
Cybersecurity Law, Second Edition

English · Hardback


Description


About the author

JEFF KOSSEFF is Assistant Professor of Cybersecurity Law at the United States Naval Academy in Annapolis, Maryland. He was a finalist for the Pulitzer Prize and a recipient of the George Polk Award for national reporting.

Blurb

The second edition of the definitive guide to cybersecurity law, updated to reflect recent legal developments.

The revised and updated second edition of Cybersecurity Law offers an authoritative guide to the key statutes, regulations, and court rulings that pertain to cybersecurity. Written by an experienced cybersecurity lawyer and law professor, the second edition includes new and expanded information that reflects the latest changes in laws and regulations. The book includes material on recent FTC data security consent decrees and data breach litigation. Topics covered reflect new laws, regulations, and court decisions that address financial sector cybersecurity, the law of war as applied to cyberspace, and recently updated guidance for public companies' disclosure of cybersecurity risks.

This important guide:
* Provides a new appendix, with 15 edited opinions covering a wide range of cybersecurity-related topics, for students learning via the caselaw method
* Includes new sections that cover topics such as: compelled access to encrypted devices, New York's financial services cybersecurity regulations, South Carolina's insurance sector cybersecurity law, the Internet of Things, bug bounty programs, the vulnerability equities process, international enforcement of computer hacking laws, the California Consumer Privacy Act, and the European Union's Network and Information Security Directive
* Contains a new chapter on the critical topic of the law of cyberwar
* Presents a comprehensive guide written by a noted expert on the topic
* Offers a companion instructor-only website that features discussion questions and suggested exam questions for each chapter

Written for students and professionals of cybersecurity, cyber operations, management-oriented information technology (IT), and computer science, Cybersecurity Law, Second Edition is the up-to-date guide that covers the basic principles and the most recent information on cybersecurity laws and regulations.

List of contents

About the Author (p. xv)
Acknowledgment and Disclaimers (p. xvii)
Foreword to the Second Edition (2019) (p. xix)
Introduction to First Edition (p. xxiii)
About the Companion Website (p. xxxi)

1 Data Security Laws and Enforcement Actions (p. 1)
  1.1 FTC Data Security (p. 2)
    1.1.1 Overview of Section 5 of the FTC Act (p. 2)
    1.1.2 Wyndham: Does the FTC Have Authority to Regulate Data Security under Section 5 of the FTC Act? (p. 6)
    1.1.3 LabMD: What Constitutes "Unfair" Data Security? (p. 10)
    1.1.4 FTC June 2015 Guidance on Data Security, and 2017 Updates (p. 13)
    1.1.5 FTC Data Security Expectations and the NIST Cybersecurity Framework (p. 17)
    1.1.6 Lessons from FTC Cybersecurity Complaints (p. 18)
      1.1.6.1 Failure to Secure Highly Sensitive Information (p. 19)
        1.1.6.1.1 Use Industry-Standard Encryption for Sensitive Data (p. 19)
        1.1.6.1.2 Routine Audits and Penetration Testing Are Expected (p. 20)
        1.1.6.1.3 Health-Related Data Requires Especially Strong Safeguards (p. 21)
        1.1.6.1.4 Data Security Protection Extends to Paper Documents (p. 22)
        1.1.6.1.5 Business-to-Business Providers Also Are Accountable to the FTC for Security of Sensitive Data (p. 24)
        1.1.6.1.6 Companies Are Responsible for the Data Security Practices of Their Contractors (p. 25)
        1.1.6.1.7 Make Sure that Every Employee Receives Regular Data Security Training for Processing Sensitive Data (p. 26)
        1.1.6.1.8 Privacy Matters, Even in Data Security (p. 26)
        1.1.6.1.9 Limit the Sensitive Information Provided to Third Parties (p. 27)
        1.1.6.1.10 Children's Data Requires Special Protection (p. 27)
      1.1.6.2 Failure to Secure Payment Card Information (p. 28)
        1.1.6.2.1 Adhere to Security Claims about Payment Card Data (p. 28)
        1.1.6.2.2 Always Encrypt Payment Card Data (p. 29)
        1.1.6.2.3 Payment Card Data Should Be Encrypted Both in Storage and at Rest (p. 30)
        1.1.6.2.4 In-Store Purchases Pose Significant Cybersecurity Risks (p. 31)
        1.1.6.2.5 Minimize Duration of Storage of Payment Card Data (p. 33)
        1.1.6.2.6 Monitor Systems and Networks for Unauthorized Software (p. 33)
        1.1.6.2.7 Apps Should Never Override Default App Store Security Settings (p. 33)
      1.1.6.3 Failure to Adhere to Security Claims (p. 34)
        1.1.6.3.1 Companies Must Address Commonly Known Security Vulnerabilities (p. 34)
        1.1.6.3.2 Ensure that Security Controls Are Sufficient to Abide by Promises about Security and Privacy (p. 35)
        1.1.6.3.3 Omissions about Key Security Flaws Also Can Be Misleading (p. 38)
        1.1.6.3.4 Companies Must Abide by Promises for Security-Related Consent Choices (p. 38)
        1.1.6.3.5 Companies that Promise Security Must Ensure Adequate Authentication Procedures (p. 39)
        1.1.6.3.6 Adhere to Promises about Encryption (p. 40)
        1.1.6.3.7 Promises About Security Extend to Vendors' Practices (p. 41)
        1.1.6.3.8 Companies Cannot Hide Vulnerable Software in Products (p. 41)
  1.2 State Data Breach Notification Laws (p. 42)
    1.2.1 When Consumer Notifications Are Required (p. 43)
      1.2.1.1 Definition of Personal Information (p. 44)
      1.2.1.2 Encrypted Data (p. 45)
      1.2.1.3 Risk of Harm (p. 45)
      1.2.1.4 Safe Harbors and Exceptions to Notice Requirement (p. 45)
    1.2.2 Notice to Individuals (p. 46)
      1.2.2.1 Timing of Notice (p. 46)
      1.2.2.2 Form of Notice (p. 46)
      1.2.2.3 Content of Notice (p. 47)
    1.2.3 Notice to Regulators and Consumer Reporting Agencies (p. 47)
    1.2.4 Penalties for Violating State Breach Notification Laws (p. 48)
  1.3 State Data Security Laws (p. 48)
    1.3.1 Oregon (p. 50)
    1.3.2 Rhode Island (p. 51)
    1.3.3 Nevada (p. 51)
    1.3.4 Massachusetts (p. 52)
    1.3.5 Ohio (p. 55)
  1.4 State Data Disposal Laws (p. 56)

2 Cybersecurity Litigation (p. 57)
  2.1 Article III Standing (p. 58)
    2.1.1 Applicable Supreme Court Rulings on Standing (p. 59)
    2.1.2 Lower Court Rulings on Standing in Data Breach Cases (p. 64)
      2.1.2.1 Injury-in-Fact (p. 64)
        2.1.2.1.1 Broad View of Injury-in-Fact (p. 64)
        2.1.2.1.2 Narrow View of Injury-in-Fact (p. 68)
      2.1.2.2 Fairly Traceable (p. 72)
      2.1.2.3 Redressability (p. 72)
  2.2 Common Causes of Action Arising from Data Breaches (p. 73)
    2.2.1 Negligence (p. 74)
      2.2.1.1 Legal Duty and Breach of Duty (p. 75)
      2.2.1.2 Cognizable Injury (p. 76)
      2.2.1.3 Causation (p. 79)
    2.2.2 Negligent Misrepresentation or Omission (p. 80)
    2.2.3 Breach of Contract (p. 82)
    2.2.4 Breach of Implied Warranty (p. 88)
    2.2.5 Invasion of Privacy by Publication of Private Facts (p. 92)
    2.2.6 Unjust Enrichment (p. 93)
    2.2.7 State Consumer Protection Laws (p. 95)
  2.3 Class Action Certification in Data Breach Litigation (p. 97)
  2.4 Insurance Coverage for Cybersecurity Incidents (p. 104)
  2.5 Protecting Cybersecurity Work Product and Communications from Discovery (p. 108)
    2.5.1 Attorney-Client Privilege (p. 110)
    2.5.2 Work Product Doctrine (p. 112)
    2.5.3 Nontestifying Expert Privilege (p. 115)
    2.5.4 Genesco v. Visa (p. 116)
    2.5.5 In re Experian Data Breach Litigation (p. 119)
    2.5.6 In re Premera (p. 120)
    2.5.7 In re United Shore Financial Services (p. 121)

