General Sources
(see also "How to search, how to read Law" in the introduction)

• Subject specific:
  • The Department of Justice on computer crime
  • Useful links to Internet related legal documents from commercial sources:
    • BitLaw.com
    • Internet Attorney
    • West's Case Updates a West Legal Studies service from Thomson South Western
  • The Center for Democracy and Technology,
    a non-profit public policy organization dedicated to promoting the democratic potential of Internet
  • The Electronic Frontier Foundation, a non for profit advocacy organization devoted to the defense of privacy and other digital rights
  • The Electronic Privacy Information Center, a public interest research center focused on civil liberties and privacy issues
  • The Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization
  • Risk management from the perspective of the insurance industry
  • Overall Assessment on Current Threats from the perspective of the computer security industry
  
  
• Generic entry points:
  • about US law
    • The Government Printing Office, general entry point for all federal laws (and regulations), bills and more
    • The Office of the Federal Register, where to find all official updates to the laws (and regulations) of the land, by date of publication
    • The Library of Congress, where to track activity leading to future laws (and regulations) of the land
    • The official site on Regulations, a user-friendly way to search existing documents and formulate public comments
    • Massachusetts Trial Courts Law Libraries, where to find all official updates to the laws (and regulations) of Massachusetts
    • Cornell University Law School, linking to all laws, regulations and case decisions at both Federal and State levels.
    • FindLaw.com, linking to all laws, regulations and case decisions at both Federal and State levels.
    • Kathy Biehl's guide to law tracking resources
  • about International law
    • Canada
    • Europe
    • Home page of the European Commission on Data Protection
    • France (Warning: this site is in French - French codes are also available in English but beware of translation lags)
    • United Kingdom
  • about science: CiteSeer.IST, providing an entry point to the scientific literature.
  • about general knowledge: Wikipedia, a community-edited free encyclopedia, especially relevant in the present context for:
    • law (see for example computer law)
    • information technology (see for example Internet)
      .

I-1: Identity Theft

Relevant legal and regulatory documents:

US Federal Government
• Computer Fraud and Abuse Act, as amended in April 1996 (CFAA - 18 USC, section 1030)
  making attempted computer penetration used in interstate or foreign commerce or communications a federal crime
• CFAA statute analysis
• Federal Statute (18 USC, section 1028), as amended in October 1998
  making ID theft a federal crime (Identity Theft and Assumption Deterrence Act)
• Identity theft Enforcement and Restitution Act of 2008 (Sept 2008) (Public Law 110-326)
  strengthening and broadening the coverage of the Computer Fraud and Abuse Act, especially with respect to ID theft
• revised CFAA statute analysis, covering the 2008 amendments
• Real ID Act of 2005 (Public Law 109-13),
  mandating the states to upgrade the security of drivers' licences (see division B, Title II)
  .
  US States
• California disclosure law (aka SB 1386) Sept 2002, in case of a breach of security with the potential for ID theft
  for State agencies (see Civil Code section 1798.29) and businesses (see Civil Code section 1798.82)
• other relevant California law:
  • user friendly presentation
  • official guide to actual statutes
• MA General laws on ID theft
• list of all relevant state law, by state
  • official guide to actual statutes
    .
  Bills proposed at the Federal level
  • a bill introduced by Senator Feinstein on ID theft in April 2005 and ultimately buried in committee
  • also go check the Library of Congress for S.768, S.1326, S.1408, S1461, S.1789, H.R.3997 and H.R.4127 (109th congress)

Further Help:

• ID theft site of the Federal Trade Commission
• ID theft center, a nonprofit organization
• links useful for MA residents from the Commonwealth of Massachusetts
• Anti Phishing Working Group

I-2: Credit Fraud

Relevant legal, regulatory documents and industry standards:

US Federal Government
• the Fair Credit Reporting Act (FCRA - 15 USC section 1681 et seq), as amended in Oct 2001
• the Fair and Accurate Credit Transactions Act (Dec 2003) (Public Law 108-159) (FACTA)
• the Fair Credit Reporting Act (FCRA), as amended by FACTA, (all undated provisions were put in force during 2004)
  setting the responsabilities of the credit reporting agencies, their suppliers of information and their customers
• FCRA related rules:
  • for rules concerning the disposal of information, see chapter III-2 Disposing of Digital Information
  • rules issued on ID theft definition and proof of identity (16 CFR 603, 613, 614, Nov 2004)
  • rules for ID theft detection, i.e. Red Flag regulations (12 CFR 41, 222, 334, 364, 571, 717, 16 CFR 681, Oct 2007)
  • proposed interagency rule on Duties of Furnishers of Information (12 CFR 41, 222, 234, 571, 717, 16 CFR 660, Dec 2007)
  • amendment to the Red Flag Regulations (Public Law 111-319) Dec 2010
    exempting professional service providers such as lawyers and physicians
• the Gramm-Leach-Bliley Act (GLBA Public Law 106-102) Nov 1999
  the relevant text, title V, will be revisited in chapter II-2 Marketing Campaigns and chapter III-1 Protecting Digital Information
  for rules concerning the safeguarding of information, see chapter III-1 Protecting Digital Information
  .
  Bills proposed at the Federal level
  • a bill introduced by Senator Pryor on Consumer Report Security Freeze in June 2005 and ultimately buried in committee
  • also go check the Library of Congress for S.1408 (109th congress)
    .
  Payment Card Industry (PCI)
• Data Security Standard V2, October 2010
  (to be used under PCI SECURITY STANDARDS COUNCIL, LLC LICENSE AGREEMENT)
• Data Security Standard V1-1, as downloaded in 2006 from the site of the PCI Security Standards Council

