Item Barcode: 33000000002925 | Call Number: KF1263.C65 K67 2017 | Material Type: Open Access Book | Item Category 1: Book | Status: On Order

A definitive guide to cybersecurity law

Expanding on the author's experience as a cybersecurity lawyer and law professor, Cybersecurity Law is the definitive guide to cybersecurity law, with an in-depth analysis of U.S. and international laws that apply to data security, data breaches, sensitive information safeguarding, law enforcement surveillance, combating cybercriminals, privacy, and many other cybersecurity issues. Written in an accessible manner, the book provides real-world examples and case studies to help readers understand the practical applications of the presented material. The book begins by outlining the legal requirements for data security, synthesizing the Federal Trade Commission's cybersecurity cases to provide the background of the FTC's views on data security. The book also examines data security requirements imposed by a growing number of state legislatures and private litigation arising from data breaches. Anti-hacking laws, such as the federal Computer Fraud and Abuse Act, the Economic Espionage Act, and the Digital Millennium Copyright Act, are discussed thoroughly, as is how companies are able to fight cybercriminals while ensuring compliance with the U.S. Constitution and statutes. Featuring an overview of the laws that allow coordination between the public and private sectors as well as the tools that regulators have developed to allow a limited amount of collaboration, this book also:

* Addresses current U.S. and international laws, regulations, and court opinions that define the field of cybersecurity including the security of sensitive information, such as financial data and health information

* Discusses the cybersecurity requirements of the largest U.S. trading partners in Europe, Asia, and Latin America, and specifically addresses how these requirements are similar to (and differ from) those in the U.S.

* Provides a compilation of many of the most important cybersecurity statutes and regulations

* Emphasizes the compliance obligations of companies with in-depth analysis of crucial U.S. and international laws that apply to cybersecurity issues

* Examines government surveillance laws and privacy laws that affect cybersecurity as well as each of the data breach notification laws in 47 states and the District of Columbia

* Includes numerous case studies and examples throughout to aid in classroom use and to help readers better understand the presented material

* Supplemented with a companion website that features in-class discussion questions and timely and recent updates on recent legislative developments as well as information on interesting cases on relevant and significant topics

Cybersecurity Law is appropriate as a textbook for undergraduate and graduate-level courses in cybersecurity, cybersecurity law, cyber operations, management-oriented information technology (IT), and computer science. This book is also an ideal reference for lawyers, IT professionals, government personnel, business managers, IT management personnel, auditors, and cybersecurity insurance providers.

JEFF KOSSEFF is Assistant Professor of Cybersecurity Law at the United States Naval Academy in Annapolis, Maryland. He frequently speaks and writes about cybersecurity and was a journalist covering technology and politics at The Oregonian, a finalist for the Pulitzer Prize, and a recipient of the George Polk Award for national reporting.

