1.5 Understand legal and regulatory issues that pertain to information security in a holistic context

  • Cyber crimes and data breaches
  • Licensing and Intellectual Property (IP) requirements
  • Import/export controls
  • Trans-border data flow
  • Privacy

There are multiple laws that cover cyber security, some of which were discussed in the previous section.

The most important laws in the United States are

  • The Privacy Act of 1974

  • The Computer Fraud & Abuse Act of 1986

  • The Electronic Communications Privacy Act of 1986

  • The Economic Espionage Act of 1996

  • The Identity Theft and Assumption Deterrence Act of 1998

  • The PATRIOT Act of 2001

  • The Homeland Security Act of 2002

  • The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003

  • The Intelligence Reform and Terrorism Prevention Act of 2004

  • Health Insurance Portability and Accountability Act (HIPAA)

  • Children’s Online Privacy Protection Act

  • The Right to Financial Privacy Act (RFPA)

The most important laws abroad are

  • The Council of Europe’s Convention on Cybercrime of 2001

  • The Computer Misuse Act of 1990 in the UK

  • The Information Technology Act of 2000 in India

  • The Cybercrime Act of 2001 in Australia

  • European Union General Data Protection Regulation (GDPR)

In the United States, all distribution of malware falls under the Computer Fraud & Abuse Act (18 U.S. Code § 1030).  This broad law covers most forms of computer abuse.

Specifically, section (5) states that whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; “ can be punished by imprisonment for up to ten years.

Note that the term “protected computer” is defined as

  • any computer that is used by a financial institution of the United States,

  • any computer that is used by the United States government, or

  • a computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

The federal government’s jurisdiction is limited to matters that affect financial institutions, the federal government, or interstate/foreign commerce.  The federal government does not have jurisdiction over crimes that occur within a single state (unless they involve a federal subject matter).

But note the following:

  • Due to the nature of the internet, some data will almost always travel between different states, even if the hacker and the victim are in the same state.  Thus, most computer crimes fall under federal jurisdiction and can be prosecuted by the federal government.  

  • In addition, Courts have held that provided the computer is “connected to the internet”, then it falls under the definition of “interstate or foreign commerce”, even if there was no proof that the Defendant used the computer to access the internet or used the internet to access the computer.  Practically every computer that is connected to the internet will download a software update that crosses state lines.

  • State and local governments typically don’t have the resources or experience to investigate/prosecute complex computer crimes and will refer such cases to the FBI.

  • An “air gapped” computer (one that is not connected to the internet, such as a control system for a power plant or industrial facility) can fall under the jurisdiction of the CFAA provided that it affects “interstate or foreign commerce”.

The Defendant must

  • Access the computer “without authorization”; or

    • Most courts have held that authorization is valid until it is revoked by the issuing party

    • A few courts have held that authorization could be considered invalid when the Defendant accesses the computer in a manner contrary to the interests of the authorizing party

  • “Exceed authorized access”

    • The authorizing party has prohibited the Defendant from accessing the computer for a specific purpose

    • The authorizing party did not expressly prohibit the Defendant from accessing the computer, but the Defendant acted contrary to the authorizing party’s interests

In general, Courts have drawn a distinction between accessing a computer without authorization (applies to outsiders) and exceeding authorized access (applies to insiders).

18 U.S.C. § 1030(a)(2) applies to keyloggers and other forms of spyware, if the Defendant

  • Intentionally accesses a computer without authorization; and

    • Access must be intentional

  • Obtains “information” from “any protected computer”

    • Information can be obtained even if the Defendant did not copy or download a file

18 U.S.C. § 1030(a)(5) applies to acts that damage a computer system or information

It is a felony to damage a computer system or information if

  • A loss of $5000 or more results

  • The medical care of a person is modified

  • Physical injury is caused

  • Public health or safety is affected

  • Systems used by the government for justice or national security are affected; or

  • Ten or more computers are damaged within a one-year period

Damage can occur

  • When the act impairs the integrity of the data (such as when the data is deleted or changed)

  • When the act affects the availability of the data (such as in a denial of service attack that brings a website offline)

  • When the victim must investigate to determine if the data bas been damaged (even if it is determined later that no files have been changed)

