2 cissp ® Official Study Guide Eighth Edition

130
Chapter 4 
■
Laws, Regulations, and Compliance
modern type of crime was too far a stretch. Legislators responded by passing specifi c statutes 
that defi ned computer crime and laid out specifi c penalties for various crimes. In the follow-
ing sections, we’ll cover several of those statutes. 
The U.S. laws discussed in this chapter are federal laws. But keep in mind 
that almost every state in the union has also enacted some form of legis-
lation regarding computer security issues. Because of the global reach of 
the internet, most computer crimes cross state lines and, therefore, fall 
under federal jurisdiction and are prosecuted in the federal court system. 
However, in some circumstances, state laws can be more restrictive than 
federal laws and impose harsher penalties.
Computer Fraud and Abuse Act 
The Computer Fraud and Abuse Act (CFAA) was the fi rst major piece of cybercrime-specifi c 
legislation in the United States. Congress had earlier enacted computer crime law as part of 
the Comprehensive Crime Control Act (CCCA) of 1984, but CFAA was carefully written 
to exclusively cover computer crimes that crossed state boundaries to avoid infringing on 
states’ rights and treading on thin constitutional ice. The major provisions of the original 
CCCA made it a crime to perform the following: 
■
Access classified information or financial information in a federal system without 
authorization or in excess of authorized privileges 
■
Access a computer used exclusively by the federal government without authorization 
■
Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to 
gain use of the computer itself) 
■
Cause malicious damage to a federal computer system in excess of $1,000 
■
Modify medical records in a computer when doing so impairs or may impair the exam-
ination, diagnosis, treatment, or medical care of an individual 
■
Traffic in computer passwords if the trafficking affects interstate commerce or involves 
a federal computer system
When Congress passed the CFAA, it raised the threshold of damage from $1,000 to 
$5,000 but also dramatically altered the scope of the regulation. Instead of merely cover-
ing federal computers that processed sensitive information, the act was changed to cover all 
“federal interest” computers. This widened the coverage of the act to include the following: 
■
Any computer used exclusively by the U.S. government 
■
Any computer used exclusively by a financial institution 
■
Any computer used by the government or a financial institution when the offense 
impedes the ability of the government or institution to use that system 
■
Any combination of computers used to commit an offense when they are not all located 
in the same state

Laws 

Download 19,3 Mb.

Do'stlaringiz bilan baham: