Of course, protecting communications necessarily depends on the security of the systems used to transmit and store them. Drawing a rigid line between protecting systems and protecting communications might not always be useful or possible. That said, for our discussion, treating the protection of communications separately from the protection of systems illustrates how the Computer Fraud and Abuse Act, 18 U.S.C.§ 1030 (the "CFAA"), and the Electronic Communications Protection Act, 18 U.S.C. §§ 2510-22 and §§ 2701-12 (the "ECPA"), two critically important federal information security statutes, work together.
As discussed in the first article in this series, the primary thrust of the CFAA, with respect to private sector systems, is to prohibit access to protected computers without authorization or exceeding authorization, whether to obtain something of value or to damage systems or data. The primary concern of the ECPA is related, but distinct. The ECPA prohibits the unauthorized and unjustified interception, disclosure, or use of communications, including electronic communications[1]. In a situation in which a bad actor hacks into a corporate network and obtains access to sensitive email, the CFAA and the ECPA are both violated. But having discussed the CFAA in Article 1, our discussion of the legal framework for protecting communications will focus on the ECPA.
The link for this article located at SecurityFocus is no longer available.