The Computer Security Act Of 1987: An Overview

computer security act of 1987

The Computer Security Act of 1987 was a United States federal legislation enacted in 1987 to improve the security and privacy of personal computer systems. It was designed to set forth minimal security standards for such computers and to protect from identity theft by requiring identity proof for passwords and credit card numbers. The Computer Security Act also sought to regulate access to protected information on personal computer systems. For example, it requires computer security software that can be used by any person who has access to a computer to install a security program that will prevent unauthorized removal or modification of data.

Two primary objectives of the computer security act were to provide guidelines for ensuring adequate protection of intellectual property and to promote international goodwill. The guidelines established by the act to provide for the protection of certain types of trade secrets, proprietary information, records of payment transactions, bank accounts, and other similar items. Protection is also provided for software that contains trade secrets or is protected by patents. This protects from unfair competition from other companies that may infringe upon your rights to protect the rights in your intellectual property.

Some Facts To Know

A sign on the side of a building

Part of the purpose of the act is to define the responsibilities and duties of providers of computer services and software. This section sets forth the obligations and duties of service providers with regard to security standards, computer security, privacy policy, and credit policy. Also included are guidelines for developing a plan to comply with the security standards. Also required is a statement that describes how the provider defines the terms of their security policy and is obtained from another supplier. It is important that all service providers take a policy statement very seriously because the failure to do so could result in a challenge under the Anti-Cyberspace Theft and Cybersecurity Protection Act of the 1988 Can-Do Act.

The Computer Security Policy Act was added by the Secretary of Education to the Security Policy Act. This is a very broad policy that is required to include all relevant policies and procedures regarding computer systems security. It is not as strong as the Department of Transportation’s” Aviation Security Policy” or Department of Transportation’s” Aviation Security Order.” Nevertheless, it does cover all of the aspects of computer systems security as directed by the Secretary.

There Are Two Branches Within The Act

A person sitting at a table using a laptop

Within this act there are two main branches: Federal and State. The Federal Security Agency is the Federal authority and the Department of Homeland Security is the State authority. Within the Federal Security Agency there are three main agencies; the National Security Agency, the Central Intelligence Agency, and the Federal Bureau of Investigation. Additionally, there are several smaller intelligence agencies that are part of the Department of Homeland Security.

The most important part of the computer security act is Section 100 235. This part authorizes the sharing of investigative information between Federal investigative agencies. Additionally, it permits disclosure to any other federal agency if either (a) the disclosure is for authorized identification purposes and (b) if any of the authorized users is a foreign nation. This section is also divided into two parts: (a) rule concerning notice of designation and (b) rule concerning statements.

The guidelines issued by the Secretary of Education regarding the enforcement of the anti-cybersecurity act are found in the CSAA Order of 2021. Although all of the guidelines were previously issued by the Federal Computer Security Compliance Act, the Order emphasizes that the CSAA does not rely on existing statutory definitions or interpretations of the Act. Moreover, all of the guidelines do not apply to the States unless those states affirmatively waive their rights in accordance with the statutory definitions found in theCSAA Order. In addition, the guidelines are intended to provide notice to businesses, consumers, and non-profit organizations of the federal government’s position on combating cyber threats and educating them on how to protect themselves against such threats.

Bottom Line

In short, the statutory language of the CSAA includes a number of definitions that are interpreted broadly in many ways. Consequently, it is very difficult to cite an exact list of what is covered by each and every word in the Act. It would be useful, however, to determine which specific types of information are to be protected by federal computer security standards, and then going beyond that list to determine what those standards should mean for particular types of information. Only when such an understanding exists will a company be in a position to properly determine whether its employees are acting appropriately in terms of the federal information systems regulations.

Subscribe to our monthly Newsletter
Subscribe to our monthly Newsletter