COSC3325					3/24/2005.

	Summary of Computer-related Federal Laws

	Three categories:

	1. Against Computer Fraud, Hacking and viruses.
	2. Protecting privacy and access to Information.
	3. Intellectual Property protection.

	1. Computer Fraud/Hacking/Viruses

	A. Small Business Security and Education Act of 1984.
	     1.	Amended the Small Business Act (Title 15, US Code) to establish
		a computer security and education program for small businesses
		assisted by the Small Business Administration.
	     2. Mandates the formation of the Small Business Computer Security
		and Education Advisory Council.
	     3. This Council advises the Small Business Administration on
		  The nature and scope of computer crimes committed against
		  small business concerns
		  The effectiveness of laws and technology in deterring
		  and securing against computer-related crimes.
		  The development of guidelines to enhance computer security.
	     4. This Council also prepares educational programs for information
		and training on security techniques for small businesses.
	     5. The simple and broad definition of computer crime in the Act:
		  (a) 	Any crime committed against a small business concern 
		      	by means of the use of a computer, and
		  (b)	Any crime involving the illegal use of a computer,
			or tampering with, a computer owned or utilized by 
			a small business concern.

	B. Computer Fraud and Abuse Act of 1986. (Title-18, USC: Crimes and
	   Criminal Procedure)
	     1. Between 1984 and 1986, at least 22 computer crime bills were
		proposed in Congress.
	     2. Amended 1984 Counterfeit Access Device and Computer Fraud and
		Abuse Act for ambiguity, inconsistency, and insufficient
		penalties.
	        Subsequently modified by the National Information Infrastructure
	        Protection Act of 1996.  
	     3. To provide additional penalties for fraud and related 
		activities in connection with access device and computers,
		for other purposes.
	     4. Heavy penalty of up to 20 years imprisonment for repeated
		offenses.
	     5. The Act criminalizes anyone who:
		(a)	Knowingly accesses a computer w/o authorization or
			exceeds authorized access, and  by means of such 
			conduct obtains info protected against unauthorized
			disclosure for reasons of national defense or
			foreign relations, or any restricted data, with the 
			intent to use to the injury of the US or to the 
			advantage of any foreign nation.
		(b)	Intentionally accesses a computer w/o authorization or
			exceeds authorized access and thereby obtains information
			contained in a financial record of a financial institution
			or of a card issuer, or of a consumer reporting
			agency on a consumer.
		(c)	Intentionally, w/o authorization to access any computer
			of a department or agency of the US, accesses such a
			computer of that department or agency that is exclu-
			sively for the use of the Government of US or, in the
			case of a computer not exclusively for such use, is
			used by or for the Government of the US and such conduct
			affects the use of the government's operation of such
			computer.
		(d)	Knowingly and with intent to defraud, accesses a federal
			interest computer w/o authorization, or exceeds autho-
			rized access, and by means of such conduct furthers
			the intended fraud and obtains anything of value,
			unless the object of the fraud and the thing obtained
			consists of the use of the computer.
		(e)	Intentionally accesses a federal interest computer
			w/o authorization, and by means of one or more instances
			of such conduct alters, damages, or destroys info in 
			any such federal interest computer, or prevents autho-
			rized use of any such computer or info, and thereby:
			(i) causes loss to one or more others of a value 
			    aggregating $1,000 or more during any one year 
			    period; or
			(ii)modifies or impairs, or potentially modifies or
			    impairs the medical examination, medical diagnosis,
			    medical treatment, or medical care of one or more
			    individuals. 
		(f)	Knowingly and with intent to defraud traffics...
			in any password or similar info through which a computer
			may be accessed w/o authorization, if
			(i) such trafficking affects interstate or foreign
			    commerce; or
			(ii)such computer is used by or for the Government
			    of the United States.
	     6. Federal Interest Computer is any computer
		(a)	exclusively for the use of a financial institution
			or exclusively for the use of the United States
		        Government, or those used by or for a
			financial institution or the United States Government
			and the conduct constituting the offense affects the use
			of the financial institution's operation of such computer;
			or
		(b)	which is one of two or more computers used in commit-
			ting the offense, not all of which are located in the
			same state.

