|
This is the second part of a four-part series looking at U.S. information security laws and the way those laws affect security professionals. In the first part of this series, we looked at the legal framework for protection of information systems and the role of information security professionals in the creation of trade secret interests. In this installment, we will look at the legal framework for security of an enterprise's working environment from the perspective of information security professionals, with particular emphasis on the protection of communications.
Of course, protecting communications necessarily depends on the security of the systems used to transmit and store them. Drawing a rigid line between protecting systems and protecting communications might not always be useful or possible. That said, for our discussion, treating the protection of communications separately from the protection of systems illustrates how the Computer Fraud and Abuse Act, 18 U.S.C.§ 1030 (the "CFAA"), and the Electronic Communications Protection Act, 18 U.S.C. §§ 2510-22 and §§ 2701-12 (the "ECPA"), two critically important federal information security statutes, work together.
As discussed in the first article in this series, the primary thrust of the CFAA, with respect to private sector systems, is to prohibit access to protected computers without authorization or exceeding authorization, whether to obtain something of value or to damage systems or data. The primary concern of the ECPA is related, but distinct. The ECPA prohibits the unauthorized and unjustified interception, disclosure, or use of communications, including electronic communications[1]. In a situation in which a bad actor hacks into a corporate network and obtains access to sensitive email, the CFAA and the ECPA are both violated. But having discussed the CFAA in Article 1, our discussion of the legal framework for protecting communications will focus on the ECPA.
Understanding the organization of the ECPA is a real help in understanding how the act works. The ECPA has two major parts: Title I - The Wiretap Act, 18 U.S.C. §§ 2510-22 (the "Wiretap Act"); and Title II, the Stored Communications Act, 18 U.S.C. §§ 2701-12. (the "Stored Communications Act"). The Wiretap Act was a pre-existing statute that, prior to the passage of the ECPA, protected communications mediated by a "wire, cable or other like connection" from unauthorized and unjustified interception and disclosure. In theory, the ECPA amended the Wiretap Act to extend those protections to electronic communications. As we will see below, there is reason to question how fully the ECPA accomplished that goal. The second part of the ECPA, the Stored Communications Act, 18 U.S.C. §§ 2701-12, was a new enactment that protects communications stored in electronic communications facilities from unauthorized and unjustified access or disclosure. We will look at the Wiretap Act and the Stored Communications Act in turn.
|