3 Cybersecurity Requirements for Specific Industries (p. 123)
  3.1 Financial Institutions: Gramm-Leach-Bliley Act Safeguards Rule (p. 124)
    3.1.1 Interagency Guidelines (p. 124)
    3.1.2 Securities and Exchange Commission Regulation S-P (p. 126)
    3.1.3 FTC Safeguards Rule (p. 128)
  3.2 New York Department of Financial Services Cybersecurity Regulations (p. 130)
  3.3 Financial Institutions and Creditors: Red Flags Rule (p. 133)
    3.3.1 Financial Institutions or Creditors (p. 136)
    3.3.2 Covered Accounts (p. 137)
    3.3.3 Requirements for a Red Flag Identity Theft Prevention Program (p. 138)
  3.4 Companies that Use Payment and Debit Cards: Payment Card Industry Data Security Standard (PCI DSS) (p. 139)
  3.5 California Internet of Things Cybersecurity Law (p. 141)
  3.6 Health Providers: Health Insurance Portability and Accountability Act (HIPAA) Security Rule (p. 142)
  3.7 Electric Transmission: Federal Energy Regulatory Commission Critical Infrastructure Protection Reliability Standards (p. 147)
    3.7.1 CIP-003-6: Cybersecurity - Security Management Controls (p. 148)
    3.7.2 CIP-004-6: Personnel and Training (p. 148)
    3.7.3 CIP-006-6: Physical Security of Cyber Systems (p. 149)
    3.7.4 CIP-007-6: Systems Security Management (p. 149)
    3.7.5 CIP-009-6: Recovery Plans for Cyber Systems (p. 149)
    3.7.6 CIP-010-2: Configuration Change Management and Vulnerability Assessments (p. 150)
    3.7.7 CIP-011-2: Information Protection (p. 150)
  3.8 Nuclear Regulatory Commission Cybersecurity Regulations (p. 150)
  3.9 South Carolina Insurance Cybersecurity Law (p. 151)

4 Cybersecurity and Corporate Governance (p. 155)
  4.1 Securities and Exchange Commission Cybersecurity Expectations for Publicly Traded Companies (p. 156)
    4.1.1 10-K Disclosures: Risk Factors (p. 158)
    4.1.2 10-K Disclosures: Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A) (p. 159)
    4.1.3 10-K Disclosures: Description of Business (p. 160)
    4.1.4 10-K Disclosures: Legal Proceedings (p. 160)
    4.1.5 10-K Disclosures: Financial Statements (p. 161)
    4.1.6 10-K Disclosures: Board Oversight of Cybersecurity (p. 161)
    4.1.7 Disclosing Data Breaches to Investors (p. 161)
    4.1.8 Yahoo Data Breach (p. 164)
    4.1.9 Cybersecurity and Insider Trading (p. 165)
  4.2 Fiduciary Duty to Shareholders and Derivative Lawsuits Arising from Data Breaches (p. 166)
  4.3 Committee on Foreign Investment in the United States and Cybersecurity (p. 168)

