TASK 1 - LEGAL ANALYSIS

School: Western Governors University

Course: C841
Subject: Information Systems
Date: Apr 3, 2024
Type: docx
Pages: 5

Uploaded by CorporalArmadillo3991

TechFite Case Study Assignment – Susan Crowe
Legal Issues in Information Security - C841
TASK 1: Legal Analysis
Susan Crowe #011374378
A1. Explain how the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act each specifically relate to the criminal activity described in the case study.

The two laws being evaluated against this case study appear to be approaching competence based on the rubric. The Computer Fraud and Abuse Act (CFAA) is summarized by the NACDL website (https://www.nacdl.org/Landing/ComputerFraudandAbuseAct#:~:text=The%20CFAA%20prohibits%20intentionally%20accessing,every%20aspect%20of%20computer%20activity) as “prohibits intentionally accessing a computer without authorization or in excess of authorization”. This law was violated by TechFite employees Sarah Miller, Megan Rogers, and Jack Hudson. Their actions included actively scanning other companies’ networks to gather intelligence. These employees would have no authority to penetrate and scan the networks of companies outside their own. Jack Hudson additionally holds membership in the Strategic and Competitive Intelligence Professionals (SCIP) organization, which indicates he has direct knowledge of the moral violation of his actions. Another potential violation is the BI Unit employees actively gaining access to computers outside their own division. These devices contain sensitive data that should only be accessible to authorized personnel. No reason or justification has been stated for why these BI Unit employees would need to access sensitive data from these other departments.

Over the years, the Electronic Communications Privacy Act (ECPA) has been updated to account for all methods of transmitting communications (https://epic.org/ecpa/). This law protects against information collected unlawfully, whether it is intercepted by wire, orally, or electronically. The information must also be collected or intercepted by use of a tool or device; eavesdropping by ear is not illegal under the ECPA guidelines.
There appears to be no indication that wiretapping was conducted as part of the TechFite case study. However, it could be argued that the disclosure of sensitive company information during the pre-consulting process with TechFite could have been used unethically. The signed NDA between Orange Leaf and TechFite provides permission to exchange the data, but not to release the data or use it in any way. This data was to remain classified and confidential between the two parties. This law could also be interpreted to mean that the TechFite employees who were able to access sensitive outside company information are in violation of the law. This data would have been collected or stolen electronically without the authorization of the originating party.

A2. Explain how three laws, regulations, or legal cases apply in the justification of legal action based upon negligence described in the case study.

During one of the enhancements of the Electronic Communications Privacy Act (ECPA), an additional law was written and put into effect: the Stored Communications Act (SCA), which covers unlawful access to stored communications (https://www.law.cornell.edu/uscode/text/18/2701). This law protects against intentional access of electronic data while it is in storage without authorization. This act was violated by the BI Unit employees Miller, Rogers, and Hudson while they were collecting information from other company networks as well as from other departments within their own organization.

At the beginning of the business interactions between Orange Leaf and TechFite, an NDA was implemented. This became a legally binding contract between the two organizations to protect the information shared and ensure it would not be shared with any outside organization. While this is not initially proven beyond a reasonable doubt, the indicators of compromise are visible.
The information that was discovered gave a direct advantage to a competitor that was a customer of TechFite. This raises strong suspicion that information was disclosed to help the competing company, which had given its business to TechFite, gain proprietary information and create a technology leveraging intellectual property from Orange Leaf.
One example of a case regarding negligence of electronic data is Reetz vs. Advocate Aurora Health, Inc., summarized at https://www.staffordlaw.com/blog/business-law/negligence-claims-for-cybersecurity-attacks-allowed-but-invasion-of-privacy-requires-intention/. The summary explains that unauthorized access was gained to an Aurora HR system containing private personnel data. This data was stolen and compromised. Ultimately the case was dismissed, but on appeal Aurora’s acts were found to be negligent. Aurora did not properly protect its PII due to negligence, putting its employees at risk.

A3. Discuss two instances in which duty of due care was lacking.

In the TechFite case study, there were at least two situations resulting in a lack of due care. It was discovered that TechFite did not conduct proper practices to audit user account settings, including levels of access, disabling the accounts of terminated or no longer employed personnel, data loss prevention practices, etc. A second situation was the lack of protection and segmentation of sensitive client data. All the client data was accessible to all employees, as all employees had administrative privileges. This information is sensitive and was not properly safeguarded.

A4. Describe how the Sarbanes-Oxley Act (SOX) applies to the case study.

The case study provided information around the company’s use of a financial institution to commit fraud. Three companies were discovered that appeared to be fraudulent, across three different states. These companies all had the same owner listed in a separate state, and all used the same bank, the Freeworker’s bank. These companies showed frequent payments to TechFite. SOX was created to protect against financial fraud, and this activity violated the act.