 	C. The National Information Infrastructure Protection Act of 1996

	1. "Protected Computers" replaced "Federal Interest Computers" which 
	   now include:
	   a. a computer exclusively for the use of a financial institution 
    	      or the United States Government, or in the case of a computer 
	      not exclusively for such use,  used by or for a financial 
	      institution or the United States Government and 
	      the conduct constituting the offense affects that use by or 
	      for the financial institution or the Government, or
	   b. a computer which is used in interstate or foreign commerce 
	      or communications.

	2. Provision of an additional offense: 1030(a)7

    	   Protection against the interstate or international transmission of 
	   threats to cause damage to Protected Computer(s) with intent to 
	   extort any money or anything of value from anybody or any organization.

	3. Narrowing the definition of the offense of illegally obtaining 
   	   national security information.
    	   1030(a)1
    	   It now requires: "willfully communicates, delivers, transmits, or 
	   causes to be communicated, delivered, or transmitted, or
	   attempts to communicate, deliver, transmit or cause to be
    	   communicated, delivered, or transmitted the same to any person not 
	   entitled to receive it or willfully retains the same and fails to 
	   deliver it to the officer or an employee of the United States entitled to receive it."

	4. Extension of protection from unauthorized information access.  1030(a)2
	   Protection is now provided not just for financial institutions' information
	   but also for information from any United States Government department or agency,
	   and for information from any Protected Computer if the conduct involved an
	   interstate or foreign communication.

	5. Narrowing the definition of Defrauding Protected computers.  1030(a)4
   	   Unauthorized use of a Protected computer must total at least 
   	   $5,000 for a year.


	2. Federal laws for Privacy and Access to Information

	A. Freedom of Information Act of 1966. (Section 552, Title 5, Government Organization and Employees)
	   Goal: Ensure the free flow of information between Government and people
	   1. Guaranteed the right of people to know about the business
	      of their government, and allowed everyone to obtain
	      reasonably identifiable information from federal agencies.
	   2. The Government has to disclose required info upon request.
	   3. The Government has 10 days to either disclose the info or inform
	      the person requesting it that it does not intend to comply with
	      the request.
	      The agency must tell the person the reasons for such refusal.
	   4. Exemptions.
	     a.	Matters established by an Executive Order to be kept secret
		in the interest of national defense or foreign policy.
	        (Matters of National Security)
	     b.	Matters solely related to the internal personnel procedures of
	        a government agency
	        (Internal Personnel Procedure)
	     c.	Matters exempted from disclosure by statutes.
	        (Statutory Exemptions)
	     d.	Trade secrets and privileged financial information.
	        (Trade Secret)
	     e. Inter- or intra-agency "memorandums or letters which would
		not be available by law to a party other than an agency in litigation 
		with the agency"
	        (Inter-/intra-agency memorandum)
	     f.	Personnel or medical files.
	        (Medical Files)
	     g.	Investigation records compiled for law enforcement purposes,
		but only to the extent that the disclosure would interfere
		with the enforcement proceedings or a fair trial, or constitute
		an unwarranted invasion of privacy, or disclose the identity
		of a confidential source or investigative techniques, or 
		threaten the physical safety of law enforcement personnel.
	        (Investigation Record)
	     h. Matters contained in or related to examination, operation,
		or condition reports prepared by, on behalf of, or for the use
		of an agency responsible for the regulation or supervision
		of financial institutions.
	        (Financial Institution Reports)
	     i.	Geological and Geophysical information.
	   5. People have often complained that government agencies refuse to 
	      release info on the pretense of national security or foreign 
	      policy secrecy.

