WGU C841 IHP4 Task 1: Legal Analysis of CFAA, ECPA, and
SOX Violations
Legal Issues in Information Security
C841
IHP4 Task 1: Legal Analysis
A1. CFAA and ECPA
Within the TechFite case study, there were many violations of the Computer Fraud and Abuse
Act (CFAA) and Electronic Communications Privacy Act (ECPA). The CFAA was violated by the
Business Intelligence (BI) Unit by setting up dummy user accounts to gain access to other groups
and units within TechFite outside its division, without proper authorization. Under the CFAA, a
person exceeds authorized access when he or she accesses a computer with authorization but
uses that access to get or alter information that he or she is not allowed to use or alter (Grama,
2020).
The ECPA was violated when it was discovered that the Metasploit tool was used on multiple
machines, and evidence on numerous hard drives also indicated that recent penetration and
scanning activity was done on several IP addresses linked to different internet-based companies.
The Electronic Communications Privacy Act (ECPA) sets out the rules for access, use, disclosure,
and interception of stored electronic communications. Electronic communications include
telephone, cell phones, computers, email, faxes, and texting. Under the ECPA, no one may
access the contents of these communications unless it is allowed somewhere else in the ECPA.
The law has different rules for the government and for private entities (Grama, 2020).
A2. Three Laws
1. The absence of account auditing led to the creation of two accounts for employees who
no longer worked for the company. These accounts were used for unauthorized access
to workstations and also accessed information in other departments. This violates the
CFAA, as under the CFAA, essentially any computer that connects to the internet is a
protected computer because the internet facilitates commerce between different states
(Grama, 2020).
2. The absence of internal auditing led to the installation and use of unauthorized
software, Metasploit. This software is used for system penetrations and network
reconnaissance, which Miller, Rogers, and Hudson use to scan other companies’
networks. This is a clear violation of the ECPA, which protects electronic
communications from unauthorized interception, access, and disclosure.
3. The absence of oversight led to the creation of three clients that may not be actual, real
clients, but may simply be conduits for moving money into TechFite’s sales figures for
the division. This violates SOX as corporate officers are supposed to maintain accurate
financial record-keeping and reporting.
A3. Duty of Due Care
In the TechFite case study, there were several instances in which the duty of due care was
lacking. The first instance involved the principle of least privilege. Within the BI Unit, the
principles of least privilege and separation of duties were not enforced. Every workstation and
computer had full administrative rights. In the marketing/sales unit associated with the BI Unit,
the same person can create customers (clients), report sales, and post sales on the system.
There is no IT segmentation or separation between the two units—data or applications. Each
unit has complete visibility and access to the other.
The second instance was the failure to safeguard sensitive and proprietary
information belonging to existing, potential, and previous clients. There was no evident plan
to keep different clients’ information segregated from each other or to employ a Chinese wall
methodology.
A4. SOX
The TechFite case had several violations of the Sarbanes-Oxley Act (SOX). The SOX Act, passed
by Congress in 2002, is under the Public Company Accounting Reform and Investor Protection
Act. It was passed in response to corporate scandals such as Enron, WorldCom, and Adelphia
(Grama, 2020). This law was designed to protect investors by ensuring that publicly traded
companies, like TechFite, gave accurate and reliable accounting reports.
The TechFite client database was audited, which had never been done before. The audit found
that most of the clients are well-known companies in the Internet arena. The businesses that
were not immediately recognized online were researched. All but three came up as legitimate
companies in the Internet field. These three organizations—Bebop Software of Alberta, FGH
Research Group of Indiana, and Dazzling Comet Software of Florida—had no Internet presence.
Further investigation revealed they were all incorporated in Nevada. The registered agent for all
three corporations was Yu Lee, who attended graduate school with Carl Jaspers, Head of the
Application Division, at Stanford University.