Cybersecurity Law (eBook)
John Wiley & Sons (Verlag)
978-1-119-82217-2 (ISBN)
Learn to protect your clients with this definitive guide to cybersecurity law in this fully-updated third edition
Cybersecurity is an essential facet of modern society, and as a result, the application of security measures that ensure the confidentiality, integrity, and availability of data is crucial. Cybersecurity can be used to protect assets of all kinds, including data, desktops, servers, buildings, and most importantly, humans. Understanding the ins and outs of the legal rules governing this important field is vital for any lawyer or other professionals looking to protect these interests.
The thoroughly revised and updated Cybersecurity Law offers an authoritative guide to the key statutes, regulations, and court rulings that pertain to cybersecurity, reflecting the latest legal developments on the subject. This comprehensive text deals with all aspects of cybersecurity law, from data security and enforcement actions to anti-hacking laws, from surveillance and privacy laws to national and international cybersecurity law. New material in this latest edition includes many expanded sections, such as the addition of more recent FTC data security consent decrees, including Zoom, SkyMed, and InfoTrax.
Readers of the third edition of Cybersecurity Law will also find:
- An all-new chapter focused on laws related to ransomware and the latest attacks that compromise the availability of data and systems
- New and updated sections on new data security laws in New York and Alabama, President Biden's cybersecurity executive order, the Supreme Court's first opinion interpreting the Computer Fraud and Abuse Act, American Bar Association guidance on law firm cybersecurity, Internet of Things cybersecurity laws and guidance, the Cybersecurity Maturity Model Certification, the NIST Privacy Framework, and more
- New cases that feature the latest findings in the constantly evolving cybersecurity law space
- An article by the author of this textbook, assessing the major gaps in U.S. cybersecurity law
- A companion website for instructors that features expanded case studies, discussion questions by chapter, and exam questions by chapter
Cybersecurity Law is an ideal textbook for undergraduate and graduate level courses in cybersecurity, cyber operations, management-oriented information technology (IT), and computer science. It is also a useful reference for IT professionals, government personnel, business managers, auditors, cybersecurity insurance agents, and academics in these fields, as well as academic and corporate libraries that support these professions.
Jeff Kosseff, JD, MPP, is Associate Professor of Cybersecurity Law at the United States Naval Academy in Annapolis, Maryland. He frequently speaks and writes about cybersecurity and was a journalist covering technology and politics at The Oregonian, a finalist for the Pulitzer Prize, and a recipient of the George Polk Award for national reporting.
Jeff Kosseff, JD, MPP, is Associate Professor of Cybersecurity Law at the United States Naval Academy in Annapolis, Maryland. He frequently speaks and writes about cybersecurity and was a journalist covering technology and politics at The Oregonian, a finalist for the Pulitzer Prize, and a recipient of the George Polk Award for national reporting.
Introduction to First Edition
In recent years, cybersecurity has become not only a rapidly growing industry, but an increasingly vital consideration for nearly every company and government agency in the United States. A data breach can lead to high‐stakes lawsuits, significant business disruptions, intellectual property theft, and national security vulnerabilities. Just ask any executive from Sony, Target, Home Depot, or the scores of other companies that experienced costly data breaches or the top officials at the U.S. Office of Personnel Management, which suffered a breach that exposed millions of federal workers’ highly confidential security clearance applications. In short, it is abundantly clear that companies, governments, and individuals need to do more to improve cybersecurity.
Many articles and books have been written about the technical steps that are necessary to improve cybersecurity. However, there is much less material available about the legal rules that require—and, in some cases, restrict—specific cybersecurity measures. Legal obligations and restrictions should be considered at the outset of any cybersecurity strategy, just as a company would consider reputational harm and budgetary issues. Failure to comply with the law could lead to significant financial harms, negative publicity, and, in some cases, criminal charges.
Unfortunately, the United States does not have a single “cybersecurity law” that can easily apply to all circumstances. Rather, the United States has a patchwork of hundreds of state and federal statutes, regulations, binding guidelines, and court‐created rules regarding data security, privacy, and other issues commonly considered to fall under the umbrella of “cybersecurity.” On top of that, if U.S. companies have customers or employees in other countries, they must consider the privacy and data security laws and regulations of those nations.
This book aims to synthesize the cybersecurity laws that are most likely to affect U.S. corporate and government operations. The book is intended for a wide range of audiences that seek to learn more about cybersecurity law: undergraduate, graduate, and law school students; technology professionals; corporate executives; and lawyers. For lawyers who use this book as a reference treatise, this book contains detailed footnotes to the primary source materials, such as statutes and case citations. However, this book is not intended only for those with law degrees; it is written with the intent of being a guide for lawyers and nonlawyers alike. Similarly, in addition to being a desk reference, this book can be used as a primary or supplemental text in a cybersecurity law class.
The book focuses on the cybersecurity obligations of U.S. companies, but because cyberspace involves global private and public infrastructure, the book does not focus only on U.S. legal obligations of private companies. The book examines the efforts of the public sector and private sector to work together on cybersecurity, as well as the limits on government cyber operations under the U.S. Constitution and various statutes. Moreover, the book discusses some of the foreign cybersecurity laws that U.S. companies are most likely to encounter.
At the outset, it is important to define the term “cybersecurity law.” Unlike more established legal fields, such as copyright, contracts, and torts, cybersecurity law is relatively new and not clearly defined. Indeed, some people think of cybersecurity law as consisting only of data security requirements for companies that are designed to reduce the likelihood of data breaches. Others think of cybersecurity law as anti‐hacking laws. And to some, cybersecurity law is a subset of privacy law.