Table of Contents

About the Author - p. xv
Acknowledgment - p. xvii
About the Companion Website - p. xix
Introduction - p. xxi
1 Data Security Laws and Enforcement Actions - p. 1
1.1 FTC Data Security - p. 2
1.1.1 Overview of Section 5 of the FTC Act - p. 2
1.1.2 Wyndham: Does the FTC have Authority to Regulate Data Security under Section 5 of the FTC Act? - p. 5
1.1.3 LabMD: What Constitutes "Unfair" or "Deceptive" Data Security? - p. 9
1.1.4 FTC June 2015 Guidance on Data Security - p. 11
1.1.5 FTC Protecting Personal Information Guide - p. 14
1.1.6 Lessons from FTC Cybersecurity Complaints - p. 15
    Failure to Secure Highly Sensitive Information - p. 16
    Use Industry-Standard Encryption for Sensitive Data - p. 16
    Routine Audits and Penetration Testing are Expected - p. 17
    Health-Related Data Requires Especially Strong Safeguards - p. 18
    Data Security Protection Extends to Paper Documents - p. 19
    Business-to-Business Providers also are Accountable to the FTC For Security of Sensitive Data - p. 20
    Companies are Responsible for the Data Security Practices of Their Contractors - p. 22
    Make Sure that Every Employee Receives Regular Data Security Training for Processing Sensitive Data - p. 23
    Privacy Matters, Even in Data Security - p. 23
    Limit the Sensitive Information Provided to Third Parties - p. 24
    Failure to Secure Payment Card Information - p. 24
    Adhere to Security Claims about Payment Card Data - p. 24
    Always Encrypt Payment Card Data - p. 25
    Payment Card Data Should be Encrypted Both in Storage and at Rest - p. 26
    In-Store Purchases Pose Significant Cybersecurity Risks - p. 26
    Minimize Duration of Storage of Payment Card Data - p. 28
    Monitor Systems and Networks for Unauthorized Software - p. 29
    Apps Should Never Override Default App Store Security Settings - p. 29
    Failure to Adhere to Security Claims - p. 30
    Companies Must Address Commonly Known Security Vulnerabilities - p. 30
    Ensure that Security Controls are Sufficient to Abide by Promises about Security and Privacy - p. 31
    Omissions about Key Security Flaws can also be Misleading - p. 33
    Companies Must Abide by Promises for Security-Related Consent Choices - p. 33
    Companies that Promise Security Must Ensure Adequate Authentication Procedures - p. 34
    Adhere to Promises about Encryption - p. 35
1.2 State Data Breach Notification Laws - p. 36
1.2.1 When Consumer Notifications are Required - p. 37
    Definition of Personal Information - p. 37
    Encrypted Data - p. 38
    Risk of Harm - p. 39
    Safe Harbors and Exceptions to Notice Requirement - p. 39
1.2.2 Notice to Individuals - p. 40
    Timing of Notice - p. 40
    Form of Notice - p. 40
    Content of Notice - p. 41
1.2.3 Notice to Regulators and Consumer Reporting Agencies - p. 41
1.2.4 Penalties for Violating State Breach Notification Laws - p. 42
1.3 State Data Security Laws - p. 42
1.3.1 Oregon - p. 43
1.3.2 Rhode Island - p. 45
1.3.3 Nevada - p. 45
1.3.4 Massachusetts - p. 46
1.4 State Data Disposal Laws - p. 49
2 Cybersecurity Litigation - p. 51
2.1 Article III Standing - p. 52
2.1.1 Applicable Supreme Court Rulings on Standing - p. 53
2.1.2 Lower Court Rulings on Standing in Data Breach Cases - p. 57
    Injury-in-Fact - p. 57
    Broad View of Injury-in-Fact - p. 57
    Narrow View of Injury-in-Fact - p. 60
    Fairly Traceable - p. 62
    Redressability - p. 63
2.2 Common Causes of Action Arising from Data Breaches - p. 64
2.2.1 Negligence - p. 64
    Legal Duty and Breach of Duty - p. 65
    Cognizable Injury - p. 67
    Causation - p. 69
2.2.2 Negligent Misrepresentation or Omission - p. 70
2.2.3 Breach of Contract - p. 72
2.2.4 Breach of Implied Warranty - p. 76
2.2.5 Invasion of Privacy by Publication of Private Facts - p. 80
2.2.6 Unjust Enrichment - p. 81
2.2.7 State Consumer Protection Laws - p. 82
2.3 Class Action Certification in Data Breach Litigation - p. 84
2.4 Insurance Coverage for Cybersecurity Incidents - p. 90
2.5 Protecting Cybersecurity Work Product and Communications from Discovery - p. 94
2.5.1 Attorney-Client Privilege - p. 96
