Featured Opinion: Taxes, death and policy
by Marcia J. Wilson, CCSP Staff Writer
April 13, 2004
"Reprinted from MAY 21, 2k3"
"Our Constitution is in actual operation; everything appears to promise that it will last; but in this world, nothing is certain but death and taxes."
Benjamin Franklin wrote those words in 1789.
I would have to say to Ben that nothing is certain but death, taxes and policy. It appears that security policy will be mandated if not voluntarily implemented. I so love to offer rather than be forced, don't you? I'm like the little girl who is sitting down quietly on the outside but is standing straight up and rebellious on the inside. Tell me what to do, and I won't do it. Ask me kindly, and I will go out of my way for you.
Organizations, whether in the private or public sector, must form policies and procedures to address the requirements of the law. We can no longer plead innocence, and rebellious obstinacy isn't going to be useful in jail. Now is the time to write a policy if you haven't already done so. It's unfortunate that we have to be forced to comply, isn't it? But it's human nature to be lazy and to procrastinate when we have to do things we don't want to do, like pay taxes and write policies.
Security policy is being mandated for all of us and by various legal entities, such as the federal government. Let's review some of the legislation that requires a formation of policy and the tedious and loathsome procedural documentation:
The Computer Fraud and Abuse Act
In the simplest terms, this law directly correlates an abusive or inappropriate electronic act by an employee to the employer. Interpretation: Your employee may harm the entire company by inappropriate behavior. Your only way to get off the hook is to write an appropriate use policy and require a signature on that policy from each and every employee, including the executives. They aren't exempt.
If your employee turns out to be a pedophile and has been contacting children using company equipment in the office or at home with a company-paid-for Digital Subscriber Line, you're in big trouble. Monitoring employees' behavior is controversial, yet what choice does an employer have?
Employees must dismiss forever in their minds that they have the right to privacy in our networked world. If you want privacy, stay off the network and don't use company-provided equipment. Your company has the right to monitor your behavior for the protection of others, and your company is held accountable by law. And if you think your Internet connection at home is unmonitored, think again. Internet service providers have legal responsibilities as well.
Here are some steps employers can take to make their position crystal clear with regard to employee use of company technology:
- Integrate the e-mail/Internet/computer usage policy with harassment and nondiscriminatory policy.
- Limit the use of technology to business purposes only. Be firm with employees or don't complain about their computer use.
- Reserve the right to review and monitor all communications.
- Include notice and consent language.
- Strictly define appropriate Internet usage.
The Digital Millennium Copyright Act (DMCA)
This one is fun. Say goodbye to copying CDs and DVDs and downloading music with your favorite file-sharing application. At the least, organizations should have a policy regarding the above. The DMCA does the following:
- Makes it a crime to circumvent antipiracy measures built into most commercial software.
- Outlaws the manufacture, sale or distribution of code-cracking devices used to illegally copy software.
- Permits the cracking of copyright protection devices, however, to conduct encryption research, assess product interoperability and test computer security systems.
- Provides exemptions to nonprofit libraries, archives and educational institutions that allow these institutions to circumvent the copyright-protection devices under certain circumstances.
- In general, limits Internet service providers from copyright infringement liability for simply transmitting information over the Internet. Service providers, however, are expected to remove material from users' Web sites that appears to constitute copyright infringement.
- Limits the liability of nonprofit institutions of higher education when they serve as online service providers, and under certain circumstances, for copyright infringement by faculty members or graduate students.
- Requires that webcasters pay licensing fees to recording companies.
- Requires that the Register of Copyrights, after consultation with relevant parties, submit to Congress recommendations regarding how to promote distance education through digital technologies while "maintaining an appropriate balance between the rights of copyright owners and the needs of users."
- States explicitly that "nothing in this section shall affect rights, remedies, limitations or defenses to copyright infringement, including fair use."
The Electronic Communications Protection Act (ECPA)
The ECPA has two major parts: the Wiretap Act and the Stored Communications Act.
The ECPA seeks to protect individuals from having their electronic communications intercepted and monitored. Because e-mail, telephone conversations and data stored electronically are covered by the law, monitoring of such communications is generally prohibited.
The ECPA, however, also provides exceptions that allow interception and disclosure of communications that might extend specifically to organizations using e-mail or doing business on the Internet. The ECPA allows all network providers, under certain conditions, to monitor employee communications. These statutory exceptions include a provider exception, business extension or ordinary-course-of-business exception and a consent exception.
The bottom line is that there are legal reasons to monitor behavior. Even if you think your online behavior is inoffensive, it may be used to incriminate you somehow or in some way at some point in your life. Think of it this way: If you can't do or say something publicly with an audience of thousands, maybe you should rethink saying or doing it. This law also protects corporations from hackers and malcontents.
The Gramm-Leach-Bliley Act (GLB)
This law is chock-full of policy and procedure if I ever saw one. Basically, financial institutions must comply with the following:
Protection of nonpublic personal information
- a. Privacy obligation policy
- b. Financial institutions safeguards
Obligations with respect to disclosures of personal information
- a. Notice requirements.
- b. Opt out.
- c. Limits on reuse of information.
- d. Limits on the sharing of account number information for marketing purposes.
Disclosure of institution privacy policy
- a. Disclosure required.
- b. Disclose the kind of personal information that will be protected.
And there is more. If you work for a financial institution, your day of reckoning is here. Not only do you have to audit your networked environment, you have to document it, fix it, then document it again. I love it!
The Health Insurance Portability and Accountability Act of 1996
Electronic Protected Health Information is all about our personal and most private health information being protected, unless of course an arm of the law wants access to it. If you are a parent of a minor child (by definition under age 1), good luck getting access to your child's health information. I guess the state owns our children now. (I say, "Good riddance!") The health care world is in even more pain than the financial institutions. However, the point here is that policy and procedure must be written in depth to comply with this law. And this particular law will be debated in the court systems for years to come from both sides of the fence.
The Children's Online Privacy Protection Act (COPPA)
The new rules spell out what a Web site operator must include in a privacy policy, when and how to seek verifiable consent from a parent and what responsibilities an operator has to protect children's privacy and safety online.
COPPA applies to individually identifiable information about a child that's collected online, such as full name, home address, e-mail address, telephone number or any other information that would allow someone to identify or contact the child. The law also covers other types of information about hobbies and interests and data collected through cookies or other types of tracking mechanisms when they are tied to individually identifiable information. This applies to every Web site that solicits information from children and even those Web sites that don't intentionally solicit information from children.
The policy must be understood and written and adhered to for the protection of our children. It's also important to code the Web site application in such a way as to verify parental consent.
The above laws are only a handful of the legislation written in the past decade or two that have a catch-22 associated with them: The more privacy legislation we approve, the less privacy we have.
In order to catch the bad guys, the good guys have to give up some rights. The trick is to maintain a balance and our rights to a fair trial, to privacy and to freedom. How does it all balance out? Each court case changes the balance.
As for employers and employees, write policy and procedural guidelines until you are blue in the face. Those written words may be your only protection in court.
Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC, a company focused on providing independent network security assessment and risk analysis. She is also a freelance columnist for Computer World and Security Focus.
She can be reached at . Corporate website: wilsonsecure.com
Copyright ©Marcia J. Wilson All Rights Reserved 2004.
Posted on Tuesday, 13 April 2004 @ 11:10:24 EDT by cj