Principles of Cybersecurity Law
Authors:
Mireles, Michael / Hobaugh Jr., Jack L.
Edition:
1st
Copyright Date:
2021
18 chapters
Chapter One 48 results (showing 5 best matches)
- The goal of this book is to provide law students, practicing attorneys, and in-house counsel with the background necessary to counsel others in the area of cybersecurity and cybersecurity law. The expansive and ever-changing area of cybersecurity law requires an understanding of the intersection and interaction of cybersecurity, cybersecurity law, and privacy law. These three areas often overlap but never fully converge. To fully understand cybersecurity law, one must understand the relationships between cybersecurity, cybersecurity law, and privacy law. Throughout this book, the authors identify and discuss those relationships. Moreover, we delve into the various substantive areas of cybersecurity, cybersecurity law, and privacy law where those areas are coextensive, and sometimes where they are not.
- We chose the term Cybersecurity Counselor over Cybersecurity Attorney because a counselor is a broader term that designates providing advice beyond just cybersecurity legalities. A cybersecurity counselor will have the opportunity to advise clients across a broad swath of cybersecurity-related issues. The cybersecurity counselor may be involved in all aspects of a company’s cybersecurity lifecycle, including but not limited to the creation of initial cybersecurity policies, controls, guidance and procedure, risk analysis under a risk analysis framework, business continuity planning, disaster recovery planning, training, and incident response. A competent cybersecurity counselor can become a liaison or bridge between the C-suite or General Counsel’s office and the cybersecurity professional.
- Often, cybersecurity and cybersecurity law deficiencies do not become apparent until a privacy law enforcement action has been triggered. For example, a data breach that negatively affects persons can trigger tort negligence actions, federal agency cybersecurity enforcement, state data breach notification (privacy) laws, and state AG cybersecurity investigation and enforcement actions. These events often disclose underlying cybersecurity deficiencies and cybersecurity law infractions that would have gone unnoticed without the breach, such as lack of encryption or “reasonable security measures” to safeguard data. It is often only after the discovery of the privacy infraction, that the underlying and arguably, more important cybersecurity law infractions surface.
- So, what is cybersecurity law and how does it relate to cybersecurity and privacy law? Although the term has quickly become an oft-used legal buzzword and large law firms are rapidly adding cybersecurity law as a practice area, a well-adopted definition does not yet exist. As Professor Jeff Kosseff noted in his 2018 law review article, “Defining Cybersecurity Law”, “the U.S. legal system lacks a consistent definition of the term ‘cybersecurity law’.”
- We expect the definition of cybersecurity law to morph over time as regulatory bodies continue to struggle with the term as they attempt to promulgate cybersecurity laws to protect their citizens. For the purposes of this book we define
Chapter Seven 8 results (showing 5 best matches)
- The following materials include some private right of action cases that demonstrate confusion by the courts concerning how to deal with cybersecurity deficiencies, and that demonstrate the need for state cybersecurity laws providing a right of action in order to adequately protect their citizens from data breaches. Indeed, citizens and their data are not protected by poorly conceived or drafted cybersecurity laws, or by a failure to enact cybersecurity laws at all.
- As discussed in the preceding chapters, the United States does not have one overarching cybersecurity law but instead relies on a collection of privacy and cybersecurity laws that each cover a specific area. For example, the Health Insurance Portability and Accountability Act (HIPAA) focuses on an individual’s protected health information and the medical industry. In contrast, the Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, focuses on the financial industry. The states have been able to promulgate cybersecurity and privacy laws where the federal government has left a void. There are basically two types of laws enacted in this space: 1) data breach notification laws; and 2) cybersecurity laws concerning standards for the security of data, networks and computers. This chapter will review some select data breach notification and more specific cybersecurity laws promulgated by the states.
- California continues to lead the nation on protecting the consumer and has recently promulgated the California Consumer Privacy Act (CCPA). This law, along with the European General Data Protection Regulation (GDPR), has changed the way companies do business. The CCPA is primarily a privacy law that gives individual consumers rights to control how their data is collected, used, and disposed of. But the CCPA also gives a private right of action to hold companies accountable for failing to implement reasonable cybersecurity measures. The California Privacy Rights Act, which was passed by California voters on November 3, 2020, maintains the cybersecurity portion of the CCPA with some slight modifications and creates a new privacy agency. The following section of the California Privacy Rights Act focuses on cybersecurity measures.
- Alabama was one of the last two states to adopt a data breach notification law. Because they were late to the table in promulgating a notification law, they were able to add cybersecurity measures in addition to just breach notification requirements.
