Module‐02 - LPouliot/Soph-Spring-FOR-100-Digital-Forensics GitHub Wiki
Each group of maximum three has to choose a case from the list below and perform a search that describes:
- Brief about the case
- Law used and why
- What violation was performed
- Share your personal opinion about the law and whether there are any flaws in it
- List all the references used
Cybercrime Law Cases: Rite Aid (HIPAA, 2010)
In 2010, Rite Aid pharmacies were caught disposing of prescription medicine and labeled pill bottles carrying individuals’ personal information in public trash cans that were accessible to unauthorized people. Disposing of people's private health information in an industrial trash can accessible to anyone violates several requirements of the HIPAA Privacy Rule. Rite Aid and its associates agreed to pay $1 million to settle the potential compromises of privacy and information security.

HIPAA, the Health Insurance Portability and Accountability Act of 1996, “is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge” (CDC). Part of HIPAA is the “Privacy Rule,” which provides “Standards for Privacy of Individually Identifiable Health Information” (hhs.gov). Essentially, the HIPAA Privacy Rule protects an individual’s right to control who has access to their personally identifiable information, especially information related to their health. Rite Aid’s disposal of prescription medications in public trash cans risked exposing individuals’ names, addresses, and medications that they would otherwise not want exposed to unauthorized parties.

HIPAA is an incredibly important law that protects the right to privacy. Without it, individual health data could be used in ways that patients would not otherwise approve of (i.e., data selling). However, HIPAA, like most cyber privacy laws, has failed to keep up with the privacy concerns born out of the digital age. HIPAA does not specify rules and regulations that social media companies are required to follow, and thus many of these companies do not take serious measures to protect the personally identifiable information (PII) of their users.

Online healthcare providers are subject to HIPAA compliance; however, HIPAA does not outline the digital protection measures that should be taken. It only says that PII has to be protected somehow. This limitation is likely due to HIPAA having been written before the explosion of social media and online healthcare providers, and the law needs to be updated to be more secure.
Works Cited
Office for Civil Rights (OCR). “Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case.” HHS.gov, 28 June 2021, www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/rite-aid/index.html.

Office for Civil Rights (OCR). “Summary of the HIPAA Privacy Rule.” HHS.gov, 19 Oct. 2022, www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.

Anonymous. “Health Insurance Portability and Accountability Act of 1996 (HIPAA).” Centers for Disease Control and Prevention, 27 June 2022, www.cdc.gov/phlp/publications/topic/hipaa.html.

Ritchie, John Newman & Amy, and The Office of Technology. “Rite Aid Settles FTC Charges That It Failed to Protect Medical and Financial Privacy of Customers and Employees.” Federal Trade Commission, 28 Feb. 2019, www.ftc.gov/news-events/news/press-releases/2010/07/rite-aid-settles-ftc-charges-it-failed-protect-medical-financial-privacy-customers-employees.

Roth, Tanya. “Rite Aid Pays $1M to Settle HIPAA Privacy Policy Issue.” FindLaw, 5 Aug. 2010, www.findlaw.com/legalblogs/courtside/rite-aid-pays-1m-to-settle-hipaa-privacy-policy-issue/.
Research a Vermont (or other state) cybercrime law and prepare a 1-2 page summary discussing the statute. Include two types of common crimes where the statute could be utilized.
Cybercrime Law
For the state I would like to research, I have to pick my home state, Massachusetts. The small, but full-of-attitude, neighboring state of Vermont does have a vast number of laws that now apply to electronics. Some of these laws apply to organizations found in the state, which helps protect civilians and the people who work for these companies. Some honorable mentions include the Safeguards Regulation, the Agency Privacy Rules, and the Data Breach Notification Law. The Safeguards Regulation promotes standards for the protection of personal information for all Massachusetts residents; the Agency Privacy Rules apply to executive agencies in the Massachusetts state government, which are not bound by the Safeguards Regulation but rather by the stricter Agency Privacy Rules; and lastly, the Data Breach Notification Law requires anyone who is aware of a breach to contact OCABR (Massachusetts' Office of Consumer Affairs and Business Regulation). I find these laws very helpful, as they make companies more liable when they lose civilians’ personal information: they have to tell anyone who has subscribed to their business, or else they will face a lot of legal trouble.
For the law that will be mostly discussed in this paper, I would like to go over M.G.L. c. 265, s. 43, or Massachusetts General Laws, Part IV, Title I, Chapter 265, Section 43. In simpler terms, this is Massachusetts’s law on stalking, both the physical and electronic versions. The text first defines stalking as malicious conduct that can seriously annoy or alarm someone enough to cause fear or harm. There is also a specific section that is important to online security; the text states, “The conduct, acts or threats described in this subsection shall include, but not be limited to, conduct, acts or threats conducted by mail or by use of a telephonic or telecommunication device or electronic communication device including, but not limited to, any device that transfers signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo-electronic or photo-optical system, including, but not limited to, electronic mail, internet communications, instant messages or facsimile communications” (malegislature.gov). As the quote outlines, these threats extend to electronic mail, communication options on the internet, and any place on the internet where harm or harassment could be caused to the victim. This law also states that stalking is a felony, punishable by state prison for up to five years or a fine of a thousand dollars or less. If a victim ever finds themselves being harassed or stalked online, there is a downloadable criminal harassment document on the Massachusetts government’s website that can be printed out and used by anyone who needs it to file a complaint.

Criminal harassment in Massachusetts is defined as willfully and maliciously performing a pattern of acts over time directed at a specific person, which causes a great deal of damage and distress, so stalking, whether physical or online, counts as criminal harassment and can be filed or brought to court as such.
Works Cited
Anonymous. “Massachusetts: Cybersecurity | Insights | Dataguidance.” Massachusetts: Cybersecurity, Dec. 2021, www.dataguidance.com/opinion/massachusetts-cybersecurity.
malegislature.gov. “Section 43.” General Law - Part IV, Title I, Chapter 265, Section 43, 2024, malegislature.gov/Laws/GeneralLaws/PartIV/TitleI/Chapter265/Section43.
Mass.gov. “Cyber Crimes.” Mass.Gov, 2024, www.mass.gov/info-details/cyber-crimes.