Leaks and Hacks. When Is It Illegal To Get Hacked - Essay Example


When Is It Illegal to Get Hacked

Introduction

Hacking basically refers to the breach of computer security. On the other hand, according to the computer science and technology definition, hacking can describe a smart or quick fix to a computer problem, or an awkward and inelegant resolution to a problem. The term is also used to describe a variation of a program or mechanism that gives the user access to computer features that would otherwise be inaccessible, as in DIY circuit bending. Hacking has been considered a serious crime, especially when one hacks into a government. There are instances when some get involved in what is termed "ethical hacking"; this is a company's strategy to determine its security weaknesses or targets for intruders. Even so, the ethical hacker may get in trouble with the law; it is therefore necessary that one gets the Get Out of Jail Free Card (GOOJFC), a document stating that you have been authorized by someone in power to do so. Hacking is a federal crime, and any cases of suspicion would be investigated by the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ). The crime can never be expunged, unlike other state crimes; depending on the damage caused, one could also be sued for damages in the civil court, leading to a possible jail term or job termination. Some critics are proposing that any company that is hacked should be held responsible, making it a rule that it is illegal to be hacked.

Taking Responsibility

In recent years, the Federal Trade Commission (FTC) has issued claims and charged hefty fines to some companies that had leaked data to hackers. This of course brought about some critical questions about taking responsibility if the firm in question is hacked (Severson 1997, 36).
Usually it is very difficult, if not impossible, to stop a company's computer system from being hacked; hence imposing liability on the affected company could result in unintended consequences. The development of disclosure laws has played a great part in revealing that some of the security breaches that have been common over the past few years were actually due to negligence on the part of the corporate information technology (IT) team, which failed to lock down the data in any considerable way. This revelation increased the pressure on companies that get hacked to take responsibility for the crime. Computer systems hold very critical information about consumers, the company's corporate management, finances and other critical information that should not be accessed by just anybody; companies that leak such information should be held responsible (Hammond & Hammond 2003, 36). This is according to a Slashdot post at InfoWorld. Imposing serious penalties on the involved companies, especially on claims of negligence, is also a very risky undertaking for the company and consumers. This is because the regulations may be very strict and could result in unintended consequences; bearing in mind that hacking is inevitable, companies may even totally stop accepting credit cards from customers since the liability could be very great (Severson 1997, 42). This means that people would have to forgo the convenience of using credit cards to protect their safety. Most credit card users, however, would rather use their credit cards for convenience and risk their safety, since the benefits outweigh the chances of risk.

Leaks and Hacks

The difference between leaks and hacks is not very distinct, as leaking information facilitates hacking, and it is likened to the difference between negligence and wickedness (Hammond & Hammond 2003, 39). This is the basis on which some penalty is imposed on companies, with the argument that doing something stupid that harms others should be penalized.
This is like the situation when a driver falls asleep at the wheel and causes a fatal accident: it is quite justified to hold him accountable for being negligent with other people's lives, and in the same way negligent information technology staff should be held accountable for risking personal information. Leaking information is like doing something deliberately to harm others (Masnick 2008). When a system is hacked, people's personal information and the company's data are at risk; when information is leaked the same situation presents, but in the latter case the situation boils down to the question of intent. Being safe is very critical for any company to develop and grow in terms of customer trust and other corporate operations. Any company that has questionable security measures gets interesting to deal with; the question is that they are not trying to be unsafe but they don't have a clue about safety, implying that the company is incompetent to put safety measures in place. Defining "safe" in terms of information security and federal regulation is very hard, and it has been suggested that the federal government should come up with a definition that would not land everybody in jail but only those actually guilty of the felony. This means that if a company conforms to such a standard set by the federal government as security measures and the company's information is compromised by an intruder, then the company should not suffer the same consequences as a corporation that disregards information security; that would be like penalizing a victim of an assault for not resisting or defending herself (Masnick 2008).

