Case study:

• The Fugitive:
  directed by Andrew Davis, starring Harrison Ford (1993)
  look for the scene when the hero retrieves medical records to trace the murderer (Sorry, no free download link available at this time!)
• The Sniffer vs. the Cybercrooks:
  part 1, part 2, part 3
  by Gary Rivlin (New-York Times) - July 2005

Topic notes

Relevant legal and regulatory documents:

• Computer Fraud and Abuse Act, as amended in April 1996(CFAA - 18 USC, section 1030)
  making attempted computer penetration used in interstate or foreign commerce or communications a federal crime
• Wire and Electronic Communications Interception, 18 USC, section 2510 and seq
  as amended in Oct 1986 (Electronic Communications Privacy Act)
  making eavesdropping on communications a federal crime (see also section 2701 and seq, extending the law to stored communications)
• Standard for Safeguarding Customer Information, 16 CFR 314, May 2002,
  rules mandated by the Gramm-Leach-Bliley Act (see chapter II-2 Marketing Campaigns)
• Sarbanes Oxley Act of 2002 (SOX Public Law 107-204) Jan 2002,
  requesting inter alii periodic reporting on internal controls of public companies.
  The relevant text is in section 404 (sections 802 and 1102 will be examined in chapter III-2 Disposing of Digital Information)
• disclosure required by sections 404, 406 and 407 of SOX (17 CFR 210, 228, 229, 240, 249, 270, 274) Oct 2002,
  proposed rule by the Securities and Exchange Commission (aka Rel 33-8138)

Further Help:

• from the SEC: list of SOX related rulemaking and reports
• from the University of Cincinnati College of Law:
  • a web friendly version of SOX, from its Securities Lawyer's Deskbook
  • a forum devoted to SOX
• from the UK Financial Services Authority: a report on Countering Financial Crime Risks in Information Security, Nov 2004
• from the National Institute of Standards and Technology: the home page of the Computer Security Resource Center
• from the CERT, a non for profit organization federally funded and hosted at Carnegie Mellon University, devoted to ensuring that appropriate technology and systems management practices are used to resist attacks on networked systems and to limiting damage and ensure continuity of critical services in spite of successful attacks, accidents, or failures: access to the CERT home page.
• from the The Information Systems Security Association (ISSA)®, a not-for-profit, international organization of information security professionals and practitioners: further reading on security related best practices and Generally Accepted Information Security Principles
• from the SANS, a cooperative research and education organization: the list of top twenty vulnerablities.

Note:

• the ISO 17799 Standard is an extremely thorough methodology for achieving information system security.
  It is quite relevant in the context of GLBA, HIPPA and SOX compliance, at least for large organizations.
  Unfortunately the standard itself is for sale. Due to wide variations in pricing and considering that ISO 17799 will be best implemented with external help from a competent consulting firm, the author declines to recommend any source.
  However the interested reader is referred to a free ISO 17799 preview by Praxiom Research Group Ltd, a proof of marketing acumen.