COSC3325 3/24/2005.

Summary of Computer-related Federal Laws

Three categories:
1. Against computer fraud, hacking and viruses.
2. Protecting privacy and access to information.
3. Intellectual property protection.

1. Computer Fraud/Hacking/Viruses

A. Small Business Security and Education Act of 1984.
   1. Amended the Small Business Act (Title 15, US Code) to establish a computer security and education program for small businesses assisted by the Small Business Administration.
   2. Mandates the formation of the Small Business Computer Security and Education Advisory Council.
   3. This Council advises the Small Business Administration on:
      - the nature and scope of computer crimes committed against small business concerns;
      - the effectiveness of laws and technology in deterring and securing against computer-related crimes;
      - the development of guidelines to enhance computer security.
   4. This Council also prepares educational programs for information and training on security techniques for small businesses.
   5. The simple and broad definition of computer crime in the Act:
      (a) any crime committed against a small business concern by means of the use of a computer, and
      (b) any crime involving the illegal use of, or tampering with, a computer owned or utilized by a small business concern.

B. Computer Fraud and Abuse Act of 1986. (Title 18, USC: Crimes and Criminal Procedure)
   1. Between 1984 and 1986, at least 22 computer crime bills were proposed in Congress.
   2. Amended the 1984 Counterfeit Access Device and Computer Fraud and Abuse Act to remedy ambiguity, inconsistency, and insufficient penalties. Subsequently modified by the National Information Infrastructure Protection Act of 1996.
   3. Provides additional penalties for fraud and related activities in connection with access devices and computers, and for other purposes.
   4. Heavy penalty of up to 20 years imprisonment for repeated offenses.
   5. The Act criminalizes anyone who:
      (a) Knowingly accesses a computer without authorization or exceeds authorized access, and by means of such conduct obtains information protected against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, with the intent to use it to the injury of the US or to the advantage of any foreign nation.
      (b) Intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains information contained in a financial record of a financial institution or of a card issuer, or of a consumer reporting agency on a consumer.
      (c) Intentionally, without authorization to access any computer of a department or agency of the US, accesses such a computer of that department or agency that is exclusively for the use of the Government of the US or, in the case of a computer not exclusively for such use, is used by or for the Government of the US and such conduct affects the use of the government's operation of such computer.
      (d) Knowingly and with intent to defraud, accesses a federal interest computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists of the use of the computer.
      (e) Intentionally accesses a federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such federal interest computer, or prevents authorized use of any such computer or information, and thereby:
          (i) causes loss to one or more others of a value aggregating $1,000 or more during any one-year period; or
          (ii) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals.
      (f) Knowingly and with intent to defraud traffics in any password or similar information through which a computer may be accessed without authorization, if
          (i) such trafficking affects interstate or foreign commerce; or
          (ii) such computer is used by or for the Government of the United States.
   6. A Federal Interest Computer is any computer
      (a) exclusively for the use of a financial institution or exclusively for the use of the United States Government, or used by or for a financial institution or the United States Government where the conduct constituting the offense affects the use of the financial institution's operation of such computer; or
      (b) which is one of two or more computers used in committing the offense, not all of which are located in the same state.

C. The National Information Infrastructure Protection Act of 1996
   1. "Protected Computers" replaced "Federal Interest Computers", and now include:
      a. a computer exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government where the conduct constituting the offense affects that use by or for the financial institution or the Government, or
      b. a computer which is used in interstate or foreign commerce or communications.
   2. Provision of an additional offense, 1030(a)(7): protection against the interstate or international transmission of threats to cause damage to Protected Computer(s) with intent to extort any money or anything of value from any person or any organization.
   3. Narrowing the definition of the offense of illegally obtaining national security information.
      1030(a)(1) now requires that the offender "willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it or willfully retains the same and fails to deliver it to the officer or an employee of the United States entitled to receive it."
   4. Extension of protection from unauthorized information access.
      1030(a)(2): protection is now provided not just for financial institutions' information but also for information from any United States Government department or agency, and for information from any Protected Computer if the conduct involved an interstate or foreign communication.
   5. Narrowing the definition of defrauding Protected Computers.
      1030(a)(4): unauthorized use of a Protected Computer must total at least $5,000 in a year.

