Patrick's Hacking log

Hacking & computer security

ICT security related blog

››› Nihil timendum est

October 2011 - Week 43

Criminal Prosecution 2
Although courts have upheld the extraterritorial application of the CFAA, when cybercriminals perpetrate malicious acts in the United States from overseas, law enforcement agencies are often unable to investigate the perpetrators, apprehend them, and bring them to justice. 'The fundamental issue is that we have a law enforcement model that's geographically based, but there's no geography on the Internet,' explained Dan Kaminsky, a security expert with DoxPara Research. Since cybercriminals can quickly destroy forensic evidence of their malicious acts, the investigation of cybercrimes requires swift and decisive action by law enforcement agencies. United States law enforcement, however, may not be able to wiretap criminals overseas or conduct searches, seizures, or arrests without the close and timely cooperation of local authorities. The cooperation of local authorities varies widely from country to country and depends, for example, on the existence of a mutual legal assistance agreement between a particular foreign country and the United States. In the absence of a mutual legal assistance agreement, which makes assistance obligatory, American law enforcement agencies have to rely on letters rogatory to obtain evidence from a foreign country: a judicial procedure enabling one country to request judicial assistance from another on the basis of comity. The U.S. Justice Department warns, however, that this process may take a year or more and, even in urgent cases, will likely take more than a month. All this undermines the deterrent and retributional effects of federal criminal law with regard to domestic, and especially foreign, cybercriminals. To compensate for this, some academic authors suggest steeper penalties for online crimes. As discussed in the next Section, however, a better approach would be to focus primarily on the prevention of cybercrimes, with criminal prosecution and civil litigation playing an important but secondary role in ensuring online security.

The Role of Government Regulation and Private Legal Actions in Enforcing Information Security
The common theme of the criminal and civil cases discussed in Parts III and IV was the systematic failure of businesses, universities, and other organizations to follow sound information security policies and procedures, maintain an adequate level of information security, and protect their computer systems from unauthorized access by insiders, former employees, and malicious hackers located in the United States and abroad. Due diligence in maintaining information system security would have prevented most of these cybercrimes and made fraudulent transactions virtually impossible. As discussed above, market forces alone will likely be insufficient to ensure adequate security of online transactions. Government-mandated information security standards can help achieve this goal. Extensive government regulation of information security in financial institutions already plays a critical role in ensuring the safety of online financial transactions. Government regulation of information security, combined with private enforcement of government-mandated information security standards and vigorous prosecution of computer crimes, may be the optimal and cost-effective solution for improving the security of online transactions.
1. Enforcing Information Security Through Private Legal Actions Under Current Law
The threat of private actions by defrauded individuals and business organizations against negligent businesses and government agencies that failed to protect their confidential information may force organizations to treat information security issues seriously. In such actions, however, plaintiffs face multiple challenges. Usually the plaintiff has to show damages that resulted from the defendant's failure to provide adequate protection for the plaintiff's personal data. Also, in most cases losses from Internet crimes do not exceed one thousand dollars. Therefore, it is impractical for an individual plaintiff to sue a negligent party that failed to secure the plaintiff's personal information unless the plaintiff's damages resulted from a massive security breach and the plaintiff can bring her suit as a class action on behalf of all similarly affected individuals. Plaintiffs who attempt to bring such class actions, however, face numerous obstacles in pursuing their claims. For example, despite the global nature of the Internet, plaintiffs usually have to bring their class actions under state law, where differences in substantive law and choice-of-law rules across states may defeat the plaintiffs' attempts to certify their suits as nationwide class actions.

Written by James M. Sheehan, Special Agent in Charge, Criminal Division, FBI Los Angeles.