   
	Electronic Freedom of Information Act Amendments of 1996 - Amends the Freedom of 
	Information Act (FOIA) to define "record" to mean information maintained by an 
	agency, as a required agency record, in any format, including an electronic 
	format. 
	Major changes include:
	1. broadening the definition of government records to include those maintained in
	   electronic format.
	2. extending the legal response period from ten days to twenty days.
	3. establishing procedures for a government agency to discuss with requesters ways of 
	   tailoring large requests to improve responsiveness, and
	4. broadening public access to government information by placing more material on-line.
	See "www.epic.org/open_gov/foia/us_foia_act.html" for details.
	(Sec. 4) Revises provisions which permit an agency to delete identifying details 
	when it makes available or publishes specified information so as to permit such 
	deletions in copies of all records. Requires that the extent of such deletion 
	shall be indicated on the portion of the record which is made available or 
	published, unless including that indication would harm an interest protected by 
	the current exemptions (concerning exemptions relating to national security, 
	trade secrets, personal medical files, etc.) under which the deletion is 
	made. Requires an agency to make available for public inspection and copying: 
	(1) copies of all records, regardless of form or format, which have been 
	released to an individual and which, because of the nature of their subject 
	matter, have become or are likely to become the subject of subsequent requests 
	for substantially the same records; (2) a general index of such records, which 
	shall be made available electronically by December 31, 1999; and (3) within one 
	year after November 1, 1996, by computer telecommunications or other electronic 
	means, those records created on or after November 1, 1996. 
	(Sec. 5) Requires that an agency in responding to a request for records shall 
	make reasonable efforts to search for the records in electronic form or format, 
	except when such efforts would significantly interfere with the operation of the 
	agency's automated information system. 
	(Sec. 6) Provides that, respecting a standard for judicial review, in addition 
	to any other matters to which a court accords substantial weight, a court shall 
	accord substantial weight to an affidavit of an agency concerning the agency's 
	determination as to technical feasibility and reproducibility. 
	(Sec. 7) Authorizes each agency to promulgate regulations, pursuant to notice 
	and receipt of public comment, providing for: (1) multitrack processing of 
	requests for records based on the amount of work or time (or both) involved in 
	processing requests; and (2) an opportunity for an individual making a request 
	that does not qualify for the fastest multitrack processing to limit the scope 
	of the request in order to qualify for faster processing. 
	Directs that the agency, with respect to a request for which a written notice in 
	the case of unusual circumstances extends the time limits prescribed, shall: (1) 
	notify the requestor if the request cannot be processed within the time limit; 
	and (2) provide the requestor an opportunity to limit the scope of the request 
	so that it may be processed within that time limit or to arrange with the agency 
	an alternative time frame for processing the request or a modified request. 
	Authorizes each agency to promulgate regulations, pursuant to notice and receipt 
	of public comment, providing for the aggregation of certain requests by the same 
	requestor, or by a group of requestors acting in concert, if the agency 
	reasonably believes that such requests actually constitute a single request 
	(which would otherwise satisfy requirements for unusual circumstances) and the 
	requests involve clearly related matters. Prohibits the aggregation of multiple 
	requests involving unrelated matters. 
	Prohibits including a delay that results from a predictable agency workload of 
	requests as an exceptional circumstance, unless the agency demonstrates 
	reasonable progress in reducing its backlog of pending requests. Considers as a 
	factor in determining whether exceptional circumstances exist the refusal by an 
	individual to modify the scope of a request or arrange an alternative time frame 
	for processing a request after being given an opportunity to do so by the 
	agency. 
	(Sec. 8) Directs each agency to promulgate regulations, pursuant to notice and 
	receipt of public comment, providing for expedited processing of requests for 
	records. 
	Extends the general period for determining whether to comply with a request from 
	ten to 20 days. 
	(Sec. 9) Requires deletions to be indicated, if technically feasible, on the 
	released portion of the record, unless including that indication would harm an 
	interest protected by the exemption under which the deletion is made. 
	(Sec. 10) Revises FOIA reporting requirements. 
	(Sec. 11) Directs each agency head to make publicly available, upon request, 
	reference material or a guide for requesting records or information from the 
	agency, including: (1) an index of all major information systems of the agency; 
	(2) a description of major information and record locator systems maintained by 
	the agency; and (3) a handbook for obtaining various types and categories of 
	public information from the agency. 