B1. Explain how evidence in the case study supports claims of alleged criminal activity in TechFite.
Based on the case study findings, there were several criminal acts in play. We start the case study assessing two companies that have potentially been victims of intellectual property leaked by TechFite, directly leading to both companies facing competitor technologies released using their IP. While this does not appear to have been proven beyond a reasonable doubt, the evidence shows that both companies appear to have been violated by TechFite. Another crime that has not been discussed yet was the use of two accounts after the employees were no longer employed. It is not completely clear whether the two accounts belonged to actual people or were fraudulent, fake employees, as these two accounts were initially requested by Carl Jaspers himself, which is unusual in itself. These two accounts were used to conduct malicious business internally and had inappropriate access to data.

B1A. Identify who committed the alleged criminal acts and who were the victims.

There were several criminals in this case study. Carl Jaspers was a primary criminal who appears to have been conducting fraudulent activities for personal gain across the organization. He was involved in the SOX violation between fraudulent companies and a bank, as well as having unauthorized accounts accessing sensitive data that should not have been enabled in the first place. Additional criminals include the Business Intelligence Unit: Sarah Miller, Megan Rogers, and Jack Hudson. The victims were specifically Orange Leaf and Union City Electronic Ventures.

B1B. Explain how existing cybersecurity policies and procedures failed to prevent the alleged criminal activity.

There were several cybersecurity policies and procedures that were not being followed within TechFite. First of all, there was no identity governance being leveraged to audit and manage user
accounts. There were no checks being conducted to validate or capture escalated privileges being granted to user accounts that were not supposed to have them. In addition, the lack of least privilege protections allowed all users to have administrative privileges and exposed data to all employees without a proper need to know. This put all the data within the organization at risk. Additionally, there was no DLP enforcement to track and prevent unauthorized data transmission.

B2. Explain how evidence in the case study supports claims of alleged acts of negligence in TechFite.

Negligence could be put on the CISO, Nadia Johnson, and even Carl Jaspers. Nadia Johnson consistently reported “no irregularities” during audit exercises. No safeguards were ever implemented by the department under the CISO to ensure that this statement could be reported regularly. The entire infrastructure was flat, with no segmentation identified. This allowed anyone who was an administrator to elevate their own privileges and access any data across the entire network.

B2A. Identify who was negligent and who were the victims.

The CISO, Nadia Johnson, and Carl Jaspers would be considered negligent. Nadia Johnson was ultimately negligent as the actor enforcing the policies and did not do her job. She put the entire company at risk of having all of the company’s as well as its clients’ data exposed and accessible. The CISO is responsible for maintaining the security department and ensuring that the policies and procedures are properly created as well as enforced.

B2B. Explain how existing cybersecurity policies and procedures failed to prevent the negligent practices.

Existing practices are in place to provide direction on segmentation of the network to protect data from exposure or leakage between clients and employees with rights to access the information.
Without this in place, TechFite was exposing data to anyone who wanted to get their hands on it. The process of applying least privilege controls to accounts was also not practiced. Not having this in place allowed Carl Jaspers’ accounts to collect data at will, as well as allowing the Business Intelligence team to access data they should never have been able to access (legal, HR, etc.). Internal audits were not properly conducted, which was negligent. This effort, if done properly, would have exposed the critical issues within the network.

C. Prepare a summary (suggested length of 1–2 paragraphs) directed to senior management that states the status of TechFite’s legal compliance.

Senior Management,

In light of recent events, an investigation into the IT and business practices of the Applications Division has been executed, as directed by the Chairperson of the Board. During this investigation, TechFite has been found to be susceptible and highly at risk of compromise. It has been discovered that several cybersecurity policies and procedures have not been enforced properly across the organization. TechFite’s legal compliance with cyber laws has been found to be ineffective and potentially negligent. Based on these findings, immediate action must be taken. As a result of this behavior, at least two companies may file lawsuits against TechFite. Several cyber law violations have been identified, including the Computer Fraud and Abuse Act (CFAA), Electronic Communications Privacy Act (ECPA), and Sarbanes-Oxley Act of 2002 (SOX). Multiple illegal activities have been identified, including unlawful intelligence collection against both
the organization as well as outside companies, and requesting fake user accounts for unethical activities. TechFite’s cybersecurity department will be expected to audit all policies and procedures and implement an immediate remediation plan to rectify the findings. At a minimum, the cybersecurity office will need to develop and implement policies and processes to enforce least privilege access for user accounts and deploy Data Loss Prevention (DLP) to monitor all data in transit. By working to improve the overall cybersecurity of TechFite, unlawful and risky behaviors could be detected and properly addressed.

D. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.

Computer Fraud and Abuse Act (CFAA), summarized by the NACDL website: https://www.nacdl.org/Landing/ComputerFraudandAbuseAct#:~:text=The%20CFAA%20prohibits%20intentionally%20accessing,every%20aspect%20of%20computer%20activity
Electronic Communications Privacy Act (ECPA): https://epic.org/ecpa/
Stored Communications Act (SCA): https://www.law.cornell.edu/uscode/text/18/2701
Reetz vs. Advocate Aurora Health, Inc.: https://www.staffordlaw.com/blog/business-law/negligence-claims-for-cybersecurity-attacks-allowed-but-invasion-of-privacy-requires-intention/