- Massachusetts Regulations Concerning Cybersecurity
Chapter Twelve 14 results (showing 5 best matches)
- It is unclear whether a multilateral comprehensive treaty on cybersecurity will be adopted. The United Nations recently released a report designed to start the discussion concerning such a treaty. One issue concerning the treaty is the responsibility of state actors for cybersecurity breaches. It is common knowledge that governments, including the United States, collect and stockpile software vulnerabilities and engage in cyber espionage. This may result in serious reluctance on the part of governments to handicap their own ability to engage in cyber espionage to address issues such as terrorism. Any adopted treaty would likely include broad exemptions for certain types of conduct and thus may have little true effectiveness in addressing some cybersecurity-related issues.
- For an overview of trade and cybersecurity, the reader is directed to the Joshua P. Meltzer and Cameron F. Kerry article,
- 1. The Parties recognize that threats to cybersecurity undermine confidence in digital trade. Accordingly, the Parties shall endeavor to: (a) build the capabilities of their respective national entities responsible for cybersecurity incident response; and (b) strengthen existing collaboration mechanisms for cooperating to identify and mitigate malicious intrusions or dissemination of malicious code that affect electronic networks, and use those mechanisms to swiftly address cybersecurity incidents, as well as for the sharing of information for awareness and best practices.
- 2. Given the evolving nature of cybersecurity threats, the Parties recognize that risk-based approaches may be more effective than prescriptive regulation in addressing those threats. Accordingly, each Party shall endeavor to employ, and encourage enterprises within its jurisdiction to use, risk-based approaches that rely on consensus-based standards and risk management best practices to identify and protect against cybersecurity risks and to detect, respond to, and recover from cybersecurity events.
- Cybersecurity and Digital Trade: Getting It Right
Chapter Eleven 12 results (showing 5 best matches)
- “The purpose of this publication is to give manufacturers recommendations for improving how securable the IoT devices they make are. This means the IoT devices offer device cybersecurity capabilities—cybersecurity features or functions the devices provide through their own technical means (i.e., device hardware and software)—that customers, both organizations and individuals, need to secure the devices when used within their systems and environments. IoT device manufacturers will also often need to perform actions or provide services that their customers expect and/or need to plan for and maintain the cybersecurity of the device within their systems and environments. From this publication, IoT device manufacturers will learn how they can help to create a baseline of cybersecurity capabilities for IoT devices, and to publish cybersecurity practices for IoT device manufacturers. IoT device customers by carefully considering which device cybersecurity capabilities to design into their...
- NIST released a guidance document titled “Foundational Cybersecurity Activities for IoT Device Manufacturers” in May 2020. The document provides cybersecurity guidance for IoT device manufacturers concerning the development of devices to be sold to consumers. The Executive Summary provides, in relevant part:
- This chapter reviews cybersecurity issues related to the Internet of Things (IoT). In prior chapters, we reviewed cases involving internet-connected devices such as WiFi routers. Indeed, with the advent of the ubiquitous home WiFi router, “things” have been connected to the internet for a long time in the form of laptops, tablets, and smartphones. Today, the number of those “things” has increased dramatically with the continuously rising adoption of smart home devices. In this chapter, we review materials specifically directed to the IoT, such as NIST documents and the complaint filed against Ring concerning cybersecurity deficiencies.
- “Cybersecurity and privacy risks for IoT devices can be thought of in terms of three high-level risk mitigation goals:
- NIST Guidance Document: Foundational Cybersecurity Activities for IoT Device Manufacturers
Chapter Eight 2 results
- In Chapter 4, U.S. Securities and Exchange Commission Cybersecurity, there is a discussion of a case concerning a securities action related to cybersecurity.
- From a counseling perspective, attorneys should protect their clients’ interests by including carefully drafted merger clauses, warranty clauses, indemnification provisions, choice of law and forum clauses, binding arbitration clauses, clauses prohibiting oral modification and limitations of liability provisions. Notably, attorneys should ensure that clients have secured cybersecurity insurance and can verify that service providers, such as cloud services, have adopted reasonable and appropriate cybersecurity measures.
Chapter Four 16 results (showing 5 best matches)
- Congress created the SEC through the Securities Exchange Act of 1934. Congress had also passed the Securities Act of 1933. These congressional actions were designed to restore investor confidence during the Great Depression. As one might expect, cybersecurity was not on the minds of Congress at the time. But with the advent of computers and computerized trading, the SEC has had to address cybersecurity.
