CCT 084: Navigating Contractual Law, Cybersecurity Legislation, and Computer Crime Acts (CISSP Domain 1.4)
Oct 30, 2023Discover the world of CISSP Cyber Training in a thrilling exploration that unravels the complex web of cybersecurity legislation, contractual law, and computer crimes acts. We'll begin our journey by studying recent cybercrimes, with a focus on the Singapore government and the US pledge to fight scams through cross-border cooperation. With the alarming statistic of scam losses in the US reaching around $10.3 billion last year, we aim to illuminate the critical importance of understanding these laws for your CISSP exam.
Intrigued about how various laws affect the protection of intellectual property? We've got you covered. We'll decipher the intricacies of civil, criminal, administrative and contractual law, and their implications on protecting trademarks, patents, and trade secrets. You'll be privy to in-depth conversations about working with attorneys when drafting contracts, and understand the legal recourse available if a vendor misplaces information. We'll also guide you through the steps to tackle issues such as domain name scams.
But that's not all. We venture into computer crime laws and their implications, focusing on the Computer Fraud and Abuse Act (CFA) and the Electronic Communications Privacy Act (ECPA). We'll examine the Electronic Funds Transfer Act of 1978, the Stored Communications Act, and discuss their impact on privacy and legal considerations related to accessing or disclosing electronic data. We'll also probe the Data Protection Act in the UK and the Identity Theft and Assumption Deterrence Act. To top it off, we have a unique segment on career coaching for CISSP Cyber Training. We'll share with you, invaluable tips on acing the CISSP exam, crafting compelling resumes and acing interviews. So, get ready to embark on a thrilling journey that will equip you with the essential training to excel in your cybersecurity career!
Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free.
TRANSCRIPT
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey all, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a great day today. Today is a beautiful Monday. We are going to be talking about some amazing things that are happening, and they are things that will keep you so awake and so riveted that you will not know what to do with yourself. You won't be able to sleep at night, I guarantee you. You can't sleep after you hear about legal stuff. Yeah, legal stuff. It always will keep you awake, no matter what. Yeah, no, it makes you fall asleep, makes me fall asleep. So we're going to try to add a little spin to it today, because we're in domain one and we're going to be talking about aspects related to the various pieces around contractual law, cybersecurity legislation, computer crimes acts and the like. Yes, it's going to be riveting, so we definitely need to stick around because it is going to be amazing, but before we do, we're going to talk about an actual thing that popped up in the news and it kind of ties along with today's podcast as it relates to around the Singapore government and the US pledge to combat scams using cross-border cooperation, and one of this is in the ZD net is where it's at right. There you can find that if you go and just Google it. It came out not too long ago and what it's going to end up talking about is the ability for the Singapore government to work with the United States as FCC, which is the Federal Communication Commission, and their ultimate goal is to help basically combat a lot of the spam that goes across borders. And, as it relates to many of the people that launched these spam attacks, you don't really all you have to know is English, and even then you don't have to know that well because you use chat, gpt but they're trying to implement various scam measures to avoid or anti scam measures, I should say to help between the two countries, and you're beginning to see more and more of this within various countries because it's becoming a humongous problem, one for the United States, but also for these same countries as well. They're having these criminals that are basically utilizing computer aspects and then they're stealing from people around the United States and around the globe. Now, in this case here, singapore, they had a comment that they talk about where it's been a 25% increase in scams and cyber crimes just this past year and it's been up to around 40,000, or actually 34,000, reported cases, and that's been increased from 2021. But you think about it, you're going well, 40,000 cases isn't a lot. The 40,000 cases are ones that have actually been reported, and it seems like it's right now that it's cheating victims of around $509 million. So that's pretty impressive about that amount of money as being scammed from folks around the globe, and so, therefore, the United States is wanting to embark on these agreements between these other countries to kind of start hammering these folks, and I think it's really important that, especially with interconnected as we are, it's important that governments work together, because there's so many pieces to this that can cause one just by the social aspects of it. If you start dealing with the crime pieces and it's stealing money from one country to another country, you now deteriorate relations between countries, so now money isn't going to be flowing as easily. The second thing is is that when you have your this crime growing within your or your country as well, it makes it extremely challenging for other businesses to want to invest in you, and this is where the FBI has brought this up Right now. They said that the scam losses just last year in the United States tipped around $10.3 billion just in scam costs to the United States, and this is from the FBI's 2022 Internet Crime Report. So it's a pretty big deal. I know a lot of listeners I have from around the globe. They're not just