5 Anti-Hacking Laws (p. 171)
  5.1 Computer Fraud and Abuse Act (p. 172)
    5.1.1 Origins of the CFAA (p. 172)
    5.1.2 Access Without Authorization and Exceeding Authorized Access (p. 173)
      5.1.2.1 Narrow View of "Exceeds Authorized Access" and "Without Authorization" (p. 176)
      5.1.2.2 Broader View of "Exceeds Authorized Access" and "Without Authorization" (p. 181)
      5.1.2.3 Attempts to Find a Middle Ground (p. 183)
    5.1.3 The Seven Sections of the CFAA (p. 184)
      5.1.3.1 CFAA Section (a)(1): Hacking to Commit Espionage (p. 186)
      5.1.3.2 CFAA Section (a)(2): Hacking to Obtain Information (p. 187)
      5.1.3.3 CFAA Section (a)(3): Hacking a Federal Government Computer (p. 191)
      5.1.3.4 CFAA Section (a)(4): Hacking to Commit Fraud (p. 192)
      5.1.3.5 CFAA Section (a)(5): Hacking to Damage a Computer (p. 195)
        5.1.3.5.1 CFAA Section (a)(5)(A): Knowing Transmission that Intentionally Damages a Computer Without Authorization (p. 195)
        5.1.3.5.2 CFAA Section (a)(5)(B): Intentional Access Without Authorization that Recklessly Causes Damage (p. 198)
        5.1.3.5.3 CFAA Section (a)(5)(C): Intentional Access Without Authorization that Causes Damage and Loss (p. 200)
        5.1.3.5.4 CFAA Section (a)(5): Requirements for Felony and Misdemeanor Cases (p. 200)
      5.1.3.6 CFAA Section (a)(6): Trafficking in Passwords (p. 203)
      5.1.3.7 CFAA Section (a)(7): Threatening to Damage or Obtain Information from a Computer (p. 205)
    5.1.4 Civil Actions Under the CFAA (p. 208)
    5.1.5 Criticisms of the CFAA (p. 212)
    5.1.6 CFAA and Coordinated Vulnerability Disclosure Programs (p. 214)
  5.2 State Computer Hacking Laws (p. 218)
  5.3 Section 1201 of the Digital Millennium Copyright Act (p. 220)
    5.3.1 Origins of Section 1201 of the DMCA (p. 221)
    5.3.2 Three Key Provisions of Section 1201 of the DMCA (p. 222)
      5.3.2.1 DMCA Section 1201(a)(1) (p. 222)
      5.3.2.2 DMCA Section 1201(a)(2) (p. 227)
        5.3.2.2.1 Narrow Interpretation of Section (a)(2): Chamberlain Group v. Skylink Technologies (p. 228)
        5.3.2.2.2 Broad Interpretation of Section (a)(2): MDY Industries, LLC v. Blizzard Entertainment (p. 231)
      5.3.2.3 DMCA Section 1201(b)(1) (p. 236)
    5.3.3 Section 1201 Penalties (p. 238)
    5.3.4 Section 1201 Exemptions (p. 239)
    5.3.5 The First Amendment and DMCA Section 1201 (p. 246)
  5.4 Economic Espionage Act (p. 250)
    5.4.1 Origins of the Economic Espionage Act (p. 250)
    5.4.2 Criminal Prohibitions on Economic Espionage and Theft of Trade Secrets (p. 251)
      5.4.2.1 Definition of "Trade Secret" (p. 252)
      5.4.2.2 "Knowing" Violations of the Economic Espionage Act (p. 255)
      5.4.2.3 Purpose and Intent Required under Section 1831: Economic Espionage (p. 255)
      5.4.2.4 Purpose and Intent Required under Section 1832: Theft of Trade Secrets (p. 257)
    5.4.3 Civil Actions for Trade Secret Misappropriation: The Defend Trade Secrets Act of 2016 (p. 260)
      5.4.3.1 Definition of "Misappropriation" (p. 261)
      5.4.3.2 Civil Seizures (p. 263)
      5.4.3.3 Injunctions (p. 264)
      5.4.3.4 Damages (p. 265)
      5.4.3.5 Statute of Limitations (p. 265)
  5.5 Budapest Convention on Cybercrime (p. 266)

6 U.S. Government Cyber Structure and Public-Private Cybersecurity Partnerships (p. 269)
  6.1 U.S. Government's Civilian Cybersecurity Organization (p. 269)
  6.2 Department of Homeland Security Information Sharing under the Cybersecurity Act of 2015 (p. 272)
  6.3 Critical Infrastructure Executive Order and the National Institute of Standards and Technology's Cybersecurity Framework (p. 276)
  6.4 U.S. Military Involvement in Cybersecurity and the Posse Comitatus Act (p. 284)
  6.5 Vulnerabilities Equities Process (p. 286)

