, unique identifiers for
individuals, and most importantly, security standards for protecting the confidentiality
and integrity of patient health information.
All healthcare organizations such as insurance companies, billing agencies, hospitals,
doctors, employers, and any other organization that handles patient health information
will be affected by these regulations. Violations may be punishable by civil and criminal
penalties including fines up to $250,000 and imprisonment of up to ten years for
knowingly misusing patient health information. At this time, it is expected that compliance
will be required by 2003 depending on when the regulations are actually published.
The regulations require compliance in the following areas:
▼ Administrative procedures
■ Physical safeguards
■ Technical security services
▲ Technical security mechanisms
It is expected that the regulations will specify appropriate mechanisms for everything
from encryption of information to authentication. The need for procedures to safeguard
the privacy of the information is also noted and defined.
Any organization that handles health care information should examine the
regulations in detail to learn what must be done to be in compliance with the regulations.
It is expected that health care organizations will expend significant resources in bringing
their systems and procedures up to the regulations. The information security staff will
need to work with the HIPAA compliance officer and the organization's general counsel
to make sure the organization meets the requirements.