Cybercrime as an International Problem

Cybercrime is an international problem that's faced every day. Regardless of the prevention techniques in place, the infrastructure of companies, corporations, and individuals are at risk for various types of cybercrimes. Cybercrimes are defined by Mirriam-Webster as criminal activities that are carried out using a computer especially when transmitting, manipulating, or accessing data (Miriam-Webster 2018). Currently, there is no way to completely prevent these crimes from occurring, however it is possible to put best practices into place. The United States uses three broad approaches in effort to prevent and react to cybercrimes: Criminal, civil, and voluntary industry guidelines. Internationally these industry best practices vary. After a comparison of the U.S. and international law, the U.S. application of all three practices appears to be the best technique for prevention and response to cybercrimes, however the UK, Russia, and China also have excellent laws and regulations in place. While these countries have a great set of comprehensive laws, there is always room for improvement.

United States Approach to Cybersecurity:

As mentioned above the United States incorporates three different approaches for cybersecurity. The Computer Fraud and Abuse Act (CFAA) and Cybersecurity Enhancement Act of 2015 cover the criminal sanction while the laws pertaining to negligence and HIPPA compliance in the health care field set forth civil liability. The National Institute of Standards and Technology (NIST) created a cybersecurity framework that sets forth a voluntary standard.

Criminal:

The Computer Fraud and Abuse Act (CFAA) of 1986 18 U.S.C.S. § 1030, an amendment to the computer fraud law, made it a federal crime to access computers without appropriate authorization and obtaining any information about any US department or agency, financial records/consumer information, and anything collected from a protected computer. The United States v. Nosal outlined the definition of exceeds authorized access as authorized access to computers and use access to obtain or alter information that the accessor does not have entitlement to do so (United States v Nosal, 676 F3d 854 [9th Cir 2012].) The act has been amended several times since inception, and has expanded its scope beyond its original intention which covered only U.S. government computer and some financial systems. The Patriot Act of 2001 came shortly after the 9/11 attacks and was an update to the CFAA allowing for expanded access for law enforcement to investigate possible acts of terrorism. In 2015, President Barack Obama's administration saw a major problem in the United States infrastructure finding that several hundreds of millions of dollars has been stolen via intrusion due to the weakness, and the Racketeer Influence and Corrupt Organizations Act (RICO)(18 U.S Code Chapter 96) was put in place in an effort to rid organized crime in the United States. Penalties for violation of the CFAA include range from fines to imprisonment up to 20 years in some instances.

Civil:

There are several laws that are organized to handle civil cases of cybercrimes. Two major examples are Health Insurance Portability and Accountability Act (HIPPA) which protects patient data/medical information transmitted electronically and negligence laws that forces people to follow a certain level of care for others. While HIPPA is a federal law, negligence laws are set forth by individual states. The Office for Civil Rights (OCR) is the enforcement authority for the HIPPA act and enforces the penalties. Since the medical field is moving toward electronic filing, billing, and monitoring of patient information for efficient, HIPPA has never been more important as a national standard. Health plans, health care providers (providing they electronically transmit health information), heath care clearinghouse, and any business associates (such as pharmacy) that fall under the umbrella of those needing to abide by HIPPA regulation. It covers any physical and mental health information, what treatment is being received, and any financial/payment information of an individual. HIPPA requires any entity with access to health care information to retrieve an authorization for the electronic transmission, and requires a notice of the privacy practices. Penalties for non-compliance can range anywhere from $100 to $50,000.

A second important civil law is negligence. Each state may have different standards for negligence. As previously stated, individuals are required to act in a manner that shows a duty of care to other individuals. Duty of care is a basic requirement that an individual act with a carefulness, attention, and consideration towards other in order to prevent the risk of harm. There are four elements necessary to prove negligence, 1. Proof that an individual had a legal duty of care to the other, 2. A breach of that duty of care, 3. Because of that breach an injury was suffered, and, 4. Proximate cause. Failure to provide the appropriate duty of care to another results in fines that can vary in degree depending on the level of injury to a person.

Voluntary Standard:

The National Institute of Standards and Technology (NIST) has a framework tha outlines protection for infrastructures, and that have a systematic process to identify, assess, and managed cybersecurity risk (National Institute of Standards and Technology, 2018). While this framework is a voluntary framework, it's an industry best standard and was designed with the help of several individuals in the industry, government, and academia through several workshops around the country (NIST, 2018). There are no civil or criminal ramifications for not using the standard, but it should be understood that not using this framework or another standard could result in civil and criminal suits. This framework helps cover the necessary aspects for prevention and response to cybersecurity incidents. The NIST framework covers five core functions that include Identification, Protection, Detection and follows with Response, and Recovery techniques. These five core functions help manage risk assessment which can identify the crown jewels of a company (those things that need to be protected), assess possible breaches/cybersecurity instances, and allows for a plan of response and recovery in the instance of a breach.
The Cybersecurity Enhancement Act of 2014 was an effort to improve cybersecurity research and development; the act authorized financial allotment for continued research and helps to educate the public on awareness and preparedness. (Heckert, 2010).

