Security Awareness

Laws FAQ

Laws

What will happen to you if you are found liable for copyright infringement?

In the US, if the copyright owner previously registered the copyright with the Copyright Office, then you may have to pay amounts of money set forth in the copyright statute, anywhere from $500 to $20,000. You may also have to pay the attorneys' fees of the copyright owner. In the US, regardless of whether or not the copyright owner previously registered the copyright, you may have to pay actual damages. In addition, the court may order impoundment and destruction of the instrumentalities that made the copying possible. This may include your computer, your hard disk, your backup media, your MIDI keyboard, your modem, and other hardware and software.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22

What is M.G.L. Chapter 75?

M.G.L. Chapter 75 refers to Massachusetts General Law, Chapter 75 and pertains to the University of Massachusetts. For the full text of this law go to http://www.state.ma.us/legis/laws/mgl/gl-75-toc.htm.

Date Revised : 2003-09-03

What is the Freedom of Information Act (FOIA)?

The Freedom of Information Act (FOIA) (5 U.S.C. 552) establishes a presumption that records in the possession of agencies and departments of the executive branch of the federal government are accessible to the people. FOIA, as amended, provides that the public has a right of access to federal agency records, except for those records that are protected from disclosure by nine stated exemptions. One of these exemptions allows the federal government to withhold information about individuals in personnel and medical files and similar files when the disclosure would constitute a clearly unwarranted invasion of personal privacy.

Date Revised : 2003-06-05

What is not included in the Copyright Law?

Several categories of material are generally not eligible for federal copyright protection. These may include, among others:

  • Works that have not been fixed in a tangible form of expression (for example, choreographic works that have not been notated or recorded, or improvisational speeches or performances that have not been written or recorded);
  • Titles, names, short phrases, and slogans; familiar symbols or designs; mere variations of typographic ornamentation, lettering, or coloring; mere listings of ingredients or contents;
  • Ideas, facts, procedures, methods, systems, processes, concepts, principles, discoveries, or devices, as distinguished from a description, explanation, or illustration;
  • Works consisting entirely of information that is common property and containing no original authorship (for example: standard calendars, height and weight charts, tape measures and rulers, and lists or tables taken from public documents or other common sources).

Date Revised : 2003-09-03

What is the Digital Millennium Copyright Act (DMCA)?

Digital Millennium Copyright Act (PDF)

What is the Federal Copyright Law (Title 17 of the U.S. Code)?

Copyright law in the U.S. is governed by federal statute, namely the Copyright Act of 1976. The Copyright Act prevents the unauthorized copying of a work of authorship. A copyright is the set of exclusive legal rights authors have over their works for a limited period of time. These rights include copying the works (including parts of the works), making derivative works, distributing the works, and performing the works (this means showing a movie or playing an audio recording, as well as performing a dramatic work). Currently, the author's rights begin when a work is created. Copyrighted works are not limited to those that bear a copyright notice. As a result of changes in copyright law, works published since March 1, 1989 need not bear a copyright notice to be protected under the federal statute. 

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22

What is the Computer Security Act of 1987 (40 U.S. Code 759 and Public Law 100-235, Jan 8 1988)?

The Computer Security Act of 1987 is a federal law that:

  • Requires computer security awareness;
  • Establishes the National Institute of Standards and Technology (NIST) as the focal point for non-classified information systems security for the Federal Government;
  • Defines and covers Sensitive Unclassified Information (SUI);
  • Established National Security Agency/Department of Defense control of classified information cryptography.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22

What is the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (Title 18 of the U.S. Code)?

The Computer Fraud and Abuse Act (CFAA), first enacted in 1984 and revised in 1994, criminalizes unauthorized access to a "protected computer" with the intent to obtain information, defraud, obtain anything of value, or cause damage to a computer. A "protected computer" is a computer that is used in interstate or foreign commerce or communication, or by or for a financial institution or the government of the United States. The "interstate or foreign commerce or communication" criterion of the protected computer definition may make the act of hacking into a secure web site from an out-of-state computer a violation of the CFAA.