The loss amount can include

  • Cost to any victim

  • Cost of investigating the security breach

  • Cost of restoring the data and/or repairing the systems

  • Lost revenue

The National Information Infrastructure Protection Act amended the CFAA to do the following

  • Protect computer systems used in international commerce

  • Protect computers used by infrastructure like railroads, pipelines, and telecommunications

The Federal Information Security Management Act requires the government to implement an information security plan.  NIST or The National Institute of Standards and Technology develops guidelines for protecting information.  It requires agencies to

  • Perform regular risk assessments

  • Implement policies to reduce security risks

  • Implement plans to protect their networks and facilities

  • Provide security awareness training to their employees and contractors

  • Regularly test their information security policies

  • Plan, document, evaluate, and implement activities to correct deficiencies in their policies

  • Implement procedures to detect security incidents

  • Implement plans to ensure business continuity in the event of a disaster

The Federal Information Systems Modernization Act

  • Makes the Department of Homeland Security responsible for maintaining information security in the federal government

  • Defense security remains with the Department of Defense

  • Intelligence security remains with the Director of National Intelligence

The Cybersecurity Enhancement Act

  • Requires NIST to develop cybersecurity standards

The National Cybersecurity Protection Act

  • Requires the Department of Homeland Security to create a national cybersecurity center that provides a liaison between different federal agencies so that they can share security information

The Privacy Act of 1974

  • Prohibits the government from maintaining records for longer than necessary

  • Requires the government to disclose records that they hold on an individual to that individual upon request

Electronic Communications Privacy Act

  • This act is made up of three smaller acts

    • The Wiretap Act

      • Defines the types of communications that can be lawfully intercepted (public radio communications, emergency communications, satellite communications, etc. can be intercepted)

      • Makes it illegal to sell or advertise a device that can intercept a wire communication

      • A wiretap must be authorized by a federal judge; an application made to a federal judge must be approved by a Deputy Assistant Attorney General or higher

      • The application must state

        • A description of the offense that has been committed, a description of the person whose communications are being intercepted, and a description of the communications that are being intercepted

        • That other investigative procedures have been attempted and failed or that they are too dangerous

        • The length of time that the interception must take place

        • A list of all other applications for interceptions that have been filed and whether they were approved or denied

      • The application will be approved if

        • There is probable cause to show that an offense has been committed or will be committed

        • Evidence of the offense can be obtained through the interception

        • Normal investigative procedures have failed or are too dangerous

      • A wiretap order expires after thirty days

      • The interception must be conducted in a method that minimizes the interception of irrelevant communications.  Courts have created different methods for minimization.  For example,

        • Law enforcement can listen to all conversations, but can only record or keep communications that are relevant

        • Law enforcement can listen to the first part of each conversation, but can only continue listening or recording the conversation if the first part contains signs of criminal activity

        • Patterns of telephone use that indicate criminal activity

        • Use of code or cryptic language in the conversation may indicate the presence of criminal activity.

    • The Stored Communications Act

      • There are two types of service providers

        • A Remote Computing Service: “any service which provides to users thereof the ability to send or receive wire or electronic communications.”

        • An Electronic Communications Service: “the provision to the public of computer storage or processing services by means of an electronic communications system”

      • Any e-mail in storage for 180 days or less is considered an electronic communication and may only be disclosed

        • In response to a search warrant.

        • To the government when urgent disclosure is necessary to prevent the death or serious injury of a human

      • Disclosing e-mail metadata (e-mail addresses, time/date sent/received, etc.) does not require a warrant

      • Disclosure of e-mail content is not permitted through a civil subpoena

      • Many companies (such as Facebook, Twitter, etc.) have classified themselves as “electronic communications services” instead of “remote computing services” and are refusing to provide most “content” data through civil subpoenas.

    • The Pen Register and Trap and Trace Devices Statute

      • A pen register records the phone numbers that a user dialed, and the duration of each phone call.  It does not record the content of a phone call.

      • A law enforcement officer can apply to a court for a pen register if they can certify that the information to be obtained is relevant to a criminal investigation

      • A law enforcement officer can install and maintain a pen register without a court order if an emergency exists, but only for up to 48 hours, and must then apply for an order after the fact

Communications Assistance for Law Enforcement Act

  • Requires a telecommunication provider to assist the government with a wiretap. 

