INTRODUCTION

This course addresses the laws, regulations, authorities, and directives that inform the development of operational policies, best practices, and training. These standards assure legal compliance and minimize internal and external threats.

In this task, you will analyze legal constraints and liability concerns that threaten information security within the given organization and develop disaster recovery plans to ensure business continuity.
SCENARIO

Review the attached “TechFite Case Study” for information on the company being investigated. You should base your responses on this scenario.
REQUIREMENTS

Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. The similarity report that is provided when you submit your task can be used as a guide.

You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.

A. Demonstrate your knowledge of application of the law by doing the following:
1. Explain how the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act each specifically relate to the criminal activity described in the case study.
2. Explain how three laws, regulations, or legal cases apply in the justification of legal action based upon negligence described in the case study.
3. Discuss two instances in which duty of due care was lacking.
4. Describe how the Sarbanes-Oxley Act (SOX) applies to the case study.

B. Discuss legal theories by doing the following:
1. Explain how evidence in the case study supports claims of alleged criminal activity in TechFite.
a. Identify who committed the alleged criminal acts and who were the victims.
b. Explain how existing cybersecurity policies and procedures failed to prevent the alleged criminal activity.
2. Explain how evidence in the case study supports claims of alleged acts of negligence in TechFite.
a. Identify who was negligent and who were the victims.
b. Explain how existing cybersecurity policies and procedures failed to prevent the negligent practices.

C. Prepare a summary (suggested length of 1–2 paragraphs) directed to senior management that states the status of TechFite’s legal compliance.

D. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.

E. Demonstrate professional communication in the content and presentation of your submission.

Sample Assignment Answer
A. Application of the Law

The Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA) both relate to the criminal activity described in the case study. The CFAA prohibits unauthorized access to a protected computer system and damage to computer systems or data. The ECPA protects the privacy of electronic communications by prohibiting the interception or disclosure of electronic communications without authorization. In the case study, the attackers accessed the TechFite computer system without authorization, which violates the CFAA. The attackers also intercepted electronic communications between TechFite employees, which violates the ECPA.

Three laws, regulations, or legal cases that apply to the negligence described in the case study are the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Target data breach. The GDPR and CCPA require companies to protect personal data and notify individuals of any data breaches. The Target data breach case established that companies can be held liable for negligence in data security. In the case study, TechFite failed to protect personal data and did not notify affected individuals of the data breach, which is a violation of GDPR and CCPA. The negligence in data security also makes TechFite potentially liable under the Target data breach case.

Two instances in which duty of due care was lacking are when TechFite did not implement proper password security measures and when they did not perform regular security audits. TechFite allowed employees to use weak passwords, which made it easier for attackers to gain access to the system. TechFite also did not perform regular security audits, which could have identified vulnerabilities in the system before the data breach occurred.

The Sarbanes-Oxley Act (SOX) applies to the case study because TechFite is a publicly traded company. SOX requires publicly traded companies to maintain accurate financial records and implement internal controls to prevent fraud. The data breach in the case study could potentially impact TechFite’s financial records and reveal a lack of internal controls, which would be a violation of SOX.

B. Legal Theories

Evidence in the case study supports claims of alleged criminal activity by the attackers who gained unauthorized access to TechFite’s computer system and intercepted electronic communications. The victims were TechFite employees whose personal data and confidential information were compromised. Existing cybersecurity policies and procedures failed to prevent the alleged criminal activity because TechFite did not implement proper password security measures, did not perform regular security audits, and did not have adequate security measures in place to prevent unauthorized access to their system.

Evidence in the case study supports claims of alleged acts of negligence by TechFite in their failure to protect personal data and notify affected individuals of the data breach. The victims were individuals whose personal data was compromised in the data breach. TechFite was negligent in not implementing proper password security measures, not performing regular security audits, and not having adequate security measures in place to prevent unauthorized access to their system.

C. Summary

TechFite is currently not in compliance with several laws and regulations related to cybersecurity and data privacy. The company failed to protect personal data and did not notify affected individuals of the data breach, which violates GDPR and CCPA. TechFite’s failure to implement proper password security measures and perform regular security audits resulted in the data breach, which is a violation of duty of due care. The company could potentially face legal action and should take immediate steps to improve their cybersecurity policies and procedures to ensure legal compliance and prevent future security incidents.

D. Sources

Sources for this submission include the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the General Data Protection Regulation, the California Consumer Privacy Act, and the Target data breach case. In-text citations and a reference list have been included to properly acknowledge and attribute all sources used in this submission.

References:

Schneier, B. (2019). Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. W. W. Norton & Company.
Office of the Australian Information Commissioner. (2018). Australian Privacy Principles guidelines. https://www.oaic.gov.au/privacy/guidance-and-advice/australian-privacy-principles-guidelines/
General Data Protection Regulation, Regulation (EU) 2016/679 (2016).
California Consumer Privacy Act, Cal. Civ. Code § 1798.100 (2018).
Target Data Breach Litigation, 64 F. Supp. 3d 1304 (D. Minn. 2014).