PCI standard guidance documents and enforcement:

• the PCI Security Standards Council:
  the following documents have been downloaded in October 2006. Check the PCI Security Standards Council site for the latest updates.
  • Self assessment
  • Security scanning, using a third party compliant vendor
  • Annual audit, using a third party compliant assessor
  • Qualification process for approved scanning vendors
  • Technical and operational procedures to be followed by approved scanning vendors
• Visa: overview of the Cardholder Information Security Program (CICS) (downloaded from Visa)
• Mastercard: the Merchant Rules cover the security program in its chapter 5 (downloaded from MasterCard)

Further Help:

• the Federal Trade Commission:
  • rules, reports and useful links related to FCRA and FACTA
  • special user friendly subsite on the red flag rules
  • furnishers of information: obligations under FCRA
  • users of information: obligations under FCRA
  • consumer advice: how to get a free credit report
• the Privacy Rights Clearinghouse
• pro-consumer organization Consumers Union

I-3: Ambush Marketing

Relevant legal, regulatory documents and industry policies:

US Federal Law
• The Lanham Act, July 1946, trademark law as amended over the years and as incorporated into 15 USC, sections 1051-1129
• Anti-cybersquatting Consumer Protection Act, Nov 1999, buried inside Public Law 106-113 by reference to Bill S.1948, subsequently incorporated into 15 USC, sections 1125 and 1129
  .
  US Federal Courts
• 1-800 Contacts Inc. versus WhenU.com Inc. and Vision Direct Inc., a decision by the US court of appeal for the second circuit, June 2005,
  stating that referencing a website name as a search key does not constitute a "use" of the associated trademark as defined by the Lanham Act.
• Google versus GEICO, an opinion by the US district court for the Eastern District of Virginia, August 2005,
  stating that one may use trademarks as keywords without infringing in the placement of search engine ads
  .
  EU Institutions
• Google versus Louis Vuitton Malletier et alii, an opinion by an Advocate General at the European Court of Justice, September 2009,
  stating that European Law allows the use of trademarks as keywords in the placement of search engine ads
• Google versus Louis Vuitton Malletier et alii, a judgment of the European Court of Justice, March 2010,
  stating that European Law allows the use of trademarks as keywords in the placement of search engine ads
  but reminding third parties advertising goods in such a way and search service providers of potential liabilities
  .
  Internet Corporation for Assigned Names and Numbers
• ICANN Uniform Domain Name Dispute Resolution Policy, Aug 1999

Further Help:

• from Dr. Stephan Ott: Links and Law
  information about legal aspects of search engines, hyperlinks (surface and deep links), inline links and frames (Canada, EU, Germany, US)

II-1: Handling of Medical Records

Relevant legal and regulatory documents:

• Summary of Health Insurance Portability & Accountability Act (HIPAA)
• HIPAA statute, August 1996 (Public Law 104-191)
• The Privacy Rule, December 2000 (from the Federal Register) Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7, Part 8,
  .............background considerations precedes the text of the rule itself, which starts on page 38 of part 7
• Update to The Privacy Rule, August 2002 (from the Federal Register)
  .............background considerations precedes the text of the rule itself, which starts on page 86
• The Security Rule, February 2003 (from the Federal Register),
  .............background considerations precedes the text of the rule itself, which starts on page 42
• Improved Privacy Provisions and Security Provisions, in the American Recovery and Reinvestment Act of 2009 (February 2009)
  .............see subtitle D of title XIII, especially on data breach disclosure, duties of business associates and expanded patient rights
• Interim final Breach Notification Rule, taken in accordance with the previous act (August 2009) and retired by the following
• Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, January 2013
  (from the Federal Register), together with minor corrections, June 2013
  taking into account recent legislation (e.g. GINA as mentioned below) and field experience since initial enactment of HIPAA
  and implementing an increased level of patient privacy protection as mandated by the so called HITECH Act on Electronic Health Records
  .
• The Patient Safety and Quality Improvement Act, July 2005 (Public Law 109-041),
• Patient Safety and Quality Improvement Proposed Rule, February 2008 (42 cfr part 3),
• Patient Safety and Quality Improvement Final Rule, November 2008 (42 cfr part 3),
  to improve current practices by collecting information on medical errors while shielding care providers who volunteer the information
  .............background considerations precedes the text of the proposed rule itself, which starts on page 63
  .
• Genetic Information Nondiscriminatory Act, April 2008 (HR 493 - 110th Congress)
  banning use of genetic information to deny healthcare insurance or employment
  .

