Cybersecurity Law

Read more

Informationen zum Autor Jeff Kosseff, JD, MPP, is Associate Professor of Cybersecurity Law at the United States Naval Academy in Annapolis, Maryland. He frequently speaks and writes about cybersecurity and was a journalist covering technology and politics at The Oregonian , a finalist for the Pulitzer Prize, and a recipient of the George Polk Award for national reporting. Klappentext CYBERSECURITY LAWLearn to protect your clients with this definitive guide to cybersecurity law in this fully-updated third editionCybersecurity is an essential facet of modern society, and as a result, the application of security measures that ensure the confidentiality, integrity, and availability of data is crucial. Cybersecurity can be used to protect assets of all kinds, including data, desktops, servers, buildings, and most importantly, humans. Understanding the ins and outs of the legal rules governing this important field is vital for any lawyer or other professionals looking to protect these interests.The thoroughly revised and updated Cybersecurity Law offers an authoritative guide to the key statutes, regulations, and court rulings that pertain to cybersecurity, reflecting the latest legal developments on the subject. This comprehensive text deals with all aspects of cybersecurity law, from data security and enforcement actions to anti-hacking laws, from surveillance and privacy laws to national and international cybersecurity law. New material in this latest edition includes many expanded sections, such as the addition of more recent FTC data security consent decrees, including Zoom, SkyMed, and InfoTrax.Readers of the third edition of Cybersecurity Law will also find:* An all-new chapter focused on laws related to ransomware and the latest attacks that compromise the availability of data and systems* New and updated sections on new data security laws in New York and Alabama, President Biden's cybersecurity executive order, the Supreme Court's first opinion interpreting the Computer Fraud and Abuse Act, American Bar Association guidance on law firm cybersecurity, Internet of Things cybersecurity laws and guidance, the Cybersecurity Maturity Model Certification, the NIST Privacy Framework, and more* New cases that feature the latest findings in the constantly evolving cybersecurity law space* An article by the author of this textbook, assessing the major gaps in U.S. cybersecurity law* A companion website for instructors that features expanded case studies, discussion questions by chapter, and exam questions by chapterCybersecurity Law is an ideal textbook for undergraduate and graduate level courses in cybersecurity, cyber operations, management-oriented information technology (IT), and computer science. It is also a useful reference for IT professionals, government personnel, business managers, auditors, cybersecurity insurance agents, and academics in these fields, as well as academic and corporate libraries that support these professions. Zusammenfassung CYBERSECURITY LAWLearn to protect your clients with this definitive guide to cybersecurity law in this fully-updated third editionCybersecurity is an essential facet of modern society, and as a result, the application of security measures that ensure the confidentiality, integrity, and availability of data is crucial. Cybersecurity can be used to protect assets of all kinds, including data, desktops, servers, buildings, and most importantly, humans. Understanding the ins and outs of the legal rules governing this important field is vital for any lawyer or other professionals looking to protect these interests.The thoroughly revised and updated Cybersecurity Law offers an authoritative guide to the key statutes, regulations, and court rulings that pertain to cybersecurity, reflecting the latest legal developments on the subject. This comprehensive text deals with all aspects of cybersecurity law, from data security an...

List of contents

About the Author xvii
 
Acknowledgment and Disclaimers xix
 
Foreword to the Third Edition (2022) xxi
 
Foreword to the Second Edition (2019) xxiii
 
Introduction to First Edition xxvii
 
About the Companion Website xxxv
 
1 Data Security Laws and Enforcement Actions 1
 
1.1 FTC Data Security 2
 
1.1.1 Overview of Section 5 of the FTC Act 2
 
1.1.2 Wyndham: Does the FTC Have Authority to Regulate Data Security Under Section 5 of the FTC Act? 6
 
1.1.3 LabMD: What Constitutes "Unfair" Data Security? 10
 
1.1.4 FTC June 2015 Guidance on Data Security, and 2017 Updates 13
 
1.1.5 FTC Data Security Expectations and the NIST Cybersecurity Framework 18
 
1.1.6 Lessons from FTC Cybersecurity Complaints 18
 
1.1.6.1 Failure to Secure Highly Sensitive Information 19
 
1.1.6.1.1 Use Industry-standard Encryption for Sensitive Data 20
 
1.1.6.1.2 Routine Audits and Penetration Testing Are Expected 20
 
1.1.6.1.3 Health-related Data Requires Especially Strong Safeguards 21
 
1.1.6.1.4 Data Security Protection Extends to Paper Documents 23
 
1.1.6.1.5 Business-to-business Providers Also Are Accountable to the FTC for Security of Sensitive Data 25
 
1.1.6.1.6 Companies Are Responsible for the Data Security Practices of Their Contractors 27
 
1.1.6.1.7 Make Sure that Every Employee Receives Regular Data Security Training for Processing sensitive Data 28
 
1.1.6.1.8 Privacy Matters, Even in Data Security 28
 
1.1.6.1.9 Limit the Sensitive Information Provided to Third Parties 29
 
1.1.6.1.10 Children's Data Requires Special Protection 29
 
1.1.6.2 Failure to Secure Payment Card Information 30
 
1.1.6.2.1 Adhere to Security Claims about Payment Card Data 30
 
1.1.6.2.2 Always Encrypt Payment Card Data 31
 
1.1.6.2.3 Payment Card Data Should Be Encrypted Both in Storage and at Rest 31
 
1.1.6.2.4 In-store Purchases Pose Significant Cybersecurity Risks 32
 
1.1.6.2.5 Minimize Duration of Storage of Payment Card Data 34
 
1.1.6.2.6 Monitor Systems and Networks for Unauthorized Software 35
 
1.1.6.2.7 Apps Should Never Override Default App Store Security Settings 35
 
1.1.6.3 Failure to Adhere to Security Claims 36
 
1.1.6.3.1 Companies Must Address Commonly Known Security Vulnerabilities 36
 
1.1.6.3.2 Ensure That Security Controls Are Sufficient to Abide by Promises About Security and Privacy 37
 
1.1.6.3.3 Omissions about Key Security Flaws Also Can Be Misleading 40
 
1.1.6.3.4 Companies Must Abide by Promises for Security-related Consent Choices 40
 
1.1.6.3.5 Companies That Promise Security Must Ensure Adequate Authentication Procedures 41
 
1.1.6.3.6 Adhere to Promises About Encryption 42
 
1.1.6.3.7 Promises About Security Extend to Vendors' Practices 43
 
1.1.6.3.8 Companies Cannot Hide Vulnerable Software in Products 43
 
1.1.7 FTC Internet of Things Security Guidance 43
 
1.2 State Data Breach Notification Laws 46
 
1.2.1 When Consumer Notifications Are Required 47
 
1.2.1.1 Definition of Personal Information 48
 
1.2.1.2 Encrypted Data 49
 
1.2.1.3 Risk of Harm 49
 
1.2.1.4 Safe Harbors and Exceptions to Notice Requirement 49
 
1.2.2 Notice to Individuals 50
 
1.2.2.1 Timing of Notice 50
 
1.2.2.2 Form of Notice 50
 
1.2.2.3 Content of Notice 51
 
1.2.3 Notice to Regulators and Consumer Reporting Agencies 51
 
1.2.4 Penalties for Violating State Breach Notification Laws 52
 
1.3 State Data Security Laws 52
 
1.3.1 Oregon 54