the United States and unfortunately, you guys hear a lot about the US stuff, but you can assume that in whatever country you're in right now listening to this podcast, this is just a maybe a smaller version of that, but it's still. The percentages probably are relatively close to what you're seeing in the United States, so that's pretty impressive $10 billion just in one year in the United States alone. So that's why we are going to focus on various aspects around that today, and the goal is is that when you get done with this, when you see those test questions on your CISSP exam, you don't just go oh my gosh, I don't understand that. There's too many of these categories. There's too many of these laws and yes, there are, but they're going to be more and you're just going to have to know it because as a CISSP, it's an important part of what you do for a living. So let's get started into what you can expect for the CISSP exam. Okay, so we're going to break this into really, basically the four categories of law that you can attend, you can see. Now we're going to get into a little bit about Law and about the intellectual property pieces and then we're going to roll deeper into each one of these various laws and acts that are out there that you may potentially see on the exam. Now we've got there's for the four types you have civil, criminal and legal, administrative and contractual. So of those four you will typically see I mean you'll deal with all of them you might not deal much with the criminal aspect, just because that's usually when it goes down that path. I've said I've had it one time in my entire career where I've actually had to deal with the criminal law piece around cybersecurity. But in most cases you will deal with civil, administrative and contractual law as a CISSP, unless you get into the law enforcement environment, then you'll probably deal a lot more with the criminal law piece of this. But civil law, this really focuses on resolving the non-criminal disputes and this includes contracts, properties and torts. Now, what that really comes down to is that if, say, for instance, I am a cyber criminal and I'm going out and I steal all this money electronically from an organization, I can be tried from a criminal law perspective and therefore the state will have the opportunity to come after me in that regard. But they also have the individuals that have been hurt by this can attack me from a civil law perspective and they can come after my family, they can come after my business all of those pieces from a civil standpoint, but it's focused on the non-criminal dispute. So in the case that I just kind of mentioned is that if I took money from some people the aspect of, say, it was a retirement account well, the overall one I took their money to the anguish and the stress that it caused of them. They consume me for that. They can turn around and come after me from two different directions and this also is a big factor that if, okay, you get off on the criminal aspect. So now the state does not find me guilty of any criminal wrongdoing. However, there was enough that because, again, when you're dealing with criminals, it's beyond a shadow of a doubt here in the United States, but there was enough doubt to think that, yeah, maybe Sean did have his fingers in the cookie jar, but we can't really prove it. That's where the civil part will come after you on Now, when you're dealing with the CISP and civil law, it's very useful when it comes to risk assessments, contractual information and then also ensuring that your organizational policies are meeting any sort of civil law compliancy. You want them to meet those. If you have that, so that's how the CISP you can come in and start looking at those pieces. As relates to the CISP, when you're dealing with criminal law, this is again. These are crimes committed against the public or the state and they often involve penalties, which includes imprisonment, and therefore you can be breaking big rocks into very little rocks. And if you're not familiar with what that means is, in the United States we used to have hard labor and you would go out and work on a chain gang and you would then basically do roads and infrastructure and all those kind of pieces. I don't know if they really do that so much now, but if you did yourself in a position where you were under a criminal aspect, you could be doing hard time and that means you could go for a way for a long period of time years and just because you decided to do whatever, that is, listen to people, hack people, scam people all of those things can happen, so there are consequences for those actions. Now, how this can also happen from a security standpoint, as a CISP goes, you could serve as an expert witness and maybe in a criminal case involving hacking, you also could provide. This helps provide some level of understanding of how you might deal with an instant response process. I would say that I've learned that through the CISPs or through my certification, that I would work with my logging and monitoring folks to make sure that I restore and maintain the right amount of logs so that I have a case in which I can go and legally prosecute against an individual. So, as a CISP, you're going to need to know that, understand why criminal law is important, not just the fact that the police are going to take care of this. You're going to have to help them take care of it with the logs and the understanding of the data itself. Next one is administrative law. This is where you're dealing with public administration and regulatory agencies. This could come into when you have to deal with data protection laws and how they're implemented, and then how you have to deal with the administrative bodies. As it relates to administrative law, you want to make sure that maybe your policies and procedures are compliant with the government regulations, and that's how administrative law is important. As it relates to your CISP, you need to make sure that you follow these laws. Based on the government regulations that are there, and there are fines that can be imposed upon you and potentially, depending on how egregious the problem is, there could be could follow on to have some sort of criminal prosecution being made of you, depending upon the situation. Then you have contractual law. Now these are between two parties. This is really like an obligation between a vendor and the overall consumer. This is what you would get within these various contracts. Now, as a CISSP, I'll tell you I have gone through multiple contracts as it relates to how we're going to work with a company and you're background in understanding how the security systems work, as well as the contractual language. Working with lawyers will be extremely helpful when you're drafting up this verbiage, because in some cases, when you're dealing with security tools or maybe even people that are storing and controlling your intellectual property, you will want to make sure that you have the right contractual agreements in place with them to ensure that, if they lose their information, there are some ramifications to the company. Those can be quite stiff, they can be very severe, but in many cases, what I've learned is that if you don't have a security person or an IT person who understands security, helping draft some of these contracts, especially as it relates to data privacy and data protection you can be in a situation where they lose the information that the vendor and now you have no recourse to be able to try to get any sort of money compensation. In many cases, you could actually take the entire company if the loss is that egregious. So it's important that you, as a CISSP, are tied into contractual laws. So, again, the main three types of laws or four types of laws you need to be aware of are civil, criminal, administrative and contractual law. Okay, quickly, we're going to move into intellectual property and of intellectual property, there are three main areas we are going to focus on. It is trademarks, patents and trade secrets. So the reason I'm bringing these up before we get into some of the legal aspects is that they all tie together. Some of these acts protect these various aspects around intellectual property and around the civil, the types of law that are out there and that you have to maintain. So trademarks are the intellectual property for branding elements, such as logos, names and designs, and they are designed to protect your organization's unique identity within the market. Coca Cola, kentucky Fried Chicken, the Chelsea's, the soccer team, the football team, right, depending on who you talk to All of these have a brand in the market. They have recognition, so that is a trademark and those are highly protected. They're highly sought after. You have very tight requirements on utilizing a trademark. If you notice that you'll go to a watch, a show, a TV show, they may have the Apple logo hidden there because they didn't get approval to be able to use that Apple logo and that has to be done prior to filming. If they don't have that done, they have to cover it, and that can happen in a lot of different areas. Now the goal is that you have to protect the brand from impersonation, attacks, counterfeiting and so forth. Now, from a cybersecurity standpoint, not just the logo but the domain name is a big factor Nikecom, applecom all of those are brand names. They are trademarks and therefore you need to work to help protect those. I've been through plenty of conversations with lawyers around protecting the domain name and people scamming the domain name. So let you'll say, let's say golfcom. Okay, that's where you hit the little white ball golfcom. Well, you could make a change of calling it g0lfcom, and that looks like golfcom, but it's actually not. And so now you have to deal with the legal ramifications of somebody trying to scam your brand name of golfcom. So it's just important that, as a cybersecurity professional, you need to be aware of how do you mitigate these issues? How do you resolve them? Are there any sort of legal recourse? And you'll have to work with your lawyers to help you in that space. If you're in a large company, you maybe have more capability to get recourse. If you're in a smaller company, you may have a lot less and you may have to just work with the domain controllers the domain I can't think of the name the folks that maintain your domains, your domain, your go daddies you're all of those folks. You're going to have to work with each of them to ensure that you can remove that domain name, and that's one of the main processes you would do is through the domain people. I just I know there's a name and I'm going to think about it once we're done here, but once you work through those, those folks, the registrars of these domain names, they will help tear them down and help you remove those. But I will tell you that takes a lot of time Just to remove a domain name from someone that's scamming you. Yeah, that's, it takes way longer than it should. They're really good at responsive and they do a great job getting at it, but I've seen it happen within a few days. I've also seen it take a couple months. So that takes time. Patents another thing around patents is you typically have exclusive rights over your invention for a period of 20 years and there is a temporary, what we call a monopoly on that. But there's designed to help protect you who, the person who came up with the design, so that people cannot infringe on your design and what your capability is, and so therefore, it's important that you provide and it doesn't allow you to get your foot in the market. So I'll use an example If you have the lightning connector on your phone, well, when those come out that lightning connector that was patented and that patent was good for 20 years. And you see a lot of people doing knockoffs off of that connector. They're not as good as the original, but they'll do knockoffs off of it. Now, legally, can you attack those people for taking your design? Yes, you could. However, because connectors are so widespread, you may choose not to do that. I don't know. But if there's that connector, you have that patent for 20 years that allows you to make changes to it and no one else can, unless they can't remarket or rebrand it unless they get approval from you and, in many cases, will pay you some level of a royalty to be able to do that. So, as a CISP person, there are plenty of implications that I deal with. Almost for the past 20 years that I've been doing cybersecurity as it relates to patents, and I've worked with R&D folks. You work with your legal teams to help around patents related to cybersecurity and around to your company Trade secrets, trade secrets these are the legal protection for confidential business information and or the processes, right. So let's go for the process of Coca-Cola, the drink. So you have Coca-Cola. There is a very specific process and a very specific formula by which they create their signature flavor. It's very well protected and they do not like I don't know how you can gain access. I think there's like three people in the company that know how to know the actual formula and therefore that entire process, from the point of what are the flavorings to what are. How do you put the right amount of carbonation in there. All of those aspects are considered what they call a trade secret. Now you have NDAs that can help with that. Are people that are working on that saying that non-disclosure agreements? Given those non-disclosure agreements, if I work with Coca-Cola, I cannot talk about how Coca-Cola does this process. Now, typically you'd have contractors that may work on aspects of the overall process, but these folks would only know a piece of it and I would have to sign an NDA saying that I know the amount of carbonation that goes into the Coca-Cola drink. If I'm smart from a data protection standpoint, no one person has all those that information. You break it out amongst multiple people so that if the information does get out, it is limited to just a very small subset of individuals. Okay, so let's get into some of the computer crime laws that are out there. So the first one is the Computer Fraud and Abuse Act, the CFA. Now, this came out in 1986 and it does involve computers and computer systems. It is designed to protect the confidentiality, integrity and availability of the data within these systems, and the ultimate part around the Computer Fraud and Abuse Act is that it provides a way to prosecute people from having unauthorized access or exceedingly allowed access to computer systems. So it does have a very wide range of offenses that fall in it. This would include standard hacking, includes unauthorized access and then computer-based fraud. If you have individuals that are utilizing your computer systems say you have an employee that is using it for some level of fraud the CFA could be used against them, and so the aspects around that is that if you have legal counsel and say you have an individual who has elevated access, but with their elevated access they utilize it to cause an encryption event at your facility, you could come out to them with the CFA because they had the rights to do it, but they turned around and used it for unauthorized access or exceedingly unauthorized access to that environment and CFA would be one of the things that you would go against them for. So again and you're going to have to as a security professional they may come up to you. Your lawyers may say, well, what are some of the options I have, and you may have to provide that for them. So just keep in mind that's why you learn these things. I know they're boring and you're like I can't remember all these. That's okay, because the cool part is you can come to CISP Cyber Training and I have these. You have, this stuff is available to you, but at the end of the day, you have a lawyer's. Your lawyers will be the ones that will help you with this process. You do not have to do it. However, you need to understand what is the kind of information you need to provide to them. Another one is the Electronic Communications Privacy Act, or ECPA, echo, charlie, papa, alpha. Now, this was passed in 1986 to regulate governmental and organizational wiretaps. Now they used to have the wiretap law that was out there and I used that for a long time. Just when there's different types because, like this, ecpa focuses on the electronic communications piece of this, but then there's also a wiretap law that can be utilized as well. Now I want to also preface this as I'm going into these conversations. One, I'm not a lawyer. I do not play one on TV, nor do I practice law anywhere other than talking about it on CISP, cyber Training, and I'm telling you this because I've had lawyers come up to me and say you need to make sure that you tell people you are not a lawyer. And that's true, I'm not a lawyer, but I play one on TV. So the point is that you need to if you have questions, these laws will change these laws. There may be ones that supersede it. You need to have legal counsel help you when you're working through all of these types of law legal aspects. Do not just go out and think you can do this on your own. One, your company will not be happy with you and two, it could get you into a lot of trouble. So make sure that you work with legal counsel on all aspects around legal issues. But back to the ECPA some exilite guidelines around. That would be this gives organizations the legality on monitoring employees' email and online activities. So people have had people come up to me and say what gives you the right to watch my email? What gives you the right to potentially get into my team's calls and the recordings around my team's calls? This would be one that would potentially give you the ability from a legal standpoint