Handbook of Information Security Management: Law, Investigation, and Ethics



Because of this, almost every state, along with the federal government, has adopted new laws specific to computer-related abuses. These new laws, which have been redefined over the years to keep abreast of the constant changes in the technological forum, have been subjected to an ample amount of scrutiny due to many social issues that have been affected by the proliferation of computers in society. Some of these issues, such as privacy, copyright infringement, and software ownership, are yet to be resolved. More changes to the current collection of laws can be expected. Some of the computer-related crimes that are addressed by the new state and federal laws are:

  Unauthorized access.
  Exceed authorized access.
  Intellectual property theft or misuse of information.
  Pornography.
  Theft of services.
  Forgery.
  Property theft (e.g., computer hardware and chips).
  Invasion of privacy.
  Denial of services.
  Computer fraud.
  Viruses.
  Sabotage (i.e., data alteration or malicious destruction).
  Extortion.
  Embezzlement.
  Espionage.
  Terrorism.

All but one state, Vermont, have created or amended laws specifically to deal with computer-related crime; 25 states have enacted specific computer crime statutes, and the other 24 states have merely amended their traditional criminal statutes to confront computer crime issues. Vermont has announced legislation under Bill H.0555 that deals with the theft of computer services. The elements of proof, which define the basis of the criminal activity, vary from state to state. Security practitioners should be fully cognizant of their state laws, specifically the elements of proof. In addition, traditional criminal statutes, such as theft, fraud, extortion, and embezzlement, can still be used to prosecute computer crime.

Just as there has been abundant new legislation at the state level, there have also been many new federal policies, such as the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act of 1986. They have been established to deal precisely with computer and telecommunications abuses at the federal level. Moreover, many modifications and updates have been made to the Federal Criminal Code, Section 1030, to deal with a variety of computer-related abuses. Even though these new laws have been adopted for use in the prosecution of a computer-related offense, some of the older, proven federal laws discussed later in this chapter offer a simpler case to present to judges and juries:

  Wire fraud.
  Mail fraud.
  Interstate transportation of stolen property.
  Racketeer influenced and corrupt organizations (RICO).

Civil Law

Civil law (or tort law) identifies a tort as a wrong against an individual or business which normally results in damage or loss to that individual or business. The major differences between criminal and civil law are the type of punishment and the level of proof required to obtain a guilty verdict. There is no jail sentence under the civil law system. Victims may receive financial or injunctive relief as restitution for their loss. An injunction against the offender will attempt to thwart any further loss to the victim. In addition, a violation of the injunction may result in a contempt of court order, which places the offender in jeopardy of going to jail. The main purpose of seeking civil remedy is for financial restitution, which can be awarded as follows:

  Compensatory damages.
  Punitive damages.
  Statutory damages.

In a civil action, if there is no culpability on the part of the victim, the victim may be entitled to compensatory (i.e., restitution) and punitive damages. Compensatory damages are actual damages to the victim and include attorney fees, lost profits, and investigation costs. Punitive damages are damages set by the jury with the intent to punish the offender. Even if the victim is partially culpable, an award may be made on the victim’s behalf, but may be lessened due to the victim’s culpable negligence. Statutory damages are damages determined by law. Mere violation of the law entitles the victim to a statutory award.

It is much easier to obtain a conviction in a civil case because the burden of proof required for the conviction is much less. To be found guilty of a civil wrong, the jury must believe, based only on the preponderance of the evidence, that the offender is guilty of the offense. It is much easier to show that the majority (i.e., 51%) of the evidence is pointing to the defendant’s guilt.

Finally, just as a search warrant is used by law enforcement as a tool in the criminal investigation, the court can issue an impoundment order, which is a court order to take back the property in question. The investigator should also keep in mind that the criminal and civil case can take place simultaneously, thus allowing items seized during the execution of the search warrant to be used in the civil case.

Insurance

An insurance policy is generally part of an organization’s overall risk mitigation or management plan. The policy transfers the risk of loss to the insurance company in return for an acceptable level of loss (i.e., the insurance premium). Because many computer-related assets (i.e., software and hardware) account for the majority of an organization’s net worth, they must be protected by insurance. If there is a loss to any of these assets, the insurance company is usually required to pay out on the policy. An important factor is the principle of culpable negligence. This places part of the liability on the victim if the victim fails to follow a “standard of due care” in the protection of its assets. If a victim organization is held to be culpably negligent, the insurance company may be required to pay only a portion of the loss.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.