U.S. Federal Law
Following are some Sections of the United States Code (U.S.C.) that pertain to Information Security.
However, this is only a sampling and other Sections may also apply. A short abstract of each code Section
is given after each underlined heading. Click on the underlined heading to view the complete U.S.C.
Section. Consult with appropriate legal counsel for the latest U.S.C. updates if legal action is
15 U.S.C. § 6801, et seq.
Gramm-Leach-Bliley Act of 1999 (GLBA) (Public Law 106-102, 113 STAT 1338) —
Restricts the disclosure of nonpublic customer information by financial institutions.
All financial institutions must provide customers the opportunity to "opt-out" of the
sharing of the customers' nonpublic information with unaffiliated third parties.
The Act imposes criminal penalties on anyone who obtains customer information from a
financial institution under false pretenses. November 12, 1999.
18 U.S.C. § 1029.
Fraud and Related Activity in Connection with Access Devices —
Defines federal crimes related to counterfeit access devices, unauthorized access devices,
device-making equipment, telecommunications instruments that have been modified or altered to
obtain unauthorized use of telecommunications services, scanning receivers, etc.
18 U.S.C. § 1030.
Fraud and Related Activity in Connection with Computers (Computer Fraud and Abuse Act) —
Establishes federal penalties for fraudulent use of or unauthorized access to computer systems.
Unauthorized attempts to upload information or change information are prohibited and may be punishable
under this law. Amended October 26, 2001 by the USA Patriot Act (see below). 12 pages long.
18 U.S.C. § 1362.
Communication Lines, Stations, or Systems —
Prohibits the malicious injury or destruction of any radio, telegraph, telephone or cable, line, station, or system, or
other means of communication, operated or controlled by the United States, or used or intended to be used for military
or civil defense functions of the United States, etc.; violators shall be fined or imprisoned or both.
18 U.S.C. § 2511.
Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited —
This is but one section of the very large Chapter 119 — Wire and Electronic Communications Interception and
Interception of Oral Communications. Chapter 119 is 42 pages long and its subordinate Section 2511 is 8 pages long.
Click on the underlined Section 2511 heading to view all 42 pages of Chapter 119.
18 U.S.C. § 2701.
Unlawful Access to Stored Communications — Makes it a federal crime to intentionally access without
authorization a facility through which an electronic communication service is provided, or to intentionally exceed
an authorization to access that facility and thereby obtain, alter, or prevent authorized access to a wire or
electronic communication while it is in electronic storage in such system.
18 U.S.C. § 2702.
Voluntary Disclosure of Customer Communications or Records — Makes it a federal crime if
(1) a person or entity providing an electronic communication service to the public knowingly divulges to any person or entity
the contents of a communication while in electronic storage by that service; and (2) a person or entity providing remote
computing service to the public knowingly divulges to any person or entity the contents of any communication which
is carried or maintained on that service, etc.
18 U.S.C. § 2703.
Required Disclosure of Customer Communications or Records — A governmental entity may require the disclosure
by a provider of electronic communication service of the contents of a wire or electronic communication, that is in
electronic storage in an electronic communications system for 180 days or less, only pursuant to a warrant issued
using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued
using State warrant procedures) by a court of competent jurisdiction. etc.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) —
The privacy provisions of this federal law apply to health information created or maintained by health care providers
who engage in certain electronic transactions, health plans, and health care clearinghouses.
The Department of Health and Human Services issued the regulation,
"Standards for Privacy of Individually Identifiable Health Information,"
applicable to individuals and entities covered by HIPAA. December 28, 2000.
Electronic Signatures in Global and National Commerce Act (E-Sign Act) (Public Law 106-229) —
Allows the use of electronic signatures and electronic records in executing contracts. June 30, 2000.
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism (USA Patriot Act) Act of 2001 (Public Law 107-56) —
This large and complex Act was enacted a few weeks after and in response to the September 11, 2001,
terrorist attacks. Many of the act's provisions were to expire beginning 31 Dec 2005; however,
an update was signed into law by President George W. Bush on 9 and 10 Mar 2006. On 26 May 2011,
President Barack Obama signed a four-year extension of three key provisions in the act: roving wiretaps,
searches of business records (the library records provision), and conducting surveillance of lone
wolves linked to terrorist groups. 26 May 2011.
Sarbanes-Oxley Act of 2002 (SOX) (Public Law 107-204) —
Snuffs out fraud inside of publicly traded businesses by requiring expanded record-keeping rules and audit requirements.
This large and complex Act deeply impacts the controls, security, and IT infrastructure of public companies. Note that
SOX requires improved information security in all public companies — not just financial institutions and health care
organizations. July 30, 2002.
Federal Information Security Management Act of 2002 (FISMA) and E-Government Act of 2002 (Public Law 107-347) —
Establishes a framework for securing federal assets and information. Requires each agency to
develop, document, and implement an agency-wide information security (IS) program, including periodic tests
and evaluation of IS controls and techniques to assure its effectiveness. Defines FISMA
compliance as a priority to be audited by the highest levels of government. Applies to all
organizations that possess or use federal data, or that use or have access to federal information systems,
such as contractors, state governments, and other local governments. December 17, 2002.
Fair Credit Reporting Act (FCRA) (16 C.F.R. Part 600) — Sets forth legal
standards governing the collection, use, and communication of credit data
and certain other information about consumers. Amended 1996, 1997, 1998, 2001, and by the
Fair and Accurate Credit Transactions Act (FACTA) (Public Law 108-159) of December 4, 2003.
The FACTA includes many new provisions to prevent identity theft. It requires that account
numbers on credit card receipts be shortened or "truncated" to limit access to the full numbers.
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act of 2003)
(Public Law 108-187) —
Requires unsolicited commercial e-mail messages to include opt-out instructions and the sender's address,
and not to have deceptive subjects or false headers. Authorizes the FTC to have a "do-not-email"
registry. Pre-empts certain state laws on unsolicited commercial e-mail messages, but state
laws governing deception may not be pre-empted.
December 16, 2003.
Note: For a similar listing of federal laws, but from the viewpoint of a U.S. educational institution, click
here. April 5, 2012