2. Federal Laws for Privacy and Access to Information

A. Freedom of Information Act of 1966. (Section 552, Title 5, Government Organization and Employees)
   Goal: ensure the free flow of information between the Government and the people.
   1. Guaranteed the right of the people to know about the business of their government, and allowed everyone to obtain reasonably identifiable information from federal agencies.
   2. The Government has to disclose required information upon request.
   3. The Government has 10 days to either disclose the information or inform the person requesting it that it does not intend to comply with the request. The agency must tell the person the reasons for such refusal.
   4. Exemptions.
      a. Matters established by an Executive Order to be kept secret in the interest of national defense or foreign policy. (Matters of National Security)
      b. Matters solely related to the internal personnel procedures of a government agency. (Internal Personnel Procedure)
      c. Matters exempted from disclosure by statutes. (Statutory Exemptions)
      d. Trade secrets and privileged financial information. (Trade Secret)
      e. Inter- or intra-agency "memorandums or letters which would not be available by law to a party other than an agency in litigation with the agency". (Inter-/intra-agency memorandum)
      f. Personnel or medical files. (Medical Files)
      g. Investigation records compiled for law enforcement purposes, but only to the extent that the disclosure would interfere with the enforcement proceedings or a fair trial, or constitute an unwarranted invasion of privacy, or disclose the identity of a confidential source or investigative techniques, or threaten the physical safety of law enforcement personnel. (Investigation Record)
      h. Matters contained in or related to examination, operation, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions. (Financial Institution Reports)
      i. Geological and geophysical information.
   5. People have often complained that government agencies refuse to release information on the pretense of national security or foreign policy secrecy.

   Electronic Freedom of Information Act Amendments of 1996
   Amends the Freedom of Information Act (FOIA) to define "record" to mean information maintained by an agency, as a required agency record, in any format, including an electronic format. Major changes include:
   1. broadening the definition of government records to include those maintained in electronic format;
   2. extending the legal response period from ten days to twenty days;
   3. establishing procedures for a government agency to discuss with requesters ways of tailoring large requests to improve responsiveness; and
   4. broadening public access to government information by placing more material on-line.
   See "www.epic.org/open_gov/foia/us_foia_act.html" for details.

   (Sec. 4) Revises provisions which permit an agency to delete identifying details when it makes available or publishes specified information so as to permit such deletions in copies of all records.
   Requires that the extent of such deletion be indicated on the portion of the record which is made available or published, unless including that indication would harm an interest protected by the current exemptions (those relating to national security, trade secrets, personal medical files, etc.) under which the deletion is made.
   Requires an agency to make available for public inspection and copying:
   (1) copies of all records, regardless of form or format, which have been released to an individual and which, because of the nature of their subject matter, have become or are likely to become the subject of subsequent requests for substantially the same records;
   (2) a general index of such records, which shall be made available electronically by December 31, 1999; and
   (3) within one year after November 1, 1996, by computer telecommunications or other electronic means, those records created on or after November 1, 1996.

   (Sec. 5) Requires that an agency, in responding to a request for records, make reasonable efforts to search for the records in electronic form or format, except when such efforts would significantly interfere with the operation of the agency's automated information system.

   (Sec. 6) Provides that, respecting a standard for judicial review, in addition to any other matters to which a court accords substantial weight, a court shall accord substantial weight to an affidavit of an agency concerning the agency's determination as to technical feasibility and reproducibility.

   (Sec. 7) Authorizes each agency to promulgate regulations, pursuant to notice and receipt of public comment, providing for:
   (1) multitrack processing of requests for records based on the amount of work or time (or both) involved in processing requests; and
   (2) an opportunity for an individual making a request that does not qualify for the fastest multitrack processing to limit the scope of the request in order to qualify for faster processing.
   Directs that the agency, with respect to a request for which a written notice in the case of unusual circumstances extends the prescribed time limits, shall:
   (1) notify the requestor if the request cannot be processed within the time limit; and
   (2) provide the requestor an opportunity to limit the scope of the request so that it may be processed within that time limit, or to arrange with the agency an alternative time frame for processing the request or a modified request.
   Authorizes each agency to promulgate regulations, pursuant to notice and receipt of public comment, providing for the aggregation of certain requests by the same requestor, or by a group of requestors acting in concert, if the agency reasonably believes that such requests actually constitute a single request (which would otherwise satisfy the requirements for unusual circumstances) and the requests involve clearly related matters. Prohibits the aggregation of multiple requests involving unrelated matters.
   Prohibits counting a delay that results from a predictable agency workload of requests as an exceptional circumstance, unless the agency demonstrates reasonable progress in reducing its backlog of pending requests. Considers as a factor in determining whether exceptional circumstances exist the refusal by an individual to modify the scope of a request or arrange an alternative time frame for processing a request after being given an opportunity to do so by the agency.