  • The communications provider must ensure that the technology that it uses allows communications to be intercepted.  The provider cannot make an excuse that they implemented technology that does not allow for wiretaps.

  • The provider is not responsible for decrypting communications that are encrypted by the customers

Economic Espionage Act

  • Changed the legal definition of theft by changing the definition of property to include proprietary economic information

  • This allows the government to prosecute the theft of information, not just physical objects

Health Insurance Portability and Accountability Act (HIPAA)

  • It defines Personal Health Information (PHI) as

    • An individual’s past, present or future physical or mental health or condition

    • The provision of healthcare to the individual

    • Payment for healthcare

  • PHI may not be disclosed except

    • To the government (to investigate fraud, for compliance, etc.)

    • To law enforcement if it will prevent the death or serious injury of a person

    • In response to a court order

    • To the patient’s healthcare provider

    • To the patient or patient’s authorized representatives

  • An organization that stores PHI must

    • Designate a privacy officer who is responsible for maintaining privacy policies

    • Install data safeguards

    • Implement a mitigation plan for disclosure of protected data

    • Accept complaints from individuals regarding the storage of data

    • Train all employees to protect PHI

Health Information Technology for Economic and Clinical Health Act

  • Updated HIPAA

  • A covered organization with Protected Health Information that has a business associate must govern the relationship with a Business Associate Agreement

  • Any health care information breach must be notified to the media and the Secretary of Health and Human Services when more than 500 people are affected

Children’s Online Privacy Protection Act

  • Websites must have a privacy notice that states

    • What information they collect

    • What they do with the information

    • Whether they disclose the information to third parties

    • Contact information for the operator of the website

  • Websites must provide parents with the opportunity to review information collected from their children, and request permanent deletion

  • Websites must require parents to consent to the collection of information from children under thirteen years old

The Fair Credit Reporting Act (FCRA), 15 USC § 1681

  • A consumer reporting agency (credit bureau) can only provide a credit report

    • To the consumer it relates to

    • In response to a court order

    • To a person who is evaluating a transaction with a consumer, to the consumer’s employer, to the consumer’s insurer, to the consumer’s investor, or for another legitimate business requirement

    • To determine child support payments

    • To the federal government if it relates to national security

  • An employer may not take any adverse action that relies on a credit report report without first providing the consumer with a copy of the report

  • A consumer has the right to obtain a copy of his report at no cost

Freedom of Information Act

  • Information held by federal government agencies is subject to public inspection in an electronic format

  • A person may apply to a government agency for access to records.  The agency must then search for the records.  The person may request specific records or request that the agency search for records that match specific keywords or circumstances.

  • The government does not disclose

    • Classified information

    • Trade secrets and financial information

    • Personnel and medical files

    • Law enforcement data that is considered private, that could hurt a Defendant’s right to a fair trial, that could compromise the identity of an informant, that could endanger a person, or that could disclose specific law enforcement techniques

    • Geological data

  • The federal government of Canada and some provinces in Canada have similar acts with similar names

The Right to Financial Privacy Act (RFPA), 12 USC § 3414.

  • In 1976, the Supreme Court found in United States v. Miller that financial institution customers had no legal right to privacy with respect to their financial records

  • As a result, the RFPA was passed

  • The law states that “no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described”

  • The government must provide the customer with advanced notice prior to obtaining the records, so that the customer can challenge the disclosure in court

  • Exceptions

    • Disclosure of records that do not identify a specific customer

    • Disclosures to the IRS

    • Emergency disclosures

    • Disclosures in the interest of national security

    • Disclosures in response to civil litigation

  • A financial institution could be any organization that issues credit, including

    • Depository institution (banks, thrifts, credit unions)

    • Money services business

    • Money order issuers, sellers and redeemers

    • Travelers check issuers, sellers and redeemers

    • U.S. Postal Service

    • Securities and futures industries

    • Futures commission merchants

    • Commodity trading advisor

    • Casino and card clubs

  • A financial institution has the legal obligation to disclose the following

    • Any kind of insider abuse of a financial institution

    • Federal crimes against, or involving transactions conducted through, a financial institution that the financial institution detects and that involve at least $5,000 if a suspect can be identified, or at least $25,000 regardless of whether a suspect can be identified

