The American legal system, along with many of its counterparts around the globe, is only beginning to grapple with the legal challenges of the knowledge age. The past decade has witnessed a multitude of new laws and regulations seeking to address these challenges and provide a common framework for the legal and technical professions. Those charged with information security responsibilities face a myriad of complex and often vague requirements. In this article, we establish a four-level taxonomy for information security laws and explore the major components of each level.
Mohamed Chawki, in a study of computer crime law, points out that the traditional definition of a computer crime as any crime that involves “the knowledge of computer technology for its perpetration, investigation, or prosecution” is far too broad for practical application (Chawki, 2005, p. 7). Virtually every crime involves computer technology at some point in the investigative process. For example, a common burglary should not be considered a computer crime merely because the booking officer entered data on the crime into a department information system. Similarly, the fact that the criminal looked up driving directions on the Internet should not make a bank robbery a computer crime.
We seek to clarify these issues by creating a general taxonomy of information security laws. Our taxonomy includes the following four levels:
Intellectual property laws protect the rights of authors, inventors and creators of other intellectual works.
Computer-focused crime laws define transgressions and applicable punishments for offenses where the use of a computer is intrinsic to the crime.
Computer-related crime laws are those laws that involve the use of a computer but where the criminal activity is not defined by the use of a computer. This category also includes those laws that require the use of computers to assist in the investigation of a crime.
Industry-specific laws do not apply to society as a whole but, rather, govern particular industries and are typically focused on protecting the confidentiality, integrity and/or availability of personal information.
It is also important to note that many information security crimes are prosecuted under traditional laws, rather than the specific laws presented in this taxonomy. Smith (2005) points out two examples of this: the charging of an individual with a felony offense for accessing an unprotected wireless network and a school district’s charge of criminal trespass against 13 students who accessed laptops issued to them with an administrative password that was taped to the bottom of the machines.
In the remainder of this chapter, we seek to explore this taxonomy in further detail. While the taxonomy may be applied to any body of law, due to space constraints, this article limits the discussion to federal laws in the United States. A myriad of state and local laws, as well as the laws of other nations, may also be classified under this taxonomy.
Intellectual Property Law
The legal principles protecting the rights of owners of creative works date back several centuries. As our society shifts from an industrial economy to a knowledge economy, these laws become increasingly important, as they protect the very essence of our economic engine. These intellectual property laws are critical to any information security program, as they provide the legal basis for protecting the intellectual property rights of individuals and organizations.
Copyrights protect any original work of authorship from unauthorized duplication or distribution. The Copyright Act defines eight categories that constitute covered works (Copyright Act, 1976). One of these categories, literary works, is broadly interpreted to include almost any written work. This category has traditionally been used to include computer software, web content and a variety of other works of direct interest to information security professionals.
Copyright protection is automatic upon the creation of a work. For works created after 1978, copyright protection lasts for 70 years after the death of the last surviving author.