• New Hampshire Prescription Confidentiality Act, February 2006 (HB 1346),
  forbidding the use or transfer of physician prescriptions by pharmacists for marketing purposes
• IMS Health and Verispan v. Ayotte, opinion by the US Court of Appeals for the First Circuit, November 2008,
  affirming the constitutionality of said New Hampshire Prescription Confidentiality Act
• Sorrell v. IMS Health, US Supreme Court oral arguments over Vermont's enforcing similar restrictions, April 2011,
  disputing state rights to prevent pharmacies from selling physician prescription profiles compiled from their business records
• Sorrell v. IMS Health, US Supreme Court opinion over Vermont's enforcing similar restrictions, June 2011,
  denying Vermont the right to selectively prevent pharmacists from selling physicians' prescription data for marketing purposes
  .

Relevant guidance documents from the Health and Human Services Department:

• Initial Guidance provided on The Privacy Rule,
• Initial Guidance On The Security Rule: Overview, Technical, Physical, Procedural, Administrative Safeguards
• Uptodate guidance currently provided by the Department of Health and Human Services

Further Help:

• Center for Medicare and Medicaid Services
• American Medical Association,
• example of a patient rights declaration from Lahey Clinic (MA) (this link represents no sponsorship of Lahey Clinic by ePrio Inc. nor of ePrio Inc. by Lahey Clinic)
• the list of data breaches reported to the Department of Health and Human Services per the breach notification rule,
  indicating the variety of practical matters to which one needs to pay attention

Helpful note:

• Healthcare service providers who extend credit to "a person for expenses incidental to a service provided by the creditor to that person" are exempted from the so-called Red Flag regulations on ID theft detection.
  Free from the associated administrative burden, physicians and other providers will do well, nonetheless, to remember they are not unfortunately exempted from ID theft itself, especially in view of an increased reliance on Electronic Medical Records Systems.
  For more details on "Red Flags", look up section I-2 on Credit Fraud

II-2: Marketing Campaigns

Relevant legal, regulatory documents and bills under discussion:

US Federal Government
• the Telephone Consumer Protection Act (TCPA) (47 USC section 227) Dec 1991 with later amendment,
  restricting telemarketing practices by phone and fax
• FCC's regulations for TCPA, 47 CFR 64.1200, Jul 2003
• the Telemarketing and Consumer Fraud and Abuse Prevention Act (Public Law 103-297 - 15 USC section 6101) Jan 1994
• The Telemarketing Sales Rule (16 CFR 310), Jan 2003,
  FTC's regulations for TCFAPA introducing a Do Not Call National Registry
• for the Children's Online Privacy Protection Act (COPPA), see chapter II-3 International Data & Safe Harbors
• the Gramm-Leach-Bliley Act (GLBA Public Law 106-102) Nov 1999,
  policing the right of financial institutions to share customer data
• the Privacy of Consumer Financial Information rule (16 CFR 313) May 2000, issued by the FTC pursuant to GLBA
• CAN-SPAM Act of 2003 (Public Law 108-187), Dec 2003,
  restricting telemarketing practices by email, with special consideration given to pornography
• Definitions and Implementations Under the CAN-SPAM Act (16 CFR 316), Jan 2004, issued by the FTC pursuant to CAN-SPAM
• Junk Fax Prevention Act of 2005 (Public Law 109-21), Jul 2005 ,
  restricting telemarketing practices by fax
• FCC's regulations for TCPA and Junk Fax (47 CFR Part 64), Apr 2006
  weakening TCPA rule enforcement in compliance with the Junk Fax Act in the case of an "established business relationship"
  .
  US States
• California Shine the Light law (Cal. Civil Code 1798, sections 83-84) May 2003, aka SB 27, regulating list-based marketing
  .
  Bills proposed at the Federal level
  • A bill introduced by Senators Specter and Leahy in September 2005 (S1789 - 109th Congress) and ultimately buried in committee
    proposing to extend to all data brokers regulations similar to those currently applied to consumer credit report agencies
  • A draft circulated by Representative Rick Boucher in May 2010 (111th Congress)
    proposing measures to protect consumer privacy regarding the collection and aggregation of personal information