	B. Fair Credit Reporting Act of 1970
	   (Title 15, United States Code sections 1681-1681t)
	     
	     1. Controls the propagation of personal credit information
	        by restricting the dissemination by credit bureaus and 
	        similar institutions of "written, oral, or other communication
		of any information ...bearing on a consumer's credit worthi-
		ness for credit or insurance to be used primarily for
		personal, family, or household purposes"
	     2. Provides standards for the collection and maintenance of
		credit information and gives consumers the right to have
		access to correct their records.
	     3. Credit bureaus have to use reasonable procedures for meeting
		the commercial need for information in a manner that is fair
		and equitable to the consumer.
	     4. Distinguishes between "a depository institution" like banks
		and "a consumer reporting agency"
		The former can furnish to others info that reflects its
		direct experience with the consumer.
		The latter is one that collects and furnishes to others
		info reflecting business with other organizations and
		individuals.
	     5. A consumer reporting agency must prepare a consumer report
		(i)   in reply to a court order.
		(ii)  in accordance with a consumer's written instruction.
		(iii) For one of the permissible purposes:
		(a) intends to use the info in connection with a credit
		    transaction involving the consumer on whom the info
		    is to be furnished and involving the extension of
		    credit to, or
		(b) intends to use the info for employment purposes, or
		(c) intends to use the info in connection with under-
		    writing of insurance involving the consumer, or
		(d) intends to use the info in connection with a deter-
		    mination of the consumer's eligibility for a license
		    or other benefit granted by a government instrumentality
		    required by law to consider an applicant's financial
		    responsibility or status, or
		(e) otherwise has a legitimate business need for the info
		    in connection with a business transaction with the
		    consumer.
	     6. It is technically very easy for a bank or an insurance 
	        company to obtain info from a credit report firm.
		Therefore, it is extremely important that the ease of access
		not be abused, and that the above restrictions be observed.

	C. Privacy Act of 1974
	   (Section 552a of Title 5, United States Code)

	   1. Protects individual privacy interest from government misuse
	      of federal records containing personal information.
	   2. Applies to federal agencies and their contractors who hold
	      info  traceable to individuals.
	   3. Provides that:
	      a. agencies are allowed to collect and maintain only data
	     	 that is required and relevant.
	      b. each agency has to specify what routine uses of info
		 will be made by other agencies.
	      c. an individual has the right to scrutinize data referring
		 to the individual and request deletions or corrections,
		 following a formal process.
	      d. any use of info other than the specified routine use
		 requires the consent of the involved individual.
	      e. every use of the info has to be accounted for.
	      f. an individual may sue to force an amendment to a record.
	      g. an agency or an individual who willfully discloses personally
		 identifiable info, or maintains a system of records in
		 violation of this Act, may be fined.
	      h. law enforcement, investigatory, and national security files
		 are exempted from this Act.
	      i. individuals may refuse to reveal their SSN unless required 
		 by statute or unless they were used in the file system before
		 1975.
	    4. Makes it unlawful for any federal, state, or local government
	       agency to deny to any individual any right, benefit, or pri-
	       vilege provided by law because of the individual's refusal
	       to disclose her/his SSN.

	D. Right to Financial Privacy Act of 1978.
	   (Title 12, United States Code sections 3401-3422)

	   1. The increasing use of computerized databases in financial
	      institutions turns them into huge repositories of sensitive 
	      personal information.
	      This Act is to control government access to these personal
	      financial records.
	   2. Provides that ".. no government authority may have access to,
	      or obtain copies of, the information contained in the finan-
	      cial records of any customer from a financial institution..."
	   3. (Exemptions)
	      a. If the customer authorized the disclosure, or
	      b. If in response to an administrative subpoena or summons, or
	      c. If in response to a search warrant, a judicial subpoena, or
	 	 to a formal written request which meets certain requirements
		 of the Act. 
		 The most important requirements are that:
		 (i)  the agency requesting the info notify the individual
		      no later than the time it contacts the financial ins-
		      titute, and
		 (ii) this notification clearly gives the individual
		      involved an option to deny such government access.
	   4. It might have been a legislative accomplishment for the 1970's,
	      but it is a little bit outmoded:
		It does not apply to state agencies or local law enforcement
		agencies.
		There now exist many other such sources of personal records,
		such as medical records, insurance files, credit card and
		phone bills, court proceedings.

