CCT 160: Contractual Law, Cybersecurity Legislation, and Computer Crimes (CISSP Domain 1)
Jul 22, 2024
How does understanding the legal landscape in cybersecurity elevate your professional game? Join us on this episode of the CISSP Cyber Training Podcast as we unpack the complexities of civil, criminal, administrative, and contractual law. Learn how each legal category influences risk assessments, organizational policies, and legal prosecutions. We'll guide you through the nuances of civil law's role in resolving non-criminal disputes, the severe implications of criminal law, and the critical importance of maintaining proper logs for legal conformance.
Discover why precise contractual language is essential for protecting your organization in the event of a data breach. We delve into the importance of collaborating with legal experts when drafting contracts and examine key intellectual property areas like trademarks, patents, and trade secrets. Protect your brand from domain name scams and safeguard valuable business information from impersonation and counterfeiting with practical steps and real-world examples.
Finally, we delve into the pivotal laws that shape cybersecurity practices today. From the Computer Fraud and Abuse Act (CFAA) to the Electronic Communications Privacy Act (ECPA), understand how these laws aid in prosecuting unauthorized access and fraudulent activities. Explore the significance of the Economic Espionage Act, the Electronic Funds Transfer Act, and the UK GDPR in modern transactions and international business operations. Don't miss this comprehensive episode packed with invaluable insights for your CISSP preparation and professional growth in the cybersecurity field.
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go. Hey, all, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a great day today.
Speaker 1:
Today is a beautiful Monday. We are going to be talking about some amazing things that are happening, and they are things that will keep you so awake and so riveted that you will not know what to do with yourself. You won't be able to sleep at night, I guarantee you it. Just, you can't sleep after you hear about legal stuff. Yeah, legal stuff. It always will keep you awake, no matter what. Yeah, no, it makes you fall asleep, makes me fall asleep. So we're going to try to add a little spin to it today, because we're in domain one and we're going to be talking about aspects related to the various pieces around contractual law, cybersecurity legislation, computer crimes acts and the like. Yes, it's going to be riveting, so we definitely need to stick around because it is going to be amazing. Okay, so we're going to break this into, really basically the four categories of law that you can see. Now, we're going to get into a little bit about law and about the intellectual property pieces and then we're going to roll deeper into each one of these various laws and acts that are out there that you may potentially see on the exam.
Speaker 1:
Now we've got there's for the four types you have civil, criminal, administrative and contractual. Okay, so of those four you will typically see, I mean you'll deal with all of them. You might not deal much with the criminal aspect, just because that's usually when it goes down that path. I've had at one time in my entire career where I've actually had to deal with the criminal law piece around cybersecurity, but in most cases you will deal with civil, administrative and contractual law as a CISSP, unless you get into the law enforcement environment, then you probably deal a lot more with the criminal law piece of this.
Speaker 1:
But civil law, this really focuses on resolving the non-criminal disputes and this includes contracts, properties and torts. Now, what that really comes down to is that if, say, for instance, I am a cyber criminal and I'm going out and I steal all this money electronically from an organization, I can be tried from a criminal law perspective and therefore the state will have the opportunity to come after me in that regard. But they also have the individuals that have been hurt by this can attack me from a civil law perspective and they can come after my family, they can come after my business, all of those pieces from a civil standpoint but is focused on the non-criminal dispute. So, in the case that I just kind of mentioned is that if I took money from some people the aspect of, say, it was a retirement account well, the overall one I took their money. Two, the anguish and the stress that it caused to them. They can sue me for that. They can turn around and come after me from two different directions and this also is a big factor that if okay, you get off on the criminal aspect. So now the state does not find me guilty of any criminal wrongdoing. However, there was enough that because, again, when you're dealing with criminal, it's beyond a shadow of a doubt here in the United States. But there was enough doubt to think that, yeah, maybe Sean did have his fingers in the cookie jar, but we can't really prove it. That's where the civil part will come after you on. Now, when you're dealing with the CISSP and civil law, it's very useful when it comes to risk assessments, contractual information and then also ensuring that your organizational policies are meeting any sort of civil law compliancy. You want them to meet those. If you have that, so that's how the CISSP you can come in and start looking at those pieces.