- This chapter includes an examination of regulations enforced by the SEC as well as that enforcement. This chapter also reviews private litigation involving securities fraud and cybersecurity and disclosure issues related to cybersecurity.
- See Spotlight on Cybersecurity, the SEC and You
- The Financial Industry Regulatory Authority (FINRA) is a nonprofit self-regulatory organization that Congress has authorized to regulate broker-dealers; it enforces SEC regulations concerning cybersecurity. See FINRA, Cybersecurity, available at
- case centers around the September 7, 2017 disclosure of the hack of the Equifax computer network by criminal hackers that resulted in the compromise of personally identifiable information. Among other allegations, the plaintiff alleged that defendants “made false or misleading statements on Equifax’s website, in Equifax’s SEC filings, and at Equifax Investor Conferences and Presentations. According to the Plaintiff, these false or misleading statements concerned the state of Equifax’s cybersecurity, Equifax’s compliance with data protection laws, regulations, and industry best practices, and Equifax’s internal controls.” The defendants responded that plaintiff does not have a case for securities fraud because the allegations “concern mere corporate mismanagement.” The court did not find this response persuasive because “[t]he Plaintiff does not argue that the Defendants violated section 10(b) by failing to implement better cybersecurity practices. Instead, the Plaintiff contends...
Chapter Nine 26 results (showing 5 best matches)
- The NIST Risk Management Framework is widely recognized as a useful tool for analyzing and managing risk in the context of cybersecurity issues. The Framework provides cybersecurity professionals and counsel an analytical framework to address potential issues as those problems arise.
- The need for cybersecurity standards and best practices that address interoperability, usability and privacy continues to be critical for the nation. NIST’s cybersecurity programs seek to enable greater development and application of practical, innovative security technologies and methodologies that enhance the country’s ability to address current and future computer and information security challenges.
- The IC3 website provides a web page for filing a complaint. But counsel should develop a relationship with the cyber agent at the regional FBI field office so that counsel has direct access during an incident. The agent can also be a good resource for keeping informed of emerging cybersecurity risks. Indeed, the FBI encourages direct contact after a corporation has an incident.
- Cybersecurity, N
- Cybersecurity Framework Version 1.1. Overview
Chapter Two 12 results (showing 5 best matches)
- the Third Circuit decided that the FTC has authority to regulate cybersecurity based on the unfairness prong of the FTC Act and that Wyndham had sufficient notice that its deficient cybersecurity practices could violate the FTC Act
- As with the FTC cases, the above guidance is part of the normal best practices landscape practiced by cybersecurity professionals. It is also a clear signal that the FTC is and will be taking an active and proactive role in cybersecurity.
- This Chapter reviews the Federal Trade Commission (FTC) enforcement actions concerning cybersecurity. The FTC is a federal agency tasked with protecting consumers and promoting competition. In recent years the FTC has taken enforcement action against many companies, small and large, under “unfair or deceptive acts or practices in or affecting commerce” that have been clear-cut privacy enforcement actions. The “unfair or deceptive acts or practices in or affecting commerce” enforcement powers of the FTC come from Section 5 of the 1914 FTC Act. The FTC has been particularly successful in enforcing consumer privacy through the deceptive acts prong by pursuing companies that collect personal data beyond that which is disclosed in the companies’ privacy notices. Of course, in 1914 cybersecurity was not envisioned as something that would be covered by the Act. But with the proliferation of computers and the connection of computers with the internet, cybersecurity has become a hot topic,...
- bulletins. The FTC would have also likely followed up the leads with specific interrogatories to the company. At the end of this process, the FTC has compiled a long list of cybersecurity mistakes, missteps, and failures that it can list and compare against known industry cybersecurity practices to point out gaps in “reasonable security.” Basically, here is what a reasonable company does regarding cybersecurity practices and here is what you did. In the end, the company is left with no choice but to agree to a consent agreement with the FTC.
- In 2002, the FTC started asserting claims based on “unfair” cybersecurity practices. For the next 10 years, all actions brought by the FTC resulted in negotiated consent agreements, with no company testing the FTC’s statutory authority to regulate cybersecurity. While some companies questioned the FTC’s authority, they all settled rather than engage in an embarrassing legal battle. That changed when the FTC sued Wyndham Worldwide Corp. in 2012.
Table of Contents 16 results (showing 5 best matches)
- 1.1[b] Introduction to the Relationship Between Cybersecurity, Cybersecurity Law and Privacy Law and “Reasonable Security Measures”.
- 1.1[a] Brief History of Computing in the Cybersecurity Context
- 1.2 WHAT IS CYBERSECURITY LAW?