To all of those suggestions, I say “yes.” Cybersecurity encompasses all of those subjects and more. The U.S. Department of Homeland Security's National Initiative for Cybersecurity Careers and Studies defines cybersecurity as “[t]he activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.” This definition is a good—and largely complete—starting point for the purposes of this book. The DHS definition captures the “CIA Triad”—confidentiality, integrity, and availability—that typically is associated with cybersecurity. Under this definition, we should be concerned with data security laws, data breach litigation, and anti‐hacking laws. However, I have two additions to the DHS definition. First, it is impossible to fully evaluate cybersecurity without understanding the limits on the government's ability to conduct electronic surveillances. Accordingly, the Fourth Amendment to the U.S. Constitution and statutes that restrict government surveillance must be considered as part of an examination of cybersecurity law. Second, cybersecurity law is heavily intertwined with privacy law, which restricts the ability of companies and governments to collect, use, and disclose individuals’ personal information.
To simplify, this book categorizes cybersecurity law as consisting of six broad areas of law:
- Private sector data security laws
- Anti‐hacking laws
- Public–private cybersecurity efforts
- Government surveillance laws
- Cybersecurity requirements for government contractors
- Privacy law
Private Sector Data Security Laws (Chapters 1–4)
Among the most complex—and rapidly changing—areas of cybersecurity are the many requirements that apply to U.S. companies’ handling of customers’ and employees’ personal data. A number of state and federal laws require companies to implement specific data security safeguards, and if a company faces a data breach, it may be required to notify customers, regulators, and credit bureaus. Breaches also could expose companies to costly regulatory actions and class action lawsuits.
Chapter 1 provides an overview of the state and federal laws that generally apply to data security and data breaches. Unlike other nations, the United States does not have a general law that imposes specific privacy and data security requirements on all companies. The closest analogue in the United States is Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive trade practices. Chapter 1 examines dozens of complaints that the Federal Trade Commission has filed under this statute arising from allegedly inadequate data security. The chapter next examines the laws in nearly every state that require companies to notify regulators, customers, and credit bureaus of data breaches in certain circumstances. Finally, the chapter examines the dozen state laws that impose specific data security requirements for personal information.
Chapter 2 examines the various types of private class action lawsuits that companies could face after they experience data breaches. First, the chapter examines a concept known as Article III standing, which is among the most significant barriers to plaintiffs’ lawsuits arising from data breaches. In short, Article III standing requires that plaintiffs demonstrate that they suffered an injury‐in‐fact that is fairly traceable to the defendant's conduct and redressable by a lawsuit. Courts are divided as to what types of injuries a data breach plaintiff must demonstrate to have Article III standing. The chapter then reviews common legal claims that arise from data breaches, including negligence, misrepresentation, breach of contract, invasion of privacy, unjust enrichment, and state consumer protection laws. The chapter also reviews the procedural requirements that data breach plaintiffs must satisfy to be permitted to sue on behalf of a larger class of plaintiffs. It examines whether commercial insurance coverage helps cover companies’ liability in data breach lawsuits. Finally, the chapter examines how companies can reduce the likelihood that their internal cybersecurity communications and reports will be subject to discovery and used against them in litigation.
Chapter 3 examines the additional data security requirements that U.S. companies face if they handle particularly sensitive personal information. The Gramm–Leach–Bliley Act requires financial institutions to adopt specific security safeguards for customers’ nonpublic financial information. The Payment Card Industry Data Security Standard contractually imposes data security safeguards for companies that handle credit and debit card information. Doctors, health insurers, and other healthcare companies and their business associates face stringent data security requirements under the Health Insurance Portability and Accountability Act. Finally, the chapter examines the cybersecurity requirements for electric utilities and nuclear licensees.
Chapter 4 provides an overview of data security requirements that affect corporations. The Securities and Exchange Commission expects publicly traded companies to disclose material risks, and in recent years, it has urged companies to be transparent about their cybersecurity vulnerabilities and explain how those vulnerabilities might affect shareholders. This chapter examines the level of disclosure that the SEC expects in publicly traded companies’ public filings, and provides examples of various levels of transparency and disclosure. The chapter also examines the possibility of...
| Erscheint lt. Verlag | 10.11.2022 |
|---|---|
| Sprache | englisch |
| Themenwelt | Mathematik / Informatik ► Informatik ► Theorie / Studium |
| Schlagworte | anti-hacking law • Computer Criminal Law • Computerkriminalität • Computer Science • Computer Security & Cryptography • Computersicherheit • Computersicherheit u. Kryptographie • cryptography • cyber operation • data security law • FTC data security consent decree • Informatik • internet of things • Kryptographie • Law • LifeLock • management-oriented information technology • Mathematics • Mathematik • Privacy Law • Ransomware • Rechtswissenschaft • SkyMed • surveillance and cyber • Zoom |
| ISBN-10 | 1-119-82217-3 / 1119822173 |
| ISBN-13 | 978-1-119-82217-2 / 9781119822172 |
| Informationen gemäß Produktsicherheitsverordnung (GPSR) | |
| Haben Sie eine Frage zum Produkt? |
EPUB (Adobe DRM)Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: EPUB (Electronic Publication)
EPUB ist ein offener Standard für eBooks und eignet sich besonders zur Darstellung von Belletristik und Sachbüchern. Der Fließtext wird dynamisch an die Display- und Schriftgröße angepasst. Auch für mobile Lesegeräte ist EPUB daher gut geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
aus dem Bereich
