Handbook of Information Security Management: Law, Investigation, and Ethics



Some schemes define the severity of harm in terms of the dollar value of resulting damage to hardware or data, the value of data taken or compromised, or the value of the property that was the object of a related scheme to defraud. Other schemes may attempt to estimate the value of intangible information by its type or by the nature of the computer system from which it came. Still others treat as determining factors the mental state that accompanied or followed from the act of unauthorized access or unauthorized use. Such is the case with laws that prohibit, for example, unauthorized access or use of a computer with an intent to defraud. For example, the Virginia Code Ann. § 18.2-152.4 says that someone commits computer trespass when he or she uses a “computer or computer network without authority and with intent to ...remove computer data, programs, or software...cause a computer to malfunction... [or] alter or erase any computer data.” Under many such laws, the prosecuting authority need not show that the fraud scheme succeeded, for it is obtaining access with the requisite mental state that is the act proscribed as criminal.

One problem, of course, is that legislation prohibiting unauthorized access or use necessarily suffers from having to define exhaustively yet clearly what it is that cannot be accessed or used. Thus, laws drawn to prohibit unauthorized access must define the term computer and its related components with sufficient particularity to place an individual on notice as to what behavior is prohibited, that is, what environment cannot be so accessed or used. They must do so, however, in a manner that is sufficiently broad and adaptable that the statute will not be rendered obsolete by rapid technological change. Definitions drawn too narrowly or that find themselves too closely tied to prevailing technology may soon be incapable of reaching abuses of systems or devices otherwise plainly within the spirit, if not the letter, of legislative enactments. Definitions drawn too broadly may criminalize innocuous conduct and may be struck down by the courts as unconstitutionally vague. Legislators who focus on how technologies are used can avoid these two problems.

Laws Prohibiting Information Abuse

There is also a difference between focusing legislation on the computers themselves and focusing on the information they contain. As Donn Parker has noted, it may well be that “[l]ooking back, we wouldn’t classify crimes by computer, but would classify such acts instead as information crimes.” (Carol C. McCall, “Computer Crime Statutes: Are They Bridging the Gap Between Law and Technology?” 11 Criminal Justice Journal (1988). The author continued: “According to Parker, the focus of legislation should be on the nature of the asset subject to loss, rather than on the technology which is rapidly subject to obsolescence and requires repeated amendment.”) Indeed, some states have ventured to proscribe information abuse as a crime independent of the circumstances surrounding the manner of its commission.

The merger of these two distinct entities — computers and information — is perhaps natural, because for many individuals a computer is a tangible representation of the intangible information stored therein. Because computers were the most recognizable devices known to trade information, proscribing conduct with regard to computers preserved the confidentiality, integrity, and availability of the information they contain.

Laws that were drawn to incidentally, rather than directly, safeguard information are being rendered increasingly incapable of doing so because the information society really wants to protect can be accessed, and thus abused, by more devices than the computer. Personalized, digitized information can be accessed by telephone and by various modes of cable, satellite, and cellular channels of communication in ways that may — but may not — entail use of what laws have come to recognize as a computer.

Few can dispute that there is considerable value in the exclusivity of information. That a theft of information may not deprive the original owner of his or her copy does not change the fact that its value may have been lessened by the owner’s loss of control or by subsequent disclosure of the information. Increasingly, therefore, state legislatures are devising new means of directly protecting valued information from abuse, misuse, or disclosure. A number of states are acting in accord with legislative determinations that certain types of information command enhanced protection. Such sentiments led directly to the passage of trade secret protections in more than thirty states. It is also likely, with new and justifiable concerns over privacy in the workplace and confidentiality of computerized information, that laws will be designed to protect that information as well.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.