- 1.3 RESPONSIBILITIES OF A CYBERSECURITY PROFESSIONAL
- 1.3[b] Cybersecurity Tools
Chapter Three 13 results (showing 5 best matches)
- The United States relies on a patchwork of federal and state cybersecurity and privacy laws. The Gramm-Leach-Bliley Act (GLBA) is one of those laws. One might normally think of the GLBA as primarily a financial privacy law. However, it also contains an important cybersecurity requirement, the Safeguards Rule, which is enforced by the FTC.
- The National Institute of Standards and Technology defines cybersecurity as “the process of protecting information by preventing, detecting, and responding to attacks.” As part of cybersecurity, institutions should consider management of internal and external threats and vulnerabilities to protect information assets and the supporting infrastructure from technology-based attacks.
- Cybersecurity Awareness
- The Equifax data breach received extensive media exposure. On September 7, 2017, Equifax announced a data breach that was one of the largest in history. “From mid-May through the end of July 2017, hackers stole the personal information of nearly 150 million Americans.” The data, classified as personally identifiable information (“PII”), included but was not limited to names, Social Security numbers, birth dates, addresses, driver’s license numbers, images of taxpayer ID cards and passports, photographs associated with government-issued identification, and payment card information. The plaintiffs characterized the breach as “the direct result of Equifax’s disregard for cybersecurity.” Per the plaintiffs, Equifax had been repeatedly warned “that its cybersecurity was dangerously deficient, and that ...not an isolated incident.” “However, despite these warnings, Equifax did not take the necessary steps to improve its data security or prepare for the known cybersecurity...
- In June 2013, the FFIEC announced the creation of the Cybersecurity and Critical Infrastructure Working Group to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. In addition, the FFIEC began assessing and enhancing the state of industry preparedness and identifying gaps in the regulators’ examination procedures and training that can be closed to strengthen oversight of cybersecurity readiness.
Chapter Six 1 result
- The Family Educational Rights and Privacy Act (FERPA) is another act that appears on the surface to be all about privacy, but a closer look reveals a “reasonable methods” standard for cybersecurity controls. Some educational institutions are also governed by the Gramm-Leach-Bliley Act, which is mostly enforced by the Federal Trade Commission. Additionally, the Department of Education’s Office of the Inspector General has overlapping responsibility concerning FERPA.
Chapter Five 3 results
- HIPAA is the Health Insurance Portability and Accountability Act of 1996. Most Americans are familiar with the term HIPAA and would probably classify it as a privacy law that protects their medical data. In addition to the privacy side of HIPAA, the U.S. Department of Health and Human Services (HHS) has also promulgated a Security Rule for the protection of electronic protected health information. This chapter reviews the Security Rule, its enforcement, and private litigation concerning HIPAA in the cybersecurity context.
- As we have seen with other federal agencies that enforce cybersecurity, the accused normally has the choice to come to terms
- (“Resource Guide”). NIST’s cybersecurity resources have evolved since SP 800-66, Revision 1, was published in 2008, and stakeholders will benefit from guidance that includes references to these updated resources. The public is invited to provide input by
- Publication Date: August 9th, 2021
- ISBN: 9781636590202
- Subject: Internet Law
- Series: Concise Hornbook Series
- Type: Hornbook Treatises
- Description: This book is for cybersecurity and privacy professionals, cybersecurity and privacy lawyers, law students, and anyone interested in learning the cybersecurity laws that apply to an entity based on the entity’s business model(s) and data collection model(s). For example, what is the applicable Securities and Exchange Commission (SEC) cybersecurity law if an entity operates an alternative trading system (ATS) with a daily trading volume of 50,000? The authors combine years of technical and legal experience in providing a map for cybersecurity counseling based on an understanding of the CISO’s technical cybersecurity issues and how they fit into today’s cybersecurity law challenges. The authors explain the difference and overlap between privacy law, cybersecurity law, and cybersecurity. Those interested in speaking the same cybersecurity language as a Chief Information Security Officer (CISO) will benefit. The first chapter provides a review of cybersecurity. For example, key to any discussion of cybersecurity is the Confidentiality, Integrity, and Availability (CIA) of data. Learn how to implement policy-based “reasonable security measures” frameworks for your organization that form a legal defense to cybersecurity-based actions brought by U.S. agencies such as the Federal Trade Commission (FTC) and state Attorneys General. A high-level discussion of the National Institute of Standards and Technology (NIST) cybersecurity frameworks is included, as well as data breach laws, anti-hacking laws, and some international issues.