Predict – Preempt – Protect

Law and Ethics

Karthikeyan Dhayalan
tes
• tes

Karthikeyan Dhayalan
Categories of Law

Code Law
• Rule-based law not precedence based
• Focused on codified law – or written law
• Lower courts are not compelled to follow
the decisions made by the higher courts
• Most widespread legal system in the world
and most common in Europe
Common Law
• It is based on previous interpretations of law
• Developed in England
• It reflects the community’s morals and
expectations
• Uses judges and juries of peers
• Broken down into civil, criminal, and
administrative
Criminal Law
• It is based on common law
• Addresses behavior harmful to society
• Punishment involves a loss of freedom, monetary fines,
community service
• Responsibility is on the prosecution to prove guilt
• Govt, through law enforcement agencies, brings about charges
against the individual/organization that is accused of violation
• Penalties include, jail term, community service, monetary fines
Civil/Tort Law
• It is based on common law
• Defendant owes a legal duty to the victim
• Designed to provide for an orderly society and
govern matters that are not crimes
• Incumbent on the person wronged to file a law
suit
• Damages can be financial penalties
Administrative Law
• Policies, procedures and regulations
that govern the daily operations of
the agency
• Administrative law does not require
an act of legislation but must comply
with all existing civil and criminal laws
Customary Law
• Deals mainly with personal conduct and
patterns of behavior
• Based on traditions and customs of the
region
• Mainly used in regions that have mixed
law system
• Penalty include monetary fine or service
Religious Law
• Based on religious beliefs of the region
• Covers all aspects of human life
• Knowledge and rules are defined by
god
• Scholars attempt to discover truth of
law
Mixed Law
• 2 or more legal systems are used
together
• Consists of civil and common law
Computer specific Law
Computer Fraud and Abuse Act

• Exclusively covers computer crimes that crosses

state boundaries
• It is a crime to perform the following
• Unauthorized access of classified information in
a federal system
• Unauthorized access to a federal government
system
• Causing malicious damage to the federal system
Computer Security Act of 1987

• Mandates baseline security requirement for all federal

agencies
• 4 main purposes of the Act
• Provide NIST responsibility for developing standards
and guidelines for federal computer systems
• Provide for enactment of such standard and
guidelines
• Require establishment of security plans by all
operators
• Require mandatory periodic training for all people
Federal Sentencing Guidelines

• Provides punishment guidelines to help federal judges to interpret

computer crime laws
• 3 Major provisions of the law are
• Prudent man rule – requires senior executives to take personal
responsibility for ensuring due care
• Allowed executives and organizations to reduce punishment by
demonstrating that they used due diligence in the conduct of their
information security duties
• Outlines 3 burdens of proof for negligence
• Person accused of negligence must have legally recognized obligation
• Person must have failed to comply with recognized standard
• There must be casual relationship between the act of negligence and
subsequent damages – proximate causation
Government Information Security Reform
Act
• Provide comprehensive framework for establishing and
ensuring the effectiveness of controls over information
resources that support federal operations
• Places burden of maintaining security and integrity of
government systems on individual agency leaders
• Established mission-critical system category
• Provides specific evaluation and auditing authority for
mission-critical systems to the secretary of defense and
the director of CIA
Federal Information Security Management Act

• FISMA requires agencies implement an information security

program that covers the agencies operations
• Requires contractors are also included part of the scope
• NIST is responsible for building FISMA guidelines
HIPAA

• Provides a framework and guideline to

ensure security, integrity and privacy when
handling confidential medical records
• It outlines how security should be managed
for any facility that creates, accesses, shares
or destroys medical information
• Mandates steep penalties for noncompliance
Gramm-Leach-Bliley Act (GLBA)

• Mandates financial institution develop privacy notices and

give customers option to prohibit sharing their information
with non-affiliated parties
• BoD is responsible, all employee should be trained and
security controls should be tested
• Major components
• Financial privacy rule: provide each customer with privacy
notice. Provide opt-out clause
• Safeguards rule: develop written information security plan
• Pretexting Protection: Implement safeguards against
social engineering
Personal Information Protection and
Electronic Documents Act

• Canadian law that deals with protection of personal

information
• Oversees how private sector collect, use, disclose PII
• Some requirements of the law
• Obtain consent when they collect PII
• Collect information in fair and lawful means
• Have personal information policies that are clear,
understandable and readily available
Payment card industry Data Security Standard (PCI DSS)