The Act made it illegal to access a computer without authorization to obtain United States defense or foreign relations information. It also made accessing a company's financial information, as well as damaging files, illegal. The Computer Fraud and Abuse Act of 1986, which also covered computer fraud, sharing of passwords, and damage to federal information, updated the 1984 act. Once again, in 1994, the act was updated by the Computer Abuse Amendments, which extended the law to protect private computers instead of just federal computers.

Violation of CFAA can result in serious fines and/or imprisonment.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22

What is the Electronic Communications Privacy Act of 1986 (Public Law 99-474)?

The Electronic Communications Privacy Act (ECPA), enacted in 1986, amends title 18, United States Code (i.e., USC), with respect to provisions for the access, use, disclosure, interception and privacy protections of electronic, wire, or oral communications. The ECPA was designed to expand privacy protection to apply to radio paging devices, electronic mail, cellular telephones, private communication carriers, and computer transmissions. The Act also identified specific situations and types of transmissions that would not be protected, most notably an employer's monitoring of employee electronic mail on the employer's system.

ECPA contains two Titles. Title I - Interception of Communications and Related Matters - updates existing laws to acknowledge and include in Title 18 of the USC new technologies such as computer communication.

Title II - Stored Wire and Electronic Communications and Transactional Records Access - adds a new chapter to Title 18 of the USC prohibiting unlawful access and certain disclosures of communication contents. Under the Act, it is now a federal offense to access a system without authorization or to exceed your authorized access on a system (e.g., accessing data for which you have not been given authority to access; reading someone else's email without their authorization).

The Act excludes service providers (e.g., the operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service) whose facilities are used in the transmission of a wire or electronic communication. It allows such providers to intercept, disclose, or use wire or electronic communications transmitted on their facilities in the normal course of activities necessary to the offering and support of the provider's service or to the protection of the rights or property of the provider of that service. The provider cannot, however, use the service to observe or randomly monitor except for mechanical or service quality control checks.

Additionally, the Act outlines law enforcement's abilities and the procedures required for them to obtain disclosure of electronic communications from a provider. Providers are "authorized to provide information, facilities, or technical assistance to persons authorized by law to intercept wire, oral, or electronic communications or to conduct electronic surveillance, as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978". The law outlines what needs to be provided by law enforcement to compel the service provider to "provide information, facilities or technical assistance."

Failure to comply with ECPA can result in civil damages and criminal penalties. Criminal penalties can result from unauthorized access to computers if messages are obtained or altered. Felony charges can be brought if the violation was committed maliciously or for commercial gain, in which case the act is punishable by up to one year of imprisonment and a $250,000 fine. In other cases, a term of imprisonment of six months and a maximum fine of $5,000 is applicable.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22

What is the Family Educational Rights and Privacy Act of 1974?

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of eligible student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

FERPA gives eligible students the following rights:

  • To inspect and review the eligible student's education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for the eligible student to review the records. Schools may charge a fee for copies.
  • To request that a school correct records which the eligible student believes to be inaccurate or misleading. If the school decides not to amend the record, the eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the eligible student has the right to place a statement with the record setting forth their view about the contested information.

Generally, schools must have written permission from the eligible student in order to release any information from an eligible student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):

  • School officials with legitimate educational interest;
  • Other schools to which an eligible student is transferring;
  • Specified officials for audit or evaluation purposes;
  • Appropriate parties in connection with financial aid to an eligible student;
  • Organizations conducting certain studies for or on behalf of the school;
  • Accrediting organizations;
  • To comply with a judicial order or lawfully issued subpoena;
  • Appropriate officials in cases of health and safety emergencies; and
  • State and local authorities, within a juvenile justice system, pursuant to specific State law.

Schools may disclose, without consent, "directory" information such as an eligible student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell eligible students about directory information and allow eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a bulletin, student handbook, or newspaper article) is left to the discretion of each school.

An eligible student may file a written complaint with the Family Policy Compliance Office (i.e., Compliance Office) regarding an alleged violation under the Act. If a complaint is deemed valid, the Compliance Office notifies the educational institution named in the complaint, requests a response, and investigates the complaint. If the Compliance Office finds that the educational institution has not complied with the Act, it notes specific steps that the institution must take to comply and provides a reasonable period of time, given all of the circumstances of the case, during which the educational institution may comply voluntarily.