7 Surveillance and Cyber (p. 291)
  7.1 Fourth Amendment (p. 292)
    7.1.1 Was the Search or Seizure Conducted by a Government Entity or Government Agent? (p. 293)
    7.1.2 Did the Search or Seizure Involve an Individual's Reasonable Expectation of Privacy? (p. 297)
    7.1.3 Did the Government Have a Warrant? (p. 305)
    7.1.4 If the Government Did Not Have a Warrant, Did an Exception to the Warrant Requirement Apply? (p. 308)
    7.1.5 Was the Search or Seizure Reasonable Under the Totality of the Circumstances? (p. 310)
  7.2 Electronic Communications Privacy Act (p. 311)
    7.2.1 Stored Communications Act (p. 313)
      7.2.1.1 Section 2701: Third-Party Hacking of Stored Communications (p. 317)
      7.2.1.2 Section 2702: Restrictions on Service Providers' Ability to Disclose Stored Communications and Records to the Government and Private Parties (p. 318)
      7.2.1.3 Section 2703: Government's Ability to Require Service Providers to Turn Over Stored Communications and Customer Records (p. 324)
    7.2.2 Wiretap Act (p. 328)
    7.2.3 Pen Register Act (p. 332)
    7.2.4 National Security Letters (p. 334)
  7.3 Communications Assistance for Law Enforcement Act (CALEA) (p. 335)
  7.4 Encryption and the All Writs Act (p. 336)
  7.5 Encrypted Devices and the Fifth Amendment (p. 339)

8 Cybersecurity and Federal Government Contractors (p. 343)
  8.1 Federal Information Security Management Act (p. 344)
  8.2 NIST Information Security Controls for Government Agencies and Contractors (p. 346)
  8.3 Classified Information Cybersecurity (p. 350)
  8.4 Covered Defense Information and Controlled Unclassified Information (p. 353)

9 Privacy Laws (p. 361)
  9.1 Section 5 of the FTC Act and Privacy (p. 362)
  9.2 Health Insurance Portability and Accountability Act (p. 366)
  9.3 Gramm-Leach-Bliley Act and California Financial Information Privacy Act (p. 368)
  9.4 CAN-SPAM Act (p. 369)
  9.5 Video Privacy Protection Act (p. 371)
  9.6 Children's Online Privacy Protection Act (p. 372)
  9.7 California Online Privacy Laws (p. 375)
    9.7.1 California Online Privacy Protection Act (CalOPPA) (p. 375)
    9.7.2 California Shine the Light Law (p. 376)
    9.7.3 California Minor "Eraser Law" (p. 378)
  9.8 California Consumer Privacy Act (p. 380)
  9.9 Illinois Biometric Information Privacy Act (p. 382)

10 International Cybersecurity Law (p. 385)
  10.1 European Union (p. 386)
  10.2 Canada (p. 396)
  10.3 China (p. 400)
  10.4 Mexico (p. 405)
  10.5 Japan (p. 409)

11 Cyber and the Law of War (p. 413)
  11.1 Was the Cyberattack a "Use of Force" that Violates International Law? (p. 414)
  11.2 If the Attack Was a Use of Force, Was that Force Attributable to a State? (p. 417)
  11.3 Did the Use of Force Constitute an "Armed Attack" that Entitles the Target to Self-Defense? (p. 418)
  11.4 If the Use of Force Was an Armed Attack, What Types of Self-Defense are Justified? (p. 420)
  11.5 If the Nation Experiences Hostile Cyber Actions that Fall Short of Use of Force or Armed Attacks, What Options Are Available? (p. 422)

Appendix A: Text of Section 5 of the FTC Act (p. 425)
Appendix B: Summary of State Data Breach Notification Laws (p. 433)
Appendix C: Text of Section 1201 of the Digital Millennium Copyright Act (p. 493)
Appendix D: Text of the Computer Fraud and Abuse Act (p. 505)
Appendix E: Text of the Electronic Communications Privacy Act (p. 513)
Appendix F: Key Cybersecurity Court Opinions (p. 579)
Index (p. 715)
