Cyber crime and data regulations
CFAA
The Computer Fraud and Abuse Act (CFAA) is a United States cybersecurity bill that was enacted in 1984 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. The law prohibits accessing a computer without authorization, or in excess of authorization. Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.
The Act has been amended a number of times—in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. With each amendment of the law, the types of conduct that fell within its reach were extended.
Protected computers
The only computers, in theory, covered by the CFAA are defined as "protected computers".
In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the inter-state nature of most internet communication.[7]
Utah Computer Crimes Act
76-6-701 Computer Crimes Act -- Short title. This part is known as the "Utah Computer Crimes Act."
Section 701 Computer Crimes Act -- Short title.
Section 702 Definitions.
Section 703 Computer crimes and penalties -- Interfering with critical infrastructure.
Section 704 Attorney general, county attorney, or district attorney to prosecute -- Conduct violating other statutes.
Section 705 Reporting violations.
General Data Protection Regulation - GDPR
The General Data Protection Regulation ("GDPR") is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Controllers of personal data must put in place appropriate technical and organisational measuresto implement the data protection principles. Business processes that handle personal data must be designed and built with consideration of the principles and provide safeguards to protect data (for example, using pseudonymization or full anonymization where appropriate), and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately.
Payment Card Industry Data Security Standard - PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually or quarterly, either by an external Qualified Security Assessor (QSA) or by a firm specific Internal Security Assessor (ISA) that creates a Report on Compliance for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
The payment card industry consists of all the organizations which store, process and transmit cardholder data, most notably for debit cards and credit cards. The security standards are developed by the Payment Card Industry Security Standards Council which develops the Payment Card Industry Data Security Standards used throughout the industry.
The six control objectives are:
Category |
Requirements |
---|---|
Build and Maintain a Secure Network and Systems. |
1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
Protect Cardholder Data. |
3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. |
Maintain a Vulnerability Management Program. |
5. Protect all systems against malware and regularly update anti-virus .software or programs. 6. Develop and maintain secure systems and applications |
Implement Strong Access Control Measures. |
7. Restrict access to cardholder data by business need to know. 8. Identify and authenticate access to system components. 9. Restrict physical access to cardholder data. |
Regularly Monitor and Test Networks. |
10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. |
Maintain an Information Security Policy. |
12. Maintain a policy that addresses information security for all personnel. |