Relevant guidance documents from the Federal Trade Commission:

• Complying with the Telemarketing Sales Rule
• Agreement Containing Consent Order in the matter of Microsoft, file no. 012 3240, August 2002
  giving a plain English version of what the FTC considers a safe behavior for a company collecting consumer information:
  "establish and maintain a comprehensive information security program in writing that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. The security program must contain administrative, technical, and physical safeguards appropriate to [the company]'s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers."
• Possible Self-Regulatory Principles for Online Behavioral Advertising, December 2007
  published on the day of the decision allowing the acquisition of DoubleClick by Google
• Report on Self-Regulatory Principles for Online Behavioral Advertising, February 2009
  with update to proposed principals
• Guides Concerning the Use of Endorsements and Testimonials in Advertising, October 2009
  revised to take into account the rise of bloggers and word of mouth marketing
• Staff Recommendations for Smartphone Privacy, February 2012
  listing desirable practices for all companies working on the so-called "Mobile Technology"
• Data Brokers, a Call for Transparency and Accountability, May 2014
  advising the US Congress on how to improve the legal framework of the data brokerage industry

The National Do Not Call Registry

• Telemarketers entry page

Further help:

• from the US Department of the Treasury: operational guidance for the banking industry on telemarketing
• from the Federal Communications Commission: consumer information on fax advertising
• non for profit sources:
  • the Electronic Privacy Information Center, on California SB 27
• marketing industry associations: (warning: some of the best information is reserved to association members)
  • the Direct Marketing Association (see the Ethical Best Practices section)

II-3: International Data & Safe Harbors

Relevant legal and regulatory documents:

US Federal Government
• the Children's Online Privacy Protection Act (COPPA) (15 USC sections 6501-6506) Oct 1998,
  restricting data collection on children over the Internet without parental consent,
  establishing safe harbours to facilitate compliance
  (for COPA, see chapter III-3: Distributing Digital Information )
• FTC's regulations for COPPA, 16 CFR 312, Nov 1999
• FTC's amendments to COPPA rule, Dec 2012
  .
  EU Institutions
• European Directive 95/46/EC, Oct 1995,
  on the protection of individuals with regard to the processing of personal data and on the free movement of such data,
  with consequences for data transfers from Europe to the US
• Directive on privacy and electronic communications (EU 2002/58/EC), Jul 2002,
  which requires opt-in from targets of unsollicited direct marketing communications
• Directive amending the previous directive on privacy (EU 2009/136/EC), Nov 2009,
  with additional privacy protection measures
  .
  EU States
• La loi pour la Confiance dans l'Economie Numérique (Loi n°2004-575), Juin 2004,
  transposing the opt-in requirement of European directive 2002/58/EC into French law
• Loi n°2004-801, Août 2004, transposing European directive 95/46/EC into French law
• UK Data Protection Act 1998, July 1998, transposing European directive 95/46/EC into British law
• UK Privacy and Electronic Communications Regulations 2003, 2003, transposing European directive 2002/58/EC into British law
  amended in May 2011, in particular with respect to the use of cookies (see guidance by the Information Commissioner's Office)

Relevant guidance documents from

• European Institutions:
  • the European Commission entry point for all matters related to Data Protection
  • the the European Data Protection Supervisor:
    • home page
    • opinion on amending the European eprivacy directive (aka EU Directive 2002/58/EC) and related texts, Apr 2008
  • the European Article 29 Data Protection Working Party:
    • WP 90: Opinion on unsollicited communications for marketing purposes under EU Directive 2002/58/EC, Art. 13 (11601/EN) Feb 2004
    • WP 163: Opinion on online social networking, (01189/09/EN) Jun 2009
• French Government:
  • Mission d'expertise sur la fiscalité du numérique by Pierre Collin et Nicolas Colin, Jan 2013
    a white paper making a well argued case for a new tax on private data collection and usage (written in French)
    - Digital economy taxation - executive summary (English translation)

The Safe Harbor (a EU approved, US managed mechanism for data transfers, invalidated by the EU Court of Justice)

• US organization:
  • Overview
  • The 7 principles
  • How to join
• EU opinion
  • Oct 2004 report
  • Complaint form
• Invalidation of the Safe Harbor mechanism, a judgment of the European Court of Justice, Oct 2015,
  deciding case C-362/14 brought forward by Maximillian Schrems

The EU-US Privacy Shield (a new EU approved, US managed mechanism for data transfers to replace the prior, invalidated one)

• The context
• The decision (February 2016)
• The principles
• The US commitments

