Ch. 4- Laws, Regulations, and Compliance
Copyrights protect original works of authorship, such as books, articles, poems, and songs. Trademarks are names, slogans, and logos that identify a company, product, or service. Patents provide protection to the creators of new inventions. Trade secret law protects the operating secrets of a firm.
Know the differences among copyrights, trademarks, patents, and trade secrets.
National Cybersecurity Protection Act
This law charged the Department of Homeland Security with establishing a national cybersecurity and communications integration center. The role of this center is to serve as the interface between federal agencies and civilian organizations for sharing cybersecurity risks, incidents, analysis, and warnings.
Copyright
This law guarantees the creators of "original works of authorship" protection against the unauthorized duplication of their work.
Most organizations are subject to a wide variety of legal and regulatory requirements related to information security. Building a compliance program ensures that you become and remain compliant with these often overlapping requirements.
Explain the importance of a well-rounded compliance program.
EU Privacy Law
In 1995, the European Union (EU) Parliament passed a sweeping directive outlining privacy measures that must be in place for protecting personal data processed by information systems. The directive went into effect three years later in October 1998. The directive requires that all processing of personal data meet one of the following criteria: Consent, Contract, Legal obligation, Vital interest of the data subject, Balance between the interests of the data holder and the interests of the data subject The directive also outlines key rights of individuals about whom data is held and/or processed: Right to access the data, Right to know the data's source, Right to correct inaccurate data, Right to withhold consent to process data in some situations, Right of legal action should these rights be violated
Identity Theft and Assumption Deterrence Act
In 1998, the president signed this act into law. In the past, the only legal victims of identity theft were the creditors who were defrauded. This act makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law.
B. The Fourth Amendment to the U.S. Constitution sets the "probable cause" standard that law enforcement officers must follow when conducting searches and/or seizures of private property. It also states that those officers must obtain a warrant before gaining involuntary access to such property.
What law protects the right of citizens to privacy by placing restrictions on the authority granted to government agencies to search private residences and facilities? A. Privacy Act B. Fourth Amendment C. Second Amendment D. Gramm-Leach-Bliley Act
D. Administrative laws do not require an act of the legislative branch to implement at the federal level. Administrative laws consist of the policies, procedures, and regulations promulgated by agencies of the executive branch of government. Although they do not require an act of Congress, these laws are subject to judicial review and must comply with criminal and civil laws enacted by the legislative branch.
What type of law does not require an act of Congress to implement at the federal level but rather is enacted by the executive branch in the form of regulations, policies, and procedures? A. Criminal law B. Common law C. Civil law D. Administrative law
C. The Computer Fraud and Abuse Act, as amended, provides criminal and civil penalties for individuals convicted of using viruses, worms, Trojan horses, and other types of malicious code to cause damage to computer systems.
Which criminal law was the first to implement penalties for the creators of viruses, worms, and other types of malicious code that cause harm to computer systems? A. Computer Security Act B. National Infrastructure Protection Act C. Computer Fraud and Abuse Act D. Electronic Communications Privacy Act
C. The National Institute of Standards and Technology (NIST) is charged with the security management of all federal government computer systems that are not used to process sensitive national security information. The National Security Agency (part of the Department of Defense) is responsible for managing systems that do process classified and/or sensitive information.
Which federal government agency has responsibility for ensuring the security of government computer systems that are not used to process sensitive and/or classified information? A. National Security Agency B. Federal Bureau of Investigation C. National Institute of Standards and Technology D. Secret Service
Computer Fraud and Abuse Act
Which law does this describe? - Access classified information or financial information in a federal system without authorization or in excess of authorized privileges - Access a computer used exclusively by the U.S. government without authorization - Access a computer used exclusively by a financial institution without authorization - Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to gain use of the computer itself) - Any computer used by the government or a financial institution when the offense impedes the ability of the government or institution to use that system - Cause malicious damage to a federal computer system in excess of $5,000 - Modify medical records in a computer when doing so impairs or may impair the examination, diagnosis, treatment, or medical care of an individual - Traffic in computer passwords if the trafficking affects interstate commerce or involves a federal computer system - Any combination of computers used to commit an offense when they are not all located in the same state
A. The Federal Information Security Management Act (FISMA) includes provisions regulating information security at federal agencies. It places authority for classified systems in the hands of the National Security Agency (NSA) and authority for all other systems with the National Institute for Standards and Technology (NIST).