2.5.2 Work Product Doctrine - p. 98
2.5.3 Non-Testifying Expert Privilege - p. 101
2.5.4 Applying the Three Privileges to Cybersecurity: Genesco v. Visa - p. 102
3 Cybersecurity Requirements for Specific Industries - p. 105
3.1 Financial Institutions: Gramm-Leach-Bliley Act Safeguards Rule - p. 106
3.1.1 Interagency Guidelines - p. 106
3.1.2 Securities and Exchange Commission Regulation S-P - p. 109
3.1.3 FTC Safeguards Rule - p. 110
3.2 Financial Institutions and Creditors: Red Flag Rule - p. 112
3.2.1 Financial Institutions or Creditors - p. 116
3.2.2 Covered Accounts - p. 116
3.2.3 Requirements for a Red Flag Identity Theft Prevention Program - p. 117
3.3 Companies that use Payment and Debit Cards: Payment Card Industry Data Security Standard (PCI DSS) - p. 118
3.4 Health Providers: Health Insurance Portability and Accountability Act (HIPAA) Security Rule - p. 121
3.5 Electric Utilities: Federal Energy Regulatory Commission Critical Infrastructure Protection Reliability Standards - p. 127
3.5.1 CIP-003-6: Cybersecurity - Security Management Controls - p. 127
3.5.2 CIP-004-6: Personnel and Training - p. 128
3.5.3 CIP-006-6: Physical Security of Cyber Systems - p. 128
3.5.4 CIP-007-6: Systems Security Management - p. 128
3.5.5 CIP-009-6: Recovery Plans for Cyber Systems - p. 129
3.5.6 CIP-010-2: Configuration Change Management and Vulnerability Assessments - p. 129
3.5.7 CIP-011-2: Information Protection - p. 130
3.6 Nuclear Regulatory Commission Cybersecurity Regulations - p. 130
4 Cybersecurity and Corporate Governance - p. 133
4.1 Securities and Exchange Commission Cybersecurity Expectations for Publicly Traded Companies - p. 134
4.1.1 10-K Disclosures: Risk Factors - p. 135
4.1.2 10-K Disclosures: Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A) - p. 137
4.1.3 10-K Disclosures: Description of Business - p. 137
4.1.4 10-K Disclosures: Legal Proceedings - p. 138
4.1.5 10-K Disclosures: Examples - p. 138
    Wal-Mart - p. 138
    Berkshire Hathaway - p. 143
    Target Corp - p. 144
4.1.6 Disclosing Data Breaches to Investors - p. 147
4.2 Fiduciary Duty to Shareholders and Derivative Lawsuits Arising from Data Breaches - p. 150
4.3 Committee on Foreign Investment in the United States and Cybersecurity - p. 152
4.4 Export Controls and the Wassenaar Arrangement - p. 154
5 Anti-Hacking Laws - p. 159
5.1 Computer Fraud and Abuse Act - p. 160
5.1.1 Origins of the CFAA - p. 160
5.1.2 Access without Authorization and Exceeding Authorized Access - p. 161
    Narrow View of "Exceeds Authorized Access" and "Without Authorization" - p. 163
    Broader View of "Exceeds Authorized Access" and "Without Authorization" - p. 167
    Attempts to Find a Middle Ground - p. 169
5.1.3 The Seven Sections of the CFAA - p. 170
    CFAA Section (a)(1): Hacking to Commit Espionage - p. 172
    CFAA Section (a)(2): Hacking to Obtain Information - p. 172
    CFAA Section (a)(3): Hacking a Federal Government Computer - p. 176
    CFAA Section (a)(4): Hacking to Commit Fraud - p. 178
    CFAA Section (a)(5): Hacking to Damage a Computer - p. 181
    CFAA Section (a)(5)(A): Knowing Transmission that Intentionally Damages a Computer Without Authorization - p. 181
    CFAA Section (a)(5)(B): Intentional Access Without Authorization that Recklessly Causes Damage - p. 184
    CFAA Section (a)(5)(C): Intentional Access Without Authorization that Causes Damage and Loss - p. 185
    CFAA Section (a)(5): Requirements for Felony and Misdemeanor Cases - p. 186
    CFAA Section (a)(6): Trafficking in Passwords - p. 188
    CFAA Section (a)(7): Threatening to Damage or Obtain Information from a Computer - p. 190
5.1.4 Civil Actions under the CFAA - p. 193
5.1.5 Criticisms of the CFAA - p. 195
5.2 State Computer Hacking Laws - p. 198
5.3 Section 1201 of the Digital Millennium Copyright Act - p. 201
5.3.1 Origins of Section 1201 of the DMCA - p. 202
5.3.2 Three Key Provisions of Section 1201 of the DMCA - p. 203
    DMCA Section 1201(a)(1) - p. 203
    DMCA Section 1201(a)(2) - p. 208
    Narrow Interpretation of Section (a)(2): Chamberlain Group v. Skylink Technologies - p. 209
    Broad Interpretation of Section (a)(2): MDY Industries, LLC v. Blizzard Entertainment, Inc. - p. 211