Legal Regulations

In general operations, there are industry standards in the field of information security, which are raising debate on whether or not to make them enforceable.
The existing legal framework for safeguarding critical infrastructure consists of a hodgepodge of federal and state laws intended to deter certain types of conduct. These include protection of electronic information pertaining to individual customers and laws for specific sectors, such as the Gramm-Leach-Bliley (GLD) Act for the financial sector and the Health Insurance Portability and Accountability Act (HIPAA), which governs health services (Hammond & Hammond 2003, 45). The law is the tool for implementing policies, and the legal structure for safeguarding information should be considered in the larger context of business, ethical, technical and social aspects (Severson 1997, 53). The Department of Justice (DOJ), specifically the Computer Crime and Intellectual Property Section of the United States, gives a multidisciplinary action plan:

1. Technical solution: retailers have to produce safer products, while consumers should demand systems that execute safer security measures.
2. Safe management solution: corporations should adopt and share best management practices in their operations.
3. Developing computer ethics and educating the public will help all users to understand that computer use requires ethics; nuisance attacks would be cut down, and resources could then target greater threats.
4. All the stakeholders need to be knowledgeable about the possible solutions; this means that the private sector as well as law enforcement should collect and share information about susceptibility, threats and remedies.

The enactment of the Computer Fraud and Abuse Act (CFAA) has enabled criminalization of security breaches for information, especially when the information is classified information on government computers, financial systems or certain institutions (Hammond & Hammond 2003, 56).
National security is the major concern in this information age, and federal law imposes a serious penalty or sentence on individuals for leaking information or for illegal access, misuse, alteration or transmission of data stored by, or in the possession of, important data infrastructure. Computer crimes could lead to serious negative effects such as the terrorist attacks of September 11, 2001 on the Twin Towers. Congress, in reaction to such incidents, passed a law that altered a range of penalties in the Computer Fraud and Abuse Act (CFAA) to reflect the prospect that contravention of information security, deliberately or carelessly, could cause serious bodily injury or even death. To reduce the chances of such occurrences, however, the company that is hacked should also be held responsible for its actions, whether there was intent or not. The Federal Information Security Management Act (FISMA) is another crucial body that regulates information security (Hammond & Hammond 2003, 64). A very important issue has arisen concerning the fate of Internet Service Providers (ISPs) and information technology (IT) engineers in terms of information security breaches. Should the ISPs and IT engineers be held responsible or not? Primarily, it is better to stress the insufficient remedies for companies that are hacked in the present court systems; the legal systems cannot combat the high level of hacking civil responsibility despite vigilance. Due to all this blame and the cost of bearing responsibility, some stakeholders have proposed varied causes of action that include the third parties through whom the hacking takes place (Severson 1997, 52). This means that Internet service providers, system operators and information technology engineers would be penalized in an incident of hacking.
The supporters of this means of action against hacking crimes do so on the ill-founded basis that hackers are judgment-proof and insolvent; in the real situation on the ground, the assumption that hackers are young irresponsible adults or closeted teenagers is incorrect because it lacks the evidence to justify the claims. Some courts have identified trespass to chattels as a suitable cause of action against hackers; trespass falls under common law and covers the use of personal property without authorization, and its primary significance is that there may be some recovery (Hammond & Hammond 2003, 36).

Current Law

The current laws that regulate computer hacking have incorporated the security codes of information. The regulations are very sophisticated, with measures that take into account all the stakeholders: internet providers, information technology and the companies that use them. Best Western, the popular hotel chain, was attacked by hackers who stole the names, credit card information and addresses of every customer since the year 2007 (Masnick 2008). The hackers accessed databases and additional consumer information; however, the information technology staff has taken measures to provide a solution to the problem and render the compromised login accounts inoperative. Clients' losses are, however, totally inevitable due to the bulk of information stolen from the chain's databases. Laws that victimize the victims are ethically unacceptable; on the other hand, however, security professionals must be competent enough in terms of skills in the area of security execution, and they should be prepared to provide assistance to companies in bringing down the criminals. In order to do this, the security professional should be well conversant with the laws that govern privacy, criminal and civil activities in information security (Masnick 2008).
This covers the issues that comprise the investigation of computer crimes, the evidence to be looked into, the requirement that the company in question comply with the laws, and the fact that security professionals should be able to make prudent judgments in tense situations to facilitate decision making. A major setback to combating computer or cyber crime is the jurisdiction issues during investigations and the rapid development in technology, which has not been matched by the same advances in cyber law. This is a swift crime that is not restricted by national boundaries, and therefore the need to collectively address such crimes needs to be reevaluated by many nations so as to cooperate in investigations (Masnick 2008). The Certified Information Systems Security Professional (CISSP) is a certified body that takes care of information security and provides education on corporate security, privacy policies and defining the accepted character of employees. Different laws are covered, including criminal, civil and regulatory laws, which should be well understood by the security professional since the importance of the laws is continually increasing in the industry. Most civil crimes relate to intellectual property regulations that encompass trade secrets, trademarks, copyright and patents, as the corporate value of many firms is embodied in these (Masnick 2008). All these have a value that must be classified to make sure that the appropriate intensity of security is applied for their safeguarding. The ethics covered in the CISSP exam include the privacy laws, including the Health Insurance Portability and Accountability Act, import and export laws and transborder information flow, the federal Privacy Act and European Union principles on privacy, the Computer Fraud and Abuse Act, the Gramm-Leach-Bliley Act and the Computer Security Act.
Information security crimes became serious issues for debate in the US in the 1990s, which saw the passage of federal penalty guidelines on computer or cyber crimes related to antitrust, fraud and other white-collar crimes; the passage of the Economic Espionage Act also gives the Federal Bureau of Investigation (FBI) authority to look into corporate and industrial surveillance.