Speaker 1:
As it relates to the CISSP, when you're dealing with criminal law, this is again. These are crimes committed against the public or the state and they often involve penalties, which includes imprisonment, and therefore you can be breaking big rocks into very little rocks. And if you're not familiar, what that means is in the United States we used to have hard labor and you would go out and work on a chain gang and you would then basically do roads and infrastructure and all those kind of pieces. I don't know if they really do that so much now, but if you did get yourself in a position where you were under a criminal aspect, you could be doing hard time and that means you could go for away for a long period of time years and just because you decided to do whatever, that is, listen to people, hack people, scam people all of those things can happen, so there are consequences for those actions. Now, how this can also happen from a security standpoint. As a CISSP goes, you could serve as an expert witness and maybe in a criminal case involving hacking, you also could provide. This helps provide some level of understanding of how you might deal with an incident response process. I would say that I've learned that through the CISSP's, or through my certification, that I would work with my logging and monitoring folks to make sure that I restore and maintain the right amount of logs so that I have a case in which I can go and legally prosecute against an individual. So, as a CISSP, you're going to need to know that, understand why criminal law is important, not just the fact that the police are going to take care of this. You're going to have to help them take care of it with the logs and the understanding of the data itself.
Speaker 1:
Next one is administrative law. This is where you're dealing with public administration and regulatory agencies. This could come into when you have to deal with data protection laws and how they're implemented, and then how you have to deal with the administrative bodies as it relates to administrative law, you want to make sure that maybe your policies and procedures are compliant with the government regulations, and that's how administrative law is important. As it relates to your CISSP, you need to make sure that you follow these laws based on the government regulations that are there, and there are fines that can be imposed upon you and potentially, depending on how egregious the problem is there could be could follow on to have some sort of criminal prosecution being made of you, depending upon the situation. Then you have contractual law. Now these are between two parties. This is really like an obligation between a vendor and the overall consumer. This is what you would get within these various contracts.
Speaker 1:
Now, as a CISSP, I'll tell you I have gone through multiple contracts as it relates to how we're going to work with a company and your background in understanding how the security systems work, as well as the contractual language. Working with lawyers will be extremely helpful when you're drafting up this verbiage, because in some cases, when you're dealing with security tools or maybe even people that are storing and controlling your intellectual property, you will want to make sure that you have the right contractual agreements in place with them to ensure that, if they lose your information, there are some ramifications to the company and those can be quite stiff. They can be very severe. But in many cases, what I've learned is that if you don't have a security person or an IT person who understands security helping draft some of these contracts, especially as it relates to data privacy and data protection, you can be in a situation where they lose the information, the vendor and now you have no recourse to be able to try to get any sort of money compensation. In many cases you could actually take the entire company if the loss is that egregious. So it's important that you, as a CISSP, are tied into contractual laws. So, again, the main three types of laws, or four types of laws you need to be aware of, are civil, criminal, administrative and contractual law.
Speaker 1:
Okay, quickly, we're going to move into intellectual property and of intellectual property, there are three main areas we are going to focus on. It is trademarks, patents and trade secrets. So the reason I'm bringing these up before we get into some of the legal aspects is that they all tie together. Some of these acts protect these various aspects around intellectual property and around the civil, the types of law that are out there and that you have to maintain. So trademarks are the intellectual property for branding elements, such as logos, names and designs, and they are designed to protect your organization's unique identity within the market. Coca-Cola, Kentucky Fried Chicken, the Chelseas, the soccer team, the football team, right, depending on who you talk to. All of these have a brand on the market.
Speaker 1:
They have recognition, so that is a trademark, and those are highly protected. They're highly sought after. You have very tight requirements on utilizing a trademark. If you notice that you'll go to watch a show, a TV show, they may have the Apple logo hidden there because they didn't get approval to be able to use that Apple logo and that has to be done prior to filming. If they don't have that done, they have to cover it, and that can happen in a lot of different areas. Now the goal is that you have to protect the brand from impersonation attacks, counterfeiting and so forth.
