Predict Preempt Protect

Law and Ethics

Karthikeyan Dhayalan
Categories of Law

Code Law
Rule-based law not precedence based
Focused on codified law or written law
Lower courts are not compelled to follow
the decisions made by the higher courts
Most widespread legal system in the world
and most common in Europe
Common Law
It is based on previous interpretations of law
Developed in England
It reflects the communitys morals and
expectations
Uses judges and juries of peers
Broken down into civil, criminal, and
administrative
Criminal Law
It is based on common law
Addresses behavior harmful to society
Punishment involves a loss of freedom, monetary fines,
community service
Responsibility is on the prosecution to prove guilt
Govt, through law enforcement agencies, brings about charges
against the individual/organization that is accused of violation
Penalties include, jail term, community service, monetary fines
Civil/Tort Law
It is based on common law
Defendant owes a legal duty to the victim
Designed to provide for an orderly society and
govern matters that are not crimes
Incumbent on the person wronged to file a law
suit
Damages can be financial penalties
Administrative Law
Policies, procedures and regulations
that govern the daily operations of
the agency
Administrative law does not require
an act of legislation but must comply
with all existing civil and criminal laws
Customary Law
Deals mainly with personal conduct and
patterns of behavior
Based on traditions and customs of the
region
Mainly used in regions that have mixed
law system
Penalty include monetary fine or service
Religious Law
Based on religious beliefs of the region
Covers all aspects of human life
Knowledge and rules are defined by
god
Scholars attempt to discover truth of
law
Mixed Law
2 or more legal systems are used
together
Consists of civil and common law
Computer specific Law
Computer Fraud and Abuse Act

Exclusively covers computer crimes that crosses

state boundaries
It is a crime to perform the following
Unauthorized access of classified information in
a federal system
Unauthorized access to a federal government
system
Causing malicious damage to the federal system
Computer Security Act of 1987

Mandates baseline security requirement for all federal

agencies
4 main purposes of the Act
Provide NIST responsibility for developing standards
and guidelines for federal computer systems
Provide for enactment of such standard and
guidelines
Require establishment of security plans by all
operators
Require mandatory periodic training for all people
Federal Sentencing Guidelines

Provides punishment guidelines to help federal judges to interpret

computer crime laws
3 Major provisions of the law are
Prudent man rule requires senior executives to take personal
responsibility for ensuring due care
Allowed executives and organizations to reduce punishment by
demonstrating that they used due diligence in the conduct of their
information security duties
Outlines 3 burdens of proof for negligence
Person accused of negligence must have legally recognized obligation
Person must have failed to comply with recognized standard
There must be casual relationship between the act of negligence and
subsequent damages proximate causation
Government Information Security Reform Act

Provide comprehensive framework for establishing and

ensuring the effectiveness of controls over information
resources that support federal operations
Places burden of maintaining security and integrity of
government systems on individual agency leaders
Established mission-critical system category
Provides specific evaluation and auditing authority for
mission-critical systems to the secretary of defense and
the director of CIA
Federal Information Security Management Act

FISMA requires agencies implement an information security

program that covers the agencies operations
Requires contractors are also included part of the scope
NIST is responsible for building FISMA guidelines
HIPAA

Provides a framework and guideline to

ensure security, integrity and privacy when
handling confidential medical records
It outlines how security should be managed
for any facility that creates, accesses, shares
or destroys medical information
Mandates steep penalties for noncompliance
Gramm-Leach-Bliley Act (GLBA)

Mandates financial institution develop privacy notices and

give customers option to prohibit sharing their information
with non-affiliated parties
BoD is responsible, all employee should be trained and
security controls should be tested
Major components
Financial privacy rule: provide each customer with privacy
notice. Provide opt-out clause
Safeguards rule: develop written information security
plan
Pretexting Protection: Implement safeguards against
social engineering
Personal Information Protection and Electronic
Documents Act

Canadian law that deals with protection of personal

information
Oversees how private sector collect, use, disclose PII
Some requirements of the law
Obtain consent when they collect PII
Collect information in fair and lawful means
Have personal information policies that are clear,
understandable and readily available
Payment card industry Data Security Standard (PCI DSS)

Applies to any entity that processes, stores, transmits or accepts credit

card data
It is a private industry initiative, it is not a law.
Made up of 12 main requirements broken into 6 major categories
Non-compliance may result in financial penalties or possible revocation of
merchant status within the credit card industry
 Intellectual Property Rights
Intellectual property (IP) refers to creations of the mind, such as inventions;
literary and artistic works; designs; and symbols, names and images used in
commerce.
Types of intellectual property
Copyright
Patent
Trade secret
Trade mark
Industrial design
Geographical Identification
 Copyright
Copyright (or authors right) is a legal term used to describe the rights that creators have over their
literary and artistic works
Works covered by copyright range from books, music, paintings, sculpture, and films, to
computer programs, databases, advertisements, maps, and technical drawings.
Copyright protection extends only to expressions, and not to ideas, procedures, methods of
operation or mathematical concepts as such.
There are two types of rights under copyright:
economic rights, which allow the rights owner to derive financial reward from the use of his
works by others; and
moral rights, which protect the non-economic interests of the author
Copyright protection is obtained automatically without the need for registration or other
formalities
Works by one or more authors are protected until 70 years after the death of the last surviving
author
Work for hire and anonymous works are provided protection for 95 years from the date of first
publishing or 120 years from the date of creation, whichever is shorter
 Digital Millennium Copyright Act (DMCA)
The Digital Millennium Copyright Act (DMCA) is a controversial United
States digital rights management ( DRM ) law. The intent behind DMCA
was to create an updated version of copyright laws to deal with the
special challenges of regulating digital material.
It prohibits attempts to circumvent copyright protection mechanisms
Non-profit organizations are exempted from this Act
A DMCA takedown notice is a notification to a company, usually a web
host or a search engine, that they are either hosting or linking to
copyright-infringing material. It provides them notice to remove the
copyrighted works.
Patent
A patent is an exclusive right granted for an invention
To get a patent, technical information about the invention must be disclosed to the
public in a patent application.
3 requirements to be satisfied are:
The invention should be new and original idea
The invention must be useful
The invention must not be obvious.
The patent owner has the exclusive right to prevent or stop others from
commercially exploiting the patented invention
The exclusive rights are only applicable in the country or region in which a patent has
been filed and granted, in accordance with the law of that country or region.
The protection is granted for a limited period, generally 20 years from the filing date
of the application.
 Trademark
A trademark is a sign capable of distinguishing the goods or services of one
enterprise from those of other enterprises. Trademarks are protected by
intellectual property rights.
The main objective is to avoid confusion in the marketplace of a product or
service
Trademarks are generally not needed to be official registered to gain protection
under law
Acceptance of Trademark registration in US has two major considerations
The trademark must not be similar to another trademark
The trademark should not be descriptive of the goods or service that you will
offer
In US Trademarks are provided for 10 years with renewals for unlimited
successive 10-year period
 Trade Secret
Any confidential business information which provides an enterprise a
competitive edge may be considered a trade secret
Trade secrets encompass manufacturing or industrial secrets and
commercial secrets
Trade secrets are protected without registration
Conditions for the information to be considered a trade secret
The information must be secret
It must have commercial value because it is a secret
It must have been subject to reasonable steps by the rightful holder of
the information to keep it secret
 Industrial Design
An industrial design constitutes the ornamental or aesthetic aspect of an article
may consist of three dimensional features, such as the shape of an article, or two
dimensional features, such as patterns, lines or colour
the owner of a registered industrial design or of a design patent has the right to
prevent third parties from making, selling or importing articles bearing or embodying
a design which is a copy, or substantially a copy, of the protected design, when such
acts are undertaken for commercial purposes.
Industrial designs are applied to a wide variety of products of industry and handicraft
items: from packages and containers to furnishing and household goods, from
lighting equipment to jewelry, and from electronic devices to textiles.
an industrial design needs to be registered in order to be protected under industrial
design law as a registered design
 Geographical Indications
A geographical indication (GI) is a sign used on products that have a specific
geographical origin and possess qualities or a reputation that are due to that origin.
There is a clear link between the product and its original place of production
A geographical indication right enables those who have the right to use the
indication to prevent its use by a third party whose product does not conform to the
applicable standards.
A protected geographical indication does not enable the holder to prevent someone
from making a product using the same techniques as those set out in the standards
for that indication.
Geographical indications are typically used for agricultural products, foodstuffs, wine
and spirit drinks, handicrafts, and industrial products.
Licensing
4 major types of license requirements
Contractual license agreement: written contract between the software
vendor and the customer
Shrink-wrap License: A shrink wrap license is an end user agreement
(EULA) that is enclosed with software in plastic-wrapped packaging.
Once the end user opens the packaging, the EULA is considered to be in
effect.
Clickwrap License: Type of agreement often used in connection with
software licenses. Most clickwrap agreements require the end-user to
manifest his or her assent by clicking an "ok" or "agree" button on a
dialog box or pop-up window.
Cloud services license agreement: similar to Clickwrap agreement,
mainly concentrated on the services provided by cloud vendors
Karthikeyan Dhayalan