Which law governs information security operations at federal agencies? A. FISMA B. FERPA C. CFAA D. ECPA
A. The Digital Millennium Copyright Act does not include any geographical location requirements for protection under the "transitory activities" exemption. The other options are three of the five mandatory requirements. The other two requirements are that the service provider must not determine the recipients of the material and the material must be transmitted with no modification to its content.
Which one of the following is not a requirement that Internet service providers must satisfy in order to gain protection under the "transitory activities" clause of the Digital Millennium Copyright Act? A. The service provider and the originator of the message must be located in different states. B. The transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by the service provider. C. Any intermediate copies must not ordinarily be accessible to anyone other than anticipated recipients and must not be retained for longer than reasonably necessary. D. The transmission must be originated by a person other than the provider.
C. The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that protects personal information of EU residents worldwide. The law is scheduled to go into effect in 2018.
Which one of the following is the comprehensive EU law that governs data privacy that was passed in 2016 and goes into effect in 2018? A. DPD B. GLBA C. GDPR D. SOX
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
This law made numerous changes to the laws governing health insurance and health maintenance organizations (HMOs). Among the provisions of this law are privacy and security regulations requiring strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals. It also clearly defines the rights of individuals who are the subject of medical records and requires organizations that maintain such records to disclose these rights in writing.
Federal Information Systems Modernization Act of 2014 (FISMA)
This law modified the rules of the 2002 FISMA by centralizing federal cybersecurity responsibility with the Department of Homeland Security. There are two exceptions to this centralization: defense-related cybersecurity issues remain the responsibility of the Secretary of Defense, while the Director of National Intelligence bears responsibility for intelligence-related issues.
Federal Information Security Management Act of 2002 (FISMA)
This law requires that federal agencies implement an information security program that covers the agency's operations. It also requires that government agencies include the activities of contractors in their security management programs. It repealed and replaced two earlier laws: the Computer Security Act of 1987 and the Government Information Security Reform Act of 2000.
California's SB 1386 implemented the first statewide requirement to notify individuals of a breach of their personal information. All but three states eventually followed suit with similar laws. Currently, federal law only requires the notification of individuals when a HIPAA-covered entity breaches their protected health information.
Understand the notification requirements placed on organizations that experience a data breach.
Contractual license agreements are written agreements between a software vendor and user. Shrink-wrap agreements are written on software packaging and take effect when a user opens the package. Click-wrap agreements are included in a package but require the user to accept the terms during the software installation process.
Understand the various types of software license agreements.
A. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 amended the privacy and security requirements of HIPAA.
What act updated the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA)? A. HITECH B. CALEA C. CFAA D. CCCA
1. Copyrights 2. Trademarks 3. Patents 4. Trade Secrets
What are the four major type of intellectual property?
1. Criminal Law 2. Civil Law 3. Administrative Law
What are the three main categories of laws?
C. The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations involved in storing, transmitting, and processing credit card information.
What compliance obligation relates to the processing of credit card information? A. SOX B. HIPAA C. PCI DSS D. FERPA
B. The Privacy Shield framework, governed by the U.S. Department of Commerce and Federal Trade Commission, allows U.S. companies to certify compliance with EU data protection law.
What framework allows U.S. companies to certify compliance with EU privacy laws? A. COBiT B. Privacy Shield C. Privacy Lock D. EuroLock
B. The Gramm-Leach-Bliley Act provides, among other things, regulations regarding the way financial institutions can handle private information belonging to their customers.
What industry is most directly impacted by the provisions of the Gramm-Leach-Bliley Act? A. Healthcare B. Banking C. Law enforcement D. Defense contractors
PCI DSS
What is an excellent example of a compliance requirement that is not directed by law but by contractual obligation?
C. The original Computer Fraud and Abuse Act of 1984 covered only systems used by the government and financial institutions. The act was broadened in 1986 to include all federal interest systems. The Computer Abuse Amendments Act of 1994 further amended the CFAA to cover all systems that are used in interstate commerce, including a large portion (but not all) of the computer systems in the United States.
