Learn to protect your clients with this definitive guide to cybersecurity law in this fully-updated third edition
Cybersecurity is an essential facet of modern society, and as a result, the application of security measures that ensure the confidentiality, integrity, and availability of data is crucial. Cybersecurity can be used to protect assets of all kinds, including data, desktops, servers, buildings, and most importantly, humans. Understanding the ins and outs of the legal rules governing this important field is vital for any lawyer or other professional looking to protect these interests.
The thoroughly revised and updated Cybersecurity Law offers an authoritative guide to the key statutes, regulations, and court rulings that pertain to cybersecurity, reflecting the latest legal developments on the subject. This comprehensive text deals with all aspects of cybersecurity law, from data security and enforcement actions to anti-hacking laws, from surveillance and privacy laws to national and international cybersecurity law. New material in this latest edition includes many expanded sections, such as the addition of more recent FTC data security consent decrees, including Zoom, SkyMed, and InfoTrax.
Readers of the third edition of Cybersecurity Law will also find:
- An all-new chapter focused on laws related to ransomware and the latest attacks that compromise the availability of data and systems
- New and updated sections on new data security laws in New York and Alabama, President Biden’s cybersecurity executive order, the Supreme Court’s first opinion interpreting the Computer Fraud and Abuse Act, American Bar Association guidance on law firm cybersecurity, Internet of Things cybersecurity laws and guidance, the Cybersecurity Maturity Model Certification, the NIST Privacy Framework, and more
- New cases that feature the latest findings in the constantly evolving cybersecurity law space
- An article by the author of this textbook, assessing the major gaps in U.S. cybersecurity law
- A companion website for instructors that features expanded case studies, discussion questions by chapter, and exam questions by chapter
Cybersecurity Law is an ideal textbook for undergraduate and graduate level courses in cybersecurity, cyber operations, management-oriented information technology (IT), and computer science. It is also a useful reference for IT professionals, government personnel, business managers, auditors, cybersecurity insurance agents, and academics in these fields, as well as academic and corporate libraries that support these professions.
Table of Contents
About the Author xvii
Acknowledgment and Disclaimers xix
Foreword to the Third Edition (2022) xxi
Foreword to the Second Edition (2019) xxiii
Introduction to First Edition xxvii
About the Companion Website xxxv
1 Data Security Laws and Enforcement Actions 1
1.1 FTC Data Security 2
1.1.1 Overview of Section 5 of the FTC Act 2
1.1.2 Wyndham: Does the FTC Have Authority to Regulate Data Security Under Section 5 of the FTC Act? 6
1.1.3 LabMD: What Constitutes “Unfair” Data Security? 10
1.1.4 FTC June 2015 Guidance on Data Security, and 2017 Updates 13
1.1.5 FTC Data Security Expectations and the NIST Cybersecurity Framework 18
1.1.6 Lessons from FTC Cybersecurity Complaints 18
1.1.6.1 Failure to Secure Highly Sensitive Information 19
1.1.6.1.1 Use Industry-standard Encryption for Sensitive Data 20
1.1.6.1.2 Routine Audits and Penetration Testing Are Expected 20
1.1.6.1.3 Health-related Data Requires Especially Strong Safeguards 21
1.1.6.1.4 Data Security Protection Extends to Paper Documents 23
1.1.6.1.5 Business-to-business Providers Also Are Accountable to the FTC for Security of Sensitive Data 25
1.1.6.1.6 Companies Are Responsible for the Data Security Practices of Their Contractors 27
1.1.6.1.7 Make Sure that Every Employee Receives Regular Data Security Training for Processing Sensitive Data 28
1.1.6.1.8 Privacy Matters, Even in Data Security 28
1.1.6.1.9 Limit the Sensitive Information Provided to Third Parties 29
1.1.6.1.10 Children’s Data Requires Special Protection 29
1.1.6.2 Failure to Secure Payment Card Information 30
1.1.6.2.1 Adhere to Security Claims about Payment Card Data 30
1.1.6.2.2 Always Encrypt Payment Card Data 31
1.1.6.2.3 Payment Card Data Should Be Encrypted Both in Storage and at Rest 31
1.1.6.2.4 In-store Purchases Pose Significant Cybersecurity Risks 32
1.1.6.2.5 Minimize Duration of Storage of Payment Card Data 34
1.1.6.2.6 Monitor Systems and Networks for Unauthorized Software 35
1.1.6.2.7 Apps Should Never Override Default App Store Security Settings 35
1.1.6.3 Failure to Adhere to Security Claims 36
1.1.6.3.1 Companies Must Address Commonly Known Security Vulnerabilities 36
1.1.6.3.2 Ensure That Security Controls Are Sufficient to Abide by Promises About Security and Privacy 37
1.1.6.3.3 Omissions about Key Security Flaws Also Can Be Misleading 40
1.1.6.3.4 Companies Must Abide by Promises for Security-related Consent Choices 40
1.1.6.3.5 Companies That Promise Security Must Ensure Adequate Authentication Procedures 41
1.1.6.3.6 Adhere to Promises About Encryption 42
1.1.6.3.7 Promises About Security Extend to Vendors’ Practices 43
1.1.6.3.8 Companies Cannot Hide Vulnerable Software in Products 43
1.1.7 FTC Internet of Things Security Guidance 43
1.2 State Data Breach Notification Laws 46
1.2.1 When Consumer Notifications Are Required 47
1.2.1.1 Definition of Personal Information 48
1.2.1.2 Encrypted Data 49
1.2.1.3 Risk of Harm 49
1.2.1.4 Safe Harbors and Exceptions to Notice Requirement 49
1.2.2 Notice to Individuals 50
1.2.2.1 Timing of Notice 50
1.2.2.2 Form of Notice 50
1.2.2.3 Content of Notice 51
1.2.3 Notice to Regulators and Consumer Reporting Agencies 51
1.2.4 Penalties for Violating State Breach Notification Laws 52
1.3 State Data Security Laws 52
1.3.1 Oregon 54
1.3.2 Rhode Island 55
1.3.3 Nevada 56
1.3.4 Massachusetts 57
1.3.5 Ohio 59
1.3.6 Alabama 60
1.3.7 New York 61
1.4 State Data Disposal Laws 61
2 Cybersecurity Litigation 63
2.1 Article III Standing 64
2.1.1 Applicable Supreme Court Rulings on Standing 66
2.1.2 Lower Court Rulings on Standing in Data Breach Cases 71
2.1.2.1 Injury-in-fact 71
2.1.2.1.1 Broad View of Injury-in-fact 71
2.1.2.1.2 Narrow View of Injury-in-fact 76
2.1.2.1.3 Attempts at Finding a Middle Ground for Injury-in-fact 81
2.1.2.2 Fairly Traceable 82
2.1.2.3 Redressability 83
2.2 Common Causes of Action Arising from Data Breaches 84
2.2.1 Negligence 84
2.2.1.1 Legal Duty and Breach of Duty 85
2.2.1.2 Cognizable Injury 87
2.2.1.3 Causation 90
2.2.2 Negligent Misrepresentation or Omission 92
2.2.3 Breach of Contract 95
2.2.4 Breach of Implied Warranty 101
2.2.5 Invasion of Privacy 105
2.2.6 Unjust Enrichment 107
2.2.7 State Consumer Protection Laws 109
2.3 Class Action Certification in Data Breach Litigation 112
2.4 Insurance Coverage for Data Breaches 120
2.5 Protecting Cybersecurity Work Product and Communications from Discovery 124
2.5.1 Attorney-client Privilege 126
2.5.2 Work Product Doctrine 129
2.5.3 Nontestifying Expert Privilege 131
2.5.4 Genesco v. Visa 132
2.5.5 In re Experian Data Breach Litigation 135
2.5.6 In re Premera 136
2.5.7 In re United Shore Financial Services 138
2.5.8 In re Dominion Dental Services USA, Inc. Data Breach Litigation 138
2.5.9 In re Capital One Consumer Data Security Breach Litigation 140
3 Cybersecurity Requirements for Specific Industries 141
3.1 Financial Institutions: GLBA Safeguards Rule 142
3.1.1 Interagency Guidelines 142
3.1.2 SEC’s Regulation S-P 144
3.1.3 FTC Safeguards Rule 146
3.2 New York Department of Financial Services Cybersecurity Regulations 149
3.3 Financial Institutions and Creditors: Red Flags Rule 151
3.3.1 Financial Institutions or Creditors 155
3.3.2 Covered Accounts 156
3.3.3 Requirements for a Red Flags Identity Theft Prevention Program 157
3.4 Companies that Use Payment and Debit Cards: PCI DSS 157
3.5 IoT Cybersecurity Laws 160
3.6 Health Providers: HIPAA Security Rule 161
3.7 Electric Transmission: FERC Critical Infrastructure Protection Reliability Standards 167
3.7.1 CIP-003-6: Cybersecurity - Security Management Controls 167
3.7.2 CIP-004-6: Personnel and Training 168
3.7.3 CIP-006-6: Physical Security of Cyber Systems 168
3.7.4 CIP-007-6: Systems Security Management 168
3.7.5 CIP-009-6: Recovery Plans for Cyber Systems 169
3.7.6 CIP-010-2: Configuration Change Management and Vulnerability Assessments 169
3.7.7 CIP-011-2: Information Protection 170
3.8 NRC Cybersecurity Regulations 170
3.9 State Insurance Cybersecurity Laws 171
4 Cybersecurity and Corporate Governance 175
4.1 SEC Cybersecurity Expectations for Publicly Traded Companies 176
4.1.1 10-K Disclosures: Risk Factors 178
4.1.2 10-K Disclosures: Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A) 179
4.1.3 10-K Disclosures: Description of Business 180
4.1.4 10-K Disclosures: Legal Proceedings 180
4.1.5 10-K Disclosures: Financial Statements 181
4.1.6 10-K Disclosures: Board Oversight of Cybersecurity 181
4.1.7 Disclosing Data Breaches to Investors 182
4.1.8 Yahoo! Data Breach 185
4.1.9 Cybersecurity and Insider Trading 185
4.2 Fiduciary Duty to Shareholders and Derivative Lawsuits Arising from Data Breaches 186
4.3 CFIUS and Cybersecurity 189
4.4 Law Firms and Cybersecurity 191
5 Antihacking Laws 193
5.1 Computer Fraud and Abuse Act 194
5.1.1 Origins of the CFAA 194
5.1.2 Access Without Authorization and Exceeding Authorized Access 195
5.1.2.1 Narrow View of “Exceeds Authorized Access” and “Without Authorization” 198
5.1.2.2 Broader View of “Exceeds Authorized Access” and “Without Authorization” 203
5.1.2.3 Finding Some Clarity: Van Buren v. United States 205
5.1.3 The Seven Sections of the CFAA 208
5.1.3.1 CFAA Section (a)(1): Hacking to Commit Espionage 209
5.1.3.2 CFAA Section (a)(2): Hacking to Obtain Information 210
5.1.3.3 CFAA Section (a)(3): Hacking a Federal Government Computer 214
5.1.3.4 CFAA Section (a)(4): Hacking to Commit Fraud 216
5.1.3.5 CFAA Section (a)(5): Hacking to Damage a Computer 218
5.1.3.5.1 CFAA Section (a)(5)(A): Knowing Transmission that Intentionally Damages a Computer Without Authorization 219
5.1.3.5.2 CFAA Section (a)(5)(B): Intentional Access Without Authorization that Recklessly Causes Damage 222
5.1.3.5.3 CFAA Section (a)(5)(C): Intentional Access Without Authorization that Causes Damage and Loss 223
5.1.3.5.4 CFAA Section (a)(5): Requirements for Felony and Misdemeanor Cases 224
5.1.3.6 CFAA Section (a)(6): Trafficking in Passwords 226
5.1.3.7 CFAA Section (a)(7): Threatening to Damage or Obtain Information from a Computer 228
5.1.4 Civil Actions Under the CFAA 231
5.1.5 Criticisms of the CFAA 235
5.1.6 CFAA and Coordinated Vulnerability Disclosure Programs 237
5.2 State Computer Hacking Laws 240
5.3 Section 1201 of the Digital Millennium Copyright Act 243
5.3.1 Origins of Section 1201 of the DMCA 244
5.3.2 Three Key Provisions of Section 1201 of the DMCA 245
5.3.2.1 DMCA Section 1201(a)(1) 245
5.3.2.2 DMCA Section 1201(a)(2) 250
5.3.2.2.1 Narrow Interpretation of Section (a)(2): Chamberlain Group v. Skylink Technologies 251
5.3.2.2.2 Broad Interpretation of Section (a)(2): MDY Industries, LLC v. Blizzard Entertainment 254
5.3.2.3 DMCA Section 1201(b)(1) 258
5.3.3 Section 1201 Penalties 261
5.3.4 Section 1201 Exemptions 262
5.3.5 The First Amendment and DMCA Section 1201 269
5.4 Economic Espionage Act 274
5.4.1 Origins of the EEA 274
5.4.2 Criminal Prohibitions on Economic Espionage and Theft of Trade Secrets 275
5.4.2.1 Definition of “Trade Secret” 276
5.4.2.2 “Knowing” Violations of the EEA 279
5.4.2.3 Purpose and Intent Required under Section 1831: Economic Espionage 279
5.4.2.4 Purpose and Intent Required under Section 1832: Theft of Trade Secrets 281
5.4.3 Civil Actions for Trade Secret Misappropriation: The Defend Trade Secrets Act of 2016 284
5.4.3.1 Definition of “Misappropriation” 285
5.4.3.2 Civil Seizures 288
5.4.3.3 Injunctions 289
5.4.3.4 Damages 289
5.4.3.5 Statute of Limitations 290
5.5 Budapest Convention on Cybercrime 291
6 U.S. Government Cyber Structure and Public-Private Cybersecurity Partnerships 293