EU compliance outside the Safe Harbor

• Standard Contractual Clauses:
  • first set, C(2001) 1539, June 2001
  • first set for data processors, C(2001) 4540, Dec 2001
  • second set, C(2004) 5271, Dec 2004
• Binding Corporate Rules:
  • Definition WP 74, June 2003
  • Process WP 107, April 2005
  • Checklist WP 107, April 2005

II-4: Surveillance

Relevant legal and regulatory documents:

US Federal Government
• Foreign Intelligence Surveillance Statute, 50 U.S.C. 1801 and sequel
  compiling the original Foreign Intelligence Act of 1978 (Public Law 95-511)
  for the latest version, see the July 2008 amendments below
• Stored Communications Statute, 18 U.S.C. 2701 and sequel
  limiting legal access to communications stored by "communications" and "remote computing" service providers without user consent
  and compiling the original Stored Communication Act of 1986 (Public Law 99-508)
• Protect America Act of 2007, Aug 2007
  allowing warrantless surveillance of domestic communications with foreign correspondents
• FISA Amendements Act of 2008, Jul 2008, which received a five year extension through Public Law 112-238, Dec 2012
  granting legal protection to telecommunication service providers for their assistance in wiretapping
  and updating the Foreign Intelligence Surveillance Act of 1978 (see reference to 50 USC, 1801 and seq. above)
• opinion of the US Supreme Court, Jun 2010
  giving no general guidance on balancing employers' searches of employees' communications versus the latter's expectation of privacy,
  but deciding the case against the government employee by finding the contested review of his text messages reasonable
• opinion of the US Supreme Court, Jan 2012
  assimilating the use of GPS tracking by the police to a Fourth Amendment search, subject to the obtention and the terms of a warrant,
  thus reinforcing the protection offered by "a person's reasonable expectation of privacy".
• opinion of the US Supreme Court, June 2014,
  making it illegal for the police to search a cellphone without a warrant if there is no emergency
  .
  US States
• opinion of the Supreme Court of Ohio, December 2009,
  making it illegal for the police to search a cellphone without a warrant if there is no emergency
  a decision now superseded with a similar decision by the US Supreme Court
  .
  EU Institutions
• European Directive 2006/24/EC, March 2006,
  mandating the retention of communication-related data by phone and Internet public service providers

Further Help:

III-1: Protecting Digital Information

Relevant legal and regulatory documents:

• Computer Fraud and Abuse Act, as amended in April 1996 (CFAA - 18 USC, section 1030)
  making attempted computer penetration used in interstate or foreign commerce or communications a federal crime
• Wire and Electronic Communications Interception, 18 USC, section 2510 and seq
  as amended in Oct 1986 (Electronic Communications Privacy Act)
  making eavesdropping on communications a federal crime (see also section 2701 and seq, extending the law to stored communications)
• Standard for Safeguarding Customer Information, 16 CFR 314, May 2002,
  rules mandated by the Gramm-Leach-Bliley Act (see chapter II-2 Marketing Campaigns)
• on protection of customer information by the telecommunication industry, see chapter III-3 Distributing Digital Information
  the relevant text is in the Telecommunications Act of 1996, title V - section 702 (47 USC section 222)
• Sarbanes Oxley Act of 2002 (SOX Public Law 107-204) Jul 2002,
  requesting inter alii periodic reporting on internal controls of public companies.
  The relevant text is in section 404 (sections 802 and 1102 will be examined in chapter III-2 Disposing of Digital Information)
• disclosure required by sections 404, 406 and 407 of SOX (17 CFR 210, 228, 229, 240, 249, 270, 274) Oct 2002,
  proposed rule by the Securities and Exchange Commission (aka Rel 33-8138)
• Revised Auditing Standard on Internal Control over Financial Reporting (PCAOB Release No. 2006-007) Dec 2006,
  proposed by the Public Company Accounting Oversight Board to emphasize risk assessment and scalability in implementing SOX section 404
  The paragraphs on testing (par 41-52) and benchmarking (par B30-B35) are of special relevance to data protection.