Speaker 1:
Now, from a cybersecurity standpoint, not just the logo but the domain name is a big factor. Nike.com, Apple.com, all of those are brand names. They are trademarks and therefore you need to work to help protect those. I've been through plenty of conversations with lawyers around protecting the domain name and people scamming the domain name. So you'll say, let's say golf.com. Okay, that's where you hit the little white ball, golf.com. Well, you could make a change of calling it g0lf.com, and that looks like golf.com, but it's actually not. And so now you have to deal with the legal ramifications of somebody trying to scam your brand name of golf.com.
Speaker 1:
So it's just important that, as a cybersecurity professional, you need to be aware of how do you mitigate these issues, how do you resolve them? Is there any sort of legal recourse? And you'll have to work with your lawyers to help you in that space. If you're in a large company, you maybe have more capability to get recourse. If you're in a smaller company, you may have a lot less and you may have to just work with the domain controllers, the domain, I can't think of the name, the folks that maintain your domains, your domain, your GoDaddys, your all of those folks. You're going to have to work with each of them to ensure that you can remove that domain name, and that's one of the main processes you would do is through the domain people. I know there's a name and I'm gonna think about it once we're done here. But once you work through those folks, the registrars of these domain names, they will help tear them down and help you remove those. But I will tell you that takes a lot of time just to remove a domain name from someone that's scamming you. Yeah, it takes way longer than it should. They're really good at responsive and they do a great job getting at it, but I've seen it happen within a few days. I've also seen it take a couple months, so that takes time.
Speaker 1:
Patents: another thing around patents is you typically have exclusive rights over your invention for a period of 20 years and there is a temporary what we call a monopoly on that. But it's designed to help protect you, the person who came up with the design, so that people cannot infringe on your design and what your capability is, and so therefore, it's important that you provide and it does allow you to get your foot in the market. So I'll use an example. If you have the lightning connector on your phone, well, when those come out, that lightning connector that was patented and that patent was good for 20 years, and you see a lot of people doing knockoffs off of that connector. They're not as good as the original, but they'll do knockoffs off of it. Now, legally, can you attack those people for taking your design? Yes, you could. However, because connectors are so widespread, you may choose not to do that. I don't know. But if there's that connector, you have that patent for 20 years that allows you to make changes to it and no one else can, unless they can't remarket it or rebrand it unless they get approval from you and, in many cases, will pay you some level of a royalty to be able to do that. So, as a CISSP person, there are plenty of implications that I deal with. Almost for the past 20 years that I've been doing cybersecurity as it relates to patents, and I've worked with R&D folks. You work with your legal teams to help around patents related to cybersecurity and around to your company. Trade secrets: these are the legal protection for confidential business information and or the processes.
Speaker 1:
Right, let's go for the process of Coca-Cola the drink. So you have Coca-Cola. There is a very specific process and a very specific formula by which they create their signature flavor. It's very well protected and they do not like. I don't know how you can gain access. I think there's like three people in the company that know how to know the actual formula and therefore that entire process, from the point of what are the flavorings to what are, how do you put the right amount of carbonation in there. All of those aspects are considered what they call a trade secret. Now you have NDAs that can help with that. Are people that are working on that saying that non-disclosure agreements? In those non-disclosure agreements, if I work with Coca-Cola, I cannot talk about how Coca-Cola does this process. Now, typically you'd have contractors that may work on aspects of the overall process, but these folks would only know a piece of it and I would have to sign an NDA saying that I know the amount of carbonation that goes into the Coca-Cola drink. If I'm smart from a data protection standpoint, no one person has all that information. You break it out amongst multiple people so that if the information does get out, it is limited to just a very small subset of individuals.
