INTRODUCTION

This course addresses the laws, regulations, authorities, and directives that inform the development of operational policies, best practices, and training. These standards assure legal compliance and minimize internal and external threats.

In this task, you will analyze legal constraints and liability concerns that threaten information security within the given organization and develop disaster recovery plans to ensure business continuity.
SCENARIO

Review the attached “TechFite Case Study” for information on the company being investigated. You should base your responses on this scenario.
REQUIREMENTS

Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. The similarity report that is provided when you submit your task can be used as a guide.

You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.

A. Demonstrate your knowledge of application of the law by doing the following:
1. Explain how the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act each specifically relate to the criminal activity described in the case study.
2. Explain how three laws, regulations, or legal cases apply in the justification of legal action based upon negligence described in the case study.
3. Discuss two instances in which duty of due care was lacking.
4. Describe how the Sarbanes-Oxley Act (SOX) applies to the case study.

B. Discuss legal theories by doing the following:
1. Explain how evidence in the case study supports claims of alleged criminal activity in TechFite.
a. Identify who committed the alleged criminal acts and who were the victims.
b. Explain how existing cybersecurity policies and procedures failed to prevent the alleged criminal activity.
2. Explain how evidence in the case study supports claims of alleged acts of negligence in TechFite.
a. Identify who was negligent and who were the victims.
b. Explain how existing cybersecurity policies and procedures failed to prevent the negligent practices.

C. Prepare a summary (suggested length of 1–2 paragraphs) directed to senior management that states the status of TechFite’s legal compliance.

D. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.

E. Demonstrate professional communication in the content and presentation of your submission.

TechFite Case Study: Legal Analysis
TechFite is a hypothetical company facing legal action because of various forms of criminal activity carried out by its employees. The legal analysis of the case involves understanding how the Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA) relate to the case. It also involves identifying three laws, regulations, or legal cases that justify legal action based on the negligence at TechFite. Additionally, it examines the absence of the duty of care and the application of the Sarbanes-Oxley Act (SOX) to the case.

The CFAA is important in this case because it criminalizes fraudulent activity involving protected computers. TechFite works with several internet-based businesses, which means its operations involve computers used in interstate or foreign commerce; these are protected computers under the CFAA. The discovery of the Metasploit tool, together with evidence that it was used in the recent penetration and scanning of those internet-based companies, demonstrates a violation of the CFAA. Unauthorized access to protected computers in order to defraud or cause damage is a violation of the CFAA. The ECPA, on the other hand, restricts access to stored electronic communications unless consent has been given. TechFite’s employees violated the ECPA if they used the Metasploit tool to access the stored electronic communications of other companies.

The legal action against TechFite is justified through the application of three laws: the CFAA, SOX, and the ECPA. TechFite violated the CFAA by allowing its employees to exceed their authorized access in order to obtain information from protected computers. The marketing/sales unit was also negligent in failing to separate duties and implement least privilege, which allowed a single individual to create a sales account and then report and post sales on that same account. TechFite violated SOX by allowing employees unchecked access to the financial reporting system. The lack of oversight of the Business Intelligence Unit violated various provisions of the ECPA.

The absence of the duty of care was evident in TechFite’s failure to safeguard client information and its failure to audit user accounts. Duty of care would be demonstrated through preventive controls that block the unauthorized transmission of client information, combined with the detection of and response to any attempts. The disclosure of proprietary information to competitors, in breach of the NDAs with Orange Leaf and Union City Electronic Ventures, would have been prevented. In the second instance, account auditing would have prevented several of the issues in the Business Intelligence Unit.

SOX applies to this case because it aims to protect investors by ensuring that publicly traded companies produce accurate financial reports. TechFite failed to establish and maintain an adequate internal control structure and procedures for financial reporting, which resulted in a lack of oversight, structure, and reliable financial reporting. Therefore, TechFite violated SOX.

Ultimately, the legal analysis of the TechFite case involves understanding the CFAA and the ECPA, identifying three laws that justify legal action based on the negligence at TechFite, examining the absence of the duty of care, and applying SOX.

