Estonia sets up Cyber Defense Unit

2011.01.26

Estonia is best known for the cyber attacks its systems have faced, most prominently in 2007 and then again in 2011.

It now hopes to counter the damage such attacks cause by creating its own cyber defense unit.

Recently, cyber crime struck the European Union as a whole once again, in the form of attacks against several EU greenhouse gas emission registries.

This latest bout of attacks has prompted Estonia to take a firm stand against cyber crime. The cyber defense unit has been created with the intention of gathering IT experts and having them build better IT security systems.

In a recent order, the Estonian Government stated that the unit will endeavour “to employ their initiative and know-how in protecting the constitutional order”. Until now, Estonia has relied only on an informal network of experts to do this work.

The Estonian Cyber Defense Unit, based in Tallinn, Estonia, will be part of the paramilitary Defense League and will consist of a network of volunteers spread across the whole country, with the precise goal of developing higher security standards to protect national IT infrastructure.


Australian Government releases report titled “Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime”

2010.06.23

21 June 2010

The Standing Committee on Communications (House of Representatives, The Parliament of the Commonwealth of Australia) tabled its report on the inquiry into Cyber Crime entitled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime.

The report can be downloaded from:
http://www.cyberlawdb.com/main/australia

Overview of the Report

Following is an extract from the report:

1.15 There was a clear message to the Committee that home users are most vulnerable to cyber crime, often unwittingly exposing themselves and others to e-security risks through a lack of online protections. While prevention through education is important, on its own education is insufficient to combat sophisticated cyber crime techniques. The Committee believes that it is time to shift our thinking toward a model where consumers, industry and government accept greater shared responsibility for personal Internet security.

1.16 In overview, the following three chapters explain the complex nature of cybercrime, the need for comprehensive research to support policy development and the gap between end user awareness and preventative action. The remaining seven chapters discuss proposals to strengthen Australia’s response by committing to a more integrated, coordinated and concerted effort to target both policy and law enforcement against cyber criminals.

1.17 Chapter 2 examines the nature, prevalence and economic impact of cyber crime. It explains the role of botnets, which provide the infrastructure from which most criminal activity is launched. Cyber crime is often a combination of activities such as malware, spam, phishing, and spyware, and it can be difficult to separate the civil and criminal aspects. These techniques are used to steal vast quantities of personal and financial information for sale in the underground market and for use in financial and identity crimes. While anti-virus software and cautious online behaviour can reduce e-security risks, many viruses and other criminal techniques are undetectable.

1.18 The need for data collection and research as a necessary prerequisite to effective policy development is canvassed in Chapter 3. The evidence from Information Technology (IT) security companies shows an exponential growth in malware and related computer offences. Under-reporting of computer offences and online identity and financial crimes makes it difficult to measure the scope of the problem. Other cyber crime types, such as fraudulent websites, romance scams and advance fee fraud, are also under-reported, often because the victims are too embarrassed to come forward.

1.19 Chapter 4 describes the current level of public awareness of e-security threats and the vulnerability of Australian end users. The evidence indicates that even high levels of awareness do not necessarily translate into preventative action. Surveys indicate that only about half of the end users connected to the Internet have installed anti-virus software and many do not update their software. And, despite efforts by government agencies and the banking industry, the Australian Bureau of Statistics has estimated that in 2006 alone 30,400 Australians were a victim of an online phishing scam.

1.20 It is against this background that the remaining chapters of the report discuss proposals for a more integrated, coordinated and concerted approach to the problem of cyber crime as it impacts on consumers and business.

1.21 The theme of Chapter 5 is coordination across government, law enforcement authorities and between the public and private sector. There is a plethora of government agencies and private stakeholders, including Internet Service Providers (ISPs), Domain Name Registrars as well as the IT industry, with some role in relation to cyber crime. The Committee believes that, to get a more strategic approach to policy and better overall coordination, the Commonwealth needs to take more of a leadership role. In particular, all Australians would benefit from a national point of coordination and oversight of a broader national cyberspace strategy.

1.22 The transnational nature of cyber crime also means that Australian law enforcement efforts need more strategic and nationally scaled coordination. The Committee has recommended a one-stop-shop national centre for reporting a range of cyber crime types. This would give the public a single point of entry to report cyber crime. It would allow for the handling at first instance of both civil and criminal matters, and the collection and aggregation of intelligence data so that investigators can see the bigger picture.

1.23 Chapter 5 also discusses real time information sharing and an ‘intelligence hub’ to promote intelligence sharing and better trend analysis. The aim is to move the existing public-private information sharing beyond national security threats to include a wider range of cyber crime types.

1.24 Chapter 6 outlines the existing criminal law relating to computer offences and identity fraud, and it briefly canvasses some aspects of law enforcement powers. The chapter concludes that the legal framework has undergone significant development, although there continues to be a problem of lack of uniformity. The Australian Government should also expedite its work to bring domestic laws into conformity with the Council of Europe Convention on Cybercrime and seek accession to the treaty as soon as possible. This is important to strengthen Australia’s international cooperation and to show leadership in the Asia Pacific Region.

1.25 Chapter 7 looks at the role of public and commercial stakeholders in protecting the integrity of the Internet. As previously stated, the Committee believes that protecting the integrity of the Internet is a shared responsibility, between government, private sector stakeholders, and end users. To translate this philosophy into concrete action the government should work with industry to do four key things:
- develop the voluntary E Security Code of Practice for ISPs into a more comprehensive document and register it as a mandatory code under the Telecommunications Act 1997 (Cth);
- require Domain Name Registrars and Resellers to apply a ‘know your customer’ principle to reduce the fraudulent use of domain names;
- build on the Australian Internet Security Initiative to implement a more integrated scheme to detect botnets and remediate compromised computers operating across Australian networks;
- fund the Australian Communications and Media Authority (ACMA) to detect compromised websites and empower ACMA to order the temporary or permanent removal of fraudulent or compromised websites from the Australian Internet.

1.26 Chapter 8 looks at the consumer protection regime, and how it applies to cyber crime. The new Australian Consumer Law strengthens the enforcement powers of the Australian Competition and Consumer Commission to protect consumers. The Committee believes there should be a specific consumer law requirement for informed consent before software programs are downloaded.

1.27 The new framework also provides an opportunity to develop national information standards for IT vendors and retailers to provide consistent e-security information to consumers. This should be aimed at encouraging consumers to take preventative steps and ensuring they are better informed about the e-security risks of the IT products they are buying. The issue of IT vendor liability is discussed, and a more in-depth investigation by the Productivity Commission is recommended. The Committee has also recommended that the IT industry adopt better design standards for prompting consumers to adopt stronger security settings.

1.28 Chapter 9 discusses privacy law protections and endorses many of the recommendations of the Australian Law Reform Commission that relate to privacy and new technologies. In particular, the Committee supports the mandatory reporting of data breaches to ensure that individuals are able to take steps to protect themselves.

1.29 Chapter 10 addresses the adequacy of community education and awareness raising initiatives. A great deal of effort is expended in communicating e-security messages to the population: to young people and their parents through the schools, and to adult consumers via the banking industry and the Australian Consumer Fraud Task Force. The Committee heard that the DBCDE’s Cyber Security Awareness Week will move onto a more continuous footing with initiatives throughout the year. The value of promoting IT literacy generally, as distinct from purely vocational purposes, was also advocated.

1.30 Despite these efforts Australia still has a long way to go to achieve the kind of cultural change necessary to make the population more e-security aware and active. There is an important role here for a clearly articulated national cyber security community education strategy that identifies the different target audiences and the education and information strategies to reach those audiences. Such a strategy should include a broad-based ‘public health style’ campaign to promote key e-security messages in simple and easy to understand language. The DBCDE is best placed to develop a national cyber security education strategy, which should be reported on annually to the Parliament.

1.31 The final chapter, Chapter 11, canvasses evidence of new and emerging technologies with e-security features. The Committee concludes that, while technology alone will not solve the problem of cyber crime, continued technological innovation is needed to meet new and evolving threats. The Committee concludes that the value of such technologies in mitigating cyber crime should be considered, and that a competitive and innovative IT security industry should be maintained. This does not, however, prevent better security standards becoming a higher priority for IT vendors.


Ghana Government To Provide An Enabling And Regulatory ICT Environment

2010.06.19

Saturday, 19 June 2010

Mr Gideon Quaicoo, Deputy Minister of Communication, yesterday affirmed the government’s commitment to ensuring cyber security.

He said the government had taken the necessary steps to educate personnel of law enforcement agencies, ministries, departments and civil society groups on measures to combat cyber crime.

Mr Quaicoo gave the affirmation at an Information and Communication Technology (ICT) seminar and the launch of the Asian School of Cyber Law (ASCL), an online Indian-based institution, in Accra.

He noted that, to make the cyber experience friendlier and less threatening, the government had instituted measures such as the enactment of the Electronic Communications Act, which defined the legal framework governing ICT development and usage in Ghana, “not forgetting the Cyber Security Bill, Data Protection Bill and other related bills being processed”.

The Minister said that while the government was paying attention to establishing basic ICT infrastructure, the Executive was concerned about the need to address security implications that had become a threat to society and the world.

He said cyber crime had now taken on a global dimension and that the launch of ASCL would help reverse the situation.

Mr Quaicoo said the challenge of cyber security required national, regional and international collaboration.

“Cyber crime is a coward act and perpetrators must rather use their skills profitably in establishing their own businesses instead of crippling unsuspecting clients through their fraudulent acts,” he added.

Mr Henry O. Quarshie, Computer Forensics and Cyber Law Expert, said that the advent of the internet and ICT, coupled with the rapid rate at which the youth are adopting these technologies, gives great cause for concern.

He advocated the urgent training of the security and law enforcement agencies as well as professionals such as Information Technology security professionals and chartered accountants.

Mr Quarshie said such personnel needed to be exposed to cyber security, computer forensic investigation and fraud control to help minimise the negative effects of ICT.

Mr Quarshie urged individuals and corporate organisations to take advantage of ASCL and enroll for their maximum benefit.

Ten students who had completed the course were presented with certificates.

Source: http://www.ghana.gov.gh/index.php?option=com_content&view=article&id=2472:government-to-provide-an-enabling-and-regulatory-ict-environment&catid=73:education&Itemid=223


Denial of Service attacks via “Botnet” Zombies – student pleads guilty

2010.05.28

ASCL Cyber Law Bulletin
28th May, 2010

Mitchell L. Frost, a 23-year-old student, pleaded guilty to charges of causing damage to a protected computer system and possessing 15 or more unauthorized access devices.

Frost is from Bellevue, Ohio, in the USA.

According to court documents, Frost admitted that between August 2006 and March 2007, while enrolled as a student at the University of Akron, he used the University’s computer network to access IRC channels on the Internet in order to control other computers and computer networks via computers that had been intentionally infected and taken over, known as “BotNet” zombies, which were located throughout the United States and in other countries.

Frost also admitted gaining access to other computers and computer networks by various means, including scanning the Internet searching for computer networks which were vulnerable to attack or unauthorized intrusion, gaining unauthorized access to and control over such computers, and fraudulently obtaining user names and passwords for users on such systems.

Frost admitted using the compromised computers to spread malicious computer code, commands and information to even more computers, all for the purpose of harvesting and obtaining information and data from the compromised computer networks, including user names, passwords, credit card numbers, and CVV security codes, and for the purpose of launching Distributed Denial of Service (DDoS) attacks on computer systems and Internet websites.

Frost admitted that between August 2006 and March 2007 he initiated DDoS attacks on numerous Internet-connected computers hosting various websites, including www.joinrudy2008.com, www.billoreilly.com, and www.anncoulter.com, among others, temporarily interrupting operation of the websites and requiring the site owners to intervene and repair their computer systems.

Frost also admitted initiating denial of service attacks against the University of Akron computer server on or about March 14, 2007, which caused the entire University of Akron computer network to be knocked off-line for approximately 8 ½ hours, preventing all students, faculty and staff members from accessing the network. This denial of service attack required the University of Akron to employ diagnostic and remedial measures to restore computer service, causing losses in excess of $10,000.

Frost will be sentenced on August 5, 2010, by U.S. District Judge Lesley Wells. His sentence will be determined by the Court after review of factors unique to this case, including his prior criminal record, if any, his role in the offense and the characteristics of the violation.

Relevant US Law

TITLE 18–CRIMES AND CRIMINAL PROCEDURE

PART I–CRIMES

CHAPTER 47–FRAUD AND FALSE STATEMENTS

Sec. 1030. Fraud and related activity in connection with computers

(a) Whoever–

(1) having knowingly accessed a computer without authorization
or exceeding authorized access, and by means of such conduct having
obtained information that has been determined by the United States
Government pursuant to an Executive order or statute to require
protection against unauthorized disclosure for reasons of national
defense or foreign relations, or any restricted data, as defined in
paragraph y. of section 11 of the Atomic Energy Act of 1954, with
reason to believe that such information so obtained could be used to
the injury of the United States, or to the advantage of any foreign
nation willfully communicates, delivers, transmits, or causes to be
communicated, delivered, or transmitted, or attempts to communicate,
deliver, transmit or cause to be communicated, delivered, or
transmitted the same to any person not entitled to receive it, or
willfully retains the same and fails to deliver it to the officer or
employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or
exceeds authorized access, and thereby obtains–
(A) information contained in a financial record of a
financial institution, or of a card issuer as defined in section
1602(n) of title 15, or contained in a file of a consumer
reporting agency on a consumer, as such terms are defined in the
Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United
States; or
(C) information from any protected computer if the conduct
involved an interstate or foreign communication;

(3) intentionally, without authorization to access any nonpublic
computer of a department or agency of the United States, accesses
such a computer of that department or agency that is exclusively for
the use of the Government of the United States or, in the case of a
computer not exclusively for such use, is used by or for the
Government of the United States and such conduct affects that use by
or for the Government of the United States;

(4) knowingly and with intent to defraud, accesses a protected
computer without authorization, or exceeds authorized access, and by
means of such conduct furthers the intended fraud and obtains
anything of value, unless the object of the fraud and the thing
obtained consists only of the use of the computer and the value of
such use is not more than $5,000 in any 1-year period;

(5)(A)(i) knowingly causes the transmission of a program,
information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to a protected
computer;
(ii) intentionally accesses a protected computer without
authorization, and as a result of such conduct, recklessly causes
damage; or
(iii) intentionally accesses a protected computer without
authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of
subparagraph (A), caused (or, in the case of an attempted offense,
would, if completed, have caused)–
(i) loss to 1 or more persons during any 1-year period (and,
for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a
government entity in furtherance of the administration of
justice, national defense, or national security;

(6) knowingly and with intent to defraud traffics (as defined in
section 1029) in any password or similar information through which a
computer may be accessed without authorization, if–
(A) such trafficking affects interstate or foreign commerce;
or
(B) such computer is used by or for the Government of the
United States;

(7) with intent to extort from any person any money or other
thing of value, transmits in interstate or foreign commerce any
communication containing any threat to cause damage to a protected
computer;

shall be punished as provided in subsection (c) of this section.

(b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

(c) The punishment for an offense under subsection (a) or (b) of this section is–

(1)(A) a fine under this title or imprisonment for not more than
ten years, or both, in the case of an offense under subsection
(a)(1) of this section which does not occur after a conviction for
another offense under this section, or an attempt to commit an
offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than
twenty years, or both, in the case of an offense under subsection
(a)(1) of this section which occurs after a conviction for another
offense under this section, or an attempt to commit an offense
punishable under this subparagraph;
(2)(A) except as provided in subparagraph (B), a fine under this
title or imprisonment for not more than one year, or both, in the
case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii),
or (a)(6) of this section which does not occur after a conviction
for another offense under this section, or an attempt to commit an
offense punishable under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5
years, or both, in the case of an offense under subsection (a)(2),
or an attempt to commit an offense punishable under this
subparagraph, if–
(i) the offense was committed for purposes of commercial
advantage or private financial gain;
(ii) the offense was committed in furtherance of any
criminal or tortious act in violation of the Constitution or
laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000;
and

(C) a fine under this title or imprisonment for not more than
ten years, or both, in the case of an offense under subsection
(a)(2), (a)(3) or (a)(6) of this section which occurs after a
conviction for another offense under this section, or an attempt to
commit an offense punishable under this subparagraph;
(3)(A) a fine under this title or imprisonment for not more than
five years, or both, in the case of an offense under subsection
(a)(4) or (a)(7) of this section which does not occur after a
conviction for another offense under this section, or an attempt to
commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than
ten years, or both, in the case of an offense under subsection
(a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after
a conviction for another offense under this section, or an attempt
to commit an offense punishable under this subparagraph;
(4)(A) except as provided in paragraph (5), a fine under this
title, imprisonment for not more than 10 years, or both, in the case
of an offense under subsection (a)(5)(A)(i), or an attempt to commit
an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5
years, or both, in the case of an offense under subsection
(a)(5)(A)(ii), or an attempt to commit an offense punishable under
that subsection;
(C) except as provided in paragraph (5), a fine under this
title, imprisonment for not more than 20 years, or both, in the case
of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an
attempt to commit an offense punishable under either subsection,
that occurs after a conviction for another offense under this
section; and
(5)(A) if the offender knowingly or recklessly causes or
attempts to cause serious bodily injury from conduct in violation of
subsection (a)(5)(A)(i), a fine under this title or imprisonment for
not more than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts
to cause death from conduct in violation of subsection (a)(5)(A)(i),
a fine under this title or imprisonment for any term of years or for
life, or both.

(d)

(1) The United States Secret Service shall, in addition to any
other agency having such authority, have the authority to investigate
offenses under this section.
(2) The Federal Bureau of Investigation shall have primary authority
to investigate offenses under subsection (a)(1) for any cases involving
espionage, foreign counterintelligence, information protected against
unauthorized disclosure for reasons of national defense or foreign
relations, or Restricted Data (as that term is defined in section 11y of
the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses
affecting the duties of the United States Secret Service pursuant to
section 3056(a) of this title.
(3) Such authority shall be exercised in accordance with an
agreement which shall be entered into by the Secretary of the Treasury
and the Attorney General.
(e) As used in this section–
(1) the term “computer” means an electronic, magnetic, optical,
electrochemical, or other high speed data processing device performing logical,
arithmetic, or storage functions, and includes any data storage
facility or communications facility directly related to or operating
in conjunction with such device, but such term does not include an
automated typewriter or typesetter, a portable hand held calculator,
or other similar device;
(2) the term “protected computer” means a computer–
(A) exclusively for the use of a financial institution or
the United States Government, or, in the case of a computer not
exclusively for such use, used by or for a financial institution
or the United States Government and the conduct constituting the
offense affects that use by or for the financial institution or
the Government; or
(B) which is used in interstate or foreign commerce or
communication, including a computer located outside the United
States that is used in a manner that affects interstate or
foreign commerce or communication of the United States;

(3) the term “State” includes the District of Columbia, the
Commonwealth of Puerto Rico, and any other commonwealth, possession
or territory of the United States;
(4) the term “financial institution” means–
(A) an institution, with deposits insured by the Federal
Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve
including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National
Credit Union Administration;
(D) a member of the Federal home loan bank system and any
home loan bank;
(E) any institution of the Farm Credit System under the Farm
Credit Act of 1971;
(F) a broker-dealer registered with the Securities and
Exchange Commission pursuant to section 15 of the Securities
Exchange Act of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are
defined in paragraphs (1) and (3) of section 1(b) of the
International Banking Act of 1978); and
(I) an organization operating under section 25 or section 25(a)
(5) the term “financial record” means information derived from
any record held by a financial institution pertaining to a
customer’s relationship with the financial institution;
(6) the term “exceeds authorized access” means to access a
computer with authorization and to use such access to obtain or
alter information in the computer that the accesser is not entitled
so to obtain or alter;
(7) the term “department of the United States” means the
legislative or judicial branch of the Government or one of the
executive departments enumerated in section 101 of title 5;
(8) the term “damage” means any impairment to the integrity or
availability of data, a program, a system, or information;
(9) the term “government entity” includes the Government of
the United States, any State or political subdivision of the United
States, any foreign country, and any state, province, municipality,
or other political subdivision of a foreign country;
(10) the term “conviction” shall include a conviction under
the law of any State for a crime punishable by imprisonment for more
than 1 year, an element of which is unauthorized access, or
exceeding authorized access, to a computer;
(11) the term “loss” means any reasonable cost to any victim,
including the cost of responding to an offense, conducting a damage
assessment, and restoring the data, program, system, or information
to its condition prior to the offense, and any revenue lost, cost
incurred, or other consequential damages incurred because of
interruption of service; and
(12) the term “person” means any individual, firm,
corporation, educational institution, financial institution,
governmental entity, or legal or other entity.

(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under subsection (a)(5).

TITLE 18–CRIMES AND CRIMINAL PROCEDURE

PART I–CRIMES

CHAPTER 47–FRAUD AND FALSE STATEMENTS

Sec. 1029. Fraud and related activity in connection with access devices

(a) Whoever–
(1) knowingly and with intent to defraud produces, uses, or
traffics in one or more counterfeit access devices;
(2) knowingly and with intent to defraud traffics in or uses one
or more unauthorized access devices during any one-year period, and
by such conduct obtains anything of value aggregating $1,000 or more
during that period;
(3) knowingly and with intent to defraud possesses fifteen or
more devices which are counterfeit or unauthorized access devices;
(4) knowingly, and with intent to defraud, produces, traffics
in, has control or custody of, or possesses device-making equipment;
(5) knowingly and with intent to defraud effects transactions,
with 1 or more access devices issued to another person or persons,
to receive payment or any other thing of value during any 1-year
period the aggregate value of which is equal to or greater than
$1,000;
(6) without the authorization of the issuer of the access
device, knowingly and with intent to defraud solicits a person for
the purpose of–
(A) offering an access device; or
(B) selling information regarding or an application to
obtain an access device;

(7) knowingly and with intent to defraud uses, produces,
traffics in, has control or custody of, or possesses a
telecommunications instrument that has been modified or altered to
obtain unauthorized use of telecommunications services;
(8) knowingly and with intent to defraud uses, produces,
traffics in, has control or custody of, or possesses a scanning
receiver;
(9) knowingly uses, produces, traffics in, has control or
custody of, or possesses hardware or software, knowing it has been
configured to insert or modify telecommunication identifying
information associated with or contained in a telecommunications
instrument so that such instrument may be used to obtain
telecommunications service without authorization; or
(10) without the authorization of the credit card system member
or its agent, knowingly and with intent to defraud causes or
arranges for another person to present to the member or its agent,
for payment, 1 or more evidences or records of transactions made by an access device;
shall, if the offense affects interstate or foreign commerce, be
punished as provided in subsection (c) of this section.

(b)(1) Whoever attempts to commit an offense under subsection (a) of
this section shall be subject to the same penalties as those prescribed
for the offense attempted.
(2) Whoever is a party to a conspiracy of two or more persons to
commit an offense under subsection (a) of this section, if any of the
parties engages in any conduct in furtherance of such offense, shall be
fined an amount not greater than the amount provided as the maximum fine
for such offense under subsection (c) of this section or imprisoned not
longer than one-half the period provided as the maximum imprisonment for
such offense under subsection (c) of this section, or both.

(c) Penalties.–
(1) Generally.–The punishment for an offense under subsection
(a) of this section is–
(A) in the case of an offense that does not occur after a
conviction for another offense under this section–
(i) if the offense is under paragraph (1), (2), (3),
(6), (7), or (10) of subsection (a), a fine under this title
or imprisonment for not more than 10 years, or both; and
(ii) if the offense is under paragraph (4), (5), (8), or
(9) of subsection (a), a fine under this title or
imprisonment for not more than 15 years, or both;

(B) in the case of an offense that occurs after a conviction
for another offense under this section, a fine under this title
or imprisonment for not more than 20 years, or both; and
(C) in either case, forfeiture to the United States of any
personal property used or intended to be used to commit the
offense.

(2) Forfeiture procedure.–The forfeiture of property under this
section, including any seizure and disposition of the property and
any related administrative and judicial proceeding, shall be
governed by section 413 of the Controlled Substances Act, except for
subsection (d) of that section.

(d) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section. Such authority of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.

(e) As used in this section–
(1) the term “access device” means any card, plate, code,
account number, electronic serial number, mobile identification
number, personal identification number, or other telecommunications
service, equipment, or instrument identifier, or other means of
account access that can be used, alone or in conjunction with
another access device, to obtain money, goods, services, or any
other thing of value, or that can be used to initiate a transfer of
funds (other than a transfer originated solely by paper instrument);
(2) the term “counterfeit access device” means any access
device that is counterfeit, fictitious, altered, or forged, or an
identifiable component of an access device or a counterfeit access
device;
(3) the term “unauthorized access device” means any access
device that is lost, stolen, expired, revoked, canceled, or obtained
with intent to defraud;
(4) the term “produce” includes design, alter, authenticate,
duplicate, or assemble;
(5) the term “traffic” means transfer, or otherwise dispose
of, to another, or obtain control of with intent to transfer or
dispose of;
(6) the term “device-making equipment” means any equipment,
mechanism, or impression designed or primarily used for making an
access device or a counterfeit access device;
(7) the term “credit card system member” means a financial
institution or other entity that is a member of a credit card
system, including an entity, whether affiliated with or identical to
the credit card issuer, that is the sole member of a credit card
system;
(8) the term “scanning receiver” means a device or apparatus
that can be used to intercept a wire or electronic communication in
violation of chapter 119 or to intercept an electronic serial
number, mobile identification number, or other identifier of any
telecommunications service, equipment, or instrument;
(9) the term “telecommunications service” has the meaning
given such term in section 3 of title I of the Communications Act of
1934 (47 U.S.C. 153);
(10) the term “facilities-based carrier” means an entity that
owns communications transmission facilities, is responsible for the
operation and maintenance of those facilities, and holds an
operating license issued by the Federal Communications Commission
under the authority of title III of the Communications Act of 1934;
and
(11) the term “telecommunication identifying information”
means electronic serial number or any other number or signal that
identifies a specific telecommunications instrument or account, or a
specific communication transmitted from a telecommunications
instrument.

(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States, or any activity authorized under chapter 224 of this title. For purposes of this subsection, the term “State” includes a State of the United States, the District of Columbia, and any commonwealth, territory, or possession of the United States.

(g)(1) It is not a violation of subsection (a)(9) for an officer,
employee, or agent of, or a person engaged in business with, a
facilities-based carrier, to engage in conduct (other than trafficking)
otherwise prohibited by that subsection for the purpose of protecting
the property or legal rights of that carrier, unless such conduct is for
the purpose of obtaining telecommunications service provided by another
facilities-based carrier without the authorization of such carrier.
(2) In a prosecution for a violation of subsection (a)(9), (other
than a violation consisting of producing or trafficking) it is an
affirmative defense (which the defendant must establish by a
preponderance of the evidence) that the conduct charged was engaged in
for research or development in connection with a lawful purpose.
(h) Any person who, outside the jurisdiction of the United States, engages in any act that, if committed within the jurisdiction of the United States, would constitute an offense under subsection (a) or (b) of this section, shall be subject to the fines, penalties, imprisonment, and forfeiture provided in this title if–
(1) the offense involves an access device issued, owned,
managed, or controlled by a financial institution, account issuer,
credit card system member, or other entity within the jurisdiction
of the United States; and
(2) the person transports, delivers, conveys, transfers to or
through, or otherwise stores, secrets, or holds within the
jurisdiction of the United States, any article used to assist in the
commission of the offense or the proceeds of such offense or
property derived therefrom.

Google sued for capture and storage of WiFi information

2010
05.27

ASCL Cyber Law Bulletin
27th May, 2010

Galaxy Internet Services, Inc., together with its wireless customers and WiFi users in Massachusetts, has initiated a class action lawsuit against Google, Inc.

The suit revolves around the “capture and storage of WiFi information by Google’s street mapping team”.

Google’s official blog post on the relevant topic states:

... Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars

... we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.

See: http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html

Applicable Massachusetts data privacy law

201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH

Section:
17.01: Purpose and Scope
17.02: Definitions
17.03: Duty to Protect and Standards for Protecting Personal Information
17.04: Computer System Security Requirements
17.05: Compliance Deadline

17.01 Purpose and Scope

(1) Purpose
This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

(2) Scope
The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth.

17.02: Definitions

The following words as used herein shall, unless the context requires otherwise, have the following meanings:

Breach of security, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
Electronic, relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.
Encrypted, the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.

Owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.

Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.

Personal information, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Record or Records, any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.
Service provider, any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.

17.03: Duty to Protect and Standards for Protecting Personal Information

(1) Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.

(2) Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:

(a) Designating one or more employees to maintain the comprehensive information security program;

(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
1. ongoing employee (including temporary and contract employee) training;
2. employee compliance with policies and procedures; and
3. means for detecting and preventing security system failures.

(c) Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.

(d) Imposing disciplinary measures for violations of the comprehensive information security program rules.

(e) Preventing terminated employees from accessing records containing personal information.

(f) Oversee service providers, by:
1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person’s behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.

(g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.

(h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.

(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

17.04: Computer System Security Requirements

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

(1) Secure user authentication protocols including:
(a) control of user IDs and other identifiers;
(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(d) restricting access to active users and active user accounts only; and
(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(2) Secure access control measures that:
(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

(5) Encryption of all personal information stored on laptops or other portable devices;

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
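The authentication elements in 17.04(1) and 17.04(2) are stated as outcomes, not mechanisms. The following is an added illustration, not part of 201 CMR 17.00 or of any cited filing, of what a minimal implementation of three of them looks like: passwords stored as salted hashes rather than in a form that compromises the data they protect (17.04(1)(c)), access limited to active accounts (17.04(1)(d)), lockout after multiple unsuccessful attempts (17.04(1)(e)), and rejection of vendor-supplied default passwords (17.04(2)(b)). The attempt threshold, lockout window and the list of default passwords are assumptions; the regulation fixes none of them.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed policy values (201 CMR 17.04 sets no specific numbers):
# lock the account after this many consecutive failures, for this long.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60

# Constructed sample of vendor-supplied defaults rejected under 17.04(2)(b);
# a real deployment maintains its own list.
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Only the salt and digest are stored, so the
    stored form cannot be used directly as the password (17.04(1)(c))."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    active: bool = True           # 17.04(1)(d): only active accounts may log in
    failed_attempts: int = 0
    locked_until: float = 0.0     # epoch seconds; 0 means not locked


class AuthStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create(self, user_id: str, password: str) -> None:
        # 17.04(2)(b): unique identifier plus a password that is not a vendor default.
        if password.lower() in VENDOR_DEFAULT_PASSWORDS:
            raise ValueError("vendor-supplied default password rejected")
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, digest)

    def deactivate(self, user_id: str) -> None:
        # Used when an employee is terminated (17.03(2)(e)); the record stays, access does not.
        self.accounts[user_id].active = False

    def authenticate(self, user_id: str, password: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active:
            # Hash anyway so unknown and inactive users cost the same time as real ones.
            hash_password(password)
            return "denied"
        if now < acct.locked_until:
            # 17.04(1)(e): blocked after multiple unsuccessful attempts, even if the
            # password is now correct, until the lockout window passes.
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"
```

The lockout is enforced before the password is checked, so a correct password submitted during the window still returns "locked"; that ordering is what makes the control effective against online guessing rather than merely cosmetic.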

17.05: Compliance Deadline
(1) Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

REGULATORY AUTHORITY

201 CMR 17.00: M.G.L. c. 93H

American carpenter arrested for child porn

2010
05.26

ASCL Cyber Law Bulletin
26th May, 2010

Kris Papaj, a 24-year-old carpenter, was arrested for possession and import of child pornography by the “Crimes Against Children Task Force” of the Stamford Police in Connecticut, USA.

Details of the case can be obtained from here.

Applicable US Law

Title 18, Sec. 1466A of the US Code, titled “Obscene visual representations of the sexual abuse of children”, reads as follows:

TITLE 18–CRIMES AND CRIMINAL PROCEDURE

PART I–CRIMES

CHAPTER 71–OBSCENITY

Sec. 1466A. Obscene visual representations of the sexual abuse of children

(a) In General.–Any person who, in a circumstance described in subsection (d), knowingly produces, distributes, receives, or possesses with intent to distribute, a visual depiction of any kind, including a drawing, cartoon, sculpture, or painting, that–

(1)
(A) depicts a minor engaging in sexually explicit conduct;  and
(B) is obscene; or

(2)
(A) depicts an image that is, or appears to be, of a minor engaging in graphic bestiality, sadistic or masochistic abuse, or sexual intercourse, including genital-genital, oral-genital, anal-genital, or oral-anal, whether between persons of the same or opposite sex; and
(B) lacks serious literary, artistic, political, or scientific value;

or attempts or conspires to do so, shall be subject to the penalties provided in section 2252A(b)(1), including the penalties provided for cases involving a prior conviction.

(b) Additional Offenses.–Any person who, in a circumstance described in subsection (d), knowingly possesses a visual depiction of any kind, including a drawing, cartoon, sculpture, or painting, that–

(1)
(A) depicts a minor engaging in sexually explicit conduct; and
(B) is obscene; or

(2)
(A) depicts an image that is, or appears to be, of a minor engaging in graphic bestiality, sadistic or masochistic abuse, or sexual intercourse, including genital-genital, oral-genital, anal-genital, or oral-anal, whether between persons of the same or opposite sex; and
(B) lacks serious literary, artistic, political, or scientific value;

or attempts or conspires to do so, shall be subject to the penalties provided in section 2252A(b)(2), including the penalties provided for cases involving a prior conviction.

(c) Nonrequired Element of Offense.–It is not a required element of any offense under this section that the minor depicted actually exist.

(d) Circumstances.–The circumstance referred to in subsections (a) and (b) is that–

(1) any communication involved in or made in furtherance of the offense is communicated or transported by the mail, or in interstate or foreign commerce by any means, including by computer, or any means or instrumentality of interstate or foreign commerce is otherwise used in committing or in furtherance of the commission of the offense;

(2) any communication involved in or made in furtherance of the offense contemplates the transmission or transportation of a visual depiction by the mail, or in interstate or foreign commerce by any means, including by computer;

(3) any person travels or is transported in interstate or foreign commerce in the course of the commission or in furtherance of the commission of the offense;

(4) any visual depiction involved in the offense has been mailed, or has been shipped or transported in interstate or foreign commerce by any means, including by computer, or was produced using materials that have been mailed, or that have been shipped or transported in interstate or foreign commerce by any means, including by computer; or

(5) the offense is committed in the special maritime and territorial jurisdiction of the United States or in any territory or possession of the United States.

(e) Affirmative Defense.–It shall be an affirmative defense to a charge of violating subsection (b) that the defendant–

(1) possessed less than 3 such visual depictions; and

(2) promptly and in good faith, and without retaining or allowing any person, other than a law enforcement agency, to access any such visual depiction–
(A) took reasonable steps to destroy each such visual depiction; or
(B) reported the matter to a law enforcement agency and afforded that agency access to each such visual depiction.

(f) Definitions.–For purposes of this section–

(1) the term “visual depiction” includes undeveloped film and videotape, and data stored on a computer disk or by electronic means which is capable of conversion into a visual image, and also includes any photograph, film, video, picture, digital image or picture, computer image or picture, or computer generated image or picture, whether made or produced by electronic, mechanical, or other means;

(2) the term “sexually explicit conduct” has the meaning given the term in section 2256(2)(A) or 2256(2)(B); and

(3) the term “graphic”, when used with respect to a depiction of sexually explicit conduct, means that a viewer can observe any part of the genitals or pubic area of any depicted person or animal during any part of the time that the sexually explicit conduct is being depicted.

Comments Off

Woman booked for sending lewd messages to former boss

2010
05.26

ASCL Cyber Law Bulletin
26th May, 2010

Sonia, a resident of Zirakpur town near Chandigarh, has been arrested for allegedly sending nearly 170 lewd SMS messages to her former boss, Anu Sharma.

Anu had been getting these messages on her cell phone for the last few months.

It appears that Sonia had earlier worked in a private company run by Anu and was allegedly sending the messages because she had been fired from her job.

Applicable law in India

The amended Information Technology Act provides for imprisonment of up to 3 years for sending offensive messages.

Section 66A is titled “Punishment for sending offensive messages through communication service, etc.” and states:

Any person who sends, by means of a computer resource or a communication device, -

(a) any information that is grossly offensive or has menacing character; or

(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or

(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation. – For the purposes of this section, terms “electronic mail” and “electronic mail message” means a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, image, audio, video and any other electronic record, which may be transmitted with the message.

Explanation of applicable law

Section 66A penalises the sending of the following through email, SMS, etc.:

(1) information that is grossly offensive or has menacing character; or

(2) false information sent for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will.

Illustration: Pooja is Sameer’s ex-girlfriend. After their break-up, Pooja married Tapan, who is unaware of Pooja’s past relationship with Sameer. Angry over this issue, Sameer sends an email to Pooja, in which he threatens that unless Pooja gives him Rs 1 lakh, he will spread the news that Pooja had been pregnant before marriage.
Pooja does not give him the money. Sameer sends emails to all of Pooja’s friends and relatives telling them that Pooja had been pregnant before marriage.

If the information about Pooja’s pregnancy is true then Sameer will not be liable under this section. If this information is false, then Sameer will be liable under this section.

This section also penalises the sending of emails (including attachments in text, image, audio or video form, as well as any other electronic record transmitted with the message) for the following purposes:

(1) causing annoyance, or

(2) causing inconvenience, or

(3) to deceive or to mislead about the origin of the messages.

Illustration: Sameer sends emails to thousands of customers of the NatCash Bank. These emails request the recipient to click on a link and enter their online banking username and password at a website that appears to be that of the Bank but in reality is a fake. Sameer has spoofed the emails in such a way that they appear to have originated from the NatCash Bank official email address. He would be liable under this section.