that allows you to do that. The other part that helps is your policies that you already have defined for individuals saying what you are monitoring and how you are monitoring it. That, along with these various laws, does give you the ability to have some level of control on the monitoring that goes on within your organization. That mind that does not mean that you can carte blanche listen to everything and everybody of what they're saying. You have to have justification behind it and you need to have your legal, your HR teams and your compliance teams all on board with any of these aspects. It does impose some requirements on law enforcement agencies to obtain warrants or other court orders for wiretaps or electronic surveillance. So you see this on the news on TV, where you gotta get a warrant to do that. That is true you do. Now, I will say, and this is what I've used in the past it may have changed since then, but you can record conversations with one or more people as long as at least one person on the call is aware that the recording is occurring. Now you'll notice, though, if people do a lot of Zoom calls now and Teams calls, they will have disclaimers out there saying, hey, this is being recorded. If you don't like it, leave. And that I think is really valuable, especially for an organization to have that type of disclaimer out there for people that are on these calls. Because it does one it protects the company and two, it's just being upfront and transparent with folks that calls are being recorded. The Economic Espionage Act of 1996. Now, this is a federal law that addresses theft or misappropriation of valuable business information, including trade secrets. It does criminalize the theft of trade secrets for your economic or commercial benefit. So that's the Economic Espionage Act of 96. So if you have someone it's an insider that decides he or she wants to steal information from your company, you can nail him with the CFAA and you can nail him with the Economic Espionage Act of 96. That possibly right I'm not saying you can in all cases, but possibly you could do that. And so it's important, especially as this is where you're dealing with, to protect American businesses. But each country may have something very similar to this and therefore, well, you could have a, let's say, a situation where you are an Australian company and you put your IP in the United States because you wanna build relations with the Americans. Well, somebody in the United States steals your IP and gives it to somebody else, that would fall under the Economic Espionage Act of 96. And therefore, anybody that would be that insider, that American, that was the insider that was selling the Aussie information would be held responsible under this act. Now he or she may also be held responsible under an Australian act as well, and then that's where the FBI and all the fun folks come together to figure out who's gonna hammer them worse. Is it someone in Australia or is it someone in the United States? The problem is with all of these and this is why you, as a security professional, are so valuable and you need to really work with your teams to help understand and convey this to your senior leaders is because once that information leaves the company, it's on its own right, who knows where it goes. But if you have a good data protection strategy and you are the person responsible for protecting that information, you become extremely valuable because you go okay, the information left. That's not good. We may miss some of it, but for the majority of it, yeah, we're good. That part of it is extremely valuable for a company. So this is why you need to work very closely with your legal teams to understand the protection mechanisms and they understand the protection mechanisms and that your senior leaders are understanding what is the risk that they want to mitigate. Because if you do that, if you do this well, you can provide a lot of value for people. And this is where people talk about in the cybersecurity space. They go well, sisos are making gobs of money 300, 400, $500,000 and they are and as a CISSP, that opens that up for you to have that ability to potentially do that. But for that to occur you have to bring a lot of value to the table. You have to be able to give the companies the ways and means to protect their data, their people and their information in a way that is providing that level of value. And there's plenty of people that are doing that. Now the UK Computer Misuse Act of 1990. Now this is done up by the United Kingdom and this unauthorized access to computer systems is addressed by the Computer Misuse Act of 1990. It makes it a criminal offense to access computer systems without authorization. So again, it's very similar to the CFAA and that is in the UK. I know the EU has other policies that are similar to that. I just kind of pulled grab one from the UK, because I have a lot of people that listen from the UK. This does give legal recourse against hacking, unauthorized data access and the distribution of malware. Again, a very wide range of cyber crimes will fall under this UK Misuse Act of 1990. Us Patriot Act this is one that's come out in the United States after the 2011 terrorism attack that occurred on 9-11. And what it does is it allows the government to. It allows companies to store and collect information, especially and share this with government agencies. Now, this isn't I can't remember if it's been reapplied or not. I think they've toyed with it back and forth, whether they're gonna continue it, but bottom line is is that if the US government came up to me and my company and said, hey, we want this information, then the company doesn't have to provide that information unless there is some sort of legal recourse. And that's where the lawyers would come in and say the government would say we want this information and here's why, and then you would have to provide that information to them