    • Transactions of at least $5,000 that the institution knows, suspects, or has reason to suspect involve funds from illegal activities or are structured to attempt to hide those funds

    • Transactions of at least $5,000 that the institution knows, suspects, or has reason to suspect have no business or apparent lawful purpose or are not the sort in which the particular customer would normally be expected to engage and for which the institution knows of no reasonable explanation after due investigation

Gramm-Leach-Bliley Act

  • A financial institution must safeguard the privacy of its customers

  • Financial institutions include companies that are engaged in

    • Lending, exchanging, transferring, investing for others, or safeguarding money or securities

    • Providing financial, investment or economic advisory services

    • Brokering loans

    • Servicing loans

    • Debt collecting

    • Providing real estate settlement services

    • Career counseling

  • Any information that is personally identifiable financial information is protected unless it is publicly available

  • A financial institution must provide each customer with a Privacy Notice

  • The notice contains

    • Categories of information collected

    • Categories of information disclosed

    • Categories of affiliates and non-affiliated third parties to whom the information is disclosed

    • Categories of information disclosed and to whom under the joint marketing/ service provider exception in section 313.13 of the Privacy Rule (see “Exceptions”).

    • Any disclosures required by the Fair Credit Reporting Act

    • Policies and practices for protecting the confidentiality and security of information

    • An “opt-out” notice explaining the individual’s right to not have their information shared; a reasonable way to opt out; and, a reasonable amount of time to opt out before the information is disclosed

  • The organization must safeguard data by

    • Designating an employee to maintain information security

    • Identify risks to security, confidentiality, and integrity of the information

    • Perform a risk assessment, which includes employee training, information systems, detecting intrusions

    • Install safeguards to prevent risks that were identified in the risk assessment and test or monitor those safeguards to ensure that they are functional


  • Provides additional power to law enforcement

  • Allows a law enforcement officer to obtain a wiretap order to monitor a person and then monitor any communications that that person has instead of having to obtain a wiretap order to monitor a specific telephone number.  This helps law enforcement because in the past, criminals could quickly change their telephone numbers to avoid detection.  By the time law enforcement obtained a wiretap order, the subject would have changed his number.

  • Authorizes law enforcement to obtain voicemail messages through the use of a search warrant, instead of a wiretap.  As discussed earlier, wiretaps are extremely difficult to obtain (even more difficult to obtain than search warrants).

  • Allows an ISP to disclose customer information without a warrant if there is an imminent threat.

  • Allows a court to order the use of a pen register nationwide.  Previously, a pen register could only be used in the jurisdiction of the court that issued the order.  If a law enforcement officer wanted to use a pen register effectively, he would have to obtain orders from courts in multiple jurisdictions.

  • Allows a law enforcement officer to serve a search warrant for electronic evidence nationwide instead of just the jurisdiction of the court that issued the warrant.

  • Modifies the definition of terrorism to include destruction of communication lines.

  • Requires the attorney general to set up computer forensic laboratories and provide training to federal, state, and local law enforcement.

  • Allows ISPs to provide detailed information about their users to the government without a warrant

The Homeland Security Act

  • Created the Department of Homeland Security

  • Merged many different government agencies into the Department of Homeland Security

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act

  • Gave the Federal Trade Commission the power to regulate commercial e-mail.  A commercial e-mail is one that advertises a product or service.