If the educational agency or institution does not comply during the period of time set under Sec. 99.66(c), the Secretary may, in accordance with part E of the General Education Provisions Act--
(1) Withhold further payments under any applicable program;
(2) Issue a complaint to compel compliance through a cease-and-desist order; or
(3) Terminate eligibility to receive funding under any applicable program.

Date Revised : 2006-03-22

What is Title 20 U.S.C.?

Title 20 U.S.C. is the title of the United States Code (federal law) addressing education. Chapter 31 of Title 20 addresses general provisions concerning education and includes section 1232g, the Family Educational and Privacy Rights (i.e., FERPA).

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22

What is the Massachusetts Fair Information Practices Act?

The Massachusetts Fair Information Practices Act refers to the Massachusetts General Law (e.g., MGL) Chapter 66A which outlines how personal data should be collected, used and secured. For the full text of this Law go to http://www.mass.gov/legis/laws/mgl/gl-66a-toc.htm.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22

What is the Americans with Disabilities Act (ADA)?

The Americans with Disabilities Act (i.e., ADA) gives civil rights protections to individuals with disabilities similar to those provided to individuals on the basis of race, color, sex, national origin, age, and religion. It guarantees equal opportunity for individuals with disabilities in public accommodations, employment, transportation, State and local government services, and telecommunications. Equal access to technology is addressed in the ADA.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-03-22

What is the Gramm-Leach-Bliley Act of 1999?

The Gramm-Leach-Bliley (i.e., GLB) Act requires financial institutions to take steps to ensure the security and confidentiality of customer records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers.

The GLB Act broadly defines a financial institution as any institution engaging in the financial activities enumerated under the Bank Holding Company Act of 1956, including making, acquiring, brokering, or servicing loans and collection agency services. Because higher education institutions participate in financial activities, such as making Federal Perkins Loans, FTC regulations consider them financial institutions for GLB Act purposes.

The GLB Act spells out several specific requirements regarding the privacy of customer financial information. The law imposes two fundamental requirements: explicit notification of information-sharing policies and the means for customers to "opt out" of those practices. Privacy and opt-out notification is not a one-time procedure under GLBA. Such notification must occur at least annually. In addition, if an organization's privacy policies change in any way that would let information sharing occur other than as previously described, the new policy must be sent to all customers. When a new privacy policy is developed, the organization cannot share any information until the consumer has had a "reasonable opportunity" to opt out.
To be in compliance with GLBA, financial institutions must deliver a copy of their privacy policies to their customers in a "clear and conspicuous" manner no later than July 1, 2001. Although "clear and conspicuous" has not been formally defined, most financial organizations agree that such notification should consist of a written copy of an institution's privacy policy and practices. The institution would then mail a copy to each and every customer.

Under regulations promulgated in May 2000, colleges and universities are deemed to be in compliance with the privacy provisions of the GLB Act for student financial information if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are subject to the provisions of the Act related to the administrative, technical, and physical safeguarding of customer information.

The GLB Act requires financial institutions to develop a written information security plan that describes the institution's program to protect customer information. As part of the plan, the institutions must:

  • Designate one or more employees to coordinate the safeguards.
  • Identify and assess the risks to customer information in each relevant area of operation, and evaluate the effectiveness of the current safeguards for controlling these risks.
  • Design and implement a security safeguard program, and regularly monitor and test it.
  • Select appropriate Internet Service Providers and contract with them to implement safeguards.
  • Evaluate and adjust the program in light of relevant circumstances, including changes in operations, or the results of testing and monitoring of safeguards.

Non-compliance with GLBA can result in a variety of fines and up to 5 years imprisonment for EACH violation.

Date Revised : 2004-07-16

What is the Patriot Act?

Patriot Act (PDF)

What is the TEACH Act?

TEACH Act (PDF)

What is SEVIS?

SEVIS (PDF)

What is HIPAA?

HIPAA (PDF)

Can websites that allow people to download illegally be sued in addition to the person downloading?

Yes. On June 27, 2005 the U.S. Supreme Court ruled that websites that allow people to download illegally could also be sued. For more information see the US Supreme Court ruling: MGM Studios Inc. et al v Grokster Ltd. et al.

