Page 265 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

is also criticized by many in the security and privacy community as an
               overbroad law. Under some interpretations, CFAA criminalizes the
               violation of a website’s terms of service. This law was used to
               prosecute MIT-affiliated researcher Aaron Swartz for downloading a large
               number of academic research papers from a database accessible on the
               MIT network. Swartz committed suicide in 2013, and his death inspired the
               drafting of a CFAA amendment that would have excluded the violation
               of website terms of service from CFAA. That bill, dubbed Aaron’s Law,
               never reached a vote on the floor of Congress.



               Federal Sentencing Guidelines

               The Federal Sentencing Guidelines released in 1991 provided
               punishment guidelines to help federal judges interpret computer
               crime laws. Three major provisions of these guidelines have had a
               lasting impact on the information security community.

                    The guidelines formalized the prudent man rule, which requires
                    senior executives to take personal responsibility for ensuring the
                    due care that ordinary, prudent individuals would exercise in the
                    same situation. This rule, developed in the realm of fiscal
                    responsibility, now applies to information security as well.

                    The guidelines allowed organizations and executives to minimize
                    punishment for infractions by demonstrating that they used due
                    diligence in the conduct of their information security duties.

                    The guidelines outlined three elements (often described as burdens
                    of proof) that must all be established to show negligence.
                    First, the person accused of negligence must have a legally
                    recognized obligation. Second, the person must have failed to
                    comply with recognized standards. Finally, there must be a causal
                    relationship between the act of negligence and the subsequent
                    damages.


               National Information Infrastructure Protection Act of 1996

               In 1996, Congress passed yet another set of amendments to the
               Computer Fraud and Abuse Act designed to further extend the
               protection it provides. The National Information Infrastructure
               Protection Act included the following main new areas of coverage: