Cybersecurity law

Where to find it

Law Library — 2nd Floor Collection (2nd floor)

Call Number
KF1263.C65 K67 2017
Status
Available

Summary

A definitive guide to cybersecurity law

Expanding on the author's experience as a cybersecurity lawyer and law professor, Cybersecurity Law is the definitive guide to cybersecurity law, with an in-depth analysis of U.S. and international laws that apply to data security, data breaches, sensitive information safeguarding, law enforcement surveillance, cybercriminal combat, privacy, and many other cybersecurity issues. Written in an accessible manner, the book provides real-world examples and case studies to help readers understand the practical applications of the presented material. The book begins by outlining the legal requirements for data security, which synthesizes the Federal Trade Commission's cybersecurity cases in order to provide the background of the FTC's views on data security. The book also examines data security requirements imposed by a growing number of state legislatures and private litigation arising from data breaches. Anti-hacking laws, such as the federal Computer Fraud and Abuse Act, Economic Espionage Act, and the Digital Millennium Copyright Act, and how companies are able to fight cybercriminals while ensuring compliance with the U.S. Constitution and statutes are discussed thoroughly. Featuring an overview of the laws that allow coordination between the public and private sectors as well as the tools that regulators have developed to allow a limited amount of collaboration, this book also:

* Addresses current U.S. and international laws, regulations, and court opinions that define the field of cybersecurity including the security of sensitive information, such as financial data and health information

* Discusses the cybersecurity requirements of the largest U.S. trading partners in Europe, Asia, and Latin America, and specifically addresses how these requirements are similar to (and differ from) those in the U.S.

* Provides a compilation of many of the most important cybersecurity statutes and regulations

* Emphasizes the compliance obligations of companies with in-depth analysis of crucial U.S. and international laws that apply to cybersecurity issues

* Examines government surveillance laws and privacy laws that affect cybersecurity as well as each of the data breach notification laws in 47 states and the District of Columbia

* Includes numerous case studies and examples throughout to aid in classroom use and to help readers better understand the presented material

* Supplemented with a companion website that features in-class discussion questions and timely and recent updates on recent legislative developments as well as information on interesting cases on relevant and significant topics

Cybersecurity Law is appropriate as a textbook for undergraduate and graduate-level courses in cybersecurity, cybersecurity law, cyber operations, management-oriented information technology (IT), and computer science. This book is also an ideal reference for lawyers, IT professionals, government personnel, business managers, IT management personnel, auditors, and cybersecurity insurance providers.

JEFF KOSSEFF is Assistant Professor of Cybersecurity Law at the United States Naval Academy in Annapolis, Maryland. He frequently speaks and writes about cybersecurity and was a journalist covering technology and politics at The Oregonian, a finalist for the Pulitzer Prize, and a recipient of the George Polk Award for national reporting.

Contents

  • About the Author p. xv
  • Acknowledgment p. xvii
  • About the Companion Website p. xix
  • Introduction p. xxi
  • 1 Data Security Laws and Enforcement Actions p. 1
  • 1.1 FTC Data Security p. 2
  • 1.1.1 Overview of Section 5 of the FTC Act p. 2
  • 1.1.2 Wyndham: Does the FTC have Authority to Regulate Data Security under Section 5 of the FTC Act? p. 5
  • 1.1.3 LabMD: What Constitutes "Unfair" or "Deceptive" Data Security? p. 9
  • 1.1.4 FTC June 2015 Guidance on Data Security p. 11
  • 1.1.5 FTC Protecting Personal Information Guide p. 14
  • 1.1.6 Lessons from FTC Cybersecurity Complaints p. 15
  • 1.1.6.1 Failure to Secure Highly Sensitive Information p. 16
  • 1.1.6.1.1 Use Industry-Standard Encryption for Sensitive Data p. 16
  • 1.1.6.1.2 Routine Audits and Penetration Testing are Expected p. 17
  • 1.1.6.1.3 Health-Related Data Requires Especially Strong Safeguards p. 18
  • 1.1.6.1.4 Data Security Protection Extends to Paper Documents p. 19
  • 1.1.6.1.5 Business-to-Business Providers also are Accountable to the FTC For Security of Sensitive Data p. 20
  • 1.1.6.1.6 Companies are Responsible for the Data Security Practices of Their Contractors p. 22
  • 1.1.6.1.7 Make Sure that Every Employee Receives Regular Data Security Training for Processing Sensitive Data p. 23
  • 1.1.6.1.8 Privacy Matters, Even in Data Security p. 23
  • 1.1.6.1.9 Limit the Sensitive Information Provided to Third Parties p. 24
  • 1.1.6.2 Failure to Secure Payment Card Information p. 24
  • 1.1.6.2.1 Adhere to Security Claims about Payment Card Data p. 24
  • 1.1.6.2.2 Always Encrypt Payment Card Data p. 25
  • 1.1.6.2.3 Payment Card Data Should be Encrypted Both in Storage and at Rest p. 26
  • 1.1.6.2.4 In-Store Purchases Pose Significant Cybersecurity Risks p. 26
  • 1.1.6.2.5 Minimize Duration of Storage of Payment Card Data p. 28
  • 1.1.6.2.6 Monitor Systems and Networks for Unauthorized Software p. 29
  • 1.1.6.2.7 Apps Should Never Override Default App Store Security Settings p. 29
  • 1.1.6.3 Failure to Adhere to Security Claims p. 30
  • 1.1.6.3.1 Companies Must Address Commonly Known Security Vulnerabilities p. 30
  • 1.1.6.3.2 Ensure that Security Controls are Sufficient to Abide by Promises about Security and Privacy p. 31
  • 1.1.6.3.3 Omissions about Key Security Flaws can also be Misleading p. 33
  • 1.1.6.3.4 Companies Must Abide by Promises for Security-Related Consent Choices p. 33
  • 1.1.6.3.5 Companies that Promise Security Must Ensure Adequate Authentication Procedures p. 34
  • 1.1.6.3.6 Adhere to Promises about Encryption p. 35
  • 1.2 State Data Breach Notification Laws p. 36
  • 1.2.1 When Consumer Notifications are Required p. 37
  • 1.2.1.1 Definition of Personal Information p. 37
  • 1.2.1.2 Encrypted Data p. 38
  • 1.2.1.3 Risk of Harm p. 39
  • 1.2.1.4 Safe Harbors and Exceptions to Notice Requirement p. 39
  • 1.2.2 Notice to Individuals p. 40
  • 1.2.2.1 Timing of Notice p. 40
  • 1.2.2.2 Form of Notice p. 40
  • 1.2.2.3 Content of Notice p. 41
  • 1.2.3 Notice to Regulators and Consumer Reporting Agencies p. 41
  • 1.2.4 Penalties for Violating State Breach Notification Laws p. 42
  • 1.3 State Data Security Laws p. 42
  • 1.3.1 Oregon p. 43
  • 1.3.2 Rhode Island p. 45
  • 1.3.3 Nevada p. 45
  • 1.3.4 Massachusetts p. 46
  • 1.4 State Data Disposal Laws p. 49
  • 2 Cybersecurity Litigation p. 51
  • 2.1 Article III Standing p. 52
  • 2.1.1 Applicable Supreme Court Rulings on Standing p. 53
  • 2.1.2 Lower Court Rulings on Standing in Data Breach Cases p. 57
  • 2.1.2.1 Injury-in-Fact p. 57
  • 2.1.2.1.1 Broad View of Injury-in-Fact p. 57
  • 2.1.2.1.2 Narrow View of Injury-in-Fact p. 60
  • 2.1.2.2 Fairly Traceable p. 62
  • 2.1.2.3 Redressability p. 63
  • 2.2 Common Causes of Action Arising from Data Breaches p. 64
  • 2.2.1 Negligence p. 64
  • 2.2.1.1 Legal Duty and Breach of Duty p. 65
  • 2.2.1.2 Cognizable Injury p. 67
  • 2.2.1.3 Causation p. 69
  • 2.2.2 Negligent Misrepresentation or Omission p. 70
  • 2.2.3 Breach of Contract p. 72
  • 2.2.4 Breach of Implied Warranty p. 76
  • 2.2.5 Invasion of Privacy by Publication of Private Facts p. 80
  • 2.2.6 Unjust Enrichment p. 81
  • 2.2.7 State Consumer Protection Laws p. 82
  • 2.3 Class Action Certification in Data Breach Litigation p. 84
  • 2.4 Insurance Coverage for Cybersecurity Incidents p. 90
  • 2.5 Protecting Cybersecurity Work Product and Communications from Discovery p. 94
  • 2.5.1 Attorney-Client Privilege p. 96
  • 2.5.2 Work Product Doctrine p. 98
  • 2.5.3 Non-Testifying Expert Privilege p. 101
  • 2.5.4 Applying the Three Privileges to Cybersecurity: Genesco v. Visa p. 102
  • 3 Cybersecurity Requirements for Specific Industries p. 105
  • 3.1 Financial institutions: Gramm-Leach-Bliley Act Safeguards Rule p. 106
  • 3.1.1 Interagency Guidelines p. 106
  • 3.1.2 Securities and Exchange Commission Regulation S-P p. 109
  • 3.1.3 FTC Safeguards Rule p. 110
  • 3.2 Financial Institutions and Creditors: Red Flag Rule p. 112
  • 3.2.1 Financial Institutions or Creditors p. 116
  • 3.2.2 Covered Accounts p. 116
  • 3.2.3 Requirements for a Red Flag Identity Theft Prevention Program p. 117
  • 3.3 Companies that use Payment and Debit Cards: Payment Card Industry Data Security Standard (PCI DSS) p. 118
  • 3.4 Health Providers: Health Insurance Portability and Accountability Act (HIPAA) Security Rule p. 121
  • 3.5 Electric Utilities: Federal Energy Regulatory Commission Critical Infrastructure Protection Reliability Standards p. 127
  • 3.5.1 CIP-003-6: Cybersecurity - Security Management Controls p. 127
  • 3.5.2 CIP-004-6: Personnel and Training p. 128
  • 3.5.3 CIP-006-6: Physical Security of Cyber Systems p. 128
  • 3.5.4 CIP-007-6: Systems Security Management p. 128
  • 3.5.5 CIP-009-6: Recovery Plans for Cyber Systems p. 129
  • 3.5.6 CIP-010-2: Configuration Change Management and Vulnerability Assessments p. 129
  • 3.5.7 CIP-011-2: Information Protection p. 130
  • 3.6 Nuclear Regulatory Commission Cybersecurity Regulations p. 130
  • 4 Cybersecurity and Corporate Governance p. 133
  • 4.1 Securities and Exchange Commission Cybersecurity Expectations for Publicly Traded Companies p. 134
  • 4.1.1 10-K Disclosures: Risk Factors p. 135
  • 4.1.2 10-K Disclosures: Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A) p. 137
  • 4.1.3 10-K Disclosures: Description of Business p. 137
  • 4.1.4 10-K Disclosures: Legal Proceedings p. 138
  • 4.1.5 10-K Disclosures: Examples p. 138
  • 4.1.5.1 Wal-Mart p. 138
  • 4.1.5.2 Berkshire Hathaway p. 143
  • 4.1.5.3 Target Corp p. 144
  • 4.1.6 Disclosing Data Breaches to Investors p. 147
  • 4.2 Fiduciary Duty to Shareholders and Derivative Lawsuits Arising from Data Breaches p. 150
  • 4.3 Committee on Foreign Investment in the United States and Cybersecurity p. 152
  • 4.4 Export Controls and the Wassenaar Arrangement p. 154
  • 5 Anti-Hacking Laws p. 159
  • 5.1 Computer Fraud and Abuse Act p. 160
  • 5.1.1 Origins of the CFAA p. 160
  • 5.1.2 Access without Authorization and Exceeding Authorized Access p. 161
  • 5.1.2.1 Narrow View of "Exceeds Authorized Access" and "Without Authorization" p. 163
  • 5.1.2.2 Broader View of "Exceeds Authorized Access" and "Without Authorization" p. 167
  • 5.1.2.3 Attempts to Find a Middle Ground p. 169
  • 5.1.3 The Seven Sections of the CFAA p. 170
  • 5.1.3.1 CFAA Section (a)(1): Hacking to Commit Espionage p. 172
  • 5.1.3.2 CFAA Section (a)(2): Hacking to Obtain Information p. 172
  • 5.1.3.3 CFAA Section (a)(3): Hacking a Federal Government Computer p. 176
  • 5.1.3.4 CFAA Section (a)(4): Hacking to Commit Fraud p. 178
  • 5.1.3.5 CFAA Section (a)(5): Hacking to Damage a Computer p. 181
  • 5.1.3.5.1 CFAA Section (a)(5)(A): Knowing Transmission that Intentionally Damages a Computer Without Authorization p. 181
  • 5.1.3.5.2 CFAA Section (a)(5)(B): Intentional Access Without Authorization that Recklessly Causes Damage p. 184
  • 5.1.3.5.3 CFAA Section (a)(5)(C): Intentional Access Without Authorization that Causes Damage and Loss p. 185
  • 5.1.3.5.4 CFAA Section (a)(5): Requirements for Felony and Misdemeanor Cases p. 186
  • 5.1.3.6 CFAA Section (a)(6): Trafficking in Passwords p. 188
  • 5.1.3.7 CFAA Section (a)(7): Threatening to Damage or Obtain Information from a Computer p. 190
  • 5.1.4 Civil Actions under the CFAA p. 193
  • 5.1.5 Criticisms of the CFAA p. 195
  • 5.2 State Computer Hacking Laws p. 198
  • 5.3 Section 1201 of the Digital Millennium Copyright Act p. 201
  • 5.3.1 Origins of Section 1201 of the DMCA p. 202
  • 5.3.2 Three Key Provisions of Section 1201 of the DMCA p. 203
  • 5.3.2.1 DMCA Section 1201(a)(1) p. 203
  • 5.3.2.2 DMCA Section 1201(a)(2) p. 208
  • 5.3.2.2.1 Narrow Interpretation of Section (a)(2): Chamberlain Group v. Skylink Technologies p. 209
  • 5.3.2.2.2 Broad Interpretation of Section (a)(2): MDY Industries, LLC v. Blizzard Entertainment, Inc. p. 211
  • 5.3.2.3 DMCA Section 1201(b)(1) p. 215
  • 5.3.3 Section 1201 Penalties p. 217
  • 5.3.4 Section 1201 Exemptions p. 218
  • 5.3.5 The First Amendment and DMCA Section 1201 p. 224
  • 5.4 Economic Espionage Act p. 227
  • 5.4.1 Origins of the Economic Espionage Act p. 228
  • 5.4.2 Criminal Prohibitions on Economic Espionage and Theft of Trade Secrets p. 229
  • 5.4.2.1 Definition of "Trade Secret" p. 230
  • 5.4.2.2 "Knowing" Violations of the Economic Espionage Act p. 234
  • 5.4.2.3 Purpose and Intent Required under Section 1831: Economic Espionage p. 234
  • 5.4.2.4 Purpose and Intent Required under Section 1832: Theft of Trade Secrets p. 236
  • 5.4.3 Civil Actions for Trade Secret Misappropriation: The Defend Trade Secrets Act of 2016 p. 238
  • 5.4.3.1 Definition of "Misappropriation" p. 239
  • 5.4.3.2 Civil Seizures p. 240
  • 5.4.3.3 Injunctions p. 241
  • 5.4.3.4 Damages p. 241
  • 5.4.3.5 Statute of Limitations p. 242
  • 6 Public-Private Cybersecurity Partnerships p. 243