Policy Referenced : Responsible/Acceptable use of Computing and Data Resources (PDF)

Date Revised : 2006-02-24

What is the CAN-SPAM Act of 2003?

The Controlling the Assault of Non-Solicited Pornography and Marketing (i.e., CAN-SPAM) Act of 2003 (15 U.S.C. 7701), effective January 1, 2004, establishes the United States' first national standards for the sending of commercial e-mail and requires the Federal Trade Commission (FTC) to enforce its provisions. CAN-SPAM defines spam as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)."
The bill permits e-mail marketers to send unsolicited commercial e-mail as long as it contains all of the following:

  • an opt-out mechanism;
  • a valid subject line and header (routing) information;
  • the legitimate physical address of the mailer; and
  • a label if the content is adult.

If a user opts out, a sender has ten days to remove the address. The legislation also prohibits the sale or other transfer of an e-mail address after an opt-out request. Use of automated means to register for multiple e-mail accounts from which to send spam compounds other violations. It prohibits sending sexually-oriented spam without the label later determined by the FTC of SEXUALLY-EXPLICIT. This label replaced the similar state labeling requirements of ADV:ADLT or ADLT.

CAN-SPAM pre-empts existing state anti-spam laws that do not deal with fraud. It makes it a misdemeanor to send spam with falsified header information. A host of other common spamming practices can make a CAN-SPAM violation an "aggravated offense," including harvesting, dictionary attacks, Internet protocol spoofing, hijacking computers through Trojan horses or worms, or using open mail relays for the purpose of sending spam.

The legislation does not allow e-mail recipients to sue spammers or bring class-action lawsuits, but allows enforcement by the FTC, State Attorneys General, Internet service providers, and other federal agencies for special categories of spammers (such as banks).

Date Revised : 2006-02-24

What states require people to be notified if their personal information may be compromised?

As of 4 January 2006 at least 23 states have passed security breach notification laws:
Arkansas, California, Connecticut, Delaware, Florida, Georgia (data brokers only), Illinois, Indiana (state agencies only), Louisiana, Maine (information brokers only), Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, Tennessee, Texas, Washington

Other states that considered breach bills in 2005:
AK, AZ, CA, CO, MD, MA, MI, MO, OR, SC, VA, WV, WI

For more information go to the following sites:
http://www.pirg.org/consumer/credit/statelaws.htm
www.consumersunion.org/campaigns/Breach_laws_May05.pdf
http://www.issa-ne.org/documents/SSBNL.pdf

Date Revised : 2006-03-22

What states have laws allowing consumers to restrict access to their credit reports if their personal information may have been compromised?

As of 4 January 2006, there are twelve states with laws allowing consumers to restrict access to their credit reports:

California: ALL CONSUMERS
Colorado: ALL CONSUMERS
Connecticut: ALL CONSUMERS
Illinois: IDENTITY THEFT VICTIMS
Louisiana: ALL CONSUMERS
Maine: ALL CONSUMERS
Nevada: ALL CONSUMERS
New Jersey: ALL
North Carolina: ALL CONSUMERS. Signed 21 Sept 05. Effective 1 December 2005.
Texas: IDENTITY THEFT VICTIMS
Vermont: IDENTITY THEFT VICTIMS
Washington: IDENTITY THEFT VICTIMS, INCLUDING VICTIMS OF SECURITY BREACHES

For more information go to http://www.pirg.org/consumer/credit/statelaws.htm

Date Revised : 2006-03-22

What is the concept of "copyleft"?

The "copyleft" license grants free access to specific content in the same sense as free software is licensed freely. The specified content can be copied, modified, and redistributed so long as the new version grants the same freedoms to others and acknowledges the authors of text used.

Date Revised : 2006-03-29

Where can I find information regarding how to obtain copyright permission?

A good place to start is the Copyright Clearance Center (http://www.copyright.com/), which manages the rights to over 1.75 million works and represents more than 9,600 publishers and hundreds of thousands of authors and other creators.

Date Revised : 2006-03-29

Where can I learn more about copyright related to higher education?