What is the broadest category of computer systems protected by the Computer Fraud and Abuse Act, as amended? A. Government-owned systems B. Federal interest systems C. Systems used in interstate commerce D. Systems located in the United States
C. U.S. patent law provides for an exclusivity period of 20 years beginning at the time the patent application is submitted to the Patent and Trademark Office.
What is the standard duration of patent protection in the United States? A. 14 years from the application date B. 14 years from the date the patent is granted C. 20 years from the application date D. 20 years from the date the patent is granted
A. The Privacy Act of 1974 limits the ways government agencies may use information that private citizens disclose to them under certain circumstances.
What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances? A. Privacy Act B. Electronic Communications Privacy Act C. Health Insurance Portability and Accountability Act D. Gramm-Leach-Bliley Act
A. The Children's Online Privacy Protection Act (COPPA) provides severe penalties for companies that collect information from young children without parental consent. COPPA states that this consent must be obtained from the parents of children younger than the age of 13 before any information is collected (other than basic information required to obtain that consent).
The Children's Online Privacy Protection Act (COPPA) was designed to protect the privacy of children using the internet. What is the minimum age a child must be before companies can collect personal identifying information from them without parental consent? A. 13 B. 14 C. 15 D. 16
Click-Through
These license agreements are becoming more commonplace than shrink-wrap agreements. In this type of agreement, the contract terms are either written on the software box or included in the software documentation. During the installation process, you are required to click a button indicating that you have read the terms of the agreement and agree to abide by them. This adds an active consent to the process, ensuring that the individual is aware of the agreement's existence prior to installation.
Shrink-wrap
These license agreements are written on the outside of the software packaging. They commonly include a clause stating that you acknowledge agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package.
D. Mary and Joe should treat their oil formula as a trade secret. As long as they do not publicly disclose the formula, they can keep it a company secret indefinitely.
Mary is the co-founder of Acme Widgets, a manufacturing firm. Together with her partner, Joe, she has developed a special oil that will dramatically improve the widget manufacturing process. To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property protection best suits their needs? A. Copyright B. Trademark C. Patent D. Trade secret
Cloud Services
These license agreements take click-through agreements to the extreme. Most cloud services do not require any form of written agreement and simply flash legal terms on the screen for review. In some cases, they may simply provide a link to legal terms and a check box for users to confirm that they read and agree to the terms. Most users, in their excitement to access a new service, simply click their way through the agreement without reading it and may unwittingly bind their entire organization to onerous terms and conditions.
Contractual
These license agreements use a written contract between the software vendor and the customer, outlining the responsibilities of each. These agreements are commonly found for high-priced and/or highly specialized software packages.
C. The USA PATRIOT Act was adopted in the wake of the September 11, 2001, terrorist attacks. It broadens the powers of the government to monitor communications between private citizens and therefore actually weakens the privacy rights of consumers and internet users. The other laws mentioned all contain provisions designed to enhance individual privacy rights.
Which one of the following laws is not designed to protect the privacy rights of consumers and internet users? A. Health Insurance Portability and Accountability Act B. Identity Theft Assumption and Deterrence Act C. USA PATRIOT Act D. Gramm-Leach-Bliley Act
Computer Abuse Amendments Act of 1994
- This outlawed the creation of any type of malicious code that might cause damage to a computer system. - Modified the CFAA to cover any computer used in interstate commerce rather than just "federal interest" computer systems. - Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage - Provided legal authority for the victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages
Digital Millennium Copyright Act of 1998
1. The first major provision of this is the prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder. This clause was designed to protect copy-prevention mechanisms placed on digital media such as compact discs (CDs) and digital versatile discs (DVDs). The DMCA provides for penalties of up to $1,000,000 and 10 years in prison for repeat offenders. Nonprofit institutions such as libraries and schools are exempted from this provision. 2. It also limits the liability of Internet service providers (ISP) when their circuits are used by criminals violating the copyright law. It recognizes that ISPs have a legal status similar to the "common carrier" status of telephone companies and does not hold them liable for the "transitory activities" of their users.