	E. Electronic Funds Transfer Act of 1980.

	   1. Provides a framework establishing the rights, liabilities,
	      and responsibilities of participants in electronic funds
	      transfer systems.
	      The primary goal is to protect the rights of individual
	      customers.
	   2. Provides:
	      a. the terms and conditions of EFT are disclosed to the cus-
		 tomer prior to contracting for the service.
	      b. the financial institution has to tell  the client what
		 his/her liabilities are in case of an unauthorized
		 transfer, to inform the client of his/her right to receive
		 documentation involving transfers and the right to stop
		 payments of preauthorized EFT.
	      c. customers' right for compensation for damages because 
		 of errors. Such errors include an unauthorized EFT, 
		 an incorrect transfer from or to a customer's account, 
		 and a computational error by the financial institution.
	         The burden of proof is upon the financial institution
		 to show that such mishaps did not occur because of its
		 negligence.
	      d. Penalties for the abuse of "debit instruments" to frau-
		 dulently transfer funds electronically.
		 A debit instrument includes a card, code, or other device,
		 other than a check or a draft, or similar paper instrument
		 by the use of which a person may initiate an EFT.

	F. Debt Collection Act of 1982.

	   1. The federal government operates some 400 loan programs through
	      some 24 agencies and departments.
	      Many of the loans are never paid back due to
	      a. lack of motivations, resources, or tools to collect
		 delinquent debts.
	      b. lack of tools to screen applications because of Privacy
		 Act and other restrictions.
	   2. Amended section 2 of 1974 Privacy Act and other laws to
	      "increase the efficiency of government-wide efforts to collect
	      debts owed the United States and to provide additional pro-
	      cedures for the collection of debts owed the United States."
	   3. Allows the federal government to
	      a. refer delinquent debtors to credit bureaus while providing
		 those debtors the same protection afforded the private
		 debtors under the Fair Credit Reporting Act,
	      b. require individuals to supply their SSN when applying for
		 credit or financial assistance that would result in
		 indebtedness to the government.
	      c. determine delinquent tax liability and seek its
		 resolution before extending federal credit.
	      d. disclose mailing addresses obtained from IRS on delinquent
		 debtors to private contractors for debt collection purposes, and
	      e. contract with private collection agencies for collection
		 services.

	G. Cable Communications Policy Act of 1984.
	
	   1. Provides the overall framework for the regulation of the
	      communications industry in the U.S.
	   2. It does:
	     a. establish a national policy concerning cable communications,
	     b. establish franchise procedures and standards which encourage
	     	the growth and development of cable systems and which assure
		that cable systems are responsive to the needs and interests
		of the local community,
	     c. establish guidelines for the exercise of Federal, State,
		and local authority with respect to the regulation of
		cable systems,
	     d. assure that cable communications provide diversity of info
		sources and services,
	     e. establish the orderly process for franchise renewal which
		protects cable operators against unfair denial of renewal
		where the operator's past performance and proposal for future
		performance meet the standards established by this Act, and
	     f. promote competition in cable communications and minimize
		unnecessary regulation that would impose an undue economic
		burden on cable systems.
	   3. A landlord cannot deny the tenants access to the cable service.
	   4. To address the concerns of subscriber's privacy, the Act
	     mandates:
	        At the time of entering into an initial agreement to
		provide any cable service and at least once a year thereafter,
		a cable operator shall provide notice in the form of a 
		separate, written statement to inform the subscriber of
		(a) The nature of personally identifiable info collected or
		    to be collected and the nature of the use of such info,
		(b) The nature, frequency, and purpose of any disclosure,
		    including the types of persons to whom the disclosure
		    may be made,
		(c) The period during which such info will be maintained,
		(d) The times and place at which the subscriber may have
		    access to such info, and
		(e) The limitations provided by this section w.r.t. the
		    collection and disclosure of info by a cable operator
		    and the right of the subscriber... to enforce such
		    limitations.