Speaker 1:
Okay, so let's get into some of the computer crime laws that are out there. So the first one is the Computer Fraud and Abuse Act, the CFAA. Now, this came out in 1986, and it does involve computers and computer systems. It is designed to protect the confidentiality, integrity and availability of the data within these systems, and the ultimate part around the Computer Fraud and Abuse Act is that it provides a way to prosecute people from having unauthorized access or exceedingly allowed access to computer systems. So it does have a very wide range of offenses that fall in it. This would include standard hacking, includes unauthorized access and then computer based fraud.
Speaker 1:
So if you have individuals that are utilizing your computer systems, say you have an employee that is using it for some level of fraud, the CFAA could be used against them. And so there's the aspects around. That is that if you have legal counsel and say you have an individual who has elevated access, but with their elevated access they utilize it to cause an encryption event at your facility, you could come after them with the CFAA because they had the rights to do it, but they turned around and used it for unauthorized access or exceedingly unauthorized access to that environment, and CFAA would be one of the things that you would go against them for. So again, and you're going to have to as a security professional they may come up to you. Your lawyers may say well, what are some of the options I have and you may have to provide that for them. So just keep in mind that's why you learn these things. I know they're boring and you're like I can't remember all these. That's okay, because the cool part is you can come to CISSP Cyber Training and I have these. You have this stuff is available to you, but at the end of the day, you have lawyers. Your lawyers will be the ones that will help you with this process. You do not have to do it. However, you need to understand what is the kind of information you need to provide to them.
Speaker 1:
Another one is the Electronic Communications Privacy Act, or ECPA: Echo, Charlie, Papa, Alpha. Now, this was passed in 1986 to regulate governmental and organizational wiretaps. Now they used to have the wiretap law that was out there and I used that for a long time, and there's different types, because this ECPA focuses on the electronic communications piece of this, but then there's also a wiretap law that can be utilized as well. Now I want to also preface this as I'm going into these conversations. One, I'm not a lawyer. I do not play on TV, nor do I practice law anywhere other than talking about it on CISSP Cyber Training, and I'm telling you this because I've had lawyers come up to me and say you need to make sure that you tell people you are not a lawyer, and that's true. I'm not a lawyer, but I play one on TV, no, so the point is is that you need to if you have questions, these laws will change these laws.
Speaker 1:
There may be ones that supersede it. You need to have legal counsel help you when you're working through all of these types of law legal aspects. Do not just go out and think you can do this on your own. One, your company will not be happy with you and two, it could get you into a lot of trouble. So make sure that you work with legal counsel on all aspects around legal issues.
Speaker 1:
But back to the ECPA, some guidelines around that would be this gives organizations the legality on monitoring employees' email and online activities. So people, I've had people come up to me and say what gives you the right to watch my email? What gives you the right to potentially get into my Teams calls and the recordings around my Teams calls? This would be one that would potentially give you the ability, from a legal standpoint, that allows you to do that. The other part that helps is your policies that you already have defined for individuals saying what you are monitoring and how you are monitoring it. That, along with these various laws, does give you the ability to have some level of control on the monitoring that goes on within your organization. That in mind, that does not mean that you have you can carte blanche listen to everything and everybody of what they're saying. You have to have justification behind it and you need to have your legal, your HR teams and your compliance teams all on board with any of these aspects.
Speaker 1:
It does impose some requirements on law enforcement agencies to obtain warrants or other court orders for wiretaps or electronic surveillance. So you see this on the news or on TV, where you got to get a warrant to do that. That is true, you do. Now I will say, and this is what I've used in the past, it may have changed since then, but you can record conversations with one or more people as long as at least one person on the call is aware that the recording is occurring. Now you'll notice, though, if people do a lot of Zoom calls now and Teams calls, they will have disclaimers out there saying, hey, this is being recorded. If you don't like it, leave. And that's, I think, is really valuable, especially for an organization to have that type of disclaimer out there for people that are on these calls. Because it does one, it protects the company and two, it's just being upfront and transparent with folks that calls are being recorded.