The Digital Millennium Copyright Act prohibits the circumvention of copy protection mechanisms placed in digital media and limits the liability of Internet service providers for the activities of their users.
Be able to explain the basic provisions of the Digital Millennium Copyright Act of 1998.
The Computer Fraud and Abuse Act (as amended) protects computers used by the government or in interstate commerce from a variety of abuses. The Electronic Communications Privacy Act (ECPA) makes it a crime to invade the electronic privacy of an individual.
Be able to explain the basic provisions of the major laws designed to protect society against computer crime.
NIST SP 800-171: Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations
Compliance with this standard's security controls (which are quite similar to those found in NIST 800-53) is often included as a contractual requirement by government agencies. Federal contractors must often comply with this standard.
National Information Infrastructure Protection Act of 1996
Congress passed yet another set of amendments to the Computer Fraud and Abuse Act designed to further extend the protection it provides. - Broadens CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce - Extends similar protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines, electric power grids, and telecommunications circuits - Treats any intentional or reckless act that causes damage to critical portions of the national infrastructure as a felony
10 years
In the US, trademarks are granted for how many years initially?
True
T or F: Organizations that are not merchants but store, process, or transmit credit card information on behalf of merchants must also comply with PCI DSS.
wiretapping and privacy
The courts have expanded their interpretation of the Fourth Amendment to include protections against ____________ and other invasions of __________.
Fourth Amendment, U.S. Constitution
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Trade Secrets
These are intellectual property that is absolutely critical to their business, and significant damage would result if it were disclosed to competitors and/or the public
NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
This standard is required for use in federal computing systems and is also commonly used as an industry cybersecurity benchmark.
The Economic Espionage Act provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties apply when the individual knows that the information will benefit a foreign government.
Know the basic provisions of the Economic Espionage Act of 1996.
70 years
Current copyright law provides for a lengthy period of protection. Works by one or more authors are protected until how many years after the death of the last surviving author?
Children's Online Privacy Protection Act of 1998 (COPPA)
In April 2000, provisions of this became the law of the land in the United States. It makes a series of demands on websites that cater to children or knowingly collect information from children. - Websites must have a privacy notice that clearly states the types of information they collect and what it's used for, including whether any information is disclosed to third parties. The privacy notice must also include contact information for the operators of the site. - Parents must be provided with the opportunity to review any information collected from their children and permanently delete it from the site's records. - Parents must give verifiable consent to the collection of information about children younger than the age of 13 prior to any such collection. Exceptions in the law allow websites to collect minimal information solely for the purpose of obtaining such parental consent.
The expanded use of cloud services by many organizations requires added attention to conducting reviews of information security controls during the vendor selection process and as part of ongoing vendor governance.
Know how to incorporate security into the procurement and vendor governance process.
A. Copyright law is the only type of intellectual property protection available to Matthew. It covers only the specific software code that Matthew used. It does not cover the process or ideas behind the software. Trademark protection is not appropriate for this type of situation. Patent protection does not apply to mathematical algorithms. Matthew can't seek trade secret protection because he plans to publish the algorithm in a public technical journal.
Matthew recently authored an innovative algorithm for solving a mathematical problem, and he wants to share it with the world. However, prior to publishing the software code in a technical journal, he wants to obtain some sort of intellectual property protection. Which type of protection is best suited to his needs? A. Copyright B. Trademark C. Patent D. Trade secret
C. Richard's product name should be protected under trademark law. Until his registration is granted, he can use the ™ symbol next to it to inform others that it is protected under trademark law. Once his application is approved, the name becomes a registered trademark, and Richard can begin using the ® symbol.
Richard recently developed a great name for a new product that he plans to begin using immediately. He spoke with his attorney and filed the appropriate application to protect his product name but has not yet received a response from the government regarding his application. He wants to begin using the name immediately. What symbol should he use next to the name to indicate its protected status? A. © B. ® (R) C. ™ D. †
The United States has a number of privacy laws that affect the government's use of information as well as the use of information by specific industries, such as financial services companies and healthcare organizations that handle sensitive information. The EU has a more comprehensive General Data Protection Regulation that governs the use and exchange of personal information.
Understand the major laws that govern privacy of personal information in both the United States and the European Union.
EU General Data Protection Regulation (GDPR)
The European Union passed a new, comprehensive law covering the protection of personal information in 2016. It went into effect on May 25, 2018, and replaced the older data protection directives on that date. The main purpose of this law is to provide a single, harmonized law that covers data throughout the European Union.
Administrative Law
These are laws, in the form of policies, procedures, and regulations that govern the daily operations of an agency. This covers topics as mundane as the procedures to be used within a federal agency to obtain a desk telephone to more substantial issues such as the immigration policies that will be used to enforce the laws passed by Congress. These laws are published in the Code of Federal Regulations, often referred to as the CFR.
Civil Laws
These form the bulk of our body of laws. They are designed to provide for an orderly society and govern matters that are not crimes but that require an impartial arbiter to settle between individuals and organizations. Examples of these include contract disputes, real estate transactions, employment matters, and estate/probate procedures. They are also used to create the framework of government that the executive branch uses to carry out its responsibilities. These laws provide budgets for governmental activities and lay out the authority granted to the executive branch to create administrative laws
Federal Sentencing Guidelines
These released in 1991 provided punishment guidelines to help federal judges interpret computer crime laws. Three major provisions of these guidelines have had a lasting impact on the information security community. - The guidelines formalized the prudent man rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. This rule, developed in the realm of fiscal responsibility, now applies to information security as well. - The guidelines allowed organizations and executives to minimize punishment for infractions by demonstrating that they used due diligence in the conduct of their information security duties. - The guidelines outlined three burdens of proof for negligence. First, the person accused of negligence must have a legally recognized obligation. Second, the person must have failed to comply with recognized standards. Finally, there must be a causal relationship between the act of negligence and subsequent damages.
Communications Assistance for Law Enforcement Act (CALEA) of 1994
This amended the Electronic Communications Privacy Act of 1986. It requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
Economic Espionage Act of 1996
This extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage. This changed the legal definition of theft so that it was no longer restricted by physical constraints.
Criminal Law
This forms the bedrock of the body of laws that preserve the peace and keep our society safe. These are the laws that the police and other law enforcement agencies concern themselves with. They contain prohibitions against acts such as murder, assault, robbery, and arson. Penalties for violating these statutes fall in a range that includes mandatory hours of community service, monetary penalties in the form of fines (small and large), and deprivation of civil liberties in the form of prison sentences.
Payment Card Industry Data Security Standard (PCI DSS)
This governs the security of credit card information and is enforced through the terms of a merchant agreement between a business that accepts credit cards and the bank that processes the business's transactions.
NIST Cybersecurity Framework (CSF)
This is a set of standards designed to serve as a voluntary risk-based framework for securing information and systems.
Family Educational Rights and Privacy Act (FERPA)
This is another specialized privacy bill that affects any educational institution that accepts any form of funding from the federal government. It grants certain privacy rights to students older than 18 and the parents of minor students. Specific protections include the following: - Parents/students have the right to inspect any educational records maintained by the institution on the student. - Parents/students have the right to request correction of records they think are erroneous and the right to include a statement in the records contesting anything that is not corrected. - Schools may not release personal information from student records without written consent, except under certain circumstances.
Privacy Act of 1974
This is perhaps the most significant piece of privacy legislation restricting the way the federal government may deal with private information about individual citizens. It severely limits the ability of federal government agencies to disclose private information to other people or agencies without the prior written consent of the affected individuals. It does provide for exceptions involving the census, law enforcement, the National Archives, health and safety, and court orders. It also mandates that agencies maintain only the records that are necessary for conducting their business and that they destroy those records when they are no longer needed for a legitimate function of government. It provides a formal procedure for individuals to gain access to records the government maintains about them and to request that incorrect records be amended.
Economic Espionage Act of 1996
This law has these two major provisions: - Anyone found guilty of stealing trade secrets from a U.S. corporation with the intention of benefiting a foreign government or agent may be fined up to $500,000 and imprisoned for up to 15 years. - Anyone found guilty of stealing trade secrets under other circumstances may be fined up to $250,000 and imprisoned for up to 10 years.
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
This law updated many of HIPAA's privacy and security requirements and was implemented through the HIPAA Omnibus Rule in 2013. One of the changes mandated by the new regulations is a change in the way the law treats business associates, which are organizations that handle protected health information (PHI) on behalf of a HIPAA covered entity. Any relationship between a covered entity and a business associate must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, business associates are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity. This also introduced new data breach notification requirements. Under this law's Breach Notification Rule, HIPAA-covered entities that experience a data breach must notify affected individuals of the breach and must also notify both the Secretary of Health and Human Services and the media when the breach affects more than 500 individuals.
USA PATRIOT ACT of 2001
This law was created in direct response to the September 11, 2001, terrorist attacks in New York City and Washington, DC. The PATRIOT Act greatly broadened the powers of law enforcement organizations and intelligence agencies across a number of areas, including when monitoring electronic communications.
Cybersecurity Enhancement Act
This law which charges the NIST with responsibility for coordinating nationwide work on voluntary cybersecurity standards. NIST produces the 800 series of Special Publications related to computer security in the federal government.
Electronic Communications Privacy Act of 1986
This makes it a crime to invade the electronic privacy of an individual. This act broadened the Federal Wiretap Act, which previously covered communications traveling via a physical wire, to apply to any illegal interception of electronic communications or to the intentional, unauthorized access of electronically stored data. It prohibits the interception or disclosure of electronic communication and defines those situations in which disclosure is legal. It protects against the monitoring of email and voicemail communications and prevents providers of those services from making unauthorized disclosures of their content.
Patent
This protects the intellectual property rights of inventors. They provide a period of 20 years during which the inventor is granted exclusive rights to use the invention (whether directly or via licensing agreements). At the end of the exclusivity period, the invention is in the public domain available for anyone to use.
The International Traffic in Arms Regulations (ITAR)
This regulation controls the export of items that are specifically designated as military and defense items, including technical information related to those items. The items covered under this regulation appear on a list called the United States Munitions List (USML), maintained in 22 CFR 121.
The Export Administration Regulations (EAR)
This regulation covers a broader set of items that are designed for commercial use but may have military applications. Items covered by this appear on the Commerce Control List (CCL) maintained by the U.S. Department of Commerce.
Gramm-Leach-Bliley Act of 1999
This somewhat relaxed the regulations concerning the services financial institutions could provide to eachother. When Congress passed this law, it realized that this increased latitude could have far-reaching privacy implications. Because of this concern, it included a number of limitations on the types of information that could be exchanged even among subsidiaries of the same corporation and required financial institutions to provide written privacy policies to all their customers by July 1, 2001.
The Computer Fraud and Abuse Act (CFAA)
This was the first major piece of cybercrime-specific legislation in the United States. Congress had earlier enacted computer crime law as part of the Comprehensive Crime Control Act (CCCA) of 1984, but this was carefully written to exclusively cover computer crimes that crossed state boundaries to avoid infringing on states' rights and treading on thin constitutional ice.
Criminal law protects society against acts that violate the basic principles we believe in. Violations of criminal law are prosecuted by federal and state governments. Civil law provides the framework for the transaction of business between people and organizations. Violations of civil law are brought to the court and argued by the two affected parties. Administrative law is used by government agencies to effectively carry out their day-to-day business.
Understand the differences between criminal law, civil law, and administrative law.
B. Shrink-wrap license agreements become effective when the user opens a software package. Click-wrap agreements require the user to click a button during the installation process to accept the terms of the license agreement. Standard license agreements require that the user sign a written agreement prior to using the software. Verbal agreements are not normally used for software licensing but also require some active degree of participation by the software user.
Which one of the following types of licensing agreements does not require that the user acknowledge that they have read the agreement prior to executing it? A. Standard license agreement B. Shrink-wrap agreement C. Click-wrap agreement D. Verbal agreement
Trademarks
Words, slogans, and logos used to identify a company and its products or services.
95 and 120
Works for hire and anonymous works are provided protection for _________ years from the date of first publication or __________ years from the date of creation, whichever is shorter.