Federal Trade Commission Unfair Practice

The regulation of institutions other than financial institutions is very crucial in the development of the economy. The Federal Trade Commission provides that an act or practice would be considered deceptive if it entails an omission, a representation or a practice that is likely to misguide customers and cause them to act irresponsibly under the circumstances, and the omission in place is material (Hammond & Hammond 2003, 69). A product promotion is said to be deceptive when it includes some information that is forged or that is likely to misguide a customer. On the other hand, an advert can be termed deceptive if it omits some material information that is likely to misguide a customer under the prevailing circumstances. The Federal Trade Commission (FTC) has taken to regulating websites for violating their own standards and privacy policies, claiming that this is a deceptive trade practice. The commission utilizes its section five powers to pursue deception claims against online companies for various cyber crimes:

1. Spyware and adware providers who furtively download software onto unsuspecting users' computers.
2. Unlawful charges in association with phishing.
3. A reverse auction site that used unacceptable promotional actions to solicit customers of a competing auction site.
4. A credit company that fails to substantiate the identity of persons to whom it is releasing private customer information and also fails to scrutinize illegal activities, among other practices.
An act or practice is described as unfair if it violates the requirements of the Federal Trade Commission Act, causing injury to the customer. The injury is one that is substantial, that clients could not realistically avoid, and that outweighs the countervailing benefits to the customer and competition. In such an instance, the commission is authorized to seek an injunction and other unbiased relief, which may include remedy, for the infringement of the Act, and also to provide the foundation for government enforcement of certain fair information applications. A company's failure to comply with the outlined information practices may constitute a deceptive practice; for this reason the commission uses its unfairness jurisdiction in a wide range of cases, including the failure of a data security department to put into practice sensible protection of consumer information, consequently causing injury that is not counterbalanced by the benefits.

Evidence of Intent

The FTC regulations take into account the reasons for a certain computer crime being committed. No company should disclose an individual's information to another institution without the consent of the owner of the information (Masnick 2008). If some evidence of intentional violation of the rules regarding disclosure of information is established, the company would be held responsible for that; however, there are some crucial concerns that affect some twisted cases in the same field, for example when a company deliberately sends an uninformed delegate to take part in the standards body and the agent fails to make proper disclosure (Severson 1997, 63). In this case, the FTC may be unable to obtain satisfactory verification of intent; on the other hand, a firm may carry out a disorganized job of searching patents.

