Cybersecurity Law - Jeff Kosseff - E-Book

Description

CYBERSECURITY LAW

Learn to protect your clients with this definitive guide to cybersecurity law in this fully-updated third edition

Cybersecurity is an essential facet of modern society, and as a result, the application of security measures that ensure the confidentiality, integrity, and availability of data is crucial. Cybersecurity can be used to protect assets of all kinds, including data, desktops, servers, buildings, and most importantly, humans. Understanding the ins and outs of the legal rules governing this important field is vital for any lawyer or other professionals looking to protect these interests.

The thoroughly revised and updated Cybersecurity Law offers an authoritative guide to the key statutes, regulations, and court rulings that pertain to cybersecurity, reflecting the latest legal developments on the subject. This comprehensive text deals with all aspects of cybersecurity law, from data security and enforcement actions to anti-hacking laws, from surveillance and privacy laws to national and international cybersecurity law. New material in this latest edition includes many expanded sections, such as the addition of more recent FTC data security consent decrees, including Zoom, SkyMed, and InfoTrax.

Readers of the third edition of Cybersecurity Law will also find:

  • An all-new chapter focused on laws related to ransomware and the latest attacks that compromise the availability of data and systems
  • New and updated sections on new data security laws in New York and Alabama, President Biden’s cybersecurity executive order, the Supreme Court’s first opinion interpreting the Computer Fraud and Abuse Act, American Bar Association guidance on law firm cybersecurity, Internet of Things cybersecurity laws and guidance, the Cybersecurity Maturity Model Certification, the NIST Privacy Framework, and more
  • New cases that feature the latest findings in the constantly evolving cybersecurity law space
  • An article by the author of this textbook, assessing the major gaps in U.S. cybersecurity law
  • A companion website for instructors that features expanded case studies, discussion questions by chapter, and exam questions by chapter

Cybersecurity Law is an ideal textbook for undergraduate and graduate level courses in cybersecurity, cyber operations, management-oriented information technology (IT), and computer science. It is also a useful reference for IT professionals, government personnel, business managers, auditors, cybersecurity insurance agents, and academics in these fields, as well as academic and corporate libraries that support these professions.


Page count: 1762

Publication year: 2022




Table of Contents

Cover

Title Page

Copyright

Dedication

About the Author

Acknowledgment and Disclaimers

Foreword to the Third Edition (2023)

Foreword to the Second Edition (2019)

Introduction to First Edition

Private Sector Data Security Laws (Chapters 1–4)

Anti‐Hacking Laws (Chapter 5)

Public–Private Security Efforts (Chapter 6)

Government Surveillance Laws (Chapter 7)

Cybersecurity Requirements for Government Contractors (Chapter 8)

Privacy Law (Chapter 9)

