Business Law for Technical Professionals (US Law): Cyberlaw, Data Privacy, and Cybersecurity

Respond to the following questions:

  1. Does the hacker who sends emails with attachments containing ransomware software violate the law, commit a crime? Remember, the attachment must be opened to trigger the attack. Identify some of the criminal laws which might apply.
  2. Referring to the 2021 Executive Order on Improving the Nation’s Cybersecurity, identify the six areas which the contract language for information and communications technology (ICT) contractors to the federal government, recommended to the Federal Acquisition Regulation (FAR) Council, needs to address. Assuming the role of the Secretary of Homeland Security, select one of the six areas and describe the contract provisions you would recommend to the FAR Council.

Please see the attached document.

Business Law for Technical Professionals
Cyber Law and Data Privacy
Overview
§ Cyber law and cybersecurity general issues
§ Federal data privacy laws and Federal Trade Commission (FTC) guidelines
§ Ecommerce and Payment Card Industry (PCI) security standards
§ Data security and ransomware
§ Employee responsibility and cyber space
Cyber Law and Cybersecurity
§ What is cyber law?
o “Laws, or a specific law, relating to internet and computer offenses, especially fraud or copyright infringement.” Oxford Languages Dictionary
o “An evolving area of law that is applied to computers and the various activities over the internet and networks.” Black’s Law Dictionary
§ Multitude of legal issues related to the internet, social media and cyber attacks
o e.g., employee revealing company trade secrets or making defamatory comments about a competitor on Facebook, LinkedIn, or Twitter; misuse of customer information gathered online by companies; data security breach
§ What is cyber security?
o “The state of being protected against the criminal or unauthorized use of electronic data or the measures taken to achieve this.” Lexico
Cyber Law and Cybersecurity
§ No unified set of cyber laws or regulations in the U.S.
o Patchwork of federal and state rules
o According to the National Conference of State Legislatures, all 50 states have laws requiring businesses and governments to notify individuals of security breaches involving their personal information
§ Breaches may lead to identity theft (e.g., name, SSN, account number, password) or financial crimes/fraud (e.g., theft of credit card, phone or utilities, bank, mortgage, employment related, loan or healthcare information)
§ Curious about your state? Review the National Conference of State Legislatures site
“Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.”
John Perry Barlow, poet and sometimes songwriter for the Grateful Dead
Federal Data Privacy Laws
§ Children’s Online Privacy Protection Act (COPPA), 2000
§ Gramm-Leach-Bliley Act (GLB Act), 1999
§ Fair Credit Reporting Act, 1970, amended in 2003
§ Electronic Communications Privacy Act (ECPA), 1986
§ Health Insurance Portability and Accountability Act (HIPAA), 1996
Data Privacy Best Practices
§ Federal Trade Commission’s four “fair information practice principles”:
1. Notice
2. Choice
3. Access
4. Security
§ FTC data breach response advice for businesses:
o Secure operations (e.g., adopt payment card industry practices)
o Identify and fix vulnerabilities
o Notify affected individuals, law enforcement and businesses affected
Ecommerce and Data Security
§ Ecommerce: buying and selling of products or services over the internet
o Transmission of payment information and personally identifiable information online is fraught with risk of fraud and theft
Tools Adopted to Reduce the Risk of Fraud and Theft
§ Payment Card Industry (PCI) Security Standards Council (SSC)
o PCI SSC provides a global forum for the payment industry to develop and refine data security standards to ensure safe payments worldwide
§ PCI Data Security Standards – the industry overall has agreed to store, process, or transmit cardholder data in accordance with the standards set by the PCI SSC
Ecommerce and Data Security
§ PCI data security goals developed by the PCI to build and maintain a secure network:
o Protect cardholder data
o Implement strong access control measures
o Regularly monitor and test networks
o Maintain a vulnerability management program and information security policy
§ Details provided on PCI SSC website, Maintaining Payment Security
Ransomware
§ Ransomware: “malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.” UC Berkeley
§ How to respond to an attack:
o Disconnect from networks
o Disconnect external devices
o Report it
§ Tools to Prevent:
o Employ a data backup and recovery plan
o Download latest patches to operating systems and software
o Maintain up-to-date anti-virus software
o Restrict user permissions to install or run software
Ransomware
How bad is it?
§ Washington state problems illustrate growing threat:
o Through the first 10 months of 2021
o 280 data breaches compared to 60 in all of 2020
o 150 ransomware incidents, more than previous 5 years combined
§ Federal Laws may help:
o July 21, 2021, House passed H.R.3138 – State and Local Cybersecurity Improvement Act; still under review in Senate
o Infrastructure law signed by President Biden in November 2021 included $500 million to go to municipalities and tribal communities to fight the problem
Employees’ Responsibility and Role
§ Employee social media use key
o Avoid downloading documents or links from unknown sources on email, phones or computers. Phishing attacks are becoming more and more sophisticated.
§ Content which employees should avoid posting:
o Information related to litigation in which company is involved
o Non-public information of any kind about company, including technical and financial information, future business plans
o Defamatory material (negative comments about competitors)
o Personal, sensitive, or confidential information of any kind
Employee Related Matters in Cyber Space
§ Monitoring employee emails and online activities
o No 4th amendment privacy protection
o Electronic Communications Privacy Act comes into play
• grants employers the authority to review to evaluate the ‘efficiency and effectiveness’ of the employee efforts
§ Monitoring employee remote working space and activities
o More protection by 4th amendment but not for equipment provided by employer
• e.g., computers, phones, etc.
• COVID experience likely to lead to new laws
§ Advice to employers – adopt and revise policies
© The Johns Hopkins University 2021, All Rights Reserved.