6.1 U.S. Government’s Civilian Cybersecurity Organization 293
6.2 Department of Homeland Security Information Sharing under the Cybersecurity Act of 2015 297
6.3 Critical Infrastructure Executive Order and the NIST Cybersecurity Framework 301
6.4 U.S. Military Involvement in Cybersecurity and the Posse Comitatus Act 309
6.5 Vulnerabilities Equities Process 311
6.6 Executive Order 14028 314
7 Surveillance and Cyber 317
7.1 Fourth Amendment 318
7.1.1 Was the Search or Seizure Conducted by a Government Entity or Government Agent? 319
7.1.2 Did the Search or Seizure Involve an Individual’s Reasonable Expectation of Privacy? 324
7.1.3 Did the Government Have a Warrant? 332
7.1.4 If the Government Did Not Have a Warrant, Did an Exception to the Warrant Requirement Apply? 335
7.1.5 Was the Search or Seizure Reasonable Under the Totality of the Circumstances? 337
7.2 Electronic Communications Privacy Act 338
7.2.1 Stored Communications Act 340
7.2.1.1 Section 2701: Third-party Hacking of Stored Communications 344
7.2.1.2 Section 2702: Restrictions on Service Providers’ Ability to Disclose Stored Communications and Records to the Government and Private Parties 345
7.2.1.3 Section 2703: Government’s Ability to Require Service Providers to Turn Over Stored Communications and Customer Records 349
7.2.2 Wiretap Act 354
7.2.3 Pen Register Act 358
7.2.4 National Security Letters 359
7.3 Communications Assistance for Law Enforcement Act (CALEA) 361
7.4 Encryption and the All Writs Act 362
7.5 Encrypted Devices and the Fifth Amendment 364
8 Cybersecurity and Federal Government Contractors 369
8.1 Federal Information Security Management Act 370
8.2 NIST Information Security Controls for Government Agencies and Contractors 372
8.3 Classified Information Cybersecurity 376
8.4 Covered Defense Information, CUI, and the Cybersecurity Maturity Model Certification 377
9 Privacy Laws 385
9.1 Section 5 of the FTC Act and Privacy 386
9.2 Health Insurance Portability and Accountability Act 388
9.3 Gramm-Leach-Bliley Act and California Financial Information Privacy Act 390
9.4 CAN-SPAM Act 391
9.5 Video Privacy Protection Act 392
9.6 Children’s Online Privacy Protection Act 394
9.7 California Online Privacy Laws 396
9.7.1 California Online Privacy Protection Act (CalOPPA) 396
9.7.2 California Shine the Light Law 398
9.7.3 California Minor “Online Eraser” Law 400
9.8 California Consumer Privacy Act 401
9.9 Illinois Biometric Information Privacy Act 404
9.10 NIST Privacy Framework 406
10 International Cybersecurity Law 409
10.1 European Union 410
10.2 Canada 420
10.3 China 425
10.4 Mexico 430
10.5 Japan 434
11 Cyber and the Law of War 439
11.1 Was the Cyberattack a “Use of Force” that Violates International Law? 441
11.2 If the Attack Was a Use of Force, Was that Force Attributable to a State? 444
11.3 Did the Use of Force Constitute an “Armed Attack” that Entitles the Target to Self-defense? 445
11.4 If the Use of Force Was an Armed Attack, What Types of Self-defense Are Justified? 448
11.5 If the Nation Experiences Hostile Cyber Actions that Fall Short of Use of Force or Armed Attacks, What Options Are Available? 449
12 Ransomware 453
12.1 Defining Ransomware 454
12.2 Ransomware-related Litigation 455
12.3 Insurance Coverage for Ransomware 462
12.4 Ransomware Payments and Sanctions 466
12.5 Ransomware Prevention and Response Guidelines from Government Agencies 467
12.5.1 Department of Homeland Security 467
12.5.2 Federal Trade Commission 469
12.5.3 Federal Interagency Guidance for Information Security Executives 470
12.5.4 New York Department of Financial Services Guidance 472
Appendix A: Text of Section 5 of the FTC Act 473
Appendix B: Summary of State Data Breach Notification Laws 483
Appendix C: Text of Section 1201 of the Digital Millennium Copyright Act 545
Appendix D: Text of the Computer Fraud and Abuse Act 557
Appendix E: Text of the Electronic Communications Privacy Act 565
Appendix F: Key Cybersecurity Court Opinions 629
Appendix G: Hacking Cybersecurity Law 781
Index 825