Speaker 1:
The Economic Espionage Act of 1996. Now this is a federal law that addresses theft or misappropriation of valuable business information, including trade secrets. It does criminalize the theft of trade secrets for your economic or commercial benefit. So that's the Economic Espionage Act of 96. So if you have someone it's an insider that decides he wants he or she wants to steal information from your company, you can nail them with the CFAA and you can nail them with the Economic Espionage Act of 96. That possibly right I'm not saying you can't in all cases, but possibly you could do that and so it's important, especially as this is where you're dealing, to protect American businesses. But each country may have something very similar to this and therefore, well, you could have, let's say, a situation where you are an Australian company and you put your IP in the United States because you want to build relations with the Americans, while somebody in the United States steals your IP and gives it to somebody else, that would fall under the Economic Espionage Act of 96. And therefore, anybody that would be that insider, that American, that was the insider that was selling the Aussie information would be held responsible under this act. Now he or she may also be held responsible under an Australian act as well, and then that's where the FBI and all the fund folks come together to figure out who's going to hammer them worse. Is it someone in Australia or is it someone in the United States?
Speaker 1:
The problem is with all of these and this is why you as a security professional are so valuable and you need to really work with your teams to help understand and convey this to your senior leaders is because once that information leaves the company, it's on its own right, who knows where it goes. But if you have a good data protection strategy and you are the person responsible for protecting that information, you become extremely valuable because you go okay, the information left. That's not good. We may miss some of it, but for the majority of it, yeah, we're good. That part of it is extremely valuable for a company. So this is why you need to work very closely with your legal teams to understand the protection mechanisms and they understand the protection mechanisms and that your senior leaders are understanding what is the risk that they want to mitigate. Because if you do that, if you do this well, you can provide a lot of value for people. And this is where people talk about in the cybersecurity space. They go well, cisos are making gobs of money $300,000, $400,000, $500,000, and they are and as a CISSP, that opens that up for you to have that ability to potentially do that. But for that to occur, you have to bring a lot of value to the table. You have to be able to give the companies the ways and means to protect their data, their people and their information in a way that is providing that level of value, and there's plenty of people that are doing that.
Speaker 1:
Now, the UK Computer Misuse Act of 1990. Now, this is done up by the United Kingdom and this unauthorized access to computer systems is addressed by the Computer Misuse Act of 1990. It makes it a criminal offense to access computer systems without authorization. So again, it's very similar to the CFAA and that is within the UK. I know the EU has other policies that are similar to that. I just kind of pulled, grabbed one from the UK because I have a lot of people that listen from the UK. This does give legal recourse against hacking, unauthorized data access and the distribution of malware. Again, a very wide range of cyber crimes will fall under this UK Misuse Act of 1990.
Speaker 1:
The US Patriot Act this is one that's come out in the United States after the 2011 terrorism attack that occurred on 9-11. And what it does is it allows the government to allows companies to store and collect information, especially and share this with government agencies. Now, this isn't I can't remember if it's been reapplied or not. I think they've toyed with it back and forth, whether they're going to continue it, but bottom line is is that if the US government came up to me and my company and said, hey, we want to, we want this information, then the company doesn't have to provide that information, unless there is some sort of legal recourse. And that's where the lawyers would come in and say the government would say we want this information and here's why, and then you would have to provide that information to them if they had the legal basis to request that information.
Speaker 1:
It's been like everything that deals with the government and with any government is. It starts off probably very benign and focused on a very specific need and reason. Unfortunately, it has spread and has gone in some cases beyond its initial charter. Many people in the United States here are not big fans of the Patriot Act. I'm not talking for my company or any companies I've represented. I'm talking just to people in general. We are not big fans of it just because there is protection. I get that, but there's also. It has gotten to the point where it's so much data sprawl that they suck in all kinds of information which then starts really warranting down the path of data privacy. So that's the part where you gotta. It's that fine line you have to play is working with the governments and working with other legal entities on sharing this information with them. So, yeah, it's fun, right, as a cybersecurity professional, you will deal with all of these aspects.