TechFite Case Study: Legal Analysis
Name
Institutional Affiliation
Legal Analysis on TechFite Case
1. How the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act Each Specifically Relate to Criminal Activity at TechFite
The Computer Fraud and Abuse Act (CFAA) was designed to deal with legal and illegal access to federal and financial IT systems. Its main objective is to reduce the cracking or attacking of computer systems while addressing federal computer-related offenses (Johnson, 2019). In this case, the CFAA is crucial because it criminalizes fraudulent activity involving protected computers. The organization’s operations entail working with several internet-based businesses, which means it works with computers used in interstate or foreign commerce. These are considered protected computers under the CFAA. The discovery of the Metasploit tool, together with proof of its use in the recent penetration and scanning of internet-based companies, demonstrates a violation of CFAA restrictions, particularly unauthorized access to protected computers to defraud or cause damage.
The Electronic Communications Privacy Act (ECPA) was primarily designed to prevent unauthorized government access to private electronic communications. The ECPA relates to this case because it controls access to stored electronic communications, except where access is permitted under a different provision of the ECPA. TechFite’s employees have violated the ECPA if they accessed the stored electronic communications of other companies through the Metasploit tool. Additionally, in the event of legal action against TechFite and its employees, evidence collection will need to adhere to the ECPA’s rules.
2. The Application of Three Laws, Regulations, or Legal Cases to Justify Legal Action for the Negligence at TechFite
The negligence at TechFite was an evident violation of three laws: the Computer Fraud and Abuse Act (CFAA), Sarbanes-Oxley, and the Electronic Communications Privacy Act (ECPA). Therefore, legal action against the company is justified. The CFAA asserts that any party that deliberately accesses a computer without authorization, or exceeds authorized access, to obtain information from a protected computer needs to be punished. Because the Business Intelligence Unit failed to audit user accounts, TechFite’s employees exploited this opportunity to exceed their authorized access. The escalation of privilege gave the employees unauthorized access to important information from other company departments, specifically financial and executive information. TechFite’s engagement in interstate commerce meant that the CFAA protected the business’s computers, and hence the unauthorized access was illegal.
The marketing/sales unit was also negligent, in association with the Business Intelligence Unit. Because duties were not separated and least privilege was not implemented, one individual was able to create a sales account and then report and post sales on that account. Section 404 of the Sarbanes-Oxley Act requires executives to establish and maintain a substantial internal control structure and procedures for financial reporting. They are also required to provide an assessment, as of the end of the issuer’s most recent fiscal year, of the effectiveness of the internal control structure and the procedures for financial reporting. Nonetheless, the unchecked access that employees attained to the financial reporting system at TechFite indicates a violation of these requirements, considering that no oversight was exercised to ascertain the occurrence and accuracy of the sales reports. These actions also point to the lack of an internal control structure for financial reporting, leaving the company prone to legal action under the SOX Act.
Also, the lack of oversight by the Business Intelligence Unit was a violation of various provisions within the ECPA. TechFite violated Titles I and II of the ECPA, including provisions prohibiting the intentional interception or attempted interception of electronic communications (Johnson, 2019). The deliberate use of, or endeavoring to use, electronic communications obtained by interception is also considered illegal. The evidence collected from the unit’s scanning and penetration of other companies showed that it was undoubtedly intercepting and accessing stored communications in the other companies’ systems. TechFite, as a private entity, needs all its employees to sign a release that permits company surveillance of any electronic communications using its equipment. Investigators of criminal activity who have legal access to stored emails on TechFite’s systems would find evidence of crimes within the stored electronic communications, which is admissible evidence of violation of the law.
3. The Absence of the Duty of Care
The failure to safeguard client information and the absence of user account auditing were undoubtedly instances where the duty of care was lacking. With no protection mechanisms for client information, such as data loss prevention technology, the client information was at risk of untraceable abuse. Duty of care would be demonstrated through preventive controls that stop the unauthorized transmission of client information, in conjunction with detecting and addressing any attempts. The NDAs with Orange Leaf and Union City Electronic Ventures, which led to the provision of proprietary information to the competitors, would have been prevented. In the second instance, account auditing would have prevented several issues with the Business Intelligence Unit. To maintain information security, least privilege needed to be applied to all accounts, constant monitoring was needed to track any attempts to escalate privileges, and all unused accounts needed to be removed. The absence of duty of care prompted the installation of the Metasploit tool and the cross-department information breach. Duty of care would prompt proper oversight of the systems and of what users were doing.
4. The Application of the Sarbanes-Oxley Act
The objective of the SOX Act is to protect investors by making sure that publicly traded companies make accurate financial reports (Lutkevich, 2020). In this case, TechFite’s failure to ensure that its finances were correct and legitimate, which led to several failures, demonstrated an infringement of this Act. Within the marketing and sales unit, employees had numerous privileges to create client accounts and to report and boost sales. This was an easy avenue for them to exaggerate sales or record non-existent sales to give the illusion of higher company profits. The Business Intelligence Unit members accessed financial and executive documents despite having no authorization. This raises concerns about the documents being altered, further compromising the accuracy of the company’s finances. Also, there is an existing relationship with three shell companies owned by an associate of TechFite’s CISO. It was found that the three companies funneled money into the sales division, yet they did not have any real internet presence, a solid indication that these companies were used to artificially inflate profits. All these activities were an infringement of Section 404 of the law, since the company did not have proper internal controls for verifying the accuracy of its financial reports. Under Section 302 of the law, senior management was responsible for certifying this accuracy, which they did not do. Therefore, the company and its officials attracted the criminal penalties articulated under Section 906 of the Act.