   (Sec. 8) Directs each agency to promulgate regulations, pursuant to notice and receipt of public comment, providing for expedited processing of requests for records. Extends the general period for determining whether to comply with a request from ten to 20 days.

   (Sec. 9) Requires deletions to be indicated, if technically feasible, on the released portion of the record, unless including that indication would harm an interest protected by the exemption under which the deletion is made.

   (Sec. 10) Revises FOIA reporting requirements.

   (Sec. 11) Directs each agency head to make publicly available, upon request, reference material or a guide for requesting records or information from the agency, including:
   (1) an index of all major information systems of the agency;
   (2) a description of major information and record locator systems maintained by the agency; and
   (3) a handbook for obtaining various types and categories of public information from the agency.

B. Fair Credit Reporting Act of 1970 (Title 15, United States Code, sections 1681-1681t)
   1. Controls the propagation of personal credit information by restricting the dissemination by credit bureaus and similar institutions of "written, oral, or other communication of any information ... bearing on a consumer's credit worthiness for credit or insurance to be used primarily for personal, family, or household purposes".
   2. Provides standards for the collection and maintenance of credit information and gives consumers the right of access to correct their records.
   3. Credit bureaus have to use reasonable procedures for meeting the commercial need for information in a manner that is fair and equitable to the consumer.
   4. Distinguishes between "a depository institution", like a bank, and "a consumer reporting agency". The former can furnish to others information that reflects its direct experience with the consumer. The latter is one that collects and furnishes to others information reflecting business with other organizations and individuals.
   5. A consumer reporting agency must prepare a consumer report:
      (i) in reply to a court order;
      (ii) in accordance with a consumer's written instruction;
      (iii) for one of the permissible purposes, i.e., for a party that:
          (a) intends to use the information in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to the consumer, or
          (b) intends to use the information for employment purposes, or
          (c) intends to use the information in connection with underwriting of insurance involving the consumer, or
          (d) intends to use the information in connection with a determination of the consumer's eligibility for a license or other benefit granted by a government instrumentality required by law to consider an applicant's financial responsibility or status, or
          (e) otherwise has a legitimate business need for the information in connection with a business transaction with the consumer.
   6. It is technically very easy for a bank or an insurance company to obtain information from a credit reporting firm. Therefore, it is extremely important that the ease of access not be abused, and that the above restrictions be observed.

C. Privacy Act of 1974 (Section 552a of Title 5, United States Code)
   1. Protects individual privacy interests from government misuse of federal records containing personal information.
   2. Applies to federal agencies and their contractors who hold information traceable to individuals.
   3. Provides that:
      a. agencies are allowed to collect and maintain only data that is required and relevant;
      b. each agency has to specify what routine uses of information will be made by other agencies;
      c. an individual has the right to scrutinize data referring to the individual and request deletions or corrections, following a formal process;
      d. any use of information other than the specified routine use requires the consent of the involved individual;
      e. every use of the information has to be accounted for;
      f. an individual may sue to force an amendment to a record;
      g. an agency or an individual who willfully discloses personally identifiable information, or maintains a system of records in violation of this Act, may be fined;
      h. law enforcement, investigatory, and national security files are exempted from this Act;
      i. individuals may refuse to reveal their SSN unless required by statute or unless it was used in the file system before 1975.
   4. Makes it unlawful for any federal, state, or local government agency to deny to any individual any right, benefit, or privilege provided by law because of the individual's refusal to disclose her/his SSN.

