U.S. Computer Crime Statutes


The U.S. Federal Bureau of Investigation makes a distinction between crimes against computers and crimes involving computers. A crime against a computer, for example, is when an unauthorized person accesses a computer. A crime involving a computer might be a case of cyberstalking, in which the computer was only the tool used to commit the crime.

This is a valuable distinction when discussing legal aspects of computer crime. Many of the crimes people hear about are not crimes against computers at all. These typically are processed under other statutes such as fraud or theft. It is also possible for a crime to be a combination of the two. For example, if a hacker breaks into an e-commerce site and steals credit card information, he or she might have violated some computer crime statutes in the original break-in. Using the credit card numbers would then be a violation of other federal and state laws.

The Computer Fraud and Abuse Act

The standard statute covering computer crime per se in the United States is the Computer Fraud and Abuse Act of 1986 (updated in 1996). This act, Title 18, Section 1030, covers crimes against computers. The act is concerned with what it calls "federal interest computers." A federal interest computer is defined as a computer used by any financial institution or the U.S. government or one used in interstate or foreign commerce or communication (author's italics). This is an extremely loose definition and, given the widespread use of email, could technically apply to virtually any networked computer. Almost any business computer could be covered under one or more of the definitions in the code.

The act prohibits the intentional, unauthorized access of any protected computer if the attacker gains any government information. In addition, financial information (including credit card data) is specifically protected. Any information about the computer or the network is protected under the code if the computer is used in interstate or foreign commerce.

The 1996 revision added provisions against the damaging of computers. In particular, the law prohibits the transmission of programs specifically designed to damage computers or data. This section was specifically designed to deal with viruses. Unfortunately, denial-of-service attacks are not specifically covered (although other laws might apply).

The threshold of damage for invoking the Computer Fraud and Abuse Act is $5,000. Any violation with damages greater than $5,000 can be prosecuted under the act. Chapter 3, "A Methodology for Incident Response," discusses the importance of capturing all the data and costs associated with an incident. The costs of the investigation and recovery can be included in this calculation. Under these rules, establishing damages greater than $5,000 should be relatively simple. As part of the incident response program, a cost-tracking system should be in place to account for direct costs (such as hardware, software, and consultants), indirect labor costs (such as overtime for incident response personnel), and opportunity costs (the downtime during the incident and recovery period).

As a matter of fact, however, most federal prosecutors will not be interested in pursuing a crime with damages of only $5,000. If the crime is especially egregious or involves large losses to one or more companies, the federal law enforcement agencies might be more willing to investigate. Small crimes are more likely to be handled either administratively by an organization or by local law enforcement.

Space obviously does not allow a complete discussion of local and state laws. Many states have enacted legislation that essentially mirrors the federal statutes, while others have even stricter regulations. In addition, other state laws might apply depending on the specifics. For example, illegally accessing a computer over a modem might violate some state telecommunications or wiretap laws.

Crimes involving computers are prosecuted under conventional statutes. For example, a person who breaks into a web server and steals credit card numbers can be prosecuted under the federal act because it specifically addresses credit card information. The person could also be prosecuted under fraud statutes if the card information is used to steal goods or services. Other laws prohibit money laundering or embezzling, regardless of the tools used.

Similarly, items such as copyright laws protect information that can be disseminated (or stolen) in digital form, such as books, music, or software. Many of these laws have been updated to address the challenges of digital piracy.

The U.S. fraud statutes (Title 18, section 1029) also cover the use of counterfeit access devices. These are defined as cards, codes, account numbers, passwords, personal identification numbers (PINs), or any other identifying instrument or information that can be used to obtain money or anything else of value. Trafficking in stolen passwords or password-stealing programs is therefore illegal under this section. [1]

[1] This law was used in the prosecution of Robert T. Morris (see Chapter 13, "Future Directions," for more discussion of this subject).

Other laws protect data during transmission. The Electronic Communications Privacy Act prohibits the interception and disclosure of wire, oral, or electronic communications. There are, however, important exceptions to this law. First, the term "communication" under this statute covers aural (meaning sound) communications only. Voice over IP is probably covered, but email is not. For law enforcement to capture traffic, a warrant is required. A service provider can capture and monitor traffic, provided it is done for the purpose of improving or maintaining service quality only.

New Laws

Several industries have new regulations that might require additional or increased vigilance. For example, in 1996, the U.S. government enacted the Health Industry Portability and Accountability Act (usually referred to as HIPAA). The major focus of this act was to provide for portability of health insurance if employees change jobs. However, there are additional requirements on health care providers in the statute that are of interest to incident response teams.

Near the end of the HIPAA is a section describing safeguards required for health care information. The act requires all persons with access to this information to take reasonable care to protect the integrity and confidentiality of patient data. Full compliance with this section was to be phased in over time and is required in 2003. This section has been interpreted as requiring health care providers to implement appropriate security standards. Because it is included in an administrative section of the bill, the standards are not explicitly defined. Most insurers, however, are now implementing security postures, including risk assessments and security testing, to ensure the privacy of patients.

In a similar fashion, a law designed "to enhance competition in the financial services industry" [2] was passed in 1999. This law, known as the Gramm-Leach-Bliley Act after its sponsors, streamlined several processes and allowed more competition from insurance agencies, brokers, and banks.

[2] Public Law 106-102, title.

As with HIPAA, near the end of the law is a short section concerned with privacy. This section states that Congress has a responsibility to ensure that financial institutions are taking proper steps to safeguard private customer information. It includes prohibitions against the release of any customer data without the prior consent of the customer.

Of more interest, the act also requires financial services institutions to protect customer data from unauthorized access. These safeguards include administrative, technical, and physical measures. Again, the details and specific requirements are not explicitly defined, but the language of the act does clearly place a new privacy obligation on financial services institutions.

As privacy becomes more important, it is likely that additional legislation on the protection and disclosure of personal data will occur. Especially considering constraints placed on U.S. companies doing business abroad (discussed in the next section), the pressure to implement privacy legislation is growing. One fundamental problem with privacy legislation is that the details are extremely difficult to reconcile. Most current privacy regulations in the United States protect the rights of the individual against government intrusiveness. Data held by companies is, for the most part, unregulated. In much of the rest of the world, however, privacy regulations cover data held by companies and private organizations, while governments are all but unregulated. The United States has chosen to regulate privacy by industry. For example, health care information, financial services information, and even what videos a person views is protected, but general customer data including name, address, telephone number, and buying habits is not.

Incident Response under HIPAA and G-L-B

The total impact of HIPAA and Gramm-Leach-Bliley on incident response is still unclear. Although the laws do impose new requirements for the security and confidentiality of personal data, there are no test cases to define what these requirements might mean in the context of an investigation.

For example, under HIPAA, patient personal data must be protected. Does this mean that the priority during an investigation into an incident involving medical systems should focus on the protection of privacy over other priorities (such as the apprehension and prosecution of the intruder)?

Similarly, the rules for releasing personal information are also uncertain. Can outside consultants do forensics on machines containing patient data? Can backup tapes that contain system logs but also personal information be released to law enforcement?

These issues should be addressed and policies developed to deal with them. Obviously, legal counsel should be involved in the discussion, and the incident response team and management should carefully review the potential conclusions of any policy decision.


Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103