    DMCA Section 1201(b)(1) - p. 215
5.3.3 Section 1201 Penalties - p. 217
5.3.4 Section 1201 Exemptions - p. 218
5.3.5 The First Amendment and DMCA Section 1201 - p. 224
5.4 Economic Espionage Act - p. 227
5.4.1 Origins of the Economic Espionage Act - p. 228
5.4.2 Criminal Prohibitions on Economic Espionage and Theft of Trade Secrets - p. 229
    Definition of "Trade Secret" - p. 230
    "Knowing" Violations of the Economic Espionage Act - p. 234
    Purpose and Intent Required under Section 1831: Economic Espionage - p. 234
    Purpose and Intent Required under Section 1832: Theft of Trade Secrets - p. 236
5.4.3 Civil Actions for Trade Secret Misappropriation: The Defend Trade Secrets Act of 2016 - p. 238
    Definition of "Misappropriation" - p. 239
    Civil Seizures - p. 240
    Injunctions - p. 241
    Damages - p. 241
    Statute of Limitations - p. 242
6 Public-Private Cybersecurity Partnerships - p. 243
6.1 U.S. Government's Civilian Cybersecurity Organization - p. 244
6.2 Department of Homeland Security Information Sharing under the Cybersecurity Act of 2015 - p. 245
6.3 Energy Department's Cyber-Threat Information Sharing - p. 249
6.4 Critical Infrastructure Executive Order and the National Institute of Standards and Technology's Cybersecurity Framework - p. 250
6.5 U.S. Military Involvement in Cybersecurity and the Posse Comitatus Act - p. 256
7 Surveillance and Cyber - p. 259
7.1 Fourth Amendment - p. 260
7.1.1 Was the Search or Seizure Conducted by a Government Entity or Government Agent? - p. 261
7.1.2 Did the Search or Seizure Intrude Upon an Individual's Privacy Interests? - p. 265
7.1.3 Did the Government have a Warrant? - p. 269
7.1.4 If the Government Did Not Have a Warrant, Did an Exception to the Warrant Requirement Apply? - p. 271
7.1.5 Was the Search or Seizure Reasonable under the Totality of the Circumstances? - p. 273
7.2 Electronic Communications Privacy Act - p. 275
7.2.1 Stored Communications Act - p. 276
    Section 2701: Third-Party Hacking of Stored Communications - p. 278
    Section 2702: Restrictions on Service Providers' Ability to Disclose Stored Communications and Records to the Government and Private Parties - p. 279
    The Cybersecurity Act of 2015: Allowing Service Providers to Disclose Cybersecurity Threats to the Government - p. 282
    Section 2703: Government's Ability to Force Service Providers to Turn Over Stored Communications and Customer Records - p. 284
7.2.2 Wiretap Act - p. 286
7.2.3 Pen Register Act - p. 290
7.2.4 National Security Letters - p. 291
7.3 Communications Assistance for Law Enforcement Act (CALEA) - p. 293
7.4 Encryption and the All Writs Act - p. 294
8 Cybersecurity and Federal Government Contractors - p. 299
8.1 Federal Information Security Management Act - p. 300
8.2 NIST Information Security Controls for Government Agencies and Contractors - p. 301
8.3 Classified Information Cybersecurity - p. 306
8.4 Covered Defense Information and Controlled Unclassified Information - p. 309
9 Privacy Laws - p. 317
9.1 Section 5 of the FTC Act and Privacy - p. 318
9.2 Health Insurance Portability and Accountability Act - p. 324
9.3 Gramm-Leach-Bliley Act and California Financial Information Privacy Act - p. 326
9.4 CAN-SPAM Act - p. 327
9.5 Video Privacy Protection Act - p. 328
9.6 Children's Online Privacy Protection Act - p. 330
9.7 California Online Privacy Laws - p. 332
9.7.1 California Online Privacy Protection Act (CalOPPA) - p. 332
9.7.2 California Shine the Light Law - p. 333
9.7.3 California Minor "Eraser Law" - p. 335
9.8 Illinois Biometric Information Privacy Act - p. 337
10 International Cybersecurity Law - p. 339
10.1 European Union - p. 340
10.2 Canada - p. 346
10.3 China - p. 350
10.4 Mexico - p. 353
10.5 Japan - p. 356
Appendix A Text of Section 5 of the FTC Act - p. 361
Appendix B Summary of State Data Breach Notification Laws - p. 369
Appendix C Text of Section 1201 of the Digital Millennium Copyright Act - p. 413
Appendix D Text of the Computer Fraud and Abuse Act - p. 425
Appendix E Text of the Electronic Communications Privacy Act - p. 433
Index - p. 485