Further Help:

• the Federal Trade Commission: resource page on the Safeguards Rule for financial institutions
• from the SEC:
  • list of SOX related rulemaking and reports
  • Further Relief From the Section 404 Requirements for Smaller Companies and Newly Public Companies
• from the Public Company Accounting Oversight Board: the announcement of PCAOB Release No. 2006-007
• from the University of Cincinnati College of Law:
  • a web friendly version of SOX, from its Securities Lawyer's Deskbook
  • a forum devoted to SOX
• from the UK Financial Services Authority: a report on Countering Financial Crime Risks in Information Security, Nov 2004
• from Princeton University: a report on Harvesting Encryption Keys, Feb 2008, by a research team lead by Prof Felten
• from the National Institute of Standards and Technology: the home page of the Computer Security Resource Center
• from the CERT, a non for profit organization federally funded and hosted at Carnegie Mellon University, devoted to ensuring that appropriate technology and systems management practices are used to resist attacks on networked systems and to limiting damage and ensure continuity of critical services in spite of successful attacks, accidents, or failures: access to the CERT home page.
• from the The Information Systems Security Association (ISSA)®, a not-for-profit, international organization of information security professionals and practitioners: further reading on security related best practices and Generally Accepted Information Security Principles
• from the SANS, a cooperative research and education organization: the list of top twenty vulnerablities and top twenty-five software errors.
• from the US Department of Homeland Security and the Information Technology Sector Coordinating Council , a cooperative organization of companies and associations concerned by IT security issues: a report on IT sector baseline risk assessment, Aug 2009.
• from the National Security Council (at the White House): the Comprehensive National Cybersecurity Initiative,
  the public version ( Mar 2010) of the federal strategy for protecting US computer systems (Jan 2008).

Note:

• the ISO 17799 Standard is an extremely thorough methodology for achieving information system security.
  It is quite relevant in the context of GLBA, HIPAA and SOX compliance, at least for large organizations.
  Unfortunately the standard itself is for sale. Due to wide variations in pricing and considering that ISO 17799 will be best implemented with external help from a competent consulting firm, the author declines to recommend any source.
  However the interested reader is referred to a free ISO 17799 preview by Praxiom Research Group Ltd, a proof of marketing acumen.

III-2: Disposing of Digital Information

Relevant legal and regulatory documents:

US Federal Laws and regulations
• FTC rule on disposal of consumer report information and records, 16 CFR 682, Nov 2004
  rule mandated by FACTA (see see chapter I-2 on Credit Fraud)
  .............background considerations precedes the text of the rule itself, which starts on page 32
• when relevant, disposal and retention policies should be considered in the context of:
  HIPAA's Security Rule and GLBA's Standard for Safeguarding Customer Information
• Sarbanes Oxley Act of 2002 (SOX Public Law 107-204) Jul 2002,
  requesting inter alii proper document retention and punishing document tampering and obstruction of justice.
  The relevant text is in sections 802 and 1102 (section 400 has been examined in chapter III-1 Protecting Digital Information)
• SEC rule on retention of audit and review records (17 CFR 210.2-06 aka SEC rule 2-06), Jan 2003,
• Records to Be Preserved by Certain Exchange Members, Brokers and Dealers (17 CFR 240.17a-4 aka SEC rule 17a-4), March 2003,
  .
  US Federal Courts
• Landmark decisions from the US District Court of Southern District New York on electronic document retention in case of litigation:
  Zubulake IV, Oct 2003 and Zubulake V, July 2004
• Amendments to the Federal Rules of Evidence approved by the US Supreme Court, April 2006
  settling the rules of e-discovery, effective December 1, 2006
• Rule 502 proposed by the Advisory Committee on Evidence Rules, Judicial Conference of the United States
  addressing the issue of privileged information caught in e-discovery, amended after comments (May 15, 2007)

Further Help:

• from the The Storage Networking Industry Association (SNIA): a non-profit trade association
• a quick tutorial on the new rules for e-discovery from Farella Braun + Martel LLP, a California law firm
• from NASD, a private-sector provider of financial regulatory services, Guidance Regarding the Review and Supervision of Electronic Communications, proposed jointly with the N.Y.S.E. for comments until July 13, 2007

III-3: Distributing Digital Information

Relevant legal and regulatory documents:

US Federal Government: copyright laws
• Copyright statutes, 17 USC, sections 101-1332, mainly based on the Copyright Act of 1976 (Public Law 94-553)
  as amended over the years including by the Digital Millennium Copyright Act (DMCA Public Law 105-304), Oct 1998
• Copyright protection and management systems, 17 USC chapter 12 (sections 1201-1205),
  preventing the circumvention of copyright protection systems as enacted through DMCA
• Current legislative activity in copyright law, compiled by the US Copyright Office
  .
  US Federal Government: copyright rules
• Rates and terms for webcasting, a decision by the Copyright Royalty Board (Mar 2007)
  .
  US Federal Government: decency laws
  (for information on legal challenges, see the Congressional Research Service report below)
• Communications Decency Act of 1996 (CDA Public Law 104-104) Feb 1996, embedded as title V of the Telecommunications Act of 1996
  partially struck down (see CRS report below) but, inter alia, shielding Internet service providers and users from liabilities stemming
  from third parties' postings and from "Good Samaritan" censorship (see section 509, 47 USC 230).
• Child Online Protection Act (COPA HR.3783, 105th Congress), Dec 1998, buried inside Public Law 105-277
  whose enforcement has been stayed permanently on issues of constitutionality (see ACLU versus Janet Reno below)
  (for COPPA, see chapter II-3: International Data & Safe Harbors)
• Children Internet Protection Act (Public Law 106-554) Dec 2000, buried as title XVII of an appropriation bill
  imposing decency filters on schools and libraries receiving federal funding, found constitutional by the US Supreme Court
• Protect Act (Public Law 108-21) Apr 2003,
  a fall back measure after parts of CDA were struck down by the Supreme Court (see CRS report below)
  .
  US Federal and State Courts: decency laws - the final word on constitutionality
• United Sates versus Williams, May 2008, in the US Supreme Court
  affirming the constitutionality of the Protect Act (see above)
  .
  US Federal and State Courts: decency laws - when do internet service providers lose immunity
• ACLU versus Janet Reno, Oct 2006, in the US District Court for the Eastern District of Pennsylvania
  a transcript of the first day of trial provided by the ACLU with the opening statements of both parties (see COPA above)
• Permanent injunction against the enforcement of COPA, Mar 2007, a decision by Lowell L. Reed, Jr. adjudicating the above case
• Barret versus Rosenthal, Nov 2006, a California Supreme Court opinion
  confirming the shielding provided by CDA to Internet service providers, including individuals, in regard to state law
• Fair Housing Council of San Fernando Valley... versus Roommates.com, May 2007, a US Court of Appeals (Ninth Circuit) ruling
  denying Internet service providers CDA shielding when they actively shape user-provided content, e.g. by supplying questionnaires to users
  .
  Bills proposed at the Federal level
  • a bill introduced by Representative Michael Fitzpatrick on policing Internet social networking sites and chat rooms in May 2006 and ultimately buried in committee

Further Help:

• from the U.S. Copyright Office, the US regulatory agency
  including this analysis of the Digital Millennium Copyright Act
• from the Congressional Research Service:
  a Status Report on Legislative Attempts to Protect Children from Unsuitable Material on the Web, Jul 2004
  summarizing the effects of the various legal challenges mounted against decency laws based on First Amendment rights

IV-1: Spamming

Relevant legal and regulatory documents: see chapter II-2: marketing

Further Help:

• from the SpamHaus Project:
  • the current list of top spammers
  • SBL, a list of IP addresses of verified spam sources
  • XBL, a list of IP addresses of compromised third parties
  • ROKSO, a list of current spamming operations
• from SPEWS, an anonymous anti-spam organization: multiple blacklists and other resources
• from LURHQ: a resource file to find open proxies

IV-2: Denial of Service

Relevant legal and regulatory documents: see chapter III-1: protecting digital information

Further Help:

• an initiative of the FTC against so called zombie networks:
  while this initiative explicitly targets spamming, zombie networks are commonly used in DOS attacks.
• from the Departement of Homeland Security: a fact sheet on Cyber Security,
  including the National Cyber Alert System operated by the United States Computer Emergency Readiness Team (US-CERT)
• from the Computer Security Resource Center: Computer Security Incident Handling Guide, Jan 2004
• from the CERT: Creating a Computer Security Incident Response Team: A Process for Getting Started, Aug 2002
• from Dave Dittrich, Senior Security Engineer and researcher at the Center for Information Assurance & Cybersecurity and the Information School (iSchool) at the University of Washington:
  resource page on DOS attacks
  similar resources are also available from his home page on relevant subjects from computer forensics to cyberwarfare
• from the Open Web Application Security Project: advice on testing for denial of service

IV-2b: Censorship

Relevant legal and regulatory documents:

US Federal Courts
• Verizon versus the FCC, a decision by the US court of appeal for the District of Columbia, January 2014,
  stating that the FCC has the right to regulate broadband communication carriers and demand transparency
  but that current anti-discrimation and anti-blocking rules are inconsistent with its considering broadband carriers not to be common carriers.

US Federal Government
• New Rule Making Proposal for an Open Internet, by the FCC, May 2014,
  compelling broadband carriers to transparently offer a base service meeting the openness criteria
  while freeing faster services from this requirement.

EU Institutions
• an opinion of the European Court of Justice Advocate General, June 2013,
  advising the Court to exempt the search engines from having to grant requests from individuals
  to delete references to personal information published legally by third-parties
• Google versus Mario Costeja González, a decision by the European Court of Justice, May 2014,
  stating that, in view of the right to forget, search engines must remove links to personal information
  whenever "inadequate, irrelevant or no longer relevant, or excessive" unless it is contrary to the preponderant interest of the general public.