  • Each violation of the CAN-SPAM Act is subject to a fine of up to $43,792

  • The rules of the CAN-SPAM Act with respect to commercial e-mails

    • The To:, From:, and Reply-To: fields must be accurate

    • The subject line must be accurate

    • The message must be identified as an advertisement

    • The message must contain the physical address of the sender

    • The message must allow the recipient to opt out of future messages, and the sender must honour the opt out requests

The Intelligence Reform and Terrorism Prevention Act

  • Created the Director of National Intelligence

  • Updated security clearance requirements and procedures

  • Improved transportation security

  • Provided changes to immigration procedures

  • Improved border protection

  • Implemented recommendations made by the 9/11 commission

  • Requires US government agencies to share intelligence information

Family Educational Rights and Privacy Act

  • Applies to educational institutions that receive funding from the federal government

  • Requires them to protect the records of their students

  • Students have the right to inspect any records and the right to request records be corrected

  • A school cannot release personal information without consent

Identity Theft and Assumption Deterrence Act

  • Makes identity theft illegal

  • Prior to this act, a creditor was considered the victim of identity theft under the law, not the person whose identity was stolen

European Union Privacy Law

  • In the EU, you cannot obtain or process personal information unless you have

    • Consent

    • A contract

    • A legal obligation

    • A vital interest, or

    • A balance between the data holder’s rights and the data subject’s rights

  • A person has

    • The right to access the data

    • The right to know the source of the data

    • The right to correct inaccurate data

    • The right to refuse consent in some cases

    • The right to take legal action

When you collect data about a citizen of the EU and store it in another country, you must still comply with the EU’s law.  The USA and the EU have an agreement to protect American companies from prosecution for violating the EU’s privacy laws.  This is called Privacy Shield.

You will comply with Privacy Shield if

  • You inform individuals about the information you collect and inform them about their rights under the Privacy Shield

  • You provide the consumers with access to their data, respond to complaints within 45 days, and agree to an appeal process that has binding arbitration

  • You cooperate with the Department of Commerce in the United States

  • You only collect and retain personal information if it is for the purpose that you stated to the consumers

  • You ensure accountability for data transferred to third parties, and only transfer data for a limited purpose

  • You are transparent with enforcement actions that result from failing to comply with the Privacy Shield

  • You continue to comply with Privacy Shield for as long as you retain data

European Union General Data Protection Regulation (GDPR)

  • Much wider scope for protecting privacy

  • Applies to companies that are not located in the EU if they collect information about EU residents

  • Serious breaches of consumer data must be disclosed within 72 hours

  • Requires that different service providers cooperate to transfer consumer data at the request of that consumer (data portability).  For example, if you move from one insurance company to another, the two insurance companies must transfer your data at your request.

  • Contains the right to be forgotten – consumers have the right to have online service providers delete their personal data

The Council of Europe’s Convention on Cybercrime of 2001

  • 65 countries got together in Europe and signed a treaty

  • They agreed to change their laws to ensure that specific acts were illegal.  These include

    • Illegal access, illegal interception, data interference (i.e. hacking)

    • Making or selling hacking tools

    • Computer fraud

    • Computer Forgery

    • Copyright

  • They also agreed to implement specific frameworks

    • Ability to compel an ISP to monitor a subject’s internet activity

    • Cooperate with international investigations

The Computer Misuse Act of 1990 in the UK

  • Makes unauthorized access to a computer network illegal

The Information Technology Act of 2000 in India

  • Regulates electronic records and digital signatures

  • Makes unauthorized access to a computer network illegal

The Cybercrime Act of 2001 in Australia

  • Makes unauthorized access to a computer network illegal

  • Regulates search and seizure of electronic information

Intellectual property covers the protection of ideas.  Good businesses need to protect their intellectual property so that they can remain viable and competitive.

A copyright protects an original work such as

  • Books or other writing (literary works)

  • Music

  • Drama or plays

  • Choreographic work

  • A painting, photograph, or sculpture

  • Movies

  • Architectural works

Computer software is considered a literary work.  Copyright law protects the expression of an idea, not the idea itself.  For example, the general plotline of a romantic movie is not copyrightable, but script is.  When you create a copyrighted work, it is automatically protected under copyright law, even if you don’t register the work.  Of course, it is easier to prove that you are the owner if you obtain copyright registration.

The person who created a copyrighted work is the owner.  For example, the person who takes a photograph is the copyright holder of that photograph, not the person in the photograph. 

There is an exception for this, known as a work for hire.  If somebody hires you to create a copyrighted work for them, they might specify that it is a “work for hire”.  That means that the copyrighted work is belongs to the person who hired you.  If you work for a company, the works that you create at the company usually belong to your employer.  They want to make sure that if you come up with a great idea at work, you won’t run off with it. 