if they had the legal basis to request that information. It's been like everything that deals with the government and with any government is. It starts off probably very benign and focused on a very specific need and reason. Unfortunately, it has spread and has gone in some cases beyond its initial charter. Many people in the United States here are not big fans of the Patriot Act. I'm not talking for my company or any companies I've represented. I'm talking just in people in general. We are not big fans of it just because it has. There is protection, I get that, but there's also. It has gotten to the point where it's so much data sprawl that they suck in all kinds of information, which then starts really warranting down the path of data privacy. So that's the part where you got to set a fine line. You have to play is working with the governments and working with other legal entities on sharing this information with them. So, yeah, it's fun, right? As a cybersecurity professional, you will deal with all of these aspects. The next one is the CAN SPAM Act. Now, this is commonly referred to as the CAN SPAM, but it's basically controlling the assault of non-solicited pornographic and marketing act of 2003. What it basically does is it regulates commercial email communications and it gives you the ability for recipients to opt out of this option. So if you see the unsubscribe piece of this, this falls into the CAN SPAM Act. Now, you still unsubscribe and, like you all know you would all know this you do the unsubscribe but somehow or another, my name gets added back on the list and yeah, that just it's so frustrating and it comes down to you didn't check the one box that you're supposed to have checked to get your name removed. But it does allow you to reduce the amount of spam that you get on a routine basis, and this is where you need to understand how the compliance around the CAN SPAM Act works to ensure that it does align with your legal requirements and your email practices. So, if you have, you do marketing emails to people, you need to be aware and you need to ensure your marketing people are aware of this, which I'm sure they are that they have to have the ability to do an opt out or unsubscribe from these email marketing. If they don't do that, they could be in violation of the CAN SPAM Act and therefore there are some ramifications that come to that. The next one is the Electronic Funds Transfer Act. Now, this was done in 1978 and this makes it a federal law in the United States and it provides protections to consumers conducting electronic fund transfers and obviously in 78. You're talking ATM withdrawals, but now you've got point of sale purchases, electronic bill payments, Venmos, your Stripes, you're all this stuff. You've got all of that out there. This would fall if there was violations around. It could potentially fall under the Electronic Funds Transfer Act. Now it does set limits for consumers on cases where there's unauthorized transactions or errors. One thing to consider is if you use a credit card, a lot many of the credit card companies have been absorbing these expenses. So you get someone steals your credit card, runs up a $50 fee, $100 fee. The credit card agencies and companies have been absorbing these costs in many cases, but that isn't always the case. Now you get into more of a debit card where they're pulling right out of your bank account. Even that, there's some restrictions around that as well. The great part around the cybersecurity piece of this is the fact that now any transaction that occurs you can get almost instantaneously If it is not around something you purchase on a routine basis, it will flag as fraudulent and it's really saved. It saved me money big time because I've had people that have used my card and have stolen money out of my account. But it limits it to a very small amount and it also protects the banks themselves. I was talking to a banker friend of mine here in our local community and he came up to me and he asked what I did for a living and he said that's amazing because he goes, everything I do in the banking industry is all cybersecurity. It's all that way. So you guys that are out there listening right now, you are in a great career field to be able to do so many great things and to be able to earn the potential earning that you want, as well as provide a great service for lots of companies. I'm gonna roll into the Stored Communications Act. This is SCA. Now this is part of the Electronic Communications Privacy Act, the ECPA. That is in the United States, and this deals around disclosure of stored wire and electronic communications. Now this addresses basically the privacy and legal considerations related to accessing or disclosing electronic data. So again, it's the Stored Communications Act, which is tied to the ECPA. Focus on privacy. That's the main piece of this. Now. It affects how companies store emails, messages and other forms of electronic communications and it will define the circumstances and what is the legal process by which you can disclose this information in an electronic stored communication media. So it's just important for you to understand how the ECPA and the Stored Communication Act allow you to share information with other people. What it also really comes down to is we know people share information back and forth all the time. If you do this inappropriately, you could get nailed with this and you don't even really realize it. But the ultimate goal is you must be aware, as a CISSP, around the legal requirements and limitations regarding the disclosure of electronic communications, especially when you're handling legal requests. And I come back to this is that if you, when in doubt, ask the question, if you have any semblance of doubt, ask the question, especially in these legal areas, and you're sharing information both from a privacy standpoint and from an intellectual property standpoint. Ask lots of questions. Okay, so