The Copyright Clearance Center offers a guide called the Campus Guide to Copyright Compliance (http://www.copyright.com/Services/copyrightoncampus/). The Guide addresses issues related to traditional photocopied handouts and paper-based interlibrary loans, as well as more contemporary issues including the Internet, course management systems, customized coursepacks and e-reserves.

Date Revised : 2006-03-29

What is the Identity Theft and Assumption Deterrence Act of 1998?

This Act makes it a crime when someone:

"knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law."

Under the Identity Theft And Assumption Deterrence Act, a name, birth certificate or SSN is considered a "means of identification." So is a credit card number, driver's license, cellular telephone electronic serial number or any other piece of information that may be used alone or in conjunction with other information to identify a specific individual.

In most instances, a conviction for identity theft carries a maximum penalty of 15 years imprisonment, a fine and forfeiture of any personal property used or intended to be used to commit the crime.

Schemes to commit identity theft or fraud also may involve violations of other statutes, such as credit card fraud; computer fraud; mail fraud; wire fraud; financial institution fraud; or Social Security fraud. Each of these federal offenses is a felony and carries substantial penalties - in some cases, as high as 30 years in prison, fines and criminal forfeiture.

Date Revised : 2006-07-17

Is it legal for professors to post grades by the last four digits of a student's social security number? No student names are listed and this enables students to easily identify their own grades, yet remain unable to identify any other student's identities. Is this practice in violation of FERPA or any other applicable laws?

This practice is not legal and is in violation of FERPA. FERPA protects privacy interests of parents in their children's "education records," and generally prohibits the disclosure of personally identifiable information from education records without the consent of the parent. The term "education records" is broadly defined as all records, files, documents and other materials which:

contain information directly related to a student; and are maintained by the educational agency or institution or by a person acting for such agency or institution.

20 U.S.C. § 1232g(a)(4)(A); 34 CFR § 99.3 "Education records." When a student reaches the age of 18 or attends an institution of postsecondary education, the student is considered an "eligible student" under FERPA and all of the rights afforded by FERPA transfer from the parents to the student.

Under FERPA an eligible student must provide his or her prior written consent before an educational agency or institution discloses personally identifiable information from his or her education records. 20 U.S.C. § 1232g(b); 34 CFR § 99.30. Section 99.3 of the regulations defines "Personally identifiable information" as information that includes but is not limited to:

  1. the student's name
  2. the name of the student's parent or other family member
  3. the address of the student or the student's family
  4. a personal identifier, such as the student's social security number or student number
  5. a list of personal characteristics that would make the student's identity easily traceable
  6. other information that would make the student's identity easily traceable.

34 CFR § 99.3 Personally identifiable information. A student's social security number is, by definition, personally identifiable information under FERPA, and may not be disclosed without consent in any form.

FERPA provides that educational agencies and institutions may not disclose personally identifiable, non-directory information from education records unless a parent or eligible student has provided a signed and dated written consent in accordance with the requirements of § 99.30 of the FERPA regulations. While there are certain exceptions to this general prohibition, none permit an educational agency or institution to publicly disclose personally identifiable information, including the student's grades and portions of the student's social security number, from the education records of students.

FERPA does not prevent an educational agency or institution from posting the grades of students without written consent when it is not done in a personally identifiable manner. Thus, while FERPA precludes a school from posting grades by social security numbers, student ID numbers, or by names because these types of information are personally identifiable or easily traceable to the students, nothing in FERPA would preclude a school from assigning individual numbers to students for the purpose of posting grades as long as those numbers are known only to the student and the school officials who assigned them.

What is the No Electronic Theft (NET) Act?

The No Electronic Theft (NET) Act criminalizes sound recording copyright infringements occurring on the Internet regardless of whether there is financial gain from such infringements. A copyright is infringed when a song is made available to the public by uploading it to an Internet site for other people to download, sending it through an e-mail or chat service, or otherwise reproducing or distributing copies without authorization from the copyright owner. In civil cases copyright infringement can occur whether or not money was exchanged for the music, and in criminal cases there only needs to be a possibility of financial loss to the copyright holder or financial gain to the infringer. The NET Act sets penalties for willful copyright infringement.