United Kingdom (UK) Approach to Cybercrime:

Criminal :

The Computer Misuse Act enacted (CMA) in 1990 made it so that without authorization from the owner of the data there could be no changes to the information whether on a computer or on another device. This Act was derived from Regina v. Gold and Schifreen, 1998 which was a case where the defendants hacked into the computer system of the Duke of Edinburg's email using an ID and password that was not authorized for their use. The CMA cited different criminal offenses: unauthorized access to carry out further offenses, modify material, and general unauthorized access to a computer. Punishment is generally around twelve months and a fine. In 2015, the act was modified in order to coincide with the Serious Crime Act which aided law enforcement with search and seizure operations. This Serous Crime Act could lead to up to 14 years in prison and a large fine (What is the Computer Misuse Act, 2018).

Civil:

The Data Protection Act of 1988 (DPA) was an act that worked to protect the personal data of an individual that was being stored on a computer and was replaced by the General Data Protection Regulations (GDPR). The GDPR was approved in April of 2016, and fully implemented two years later, in May 2018. The GDPR covers the member states of the European Union, with the purpose of protecting the EU citizens personal data from data and privacy breaches. Changes that came with the GDPR include a clear jurisdictional extension that covers any and all companies that collect and process personal data in the EU including those who outsource the information, whereas previously the DPA was ambiguous. The GDPR made it mandatory for national states to This is done by regulating usage of personal data by any company, organization, or individual that processes it for non-personal usage; regardless of the type of technology that is used. The regulation does not only cover processing that is done in the EU, rather it covers EU citizens regardless of where the processing occurs, making it globally effective. Processing includes collection, storage, transmission, and recording among many others in relation to personal information. Personal data is defined in the GDPR as information that can identify an individual or relates to the identity of a living person, or information that may be put together to identify a person. (European Commission, 2018). This information includes, but is not limited to information such as name, address, email, ID card, location data, and any information help by a doctor/hospital. This information is no longer considered identifiable once it has been encrypted or goes through the process of anonymization (European Commission, 2018). The GDPR also made it mandatory for any breaches to be announced within the first 72 hours of awareness. In order to be compliant within with the GDPR organizations must get consent from customers/consumers prior to storing and processing data. There must also be a Data Processing Officer within each organization who is appointed to monitor data, as well as the necessity for breach notification. Data Protection Impact Assessments need to be completed. The organizations must Data Protection Authorities (DPA) are the authority that investigate and correct any issues and complaints that are lodged for non-compliance and are considered supervisory. Each nation state has their own DPA, and each state decides what the penalty is for non-compliance. The penalties range through a variety of fines and can be as high as 4% or as low as 2% of the previous year's revenue (GDPREU.org, 2018).

China

China has no data protection laws that are comprehensive but are rather spread apart across several laws and regulations that have already been enacted. These regulations can be found throughout the General Principles of Civil Law and Tort Liability Law, as well as the Criminal Law of the People's Republic (Data Protection Laws of the World, 2018). In 2017, the first national-level law went into effect which was called the Cybersecurity Law and was the first enacted law to discuss data privacy and cybersecurity. This law was to protect and safeguard online information for citizens and legal entities. China collectively use the Decision on Strengthening Online Information Protection and NIST as a backbone to help create such data protection rules. The Cyberspace Administration of China is the authority for data protection in China, but there is also the PBOC or CBRC who are involved with regulation of larger financial institutions. China requires permission from the owner of personal data prior to its allowance to be transferred or disclosed. Only when data is collected appropriately and necessarily while abiding by the regulations can organizations collected, store, and use personal information. It requires organizations to take appropriate measures against processing data illegally/exposure of personal information by ensuring proper protect systems are in place. It doesn't appear to have a timeline for notification of data breaches, however it does require notification to be made to those effected within a timely manner (Data Protection Laws of the World, 2018). Enforcement for cybersecurity crimes vary from fines all the way to criminal activity. China's law making is beginning to lean towards forming more laws and regulations that are similar to the GDPR making it more effective overall.

Russia

The bulk of the cybersecurity laws in Russia are embedded in the legislation of the Data Protection Act, while the Russian Construction covers the privacy rights of individuals. Prior to 2014, Russia didn't focus on data protection as much as it should have. However, in 2014, Russia began regulating the usage of personal data. The focus was on data processors, and required the information to be processed inside Russia, instead of using outside sources. The regulations require full disclosure and transparency about a business's privacy practices, and permissions from the owner of the data in order to transfer it. The DPA requires a data control officer to be appointment in order to oversee compliance with regulation. The federal government (The Agency) is the authority for seeking repercussions for now complying with the cybersecurity practices. Penalties for not following the requirements set forth for cybersecurity protection as subject to the shit down of any websites that participate in unlawful acts and requires registrations on the Register of Infringers of Rights of Personal Data Subjects (Data Protection Laws of the World, 2018). In the event of a data breach, there is unfortunately no requirement for reporting.

In conclusion, while the United States seems to have the best practices when it comes to cybersecurity, considering it covers civil and criminal sanctions along with a voluntary framework, other countries have also set forth excellent cybersecurity regimes. The United Kingdom is an under the umbrella of the EU, and is covered under the GDPR, but also has its own civil sanction making it very strong overall with cybersecurity practices. China, while working on cybersecurity laws has the regulation buried throughout its current law system and covers a vast majority of necessary prevention techniques and enforcement related to cybercrimes. As mentioned above, China's laws are very similar to the EU GDPR. Lastly, Russia, has several specific laws and uses the DPA in order to protect its citizens data. While some countries do not cover regulation in civil and criminal penalties, and do not have voluntary frameworks, the United States has the most articulated and mature laws and regulations for cybersecurity. It's important that these acts and laws continue to be amended and grow, so that there is always protection of personal data.

Cite this page