the last two I'm gonna focus on is Data Protection Act in the UK and the Identity Theft and Assumption Deterrence Act. So the Data Protection Act in the UK this is a governing data protection primarily refers to the Data Protection Act of 2018 and the UK GDPR, which is your General Data Protection Regulation. Now, gdpr, if you guys are all aware of, gdpr, allows data to be shared amongst multiple people, but it also allows them to be forgotten if they don't want to be this data not to be shared. It also allows for animization of the details that are associated with that data. Now, the Data Protection Act of 2018 does is designed to protect the privacy and the rights of individuals in the UK regarding the processing of personal data. So it's important that you understand that there's the GDPR piece of this, which is your Data Protection Regulation, but there's also the Data Protection Act of 2018, which is a writer that goes along with that GDPR, and it's important for you to know how they all play. If I have GDPR, I just can't assume well, that's all encompassing and covers everybody. You have to understand the other acts that potentially could affect GDPR as a whole. It does set standards and requirements for the collection, storage and use of personal information, including the rights of individuals to control their data. If you want to be forgotten, you should have the ability to do that, and so, therefore, it is important for you to understand that businesses and international companies conducting business in the UK must comply with these various data protection laws. Now, this doesn't just reply to the United States. There's art into UK. China has a very similar type law, which is PIPL, which is the Personal Identifiable Privacy Legislation I think that's what it is and the PIPL law is also tied into a lot into data privacy and data regulations. Again, the difference is China is more for the state and within the UK it's more for the individual. And the last one we're gonna get into is Identity Theft and Assumption Deterrence Act. Now the Identity Theft and Assumption Deterrence Act, or ITAD, was enacted in 1998 and it basically identifies it as a federal offense or potentially a felony for knowingly transferring another person's identification for unlawful purposes. So basically, if you're stealing people's information to try to use it to get money, to get whatever you're trying to do with it, you could be held under a fine not under a fine, but under a felony that you could go to prison on a criminal law and be because of the fact that you're trying to knowingly steal individuals' information. So it does. It prosecutes individuals who engage in Identity Theft which involves someone's personal information without authorization. I saw this happen. I think it was in Uganda or Nigeria, somewhere over in Africa. The FBI actually worked with that government and they were able to capture these individuals and then extradite them to the United States and they would then basically penalize them or put them under court to charge them with these types of laws, especially with the Over Identity Theft and Deterrence Act. Now, one of the things that comes into this is the government will look at various laws that are out there and they will throw the most painful one at them, which one that they think that they can actually prosecute and win. So you may get multiple hopefully this isn't you, hopefully you never have to deal with this but you may get multiple counts put against you with various different legal aspects, and then they're gonna look at which one one has the hardest time. That's associated with it, or two, which one do they know they for sure can win against you, and then they will start working on you. The ultimate goal is, once you're in that position, odds are not good. You're gonna come out of this unscathed. If you do, from a standpoint that you were able to get off, you probably have a lot of legal fees that you're gonna have to pay back. So the overall plan for this and the recommendation is use your powers for good, not evil. Do not do bad stuff. If you do bad stuff, you may have short-term gain, but you will have long-term consequences because it will come back and bite you at some point in time. As it relates to the CISSP, you need to really understand how do these work together and you need to make sure that your policies and practices that you have in place for your company make that they fit in line with what the Identity Theft and Deterrence Act meets. So if you're sharing data amongst your people, you need to have policies around why you're doing that, and you also need to have the ability to do that in a lawful way. Again, work with legal counsel to ensure that you are meeting all of these requirements as you're sharing data back and forth. All right, that's all I've got for you today. I hope you guys have a wonderful day. I know this was a bit dry, probably a little hard, but when it comes right down to it, all this information is available at CISSP Cyber Training. You can go there and get this information. Also, one thing I'm looking to be bringing out a coaching program is gonna be happening at CISSP Cyber Training. I've had numerous people ask me if I wanna be coached. What is that going to take? And this comes down to career coaching One, helping you get through the CISSP, which is a first step, but then the second, second and ongoing steps are helping you in a coaching environment to help you with resumes, to help you with your career, to help you with interviews and to help you gain you in that experience that you need to be successful in the cybersecurity space. I mean it. You have the potential to make significant amount of money for you and your family, and let me help you do that at CISSP Cyber Training. All right, I hope you guys have a wonderful day and we will catch you on the flip side, see ya.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!