Motives of Hacking

The crimes faced in the information structure today are not so different from those crimes before the computer age.
Embezzlement, fraud and simple theft are the main motivating factors for the hacking crime. Computer crimes are getting more complicated, with criminals working in groups to steal credit card information, cash, individual personal information and even armed forces secrets (Hammond & Hammond 2003, 72). It has been affirmed that some hackers may not have criminal intent; some are just curious, smart students who may be trying out their skills. For security reasons, security professionals are required to treat even the most innocent mischief as deviant behavior that warrants punishment. There are several classes of common computer crimes: gaining excessive privileges on a system, thereby giving an unauthorized person the capacity to alter the presented data, which is usually referred to as data diddling; carrying out less important attacks that usually go overlooked next to the big crimes, for example salami attacks; and implementing or handing out code that could lead to a denial of service attack. Internet provider spoofing, password sniffing, wiretapping and signal production of capture are also used to collect information that is used to carry out such crimes. Some of the features that can lead to hacking are, however, not technology based; they may be as simple as collecting personal information from littered documents, perusing discarded garbage for credit card receipts, and tricking people into disclosing their personal information, described as social engineering attacks. For these reasons it is very important that security awareness programs be put in place and that appropriate disposal of waste be observed to avoid unintentional leaking of information. It is quite essential that the firm's security staff have enough information and be aware of the possible types of crimes that can be accomplished within their environs and the resulting outcomes of the practices.
Professional Ethics

Ethics are described as rules that regulate the socially acceptable means of performance, and are usually resorted to when other rules and regulations do not give clear direction or guidance pertaining to a certain situation or circumstance. Those who deal with information security are expected to know and observe to the letter the laws and regulations that govern the use of computers and the handling of information. The Certified Information Systems Security Professional (CISSP) is one such body that educates information security professionals on such requirements. These responsibilities are essential to establishing confidence in the information security profession, which motivates mutual respect from management and other stakeholders; this encourages job performance to the fullest.

Identity Theft: A Crime

The act of using someone else's identity or stealing somebody's identity is an illegal practice. Allowing hackers to access personal information in the first place is illegal and should never happen. Recent incidents include Best Western, where all the personal consumer information since 2007, including credit card information, was stolen (Masnick 2008). How the hackers managed to access the information is very unclear and very hard to imagine; this makes people change their credit card numbers several times over a short period of time. The other victims of identity theft are the TJ Maxx and Hannaford stores; though the banks covered the losses from illegal charges on the accounts, victims are forced to spend a lot of time revoking the cards and altering all kinds of direct charge accounts that may use the stolen numbers (Masnick 2008). These occasions usually bring about a lot of inconvenience, including cancellation of a credit card while one is traveling. The victims of identity theft are proposing that the companies that leak their personal information be held responsible for the actions.
They claim that the corporations are not supposed to keep the data in the first place, much less give it to some felonious people who manage to breach their information security, this being the bottom line of the matter. Once the leaked information gets into the hands of criminals, it does not matter whether it was stolen or leaked out through negligence or even on purpose; someone has to take responsibility, and in this case the victims claim that the hacked company should. This is because the company retains sensitive individual identity information and is hence responsible for the attack (Severson 1997, 73). Criminal charges should include charges on both the receiver of the information and those who leak it.

Incident Investigation

When a company is hacked, it usually hires professionals to carry out a crime scene investigation; any information that provides evidence of the crime should be properly handled, since mishandling may undermine any chance of prosecution. Forensic analysis of computer crime scenes is a particular science whose methodology steps must be followed. Very frequently a corporation will call in specialized consultants to conduct the crime scene investigation. On the other hand, all security professionals should be aware of the basics of how to safeguard a crime scene for additional examinations (Hammond & Hammond 2003, 55). To avoid any blunder that could spoil the evidence, an incident response policy should provide details on how to deal with a particular kind of coordination in the event of a cyber or computer crime.

Conclusion

Computer exploitation and crime is a different way in which computers can be misused to cause problems for individuals and businesses. Computer use increases and develops daily, and with its wide spread comes felony.
As we rely so much on the use of computers, we need efficient regulation and legislation over them to help manage crime and misuse; successful litigation and prosecution would therefore require that corporations and the public get acquainted with hacking techniques and consequences.

References

Severson, R.J. (1997). The Principles of Information Ethics. M.E. Sharpe, pp. 34 - 76.
Masnick, M. (2008). Should It Be Illegal To Get Hacked. Might-be-a-bit-extreme Dept. Retrieved from http://.techdirt.com/articles/2008825/23200129094.shtml on 18th November 2008 at 1646hrs.
Hammond, R.J. & Hammond, R.J. Jnr (2003). Identity Theft. How to Protect Your Most Valuable Asset. Career Press, pp. 35 - 79.