Legal Considerations
Video Activity

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
We've covered prior sections on governance and risk, and now we're going to shift gears a little bit and talk about some legal considerations. Now, with that being said, we're going to look at some legal considerations with a United States-based focus, so we'll talk about the different types of laws here: criminal, civil, and regulatory. But I want to stress to you, this exam is an international exam; it's not just for folks that are in the US. With that being said, I'm going to cover this next section, but I really don't expect you to see a lot of US-based specifics. With the rules associated with criminal law, civil law, regulatory law, I think you're not as likely to see this on the exam. What I do think you're going to see more of on the exam is in our next section, which is on intellectual property law, but we're going to cover this just in case.

Here in the US, our three main types of laws that we're going to focus on are going to be criminal, civil, and regulatory, but then, like I said, in the next section we're going to cover intellectual property law.

Criminal law. When we talk about criminal law, what we're talking about is basically crimes against an individual or an organization, and there are various penalties associated with criminal law. We can certainly look at fines, but also jail time; even the death penalty could result from being convicted under criminal law. Because the penalties are so harsh, the burden of proof is beyond a reasonable doubt.

Now, in computer-related crimes, this is a very high burden of proof, beyond a reasonable doubt. If you think about maybe prosecuting a crime that's computer-based, anytime your evidence is primarily technical, digital evidence, this is going to be tough to convince a district attorney, a judge, a jury of the veracity of this evidence, the integrity of the evidence. It will be difficult because you'll have to have experts help these folks to the conclusion. It's difficult. Anytime I don't understand something, I have doubt, and there's the doubt that may make it impossible to get a conviction in criminal law.

Now, criminal law is divided up into felonies and misdemeanors. Felonies are certainly the more serious of the two, and a lot of times felonies result in incarceration or jail time. Misdemeanors usually are reacted to with financial penalties or fines, but can result in jail time, just depending.

A lot of times we don't necessarily think of computer crimes and immediately go to criminal law, though we're seeing that more and more; we're seeing a lot of ransomware attacks that are having some devastating consequences. We've seen in this past year attacks on our infrastructure; we've seen food processing companies, and we've seen pipelines, gas supply, fuel supply being targeted. These are certainly criminal actions, and should we be able to apprehend the attackers, then certainly they would face time in criminal court.

Now, the next type of law we would look at would be civil law, also known as tort law. You can see that the burden of proof is much lower. Instead of beyond a reasonable doubt, we have the preponderance of evidence. The preponderance of evidence suggests this happened this specific way. Really, that's just another way of saying the majority of evidence. Here, this is where there has usually been harm to a person or, again, to an organization; we might see liability charges come up in civil law. Where maybe a CEO didn't protect company assets appropriately, then they might be sued for failure to use due care and due diligence, so that would fall under civil law. Because the burden of proof is lower, a lot of times we might see someone who is acquitted in criminal law then be tried under civil law and found guilty just because of that lower burden of proof; but from our perspective, our big concern here is this is where liability charges are brought.

Now, there are certain types of damages that are usually awarded. Compensatory damages: these are paid for your actual loss, so a certain amount of money that was lost based on my liability would be repaid. There's also, and these can be high fines as well, these punitive charges, as a punishment for the offender; sometimes it includes deterrence for other folks in the same industry. Then there's statutory damages, where there's maybe a specific amount of fine that's associated with a particular violation. But that's civil law.

Then we have administrative law, sometimes referred to as regulatory law. This is where the regulations come into place. As we mentioned before, the US doesn't have any federal regulations on privacy, but they do have regulations directed at particular industries. If we were to talk about HIPAA, for instance, that's for healthcare organizations, healthcare insurance companies as well, in relation to protecting privacy of data. You can see I've got Basel II here and the Energy Act of 2005; we could also think about Gramm-Leach-Bliley, which is to protect privacy in banking. Well, PCI DSS actually isn't law; it is a standard created by the credit card company and it's enforced by contract, not by law, so that doesn't fall under this category, but it's the same idea: it's these particular requirements directed towards specific industries. The burden of proof is more likely than not, so again, not nearly as high a burden of proof as would be in criminal law. Usually, the penalties here are most frequently financial, but for the more egregious violations could be imprisonment as well.

Here we just looked at specific types of law here in the US: criminal, civil, and regulatory. The laws that are directed towards information security: we talked about how computer violations could result in criminal, civil, or administrative violation of law. Again, though, I don't want you to spend a ton of time here. I want you to focus more of your efforts elsewhere; I want you to have a good understanding, but most of our efforts are going to go into the next section, because intellectual property is really where they're most likely to ask you.