About the Companion Website

1 Data Security Laws and Enforcement Actions

1.1 FTC Data Security

1.2 State Data Breach Notification Laws

1.3 State Data Security Laws

1.4 State Data Disposal Laws

Notes

2 Cybersecurity Litigation

2.1 Article III Standing

2.2 Common Causes of Action Arising from Data Breaches

2.3 Class Action Certification in Data Breach Litigation

2.4 Insurance Coverage for Data Breaches

2.5 Protecting Cybersecurity Work Product and Communications from Discovery

Notes

3 Cybersecurity Requirements for Specific Industries

3.1 Financial Institutions: GLBA Safeguards Rule

3.2 New York Department of Financial Services Cybersecurity Regulations

3.3 Financial Institutions and Creditors: Red Flags Rule

3.4 Companies that Use Payment and Debit Cards: PCI DSS

3.5 IoT Cybersecurity Laws

3.6 Health Providers: HIPAA Security Rule

3.7 Electric Transmission: FERC Critical Infrastructure Protection Reliability Standards

3.8 NRC Cybersecurity Regulations

3.9 State Insurance Cybersecurity Laws

Notes

4 Cybersecurity and Corporate Governance

4.1 SEC Cybersecurity Expectations for Publicly Traded Companies

4.2 Fiduciary Duty to Shareholders and Derivative Lawsuits Arising from Data Breaches

4.3 CFIUS and Cybersecurity

4.4 Law Firms and Cybersecurity

Notes

5 Antihacking Laws

5.1 Computer Fraud and Abuse Act

5.2 State Computer Hacking Laws

5.3 Section 1201 of the Digital Millennium Copyright Act

5.4 Economic Espionage Act

5.5 Budapest Convention on Cybercrime

Notes

6 U.S. Government Cyber Structure and Public–Private Cybersecurity Partnerships

6.1 U.S. Government's Civilian Cybersecurity Organization

6.2 Department of Homeland Security Information Sharing under the Cybersecurity Act of 2015

6.3 Critical Infrastructure Executive Order and the NIST Cybersecurity Framework

6.4 U.S. Military Involvement in Cybersecurity and the Posse Comitatus Act

6.5 Vulnerabilities Equities Process

6.6 Executive Order 14028

Notes

7 Surveillance and Cyber

7.1 Fourth Amendment

7.2 Electronic Communications Privacy Act

7.3 Communications Assistance for Law Enforcement Act (CALEA)

7.4 Encryption and the All Writs Act

7.5 Encrypted Devices and the Fifth Amendment

Notes

8 Cybersecurity and Federal Government Contractors

8.1 Federal Information Security Management Act

8.2 NIST Information Security Controls for Government Agencies and Contractors

8.3 Classified Information Cybersecurity

8.4 Covered Defense Information, CUI, and the Cybersecurity Maturity Model Certification

Notes

9 Privacy Laws

9.1 Section 5 of the FTC Act and Privacy

9.2 Health Insurance Portability and Accountability Act

9.3 Gramm–Leach–Bliley Act and California Financial Information Privacy Act

9.4 CAN‐SPAM Act

9.5 Video Privacy Protection Act

9.6 Children's Online Privacy Protection Act

9.7 California Online Privacy Laws

9.8 California Consumer Privacy Act

9.9 Illinois Biometric Information Privacy Act

9.10 NIST Privacy Framework

Notes

10 International Cybersecurity Law

10.1 European Union

10.2 Canada

10.3 China

10.4 Mexico

10.5 Japan

Notes

11 Cyber and the Law of War

11.1 Was the Cyberattack a “Use of Force” that Violates International Law?

11.2 If the Attack Was a Use of Force, Was that Force Attributable to a State?

11.3 Did the Use of Force Constitute an “Armed Attack” that Entitles the Target to Self‐defense?

11.4 If the Use of Force Was an Armed Attack, What Types of Self‐defense Are Justified?

11.5 If the Nation Experiences Hostile Cyber Actions that Fall Short of Use of Force or Armed Attacks, What Options Are Available?

Notes

12 Ransomware

12.1 Defining Ransomware

12.2 Ransomware‐related Litigation

12.3 Insurance Coverage for Ransomware

12.4 Ransomware Payments and Sanctions

12.5 Ransomware Prevention and Response Guidelines from Government Agencies

Notes

Appendix A: Text of Section 5 of the FTC Act

[15 U.S.C.] §45. Unfair methods of competition unlawful; prevention by Commission

Note

Appendix B: Summary of State Data Breach Notification Laws

Alabama

Alaska

Arizona

Arkansas

California

Colorado

Connecticut

Delaware

District of Columbia

Florida

Georgia

Hawaii

Idaho

Illinois

Indiana

Iowa

Kansas

Kentucky

Louisiana

Maine

Maryland

Massachusetts

Michigan

Minnesota

Mississippi

Missouri

Montana

Nebraska

Nevada

New Hampshire

New Jersey

New Mexico

New York

North Carolina

North Dakota

Ohio

Oklahoma

Oregon

Pennsylvania

Rhode Island

South Carolina

South Dakota

Tennessee

Texas

Utah

Vermont

Virginia

Washington State

West Virginia

Wisconsin

Wyoming

Appendix C: Text of Section 1201 of the Digital Millennium Copyright Act

17 U.S.C. §1201. Circumvention of copyright protection systems

Notes

Appendix D: Text of the Computer Fraud and Abuse Act

§ 1030. Fraud and related activity in connection with computers

Appendix E: Text of the Electronic Communications Privacy Act

Title I (Wiretap Act), 18 U.S.C §§ 2510–2523

Title II (Stored Communications Act), 18 U.S.C. §§ 2701–2713

Title III (Pen Registers and Trap and Trace Devices), 18 U.S.C. §§ 3121–3127

Notes

Appendix F: Key Cybersecurity Court Opinions

Appendix G: Hacking Cybersecurity Law

I. Introduction

II. The Broad Scope of Cybersecurity Law

III. Guiding Principles for Hacking Cybersecurity Law

IV. Conclusion

Notes

Index

End User License Agreement



Cybersecurity Law

Third Edition

Jeff Kosseff

This third edition first published in 2023

© 2023 John Wiley & Sons, Inc.

Edition History

Wiley (1e, 2017; 2e, 2019)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

The right of Jeff Kosseff to be identified as the author of this work has been asserted in accordance with law.

Registered Office

John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Wiley also publishes its books in a variety of electronic formats and by print‐on‐demand. Some content that appears in standard print versions of this book may not be available in other formats.

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty

In view of ongoing research, equipment modifications, changes in governmental regulations, and the constant flow of information relating to the use of experimental reagents, equipment, and devices, the reader is urged to review and evaluate the information provided in the package insert or instructions for each chemical, piece of equipment, reagent, or device for, among other things, any changes in the instructions or indication of usage and for added warnings and precautions. While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Library of Congress Cataloging‐in‐Publication Data Applied for:

Names: Kosseff, Jeff, 1978‐ author.
Title: Cybersecurity law / Jeff Kosseff.
Description: Third Edition. | Hoboken : Wiley, 2022. | Includes bibliographical references and index.
Identifiers: LCCN 2022044953 (print) | LCCN 2022044954 (ebook) | ISBN 9781119822165 (hardback) | ISBN 9781119822189 (adobe pdf) | ISBN 9781119822172 (epub)
Subjects: LCSH: Data protection‐‐Law and legislation‐‐United States. | Computer security‐‐Law and legislation‐‐United States.
Classification: LCC KF1263.C65 K67 2022 (print) | LCC KF1263.C65 (ebook) | DDC 343.7309/99‐‐dc23/eng/20220930
LC record available at https://lccn.loc.gov/2022044953
LC ebook record available at https://lccn.loc.gov/2022044954

Cover image: © The Rise/Shutterstock
Cover Design: Wiley


This book is dedicated to my two biggest supporters, my wife, Crystal Zeh, and my daughter, Julia Kosseff.

About the Author

Jeff Kosseff is an Associate Professor of Cybersecurity Law in the Cyber Science Department at United States Naval Academy in Annapolis, Maryland. He has practiced cybersecurity and privacy law, and clerked for Judge Milan D. Smith, Jr. of the U.S. Court of Appeals for the Ninth Circuit and for Judge Leonie M. Brinkema of the U.S. District Court for the Eastern District of Virginia. He is a graduate of Georgetown University Law Center and the University of Michigan. Before becoming a lawyer, he was a journalist for The Oregonian and was a finalist for the Pulitzer Prize for national reporting.

Acknowledgment and Disclaimers

First and foremost, I'd like to thank my colleagues at the United States Naval Academy, and the hundreds of midshipmen whom I have taught in the Academy's cyber operations major. My daily discussions and debates with them have shaped how I think about the emerging field of cybersecurity law, and working with them every day is an inspiration.

Thanks to Wiley for seeing the need for a book that examines the many areas of the law that are related to the evolving world of cybersecurity.

I'd also like to thank the many people who have provided feedback, particularly as I have substantially revised the second edition of the book. They include Marc Blitz, Matt Bodman, Amit Elazari Bar On, Ashden Fein, Eric Goldman, Ido Kilovaty, Kurt Sanger, and Armin Tadayon. Special thanks to Brooke Graves for outstanding editing. Thanks to Liz Seif for excellent proofreading, and to Tim Bettsworth for his copyediting of the third edition of the book.

Any views expressed in this book are only my own, and do not represent the Naval Academy's, Department of Navy's, or Department of Defense's. In this book, I present legal conclusions and facts as stated in judicial opinions and other court documents. By doing so, I am not necessarily endorsing those conclusions or factual claims.

This book is intended as a textbook and casebook for classes at the undergraduate, graduate, and law school levels, as well as a desk reference. However, due to the rapidly changing nature of cybersecurity law, this is not a substitute for legal advice or research on the current state of the law.

Foreword to the Third Edition (2023)

The three years since the publication of the second edition have seen a markedly more complex legal environment in the cybersecurity world, with state, federal, and foreign governments attempting to adapt their legal systems to new threats. Moreover, courts have released important new rulings that apply existing laws such as the Computer Fraud and Abuse Act to modern cybersecurity challenges. This edition captures the key developments.

The most substantial change in this third edition is the addition of Chapter 12, which examines the increasingly important and complex world of laws related to ransomware. The book examines ransomware litigation, insurance coverage disputes, potential sanctions issues, and ransomware guidance provided by federal agencies. In addition to Chapter 12, below is a summary of the key changes from the second edition:

Chapter 1 discusses new FTC data security enforcement actions, including in high‐profile cases against companies such as Zoom. It incorporates amendments to various state data breach notification laws, and examines the new data security laws in New York and Alabama.

Chapter 2 examines the many developments in data breach litigation, including the impact of the Supreme Court's June 2021 Article III standing ruling in TransUnion v. Ramirez. It also examines new data breach class action certification decisions, and the growing field of cases that evaluate claims of attorney–client privilege and work product doctrine for cybersecurity consultants’ reports and communications.

Chapter 3 discusses the FTC's updates to its Safeguards Rule under the Gramm–Leach–Bliley Act, and Oregon's new Internet of Things cybersecurity law. The chapter also updates the growing field of state insurance cybersecurity laws.

Chapter 4 includes discussions of new shareholder litigation regarding data breaches, and adds a section about the cybersecurity obligations of lawyers and law firms.

Chapter 5 examines the potential impact of the 2021 opinion Van Buren v. United States, the U.S. Supreme Court's first substantive interpretation of the Computer Fraud and Abuse Act (CFAA). It also adds discussion of new opinions decided under the CFAA, Section 1201 of the Digital Millennium Copyright Act, and Defend Trade Secrets Act, and the Librarian of Congress's October 2021 triennial rulemaking for DMCA Section 1201 exceptions. The chapter also examines computer researchers’ ongoing First Amendment challenge to Section 1201.

Chapter 6 describes the major updates to the U.S. government's cybersecurity organization, including the creation of the Office of National Cyber Director, and breaks down the components of Executive Order 14028, which President Biden issued in May 2021.

Chapter 7 examines the impact of Carpenter v. United States on Fourth Amendment constraints of electronic searches, and discusses other key developments in Fourth and Fifth Amendment constraints on government surveillance.

Chapter 8 describes the Defense Department's Cybersecurity Maturity Model Certification for defense contractors.

Chapter 9 examines changes to privacy laws, including California's 2020 revisions to its data protection statute, and also outlines the key elements of the NIST Privacy Framework.

Chapter 10 discusses the Court of Justice of the European Union's decision to strike down the Privacy Shield, and also provides guidance on Canadian regulators’ cybersecurity expectations based on recent enforcement cases.

Chapter 11 adds discussions about the statements of the Netherlands and United Kingdom regarding the application of the law of armed conflict to cyberspace.