• Applies to any entity that processes, stores, transmits or accepts credit

card data
• It is a private industry initiative, it is not a law.
• Made up of 12 main requirements broken into 6 major categories
• Non-compliance may result in financial penalties or possible revocation of
merchant status within the credit card industry
 Intellectual Property Rights
Intellectual property (IP) refers to creations of the mind, such as inventions;
literary and artistic works; designs; and symbols, names and images used in
commerce.
Types of intellectual property
• Copyright
• Patent
• Trade secret
• Trade mark
• Industrial design
• Geographical Identification
 Copyright
• Copyright (or author’s right) is a legal term used to describe the rights that creators have over their
literary and artistic works
• Works covered by copyright range from books, music, paintings, sculpture, and films, to
computer programs, databases, advertisements, maps, and technical drawings.
• Copyright protection extends only to expressions, and not to ideas, procedures, methods of
operation or mathematical concepts as such.
• There are two types of rights under copyright:
• economic rights, which allow the rights owner to derive financial reward from the use of his
works by others; and
• moral rights, which protect the non-economic interests of the author
• Copyright protection is obtained automatically without the need for registration or other
formalities
• Works by one or more authors are protected until 70 years after the death of the last surviving
author
• Work for hire and anonymous works are provided protection for 95 years from the date of first
publishing or 120 years from the date of creation, whichever is shorter
 Digital Millennium Copyright Act (DMCA)
• The Digital Millennium Copyright Act (DMCA) is a controversial United
States digital rights management ( DRM ) law. The intent behind DMCA
was to create an updated version of copyright laws to deal with the
special challenges of regulating digital material.
• It prohibits attempts to circumvent copyright protection mechanisms
• Non-profit organizations are exempted from this Act
• A DMCA takedown notice is a notification to a company, usually a web
host or a search engine, that they are either hosting or linking to
copyright-infringing material. It provides them notice to remove the
copyrighted works.
Patent
• A patent is an exclusive right granted for an invention
• To get a patent, technical information about the invention must be disclosed to the
public in a patent application.
• 3 requirements to be satisfied are:
• The invention should be new and original idea
• The invention must be useful
• The invention must not be obvious.
• The patent owner has the exclusive right to prevent or stop others from
commercially exploiting the patented invention
• The exclusive rights are only applicable in the country or region in which a patent has
been filed and granted, in accordance with the law of that country or region.
• The protection is granted for a limited period, generally 20 years from the filing date
of the application.
 Trademark
• A trademark is a sign capable of distinguishing the goods or services of one
enterprise from those of other enterprises. Trademarks are protected by
intellectual property rights.
• The main objective is to avoid confusion in the marketplace of a product or
service
• Trademarks are generally not needed to be official registered to gain protection
under law
• Acceptance of Trademark registration in US has two major considerations
• The trademark must not be similar to another trademark
• The trademark should not be descriptive of the goods or service that you will
offer
• In US Trademarks are provided for 10 years with renewals for unlimited
successive 10-year period
 Trade Secret
• Any confidential business information which provides an enterprise a
competitive edge may be considered a trade secret
• Trade secrets encompass manufacturing or industrial secrets and
commercial secrets
• Trade secrets are protected without registration
• Conditions for the information to be considered a trade secret
• The information must be secret 
• It must have commercial value because it is a secret
• It must have been subject to reasonable steps by the rightful holder of
the information to keep it secret
 Industrial Design
• An industrial design constitutes the ornamental or aesthetic aspect of an article
• may consist of three dimensional features, such as the shape of an article, or two
dimensional features, such as patterns, lines or colour
• the owner of a registered industrial design or of a design patent has the right to
prevent third parties from making, selling or importing articles bearing or embodying
a design which is a copy, or substantially a copy, of the protected design, when such
acts are undertaken for commercial purposes.
• Industrial designs are applied to a wide variety of products of industry and handicraft
items: from packages and containers to furnishing and household goods, from
lighting equipment to jewelry, and from electronic devices to textiles.
• an industrial design needs to be registered in order to be protected under industrial
design law as a “registered design”
 Geographical Indications
• A geographical indication (GI) is a sign used on products that have a specific
geographical origin and possess qualities or a reputation that are due to that origin. 
• There is a clear link between the product and its original place of production
• A geographical indication right enables those who have the right to use the
indication to prevent its use by a third party whose product does not conform to the
applicable standards. 
• A protected geographical indication does not enable the holder to prevent someone
from making a product using the same techniques as those set out in the standards
for that indication.
• Geographical indications are typically used for agricultural products, foodstuffs, wine
and spirit drinks, handicrafts, and industrial products.
Licensing
• 4 major types of license requirements
• Contractual license agreement: written contract between the software
vendor and the customer
• Shrink-wrap License: A shrink wrap license is an end user agreement
(EULA) that is enclosed with software in plastic-wrapped packaging.
Once the end user opens the packaging, the EULA is considered to be in
effect.
• Clickwrap License: Type of agreement often used in connection with
software licenses. Most clickwrap agreements require the end-user to
manifest his or her assent by clicking an "ok" or "agree" button on a
dialog box or pop-up window.
• Cloud services license agreement: similar to Clickwrap agreement,
mainly concentrated on the services provided by cloud vendors
Karthikeyan Dhayalan