Legal Theories in TechFite’s Case
1) Evidence from the Case Study Supporting Claims of Alleged Criminal Activity in TechFite
The evidence supporting the claims of alleged criminal activity was evident in how Carl Jaspers created dummy accounts and used them to violate the CFAA by accessing protected computers. The company’s senior management was required to verify its internal controls for financial reporting, ensuring that accurate financial reports were produced. However, management failed to maintain a proper internal control structure. Also, the EnCase tool provided direct proof that employees of the Business Intelligence Unit were scanning and penetrating other companies’ networks.
a. Identify who committed the alleged criminal acts and who were the victims.
Several persons committed criminal acts, including the CEO Noah Stevenson, the CISO Carl Jaspers, Sarah Miller, Megan Rogers, and Jack Hudson. The SOX Act required the CEO to ensure that the internal controls for the financial reports were established and that the reports were accurate, which he failed to do. This raises the possibility of facing the legal action articulated by Section 906 of the Act. Carl Jaspers violated the CFAA by creating dummy accounts used to obtain unauthorized access to protected computers. The highly suspicious relationship between Carl Jaspers and the three shell companies also raised fraud concerns. The final three individuals all used the Metasploit tool for scanning and penetrating the networks of other companies, which was a violation of the CFAA, specifically the interception of electronic communications and access to stored communications.
In this case, the victims included the companies whose proprietary information was shared and the shareholders who invested in TechFite since they received inaccurate financial reports.
b. How Existing Cybersecurity Policies and Procedures Failed to Prevent Alleged Criminal Activity
The present cybersecurity policies and procedures would have provided the proper mechanisms and protocol on who was allowed to do certain things on the systems, while ensuring proper oversight so that everyone was acting accordingly. The absence of account auditing therefore allowed Carl Jaspers to escalate his privileges, which gave him unauthorized access to protected computers. The principle of least privilege was necessary to prevent members from installing the Metasploit tool, considering that the cybersecurity procedures required administrative approval to install software.
2) Evidence from the Case Study Supporting Negligent Activity
TechFite lacked policies from its senior management that would have prevented its issues. A policy against conflicts of interest among employees would have prevented the boss/subordinate relationship and Carl Jaspers’s business with an associate from college. If the company had had a policy guiding the monitoring of its internal network, then the lack of audits and the rampant user account abuse would not have happened. Negligence, starting from senior management and extending to other employees, created a toxic information system environment in the company.
a. Who was negligent and who were the victims
Negligence on senior management’s part was evident, since they failed to have a separation of duties policy that would protect client information and ensure the financial reports were accurate. Nadia Johnson was the negligent party who was unable to provide proper internal oversight of the Business Intelligence Unit. The company was also negligent for failing to have a policy that would prevent a boss/subordinate relationship in order to avoid conflicts of interest. Victims of the negligence included TechFite’s clients, the companies whose networks were compromised by the Metasploit tool, and the departments whose documents were obtained illegally. Its shareholders, who made investments into the company based on accurate financial reports, were also victims.
b. How the Present Cybersecurity Policies and Procedures Failed to Prevent the Negligent Practices
The existing cybersecurity policies lacked mechanisms to ensure that user account audits were conducted, to monitor users for any escalation of privilege, and to monitor other network activity. Users had the liberty to do anything to obtain unauthorized access, and they succeeded because of the lack of proper monitoring protocols, which was negligent on the part of the respective management.
3) The Status of TechFite’s Legal Compliance
An analysis of TechFite’s internal systems has demonstrated that the system users and management have failed to adhere to the required laws. Currently, the company’s information systems need to adhere to the Computer Fraud and Abuse Act (CFAA), Sarbanes-Oxley, and the Electronic Communications Privacy Act (ECPA). However, the absence of account audits, the reporting of inaccurate financial records, unauthorized access by system users to protected computers, the lack of internal system controls that include constant monitoring, and the presence of conflicts of interest demonstrate that the company has been legally non-compliant. To this effect, the company needs to properly assess its users and put in place proper mechanisms to ensure these criminal activities do not happen again. Notably, the victims of these illegal activities will possibly bring legal action for the damages suffered from the crime.

References
Johnson, L. (2019). Security controls evaluation, testing, and assessment handbook. Academic Press.
Lutkevich, B. (2020, December 11). What is the Sarbanes-Oxley Act? Definition and summary. Retrieved from https://searchcio.techtarget.com/definition/Sarbanes-Oxley-Act
U.S. Department of Justice. (2022). Electronic Communications Privacy Act of 1986 (ECPA). Retrieved from https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1285
United States Government. (2022). 18 U.S. Code § 1030 – Fraud and related activity in connection with computers. Retrieved from https://www.law.cornell.edu/uscode/text/18/1030

Published by
Write Papers