In the United States, copyrighted works belong to the owner for 70 years after the death of the last surviving author.  If the work is a work for hire or an anonymous work, it is protected for 95 years after the date it was first published.

The Digital Millennium Copyright Act or DMCA provides additional copyright protection

  • Makes it illegal under criminal law to remove copyright protection mechanisms such as Digital Rights Management

  • Makes ISPs and websites liable for copyrighted content posted by their users, unless they follow the DMCA process

    • The ISP must agree to remove any copyrighted works when notified by the copyright owner

    • The ISP must be in a position to control or profit from the copyright infringement

    • The ISP must not have posted the copyrighted works themselves

  • DMCA allows us to create back up copies of software for maintenance or other routine activities when the software is licensed

A Trademark protects logos and slogans that identify specific products, services, or companies.  For example, the Nike Swoosh symbol is protected by the trademark, but the design of the shoe is protected by copyright law.

A trademark is automatically protected when you create it, but it is better to obtain a trademark registration in case of a dispute.  You must be able to argue that your trademark is well recognized by consumers.  If you fail to protect your trademark from infringers, others can argue that you are no longer entitled to protection, even if you have a registered trademark.

It is recommended to use the TM symbol next to your trademark and the ® symbol next to a registered trademark.  This makes it harder for an infringer to argue that they did not realize you had a trademark.

You can apply to register a trademark with the United States Patent and Trademark Office.  The trademark office will search its database for similar trademarks and if none are found, will let you register your trademark.  It is possible for this process to take over a year.  When you register a trademark, you must list the types of products that will be protected.  For example, an auto manufacturer will not register a trademark to manufacture food products.

The trademark office will publish your proposed trademark prior to granting it.  This gives other people time to review and oppose your trademark if it is confusingly similar to theirs.  If another person files a dispute, then you will not be able to register the trademark until it is resolved in your favor.  If you own trademarks, you should check with the trademark office for pending registrations to verify whether any of them are confusingly similar to your own.  The trademark office doesn’t catch everything.

The trademark cannot describe the goods or their quality.  For example, you cannot register a trademark like “comfortable shoes”.

The United States has a reciprocal arrangement with the trademark offices of other countries.  That means that when you register your trademark in the United States, you can apply to have it automatically protected in many other countries.

The types of things you can trademark

  • A logo like the Nike Swoosh

  • A name like General Motors

  • A tone or sound like the Cisco WebEx music

  • A color such as the red on the bottom of a Christian Louboutin shoe.  The color of a product can only be trademarked if you can prove that it is not a functional element.  For example, you cannot trademark the color yellow if you are selling yellow reflective equipment, because competitors will not be able to use the yellow color, and the yellow color is necessary to make the equipment work.

A Patent provides protection for 20 years.  A patent protects an invention for up to 20 years.  The protection period starts when the invention is discovered.  You might discover the invention but not be able to manufacture or sell it for a long time.  You should file for patent protection right away.  Like trademarks, the patent office will search for similar patents before deciding whether to grant yours.

In the United States, the first person to discover the invention is the one who gets the patent.  In other countries, the first person to file the patent is the one who gets the patent.  The United States patent office has reciprocal arrangements with patent offices in other countries.  If you obtain a patent in the United States, it is easy to obtain the same protection in other countries.

In order to obtain the patent, the invention must meet the following requirements

  • It must be a new, original idea.

  • The invention must be useful.

  • The invention must not be obvious to others.  You must have a good idea that took some effort to discover.

The types of things that you can patent

  • Physical inventions

  • Manufacturing processes

  • Business processes

  • Software processes

  • Chemicals and pharmaceuticals

Once the patent is granted, it is published.  That means that anybody can see the details of your patent and copy it.  If somebody copies your patent, you can sue them, but you will have to be able to prove that their product infringed on your patent.  It is possible that they might change their product slightly so that it does not infringe on your patent but still steal your market share.  It is also possible that you won’t have enough money to sue them.

If you are a small business that discovers a great invention, a large company with brand recognition could steal your patent and sell the product under their trademark.  You might not have enough money to put up a fight, and you might not be able to find a lawyer who is willing to work for free.