D. Right to Financial Privacy Act of 1978. (Title 12, United States Code, sections 3401-3422)
   1. The increasing use of computerized databases in financial institutions turns them into huge repositories of sensitive personal information. This Act controls government access to these personal financial records.
   2. Provides that "... no government authority may have access to, or obtain copies of, the information contained in the financial records of any customer from a financial institution ..."
   3. Exemptions:
      a. if the customer authorized the disclosure, or
      b. if in response to an administrative subpoena or summons, or
      c. if in response to a search warrant, a judicial subpoena, or a formal written request which meets certain requirements of the Act. The most important requirements are that:
         (i) the agency requesting the information notify the individual no later than the time it contacts the financial institution, and
         (ii) this notification clearly gives the individual involved an option to deny such government access.
   4. It might have been a legislative accomplishment for the 1970s, but it is a little outmoded:
      - it does not apply to state agencies or local law enforcement agencies;
      - there now exist many other such sources of personal records, such as medical records, insurance files, credit card and phone bills, and court proceedings.

E. Electronic Funds Transfer Act of 1980.
   1. Provides a framework establishing the rights, liabilities, and responsibilities of participants in electronic funds transfer (EFT) systems.
      The primary goal is to protect the rights of individual customers.
   2. Provides that:
      a. the terms and conditions of EFT are disclosed to the customer prior to contracting for the service;
      b. the financial institution has to tell the client what his/her liabilities are in case of an unauthorized transfer, and to inform the client of his/her right to receive documentation involving transfers and the right to stop payments of preauthorized EFT;
      c. customers have a right to compensation for damages because of errors. Such errors include an unauthorized EFT, an incorrect transfer from or to a customer's account, and a computational error by the financial institution. The burden of proof is upon the financial institution to show that such mishaps did not occur because of its negligence;
      d. penalties apply for the abuse of "debit instruments" to fraudulently transfer funds electronically. A debit instrument includes a card, code, or other device, other than a check, a draft, or a similar paper instrument, by the use of which a person may initiate an EFT.

F. Debt Collection Act of 1982.
   1. The federal government operates some 400 loan programs through some 24 agencies and departments. Many of the loans are never paid back due to
      a. lack of motivation, resources, or tools to collect delinquent debts;
      b. lack of tools to screen applications because of the Privacy Act and other restrictions.
   2. Amended section 2 of the 1974 Privacy Act and other laws to "increase the efficiency of government-wide efforts to collect debts owed the United States and to provide additional procedures for the collection of debts owed the United States."
   3. Allows the federal government to
      a. refer delinquent debtors to credit bureaus while providing those debtors the same protection afforded private debtors under the Fair Credit Reporting Act,
      b. require individuals to supply their SSN when applying for credit or financial assistance that would result in indebtedness to the government,
      c. determine delinquent tax liability and seek its resolution before extending federal credit,
      d. disclose mailing addresses obtained from the IRS on delinquent debtors to private contractors for debt collection purposes, and
      e. contract with private collection agencies for collection services.

G. Cable Communications Policy Act of 1984.
   1. Provides the overall framework for the regulation of the communications industry in the U.S.
   2. It does:
      a. establish a national policy concerning cable communications,
      b. establish franchise procedures and standards which encourage the growth and development of cable systems and which assure that cable systems are responsive to the needs and interests of the local community,
      c. establish guidelines for the exercise of Federal, State, and local authority with respect to the regulation of cable systems,
      d. assure that cable communications provide diversity of information sources and services,
      e. establish an orderly process for franchise renewal which protects cable operators against unfair denial of renewal where the operator's past performance and proposal for future performance meet the standards established by this Act, and
      f. promote competition in cable communications and minimize unnecessary regulation that would impose an undue economic burden on cable systems.
   3. A landlord cannot deny the tenants access to the cable service.
   4. To address the concerns of subscriber privacy, the Act mandates: at the time of entering into an initial agreement to provide any cable service, and at least once a year thereafter, a cable operator shall provide notice in the form of a separate, written statement to inform the subscriber of
      (a) the nature of personally identifiable information collected or to be collected and the nature of the use of such information,
      (b) the nature, frequency, and purpose of any disclosure, including the types of persons to whom the disclosure may be made,
      (c) the period during which such information will be maintained,
      (d) the times and place at which the subscriber may have access to such information, and
      (e) the limitations provided by this section with respect to the collection and disclosure of information by a cable operator and the right of the subscriber ... to enforce such limitations.