Further Help:

IV-3: Copying

Relevant legal and regulatory documents:

International Treaties:
• The Berne Convention, as revised in 1971,
  an international treaty for the protection of literary and artistic works, ratified by the US(1989),
  the index itself providing an excellent introduction to the different types of rights involved
• The WIPO Copyright Treaty (WCT) adopted in Geneva, Dec 1996
  especially addressing the issues stemming from digital rights and digital rights management systems
  .
  US Federal law:
  • for copyright laws, see chapter III-3: distributing digital information
  
  .
  US Federal Courts:
  • Metro-Goldwyn-Mayer Studios Inc. et al. versus Grokster, Ltd., et al. in the Supreme Court
    file sharing over peer to peer networks
    • a summary of all the briefs presented on the case, prepared by Jonathan Band (Morrison and Foerster LLP)
    • 03/29/05 - the oral arguments
    • 06/27/05 - the decision against the defendants
  • Bilski et al. versus Kappos, [...] director, patent and trademark office, a US Supreme Court decision (June 2010)
    ruling out patentability of abstract ideas while leaving open patentability of business methods beyond the machine-or-transformation test
  • Viacom versus YouTube, a US District Court decision (June 2010)
    granting YouTube the benefit of the DMCA safe harbor clause against claims of infringement by YouTube users of Viacom copyrights,
    a decision later partly reversed on appeal by the US Second Circuit Court of Appeal
  • Kirtsaeng versus John Wiley, a US Supreme Court decision (March 2013)
    allowing legally acquired physical works to be freely imported and resold in the US under its copyright law first sale doctrine
  • ReDigi versus Capitol Records, a US District Court decision (March 2013)
    forbidding legally acquired digital files to be freely resold in the US under its copyright law first sale doctrine
  • WNET versus Aereo, a US District Court decision (April 2013)
    allowing public broadcasts to be freely recorded and retransmitted as a user service under US copyright law
    a decision reversed by the following
  • ABC versus Aereo, a US Supreme Court decision (June 2014)
    assimilating the Aereo service to a cable company subject to public performance licensing as imposed by US copyright law
  
  EU Institutions:
• Directive harmonizing the term of protection of copyright and certain related rights (EU 93/98/EEC), Oct 1993
• Directive harmonizing certain aspects of copyright and related rights (EU 2001/29/EC), May 2001
  together with this correction to the wording of a phrase
  .
  EU States:
• Loi no 2006-961 du 1er août 2006 relative au droit d'auteur et aux droits voisins dans la société de l'information
  transposing European Directive 2001/29/EC into French Law (loi DADVSI) and amending the "Code de la Propriété Intellectuelle"
  note: this code is downloadable in English from the French law portal (see General Sources) but this English version has not yet been updated.
• Projet de Loi votée le 12 Mai 2009 favorisant la diffusion et la protection de la création sur Internet (aka loi HADOPI)
  establishing a three step approach, two warnings and the suppression of Internet access, to combat illegal downloads
  Its main tool, Internet access suppression, has been invalidated by the following decision.
• Decision du Conseil Constitutionnel (2009-580 DC), 10 Juin 2009 declaring contrary to the French Constitution and the 1789 Declaration of the Rights of Man the process established by the HADOPI bill above to suppress the Internet access of those suspected of illegal downloads
• Loi no 2009-669 du 12 Juin 2009 favorisant la diffusion et la protection de la création sur Internet (aka loi HADOPI)
  removing the sections struck down by the French Constitutional Council (see above) and amending the "Code de la Propriété Intellectuelle"
• Projet de Loi voté le 22 Septembre 2009 relatif à la protection pénale de la propriété littéraire et artistique sur internet (aka loi HADOPI-2)
  reestablishing the penalty of Internet access suppression with better protection of the rights of the accused,
  amending law 2009-669 (see above) and the "Code de la Propriété Intellectuelle"
  note: both the HADOPI laws and the French Constitutional Council decision are in French.

Further Help:

• duration of copyright protection in the US: a summary by Lolly Gasaway (University of North Carolina)
• duration of copyright protection in Europe: an overview by the Project Gutenberg EU foundation,
  an offshoot of the Project Gutenberg, the oldest producer of free ebooks on the Internet (including sheet music)
• a worldwide view on copyright protection, by the Online Books Page (University of Pennsylvania)
• from the World Intellectual Property Organization, responsible for the application of the Berne Convention:
  its page on copyright and related rights

Disclaimers:

• Links to third party material may have become obsolete since publication.
• these links do not represent an endorsement of any organisation, public or private,
  and no compensation has been received nor sollicited by the author for their inclusion.
• the author is not a lawyer. While discussing matters arising from Federal and State laws and regulations, the opinions provided here are for general information only. As the need arises, any specific legal question must be directed to a lawyer with the proper training and qualification.