A patent troll is a person who buys many patents (usually from bankrupt companies) with no intention of using them.  That person will wait until you have manufactured a product and sue you for infringing one of his patents.  The cost of settling with the patent troll might be lower than the cost of defending yourself against the troll.  The Supreme Court has ruled that the behavior of patent trolls is illegal because patents are designed to protect consumers through the encouragement of new inventions.  In other words, a patent is an incentive for people to create new inventions that benefit the public.

A Trade Secret is an idea that your business uses to obtain a competitive advantage.  An example of a trade secret is the recipe for Coca Cola.  Coca Cola would not obtain a patent on the recipe because it would be known to the public (anybody can copy it) and because it would expire after twenty years.  The recipe for Coca Cola is not protected by any kind of intellectual property law but might be protected by theft of property law.  That means that Coca Cola must take efforts to protect its trade secret through physical and digital security and through non-disclosure agreements.  Coca Cola limits the number of employees who have access to the recipe and requires them to sign Non-Disclosure Agreements so that they do not disclose the information.

Trade secrets are protected by the Economic Espionage Act of 1996, which punishes the theft of trade secrets by up to 10 years in prison.  A company must take efforts to protect its trade secrets.  If a company is negligent in protecting trade secrets, then they will not gain any protection from the law.

When you purchase software, you must accept a license.  The license is an agreement between you and the software publisher.  The license might limit

  • The use of the software (whether it can be used for commercial purposes and whether some purposes are prohibited).

  • The length of time that you can use the software.  You might purchase the software for use perpetually or for a limited time.

  • The number of times that you can use the software

  • The number of users that can use the software at a time

You should be careful to review the terms of the agreement so that you do not violate it.

In the United States, you cannot export software or computer equipment that could be used for military purposes without a license from the federal government.  The types of software and computer equipment that are covered is broad.

The International Traffic in Arms Regulations prohibits the export of items that are designed for use by the military.  The United States maintains a list of items on a Munitions List (22 CFR 121).  You must check the list and make sure that your product does not meet the definition of a product on the list before exporting it.  If it does, you must obtain a license prior to exporting it.  The following are considered munitions

  • Firearms, Close Assault Weapons and Combat Shotguns

  • Guns and Armament

  • Ammunition/Ordnance

  • Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines

  • Explosives and Energetic Materials, Propellants, Incendiary Agents, and Their Constituents

  • Surface Vessels of War and Special Naval Equipment

  • Ground Vehicles

  • Aircraft and Related Articles

  • Military Training Equipment and Training

  • Personal Protective Equipment

  • Military Electronics

  • Fire Control, Range Finder, Optical and Guidance and Control Equipment, Night Vision Goggles

  • Materials and Miscellaneous Articles

  • Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment

  • Spacecraft and Related Articles

  • Nuclear Weapons Related Articles

  • Classified Articles, Technical Data, and Defense Services Not Otherwise Enumerated

  • Directed Energy Weapons

  • Gas Turbine Engines and Associated Equipment

  • Submersible Vessels and Related Articles

  • Articles, Technical Data, and Defense Services Not Otherwise Enumerated

The Export Administration Regulations cover more items that have commercial use but could also be used by the military.  They are listed on the Commerce Control List.

Encryption is considered a munition and cannot be exported without a review by the federal government.  If your product contains encryption technology, you must submit your product for review (which lasts up to thirty days) before being allowed to export it.

The word “export” is subject to interpretation.  The courts have ruled that putting documentation on the internet or sending it through an e-mail can be considered an export.

We must also take into consideration where we store our data.  Remember that when we collect data, we are subject to the laws of the jurisdiction where we collected it, where we reside, and where we store it.  If those are three different jurisdictions, then we are subject to three different sets of laws.

  • The jurisdiction of the users who provided us with the data might not allow us to store or process the data in another jurisdiction.  For example, some provinces in Canada do not allow healthcare data to leave the country.

  • We may be required to obtain consent from the users prior to moving their data to another jurisdiction.

  • The jurisdiction where we store the data might protect the privacy rights of our customers.  They may want to access the data without due process.  This could put us in a situation where we are violating the laws of one country to comply with the laws of another.