Speaker 1:
The next one is the CAN-SPAM Act. Now, this is commonly referred to as the CAN-SPAM, but it's basically Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003. What it basically does is it regulates commercial email communications and it gives you the ability for recipients to opt out of this option. So, if you see the unsubscribe piece of this, this falls into the CAN-SPAM Act. Now, you do unsubscribe, like you all know this. You do the unsubscribe but somehow or another, my name gets put added back on the list and yeah, that just is so frustrating and it comes down to you didn't check the one box that you're supposed to have checked to get your name removed. But it does allow you to reduce the amount of spam that you get on a routine basis, and this is where you need to understand how the compliance around the CAN-SPAM Act works to ensure that it does align with your legal requirements and your email practices. So, if you have, you do marketing emails to people, you need to be aware and you need to ensure your marketing people are aware of this, which I'm sure they are, that they have to have the ability to do an opt-out or unsubscribe from these email marketings. If they don't do that, they could be in violation of the CAN-SPAM Act and therefore there are some ramifications that come to that.
Speaker 1:
The next one is the Electronic Funds Transfer Act. Now this was done in 1978, and this makes it a federal law in the United States and it provides protections to consumers conducting electronic fund transfers. And obviously in 78, you're talking ATM withdrawals. But now you've got point-of-sale purchases, electronic bill payments, Venmos, your Stripes, your all this stuff. You've got all of that out there. This would fall if there was violations around. It could potentially fall under the Electronic Fund, the Electronic Funds Transfer Act. Now it does set limits for consumers on cases where there's unauthorized transactions or errors.
Speaker 1:
One thing to consider is if you use a credit card, a lot many of the credit card companies have been absorbing these expenses, you know. So you get someone steals your credit card, runs up a $50 fee, $100 fee. The credit card agencies and companies have been absorbing these costs in many cases, but that isn't always the case. Now you get into more of a debit card where they're pulling right out of your bank account, even that there's some restrictions around that as well.
Speaker 1:
The great part around the cybersecurity piece of this is the fact that now any transaction that occurs you can get almost instantaneously. If it is not around something you purchase on a routine basis it will flag as fraudulent and it's really saved. It saved me money big time because I've had people that have used my card and have stolen money out of my account. But it limits it to a very small amount and it also protects the banks themselves. I was talking to a banker friend of mine here in our local community and he came up to me and he asked what I did for a living and he said that's amazing, because he goes everything I do in the banking industry is all cybersecurity. It's all that way. So you guys that are out there listening right now, you are in a great career field to be able to do so many great things and to be able to earn the potential earning that you want, as well as provide a great service for lots of companies.
Speaker 1:
I'm going to roll into the Stored Communications Act. This is SCA. Now this is part of the Electronic Communications Privacy Act, the ECPA that is in the United States, and this deals around disclosure of stored wire and electronic communications. Now this addresses basically the privacy and legal considerations related to accessing or disclosing electronic data. So again, it's the Stored Communications Act, which is tied to the ECPA, focus on privacy. That's the main piece of this Now. It affects how companies store emails, messages and other forms of electronic communications, and it will define the circumstances and what is the legal process by which you can disclose this information in an electronic stored communication media. So it's just important for you to understand how the ECPA and the Stored Communication Act allow you to share information with other people.
Speaker 1:
What it also really comes down to is we know people share information back and forth all the time. If you do this inappropriately, you could get nailed with this and you don't even really realize it. But the ultimate goal is you must be aware, as a CISSP, around the legal requirements and limitations regarding the disclosure of electronic communications, especially when you're handling legal requests. And I come back to this is that if, when in doubt, ask the question. If you have any semblance of doubt, ask the question, especially in these legal areas, and you're sharing information both from a private standpoint and from an intellectual property standpoint. Ask lots of questions, okay.
Speaker 1:
So the last two I'm going to focus on is Data Protection Act in the UK and the Identity Theft and Assumption Deterrence Act, so the Data Protection Act in the UK. This is a governing data protection, primarily refers to the Data Protection Act of 2018 and the UK GDPR, which is your General Data Protection Regulation. Now GDPR, if you guys are all aware of GDPR, GDPR allows data to be shared amongst multiple people, but it also allows them to be forgotten if they don't want this data to be shared. It also allows for anonymization of the details that are associated with that data. Now, the Data Protection Act of 2018 is designed to protect the privacy and the rights of individuals in the UK regarding the processing of personal data, so it's important that you understand that there's the GDPR of this, which is your data protection regulation, but there's also the Data Protection Act of 2018, which is a rider that goes along with that GDPR, and it's important for you to know how they all play.
Speaker 1:
If I have GDPR, I just can't assume. Well, that's all encompassing and covers everybody. You have to understand the other acts that potentially could affect GDPR as a whole. It does set standards and requirements for the collection, storage and use of personal information, including the rights of individuals to control their data. If you want to be forgotten, you should have the ability to do that, and so, therefore, it is important for you to understand that businesses and international companies conducting business in the UK must comply with these various data protection laws. Now, this doesn't just apply to the United States. There's art into UK. China has a very similar type law, which is PIPL, which is the personal identifiable privacy legislation. I think that's what it is, and the PIPL law is also tied into a lot into data privacy and data regulations. Again, the difference is China is more for the state and within the UK it's more for the individual.
Speaker 1:
And the last one we're going to get into is Identity Theft and Assumption Deterrence Act. Now, the Identity Theft and Assumption Deterrence Act, or ITAD, was enacted in 1998. And it basically identifies it as a federal offense or potentially a felony for knowingly transferring another person's identification for unlawful purposes. So, basically, if you're stealing people's information to try to use it to get money, to get whatever you're trying to do with it, you could be held under a fine, not under a fine, but under a felony that you could go to prison on a criminal law and be able because of the fact that you're trying to knowingly steal individuals' information. So it prosecutes individuals who engage in identity theft, which involves someone's personal information without authorization. I saw this happen. I think it was in Uganda or Nigeria, somewhere over in Africa.
Speaker 1:
The FBI actually took, or they worked with, that government and they were able to capture these individuals and then extradite them to the United States and they will then basically penalize them or put them under court to charge them with these types of laws, especially with the Over Identity of Theft and Deterrence Act. Now, one of the things that comes into this is the government will look at various laws that are out there and they will throw the most painful one at them, which one that they think that they can actually prosecute and win. So you may get multiple, hopefully this isn't you, hopefully you never have to deal with this, but you may get multiple counts put against you with various different legal aspects, and then they're going to look at which one, one, has the hardest time that's associated with it, or two, which one do they know they for sure can win against you, and then they will start working on you. The ultimate goal is once you're in that position, odds are not good you're going to come out of this unscathed.
Speaker 1:
If you do, from a standpoint that you were able to get off, you probably have a lot of legal fees that you're going to have to pay back. So the overall plan for this and the recommendation is use your powers for good, not evil. Do not do bad stuff. If you do bad stuff, you may have short-term gain, but you will have long-term consequences because it will come back and bite you at some point in time. As it relates to the CISSP, you need to really understand how do these work together and you need to make sure that your policies and practices that you have in place for your company make that they fit in line with what the Identity Theft and Deterrence Act meets. So if you're sharing data amongst your people, you need to have policies around why you're doing that, and you also need to have the ability to do that in a lawful way. Again, work with legal counsel to ensure that you are meeting all of these requirements as you're sharing data back and forth. All right, that's all I've got for you today. I hope you guys have a wonderful day.
Speaker 1:
I know this was a bit dry, probably a little hard, but when it comes right down to it, all this information is available at CISSP Cyber Training. You can go there and get this information. Also, one thing I'm looking to be bringing out, a coaching program is going to be happening at CISSP Cyber Training. I've had numerous people ask me if I want to be coached, what is that going to take? And this comes down to career coaching. One, helping you get through the CISSP, which is the first step, but then the second, second and ongoing steps are helping you in a coaching environment to help you with resumes, to help you with your career, to help you with interviews and to help you gain you in that experience that you need to be successful in the cybersecurity space. I mean it. You have the potential to make significant amount of money for you and your family, and let me help you do that at CISSP Cyber Training. All right, I hope you guys have a wonderful day and we will catch you on the flip side, see ya.