The introduction of the internet has brought us into a whole new era, the Information Age.
The Information Age is also known as the Computer Age or Digital Age. The Digital Age is a period in which human history shifted from traditional industry to an economy based on information technology. Undeniably, the Internet has brought us benefits in the fields of business, science, education and others. But the Internet, like any other human invention, is a double-edged sword. It allows us to obtain information with just a single tap and share data almost instantaneously, but it also opens the door wide to crime.
The Internet has created several new forms of crime and made old crimes easier to commit. Examples of cyber crimes are cyber-stalking, identity theft, child pornography, copyright violations, hacking, fraud and scams. The growth in information has given rise to cyber crimes and caused huge losses. Due to the impact of digitization on financial, healthcare, small and medium-sized enterprises and other industries, data breaches have gained more attention. Even though advanced countermeasures and consumer awareness are applied, cyber crime continues to climb. This is mainly because criminals find smarter ways to install disruptive viruses, steal intellectual property, commit identity theft, access financial information and shut down corporate computer systems. In 2016, we witnessed the largest data breach to date in United States history, which amounted to 1093 million with close to 36.6 million records exposed, as online platform Yahoo revealed that hackers stole user data and information related to at least 500 million accounts back in 2014.[1]
The Department of Justice has classified cyber crime into three types.[2] First of all, there are criminals who target the computer. These crimes could be theft of data, hardware theft or the planting of viruses. Computers are used as a weapon to commit crime. Criminals use computers to commit many traditional crimes and get away with it because of their unique nature, which transcends national borders, and their anonymity. Besides these, computers are also used as legal accessories for storing incriminating information.
Computer-related crime involves both software and hardware. In 2003, a survey was conducted by the Container Security Initiative (CSI) with the participation of the San Francisco Federal Bureau of Investigation's Computer Intrusion Squad. The 530 respondents who participated in the survey were made up of United States corporations, government agencies and financial institutions, and 56% of them reported unauthorized use of their computer systems.
A major security service, Symantec, estimates that direct crimes cause companies to lose $114 billion annually, while the cost of recovery from cyber crimes is $274 billion.[3] Cyber crime costs have surpassed the expenses caused by the sale of drugs on the black market. It is an unavoidable risk that all computer and technology users have to face. This is because brilliant computer skills can no longer characterize computer criminals, since children can also download hacking tools online and use them easily.
The issue that arises is whether there are laws that can deal with computer-related crimes. Arguably, the United States privacy system is the oldest and most effective in the world. It relies more on post hoc government enforcement and private litigation. The government of the United States thinks that the security of computer systems is important for two reasons. The first reason is that the increased role of information technology and the growth of the e-commerce sector have made cyber security an essential component of the economy. The second reason is that cyber security is vital to the operation of safety-critical systems and the protection of infrastructure systems.
Critical infrastructure is defined in Section 5195C of the United States Code as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on security, national economic security, national public health or safety.
The three main United States federal government cyber security regulations are the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA). These regulations mandate that healthcare organizations, federal agencies and financial institutions protect their systems and information.
But these three regulations are not foolproof in securing systems and information, as they do not specify which cyber security methods must be implemented and only require a reasonable level of security. As an example, FISMA, which applies to every government agency, only requires the development and implementation of mandatory policies, standards, principles and guidelines on information security. However, these regulations do not address numerous computer-related industries such as Internet Service Providers and software companies.
Furthermore, the language of the three main regulations is too vague and leaves much room for interpretation. Bruce Schneier, the founder of Cupertino's Counterpane Internet Security, states that a company will not make sufficient investments in cyber security unless the government forces it to do so. The effort to strengthen cyber security laws has never stopped. Recently, the federal government has been introducing several new cyber security laws and amending existing ones for a better security ecosystem.
The Cybersecurity Information Sharing Act (CISA) was introduced in the United States Senate on July 10, 2014 and passed in the Senate on October 27, 2015. Its objective is to improve cyber security in the United States through enhanced sharing of information about cyber security threats, and for other purposes. The law allows the sharing of Internet traffic information between the United States government and technology and manufacturing companies. The National Cybersecurity Protection Advancement Act of 2015 amends the Homeland Security Act of 2002 to allow the Department of Security's national cyber security and communications integration center to include tribal governments, information sharing and private entities among its non-federal representatives. The purpose of cyber security regulation is to force companies and organizations to protect their systems and information from cyber-attacks such as viruses, phishing, denial of service attacks, unauthorized access and control system attacks.[4] Other than the federal government, attempts have been made by state governments to improve cyber security by increasing public visibility of firms with weak security. California passed the Notice of Security Breach Act in 2003. It requires any company that maintains personal information of citizens of California and has a security breach to disclose the details of the event.
Examples of personal information are name, social security number, credit card number, driver's license number or financial information. Several other states have followed California and passed similar security breach notification regulations. While giving firms the freedom to decide how to secure their systems, these security breach notification regulations also punish firms for their cyber security failures. In fact, this regulation creates an incentive for companies to voluntarily invest in cyber security. This could prevent companies from suffering potential losses due to a successful cyber attack. In 2004, the California State Legislature passed California Assembly Bill 1950, which applies to businesses that own or maintain personal information for California residents.[5]
This regulation can be seen as an improvement on the federal standard because it expands the number of firms required to maintain an acceptable standard of cyber security. It dictates that businesses have to maintain a reasonable level of security and that these required security practices extend to business partners. Besides this, the New York Cyber Security regulation has been effective since March 1, 2017. This regulation is designed to protect customer information as well as the information technology systems of regulated entities. It requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.[6]
In conclusion, the United States government has been making an effort to introduce stricter laws to equip organizations to secure their data from the latest cyber threats.
However, Bruce Schneier has rightly said that successful cyber attacks on government systems still occur despite the efforts made by the government. This applies to the private sector as well. Lately, cyber criminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. These criminals can cause huge financial losses for Department of Financial Services regulated entities as well as the consumers whose private information may be revealed or stolen for illicit purposes. It would be better for organizations to be proactive about the security of their apps and data, as cyber criminals are always on the prowl and are becoming sophisticated in their approach to attacks.
Therefore, companies should keep a regular check on their systems to identify any vulnerabilities and address the loopholes immediately.

[1] Kelly and Warner. CyberCrime Laws in the United States. Retrieved from http://www.aaronkellylaw.com/cybercrime-laws-united-states/
[2] Federal Computer Crime Laws. Retrieved from https://www.sans.org/reading-room/whitepapers/legal/federal-computer-crime-laws-1446
[3] CSI/FBI Computer Crime and Security Survey (2003). Retrieved from http://www.usdoj.gov/criminal/cybercrime/CSI_FBI.htm
[4] A Glance at the United States Cyber Security Laws. Retrieved from https://blog.appknox.com/a-glance-at-the-united-states-cyber-security-laws/
[5] Cyber-Security Regulation (2014). Retrieved from https://en.wikipedia.org/wiki/Cyber-security_regulation#Reasons_for_cybersecurity
[6] Maria T. Vullo. Cyber Security Requirements for Financial Services Companies. Retrieved from https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf