Network System Security part 7 - Pdf 16

CHAPTER 4
Legal Issues in Information Security
Copyright 2001 The McGraw-Hill Companies, Inc.
There are many legal issues with regard to information security. The most obvious
issue is that breaking into computers is against the law—well, most of the time it is.
Depending on where you are in the world, the definition of a computer crime differs
as does the punishment for engaging in such activity. No matter how the activity is
defined, if the perpetrators of the crime are to be punished, information security
professionals must understand how to gather the information necessary to assist law
enforcement in the capture and prosecution of the individuals responsible.
However, computer crime is not the only issue that must be dealt with by information
security professionals. There are also the civil issues of liability and privacy that must be
examined. Organizations must understand their risks with regard to employees and
other organizations on the network if internal security is lax. New laws are being passed
that address customer and medical privacy. Violations of these laws may pose a significant
risk to an organization, including criminal penalties. All of these issues must be
understood and examined by information security professionals in conjunction with the
legal advisors of the organization.
NOTE:
I am not an attorney and this chapter is not meant to be legal advice. The purpose of this chapter
is to highlight some of the legal issues surrounding information security. Legal issues may and do
change over time and thus it is best to consult your organization’s general counsel on all legal issues.
U.S. CRIMINAL LAW

age that is done does not exceed $5,000. Other activity that is commonly performed by
intruders may not be illegal. For example, it was recently ruled in Georgia (see Moulton v.
VC3, N.D. Ga., Civil Action File No. 1:00-CV-434-TWT, 11/7/00) that scanning a system
did not cause damage and thus could not be punished under federal or Georgia state law.
Credit Card Fraud (18 US Code 1029)
Many computer crimes involve the stealing of credit card numbers. In this case, 18 US
Code 1029 can be used to charge the individual with a federal crime. The statute makes it
a crime to possess 15 or more counterfeit credit cards.
An attack on a computer system that allows the intruder to gain access to a large number
of credit card numbers to which he does not have authorized access is a violation of
this statute. The attack will be a violation even if the attack itself did not cause $5,000 in
damage (as specified in 18 US Code 1030) if the attacker gains access to 15 or more credit
card numbers.
Copyrights (18 US Code 2319)
18 US Code 2319 defines the criminal punishments for copyright violations where an
individual is found to be reproducing or distributing copyrighted material where at least
ten copies have been made of one or more works and the total retail value of the copies
exceeds $1,000 ($2,500 for harsher penalties). If a computer system has been compromised
and used as a distribution point for copyrighted software, the individual who is
providing the software for distribution is likely in violation of this statute. Again, this
is regardless of whether the cost of the compromise exceeded $5,000.
It should be noted, however, that the victim of this crime is not the owner of the system
that was compromised but the holder of the copyright.
Interception (18 US Code 2511)
18 US Code 2511 is the wire tap statute. This statute outlaws the interception of telephone
calls and other types of electronic communication and prevents law enforcement from
using wire taps without a warrant.
An intruder into a computer system that places a “sniffer” on the system is likely to be

Network Security: A Beginner’s Guide
Child Pornography
Many computer crime cases involve child pornography. This may be due to the way
the Internet allows such material to be circulated. Whatever the reason, since the use
of the Internet has allowed child pornography to expand and reach new audiences,
law enforcement is actively involved in tracking such individuals across the Internet.
If computers belonging to an organization are being used to store or examine
child pornography, the organization itself may suffer harm as a result. This may
range from bad publicity to confiscation of the organization’s equipment by law
enforcement. This may include any system on which the individual in question
was able to store files or print images. While this activity by law enforcement is not
supposed to inappropriately impact business, if the organization knew about the
activity and did nothing about it, additional systems may be confiscated or the
organization may be shut down.
STATE LAWS
In addition to federal computer crime statutes, many states have also developed their
own computer crime laws (see Figure 4-1). These laws differ from the federal laws with
regard to what constitutes a crime (many do not have any minimum damage amount)
and how the crime may be punished. Depending on where the crime occurred, local law
enforcement may have more interest in the case than the federal authorities. Be sure to
speak with your local law enforcement organization to understand their interest in and
their capabilities to investigate computer crime.
Table 4-1 provides a summary of the state laws. Keep in mind that state laws may
change frequently and computer crime is an area of continued research and development.
If you have specific questions about a particular statute, consult your organization’s
general counsel or local law enforcement.