  • 6.1 U.S. Government's Civilian Cybersecurity Organization p. 244
  • 6.2 Department of Homeland Security Information Sharing under the Cybersecurity Act of 2015 p. 245
  • 6.3 Energy Department's Cyber-Threat Information Sharing p. 249
  • 6.4 Critical Infrastructure Executive Order and the National Institute of Standards and Technology's Cybersecurity Framework p. 250
  • 6.5 U.S. Military Involvement in Cybersecurity and the Posse Comitatus Act p. 256
  • 7 Surveillance and Cyber p. 259
  • 7.1 Fourth Amendment p. 260
  • 7.1.1 Was the Search or Seizure Conducted by a Government Entity or Government Agent? p. 261
  • 7.1.2 Did the Search or Seizure Intrude Upon an Individual's Privacy Interests? p. 265
  • 7.1.3 Did the Government have a Warrant? p. 269
  • 7.1.4 If the Government Did Not Have a Warrant, Did an Exception to the Warrant Requirement Apply? p. 271
  • 7.1.5 Was the Search or Seizure Reasonable under the Totality of the Circumstances? p. 273
  • 7.2 Electronic Communications Privacy Act p. 275
  • 7.2.1 Stored Communications Act p. 276
  • 7.2.1.1 Section 2701: Third-Party Hacking of Stored Communications p. 278
  • 7.2.1.2 Section 2702: Restrictions on Service Providers' Ability to Disclose Stored Communications and Records to the Government and Private Parties p. 279
  • 7.2.1.2.1 The Cybersecurity Act of 2015: Allowing Service Providers to Disclose Cybersecurity Threats to the Government p. 282
  • 7.2.1.3 Section 2703: Government's Ability to Force Service Providers to Turn Over Stored Communications and Customer Records p. 284
  • 7.2.2 Wiretap Act p. 286
  • 7.2.3 Pen Register Act p. 290
  • 7.2.4 National Security Letters p. 291
  • 7.3 Communications Assistance for Law Enforcement Act (CALEA) p. 293
  • 7.4 Encryption and the All Writs Act p. 294
  • 8 Cybersecurity and Federal Government Contractors p. 299
  • 8.1 Federal Information Security Management Act p. 300
  • 8.2 NIST Information Security Controls for Government Agencies and Contractors p. 301
  • 8.3 Classified Information Cybersecurity p. 306
  • 8.4 Covered Defense Information and Controlled Unclassified Information p. 309
  • 9 Privacy Laws p. 317
  • 9.1 Section 5 of the FTC Act and Privacy p. 318
  • 9.2 Health Insurance Portability and Accountability Act p. 324
  • 9.3 Gramm-Leach-Bliley Act and California Financial Information Privacy Act p. 326
  • 9.4 CAN-SPAM Act p. 327
  • 9.5 Video Privacy Protection Act p. 328
  • 9.6 Children's Online Privacy Protection Act p. 330
  • 9.7 California Online Privacy Laws p. 332
  • 9.7.1 California Online Privacy Protection Act (CalOPPA) p. 332
  • 9.7.2 California Shine the Light Law p. 333
  • 9.7.3 California Minor "Eraser Law" p. 335
  • 9.8 Illinois Biometric Information Privacy Act p. 337
  • 10 International Cybersecurity Law p. 339
  • 10.1 European Union p. 340
  • 10.2 Canada p. 346
  • 10.3 China p. 350
  • 10.4 Mexico p. 353
  • 10.5 Japan p. 356
  • Appendix A Text of Section 5 of the FTC Act p. 361
  • Appendix B Summary of State Data Breach Notification Laws p. 369
  • Appendix C Text of Section 1201 of the Digital Millennium Copyright Act p. 413
  • Appendix D Text of the Computer Fraud and Abuse Act p. 425
  • Appendix E Text of the Electronic Communications Privacy Act p. 433
  • Index p. 485