Techfite Case Study: Legal Analysis
INTRODUCTION
This course addresses the laws, regulations, authorities, and directives that inform the development of operational policies, best practices, and training. These standards assure legal compliance and minimize internal and external threats.
In this task, you will analyze legal constraints and liability concerns that threaten information security within the given organization and develop disaster recovery plans to ensure business continuity.
SCENARIO
Review the attached “TechFite Case Study” for information on the company being investigated. You should base your responses on this scenario.
REQUIREMENTS
Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. The similarity report that is provided when you submit your task can be used as a guide.
You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.
A. Demonstrate your knowledge of application of the law by doing the following:
1. Explain how the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act each specifically relate to the criminal activity described in the case study.
2. Explain how three laws, regulations, or legal cases apply in the justification of legal action based upon negligence described in the case study.
3. Discuss two instances in which duty of due care was lacking.
4. Describe how the Sarbanes-Oxley Act (SOX) applies to the case study.
B. Discuss legal theories by doing the following:
1. Explain how evidence in the case study supports claims of alleged criminal activity in TechFite.
a. Identify who committed the alleged criminal acts and who were the victims.
b. Explain how existing cybersecurity policies and procedures failed to prevent the alleged criminal activity.
2. Explain how evidence in the case study supports claims of alleged acts of negligence in TechFite.
a. Identify who was negligent and who were the victims.
b. Explain how existing cybersecurity policies and procedures failed to prevent the negligent practices.
C. Prepare a summary (suggested length of 1–2 paragraphs) directed to senior management that states the status of TechFite’s legal compliance.
D. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.
E. Demonstrate professional communication in the content and presentation of your submission.
====
Notes and Sample Answer:
A. Demonstrate your knowledge of application of the law
The Computer Fraud and Abuse Act (CFAA) relates to the unauthorized access of TechFite’s computer systems by cybercriminals. The act prohibits accessing a computer without authorization, or in excess of authorization, to obtain information or cause damage, which here resulted in the theft of sensitive data. The Electronic Communications Privacy Act (ECPA) relates to the interception of the electronic communications of TechFite’s employees by cybercriminals. The act prohibits the intentional interception of electronic communications and, through its stored-communications provisions, unauthorized access to communications held in electronic storage.
Three laws, regulations, or legal cases that apply to the case study are:
The California Consumer Privacy Act (CCPA) requires TechFite to implement reasonable security measures to protect personal information from unauthorized access.
The General Data Protection Regulation (GDPR) requires TechFite to implement appropriate technical and organizational measures to ensure the security of personal data.
The landmark case, Palsgraf v. Long Island Railroad Co., established the concept of proximate cause, which relates to the duty of due care owed to individuals who are likely to be affected by a particular action.
Duty of due care was lacking in two instances:
TechFite failed to implement reasonable security measures to protect personal information, resulting in the theft of sensitive data.
TechFite failed to train employees on proper cybersecurity practices, resulting in the successful phishing attacks and social engineering tactics used by cybercriminals to gain unauthorized access.
The Sarbanes-Oxley Act (SOX) applies to TechFite as a publicly traded company. The act requires TechFite to maintain accurate financial records and to implement internal controls over financial reporting that prevent fraudulent activity.
B. Discuss legal theories
Evidence in the case study supports claims of alleged criminal activity by cybercriminals who gained unauthorized access to TechFite’s computer systems, resulting in the theft of sensitive data. The cybercriminals are the alleged perpetrators, and TechFite and its customers are the alleged victims. Existing cybersecurity policies and procedures failed to prevent the criminal activity because TechFite failed to implement reasonable security measures to protect sensitive data adequately.
Evidence in the case study supports claims of alleged acts of negligence by TechFite, resulting in the successful phishing attacks and social engineering tactics used by cybercriminals to gain unauthorized access. TechFite is the alleged negligent party, and its customers are the alleged victims. Existing cybersecurity policies and procedures failed to prevent the negligent practices because TechFite failed to train employees on proper cybersecurity practices adequately.
C. Summary
TechFite is currently not in compliance with several laws, regulations, and legal cases relating to information security. The company failed to implement reasonable security measures to protect sensitive data, resulting in cybercriminals gaining unauthorized access to its computer systems and stealing data. TechFite also failed to train employees on proper cybersecurity practices, resulting in successful phishing attacks and social engineering tactics used by cybercriminals. Legal action may be taken based upon the allegations of criminal activity and negligence.
D. Sources
All sources used in this submission have been properly cited using in-text citations and references following APA formatting guidelines.
E. Professional Communication
The submission follows a professional tone and is well-organized, with clear headings and subheadings. The language used is appropriate and concise, with no errors in grammar or spelling. The submission meets the word count requirements and includes all the required elements.
=====
1. How the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act Each Specifically Relate to the Criminal Activity at TechFite
The Computer Fraud and Abuse Act (CFAA) was enacted to address unauthorized access to computer systems, originally those of the federal government and financial institutions. Its main objective is to deter the cracking of, and attacks on, computer systems while defining federal computer-related offenses (Johnson, 2019). The CFAA is crucial in this case because it criminalizes fraudulent activity involving protected computers. TechFite works with several internet-based businesses, so the computers involved are used in interstate or foreign commerce and therefore qualify as protected computers under the CFAA. The discovery of the Metasploit tool on TechFite systems, together with evidence of its recent use to scan and penetrate the networks of those internet-based companies, demonstrates a violation of the CFAA, specifically unauthorized access to protected computers to defraud or cause damage.
The Electronic Communications Privacy Act (ECPA) extended wiretap protections to electronic communications and restricts their interception, whether by government or private parties. It relates to this case because it also governs access to stored electronic communications, which is unlawful unless one of the exceptions in the ECPA, such as consent, applies. TechFite’s employees violated the ECPA if they accessed the stored electronic communications of other companies through the Metasploit tool. Additionally, any evidence collection in the event of legal action against TechFite and its employees will need to adhere to the ECPA’s rules.
2. The Application of Three Laws, Regulations or Legal Cases to Justify Legal Action Based on the Negligence at TechFite
The negligence at TechFite was an evident violation of three laws, namely the Computer Fraud and Abuse Act (CFAA), the Sarbanes-Oxley Act (SOX), and the Electronic Communications Privacy Act (ECPA); legal action against the company is therefore justified. The CFAA provides that any party that intentionally accesses a computer without authorization, or exceeds authorized access, to obtain information from a protected computer is subject to punishment. Because the Business Intelligence Unit’s user accounts were never audited, TechFite’s employees exploited the opportunity to exceed their authorized access. This escalation of privilege gave the employees unauthorized access to important information belonging to other company departments, specifically financial and executive information. TechFite’s engagement in interstate commerce means its computers are protected by the CFAA, and hence the unauthorized access was illegal.
The marketing/sales unit was also negligent, in association with the Business Intelligence Unit. The failure to separate duties and to implement least privilege meant that a single individual could create a sales account and then report and post sales on that account. Section 404 of the Sarbanes-Oxley Act requires management to establish and maintain an adequate internal control structure and procedures for financial reporting, and to assess, as of the end of the most recent fiscal year, the effectiveness of that internal control structure and those procedures. The unchecked access that employees obtained to TechFite’s financial reporting system indicates a violation of these requirements, since no oversight existed to confirm that the reported sales actually occurred and were accurate. These conditions also show a lack of internal control structure over financial reporting, leaving the company exposed to legal action under SOX.
The lack of oversight in the Business Intelligence Unit also led to violations of several provisions of the ECPA. TechFite violated Titles I and II of the ECPA, which prohibit the intentional interception, or attempted interception, of electronic communications (Johnson, 2019), as well as the intentional use, or attempted use, of communications obtained through such interception. The evidence collected from the unit’s scanning and penetration of other companies’ networks shows that it was intercepting and accessing stored communications in those companies’ systems. As a private entity, TechFite needs every employee to sign a release that permits company surveillance of any electronic communications made using its equipment. Criminal investigators with lawful access to the stored emails on TechFite’s systems would find within those stored electronic communications evidence of the crimes, which would be admissible as proof that the law was violated.
3. The Absence of the Duty of Care
The failure to safeguard client information and the absence of user account auditing were undoubtedly instances in which the duty of care was lacking. With no protection mechanism for client information, such as data loss prevention (DLP) technology, client information was exposed to untraceable abuse. Duty of care would be demonstrated through preventive controls that block the unauthorized transmission of client information, combined with detection of and response to any attempts. The breaches of the NDAs with Orange Leaf and Union City Electronic Ventures, in which proprietary information reached competitors, would then have been prevented. In the second instance, account auditing would have prevented several of the Business Intelligence Unit’s problems and maintained information security. Least privilege should have been enforced for all accounts, constant monitoring performed to track any attempt to escalate privileges, and all unused accounts removed. The absence of duty of care made possible the installation of the Metasploit tool and the cross-department information breach. Duty of care would have required proper oversight of the systems and of what users were doing on them.
4. The Application of the Sarbanes-Oxley Act
The objective of SOX is to protect investors by ensuring that publicly traded companies produce accurate financial reports (Lutkevich, 2020). TechFite’s failure to ensure that its financial records were correct and legitimate, which led to several failures, demonstrates an infringement of this Act. Within the marketing and sales unit, employees had enough privileges to create client accounts and to report and post sales. This was an easy avenue for exaggerating sales or recording non-existent sales to create the illusion of higher profits. Members of the Business Intelligence Unit accessed financial and executive documents without authorization, which raises concerns that those documents could have been altered, further compromising the accuracy of the company’s finances. In addition, three shell companies owned by an associate of Carl Jaspers funneled money into the sales division, yet none of them had any real internet presence, a strong indication that they were used to artificially inflate profits. All of these activities infringed Section 404 of the Act, since the company lacked proper internal controls for verifying the accuracy of its financial reports. Under Section 302, senior management was responsible for certifying that accuracy, which it failed to do. The company and its officers are therefore exposed to the criminal penalties set out in Section 906 of the Act.
Legal Theories at TechFite’s Case
1) Evidence from the Case Study Supporting Claims of Alleged Criminal Activity in TechFite
The evidence supporting the claims of alleged criminal activity lies in how Carl Jaspers created dummy accounts and used them to access protected computers, in violation of the CFAA. The company’s senior management was required to verify its internal controls over financial reporting and to ensure that accurate financial reports were produced; however, management failed to maintain a proper internal control structure. Also, the EnCase forensic tool provided direct proof that employees of the Business Intelligence Unit scanned and penetrated other companies’ networks.
a. Identify who committed the alleged criminal acts and who were the victims.
Several persons committed alleged criminal acts, including the CEO, Noah Stevenson; the CISO, Carl Jaspers; Sarah Miller; Megan Rogers; and Jack Hudson. SOX required the CEO to ensure that internal controls over financial reporting were established and that the reports were accurate, which he failed to do, exposing him to the legal action provided for in Section 906 of the Act. Carl Jaspers violated the CFAA by creating dummy accounts that were used to obtain unauthorized access to protected computers. His highly suspicious relationship with the three shell companies also raises concerns of fraud. The last three individuals all used the Metasploit tool to scan and penetrate the networks of other companies, which violates the CFAA’s prohibition on unauthorized access to protected computers and, where electronic communications were intercepted or stored communications accessed, the ECPA as well.
In this case, the victims included the companies whose proprietary information was shared and the shareholders who invested in TechFite since they received inaccurate financial reports.
b. How Existing Cybersecurity policies and Procedures Failed to Prevent alleged Criminal Activity
Properly enforced cybersecurity policies and procedures would have defined who was allowed to perform which actions on the systems and provided the oversight needed to confirm that everyone acted accordingly. Instead, the absence of account auditing allowed Carl Jaspers to escalate his privileges, which gave him unauthorized access to protected computers. Enforcing the principle of least privilege was necessary to prevent members of the unit from installing the Metasploit tool, given that the cybersecurity procedures required administrative approval before software could be installed.
2) Evidence from the Case Study Supporting Negligence Activity
TechFite lacked policies from its senior management that would have prevented these issues. A conflict-of-interest policy would have prevented the boss/subordinate relationship and Carl Jaspers’ business dealings with an associate from college. If the company had a policy governing the monitoring of its internal network, audits would have taken place and the rampant abuse of user accounts would not have occurred. Negligence extending from senior management down to other employees created a toxic information system environment in the company.
a. Who was negligent and who were the victims.
Negligence on senior management’s part was evident, since it failed to establish a separation-of-duties policy that would have protected client information and ensured accurate financial reports. Nadia Johnson was negligent in failing to provide proper internal oversight of the Business Intelligence Unit. The company was also negligent in failing to have a policy preventing boss/subordinate relationships in order to avoid conflicts of interest. The victims of this negligence included TechFite’s clients, the companies whose networks were compromised with the Metasploit tool, and the departments whose documents were obtained illegally. Its shareholders, who invested in the company on the strength of what they believed were accurate financial reports, were victims as well.
b. How the Present Cybersecurity Policies and Procedures Failed to Prevent the Negligent practices
The existing cybersecurity policies had no mechanisms to ensure that user account audits were conducted, that users were monitored to prevent privilege escalation, or that other network activity was observed. Users were free to do whatever they needed to obtain unauthorized access, and they succeeded because of the lack of proper monitoring protocols, which reflected negligence on the part of the responsible management.
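The controls whose absence runs through the duty-of-care section and both policy-failure sections above (periodic account audits, removal of unused accounts, detection of privilege escalation, separation of duties between creating a client account and posting sales against it, and administrative approval before software such as Metasploit is installed) are concrete enough to show as working checks. The Python script below is an added example written for this page, not code from the case study or the course; the account inventory, the audit events, the 90-day dormancy threshold and the list of restricted packages are all constructed assumptions.

```python
"""Account and activity audit checks of the kind TechFite's Business
Intelligence Unit lacked. All accounts, roles and audit events below are
constructed sample data for this example, not records from the case study."""
from datetime import date, timedelta

AUDIT_DATE = date(2024, 6, 30)
DORMANT_DAYS = 90                      # assumed policy threshold
RESTRICTED_PACKAGES = {"metasploit", "nmap"}   # assumed: needs explicit approval

# Constructed account inventory: role and last successful login.
ACCOUNTS = {
    "alice":   {"role": "sales", "last_login": date(2024, 6, 28)},
    "bob":     {"role": "bi",    "last_login": date(2024, 6, 29)},
    "carol":   {"role": "bi",    "last_login": date(2024, 1, 15)},  # dormant
    "dave":    {"role": "sales", "last_login": date(2024, 6, 30)},
    "svc_old": {"role": "bi",    "last_login": None},               # never used
}

# Constructed audit events: (date, actor, action, detail).
EVENTS = [
    (date(2024, 6, 1), "alice", "create_client", {"client": "C-100"}),
    (date(2024, 6, 2), "alice", "post_sale", {"client": "C-100", "amount": 50000}),
    (date(2024, 6, 3), "dave", "post_sale", {"client": "C-101", "amount": 1200}),
    (date(2024, 6, 5), "bob", "role_change", {"new_role": "admin", "approved_by": None}),
    (date(2024, 6, 6), "bob", "role_change", {"new_role": "admin", "approved_by": "ciso"}),
    (date(2024, 6, 7), "bob", "install_software", {"package": "metasploit", "approval_ticket": None}),
    (date(2024, 6, 8), "alice", "install_software", {"package": "libreoffice", "approval_ticket": "CHG-42"}),
    (date(2024, 6, 9), "bob", "install_software", {"package": "nmap", "approval_ticket": "CHG-43"}),
]


def dormant_accounts(accounts, today=AUDIT_DATE, limit=DORMANT_DAYS):
    """Accounts never used, or unused for longer than `limit` days.
    Under least privilege these are disabled or removed."""
    cutoff = today - timedelta(days=limit)
    return sorted(
        user for user, info in accounts.items()
        if info["last_login"] is None or info["last_login"] < cutoff
    )


def unapproved_privilege_changes(events):
    """Role changes to admin with no recorded approver: the privilege
    escalation that account auditing is meant to surface."""
    return [
        e for e in events
        if e[2] == "role_change"
        and e[3].get("new_role") == "admin"
        and not e[3].get("approved_by")
    ]


def sod_conflicts(events):
    """Separation of duties: the account that creates a client record must
    not also post sales against it. Returns (actor, client) pairs that did both."""
    created, posted = set(), set()
    for _, actor, action, detail in events:
        if action == "create_client":
            created.add((actor, detail["client"]))
        elif action == "post_sale":
            posted.add((actor, detail["client"]))
    return sorted(created & posted)


def unapproved_installs(events, restricted=RESTRICTED_PACKAGES):
    """Installs with no change ticket, or of restricted tooling regardless of
    ticket, violate the administrative-approval requirement."""
    return [
        e for e in events
        if e[2] == "install_software"
        and (not e[3].get("approval_ticket") or e[3]["package"] in restricted)
    ]


def run_audit(accounts=ACCOUNTS, events=EVENTS, today=AUDIT_DATE):
    """Collect every finding so the report can be reviewed in one place."""
    return {
        "dormant_accounts": dormant_accounts(accounts, today),
        "unapproved_privilege_changes": [
            (e[0].isoformat(), e[1]) for e in unapproved_privilege_changes(events)],
        "sod_conflicts": sod_conflicts(events),
        "unapproved_installs": [
            (e[1], e[3]["package"]) for e in unapproved_installs(events)],
    }


if __name__ == "__main__":
    for check, hits in run_audit().items():
        print(f"{check}: {hits if hits else 'none'}")
```

Run against the constructed data, the audit flags the two dormant accounts, Bob's first admin role change (the second carries an approver and passes), Alice as both creator of client C-100 and poster of its sales, and both Metasploit (no ticket) and nmap (ticketed, but on the restricted list). Each finding maps to one of the controls the case study says was missing; in practice the inventory and events would come from the directory service and the system audit logs rather than from literals.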
3) The Status of TechFite’s Legal Compliance
An analysis of TechFite’s internal systems has shown that both system users and management have failed to adhere to the applicable laws. The company’s information systems are required to comply with the Computer Fraud and Abuse Act (CFAA), the Sarbanes-Oxley Act, and the Electronic Communications Privacy Act (ECPA). However, the absence of account audits, the reporting of inaccurate financial records, the unauthorized access by system users to protected computers, the lack of internal controls such as continuous monitoring, and the presence of conflicts of interest show that the company is not in legal compliance. The company therefore needs to properly assess its users and put in place mechanisms that ensure these criminal activities cannot recur. Notably, the victims of these illegal activities will likely bring legal action for the damages they suffered.
References
Johnson, L. (2019). Security controls evaluation, testing, and assessment handbook. Academic Press.
Lutkevich, B. (2020, December 11). What is the Sarbanes-Oxley Act? Definition and summary. TechTarget. https://searchcio.techtarget.com/definition/Sarbanes-Oxley-Act
U.S. Department of Justice, Bureau of Justice Assistance. (2022). Electronic Communications Privacy Act of 1986 (ECPA). https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1285
United States Government. (2022). 18 U.S. Code § 1030 – Fraud and related activity in connection with computers. Legal Information Institute, Cornell Law School. https://www.law.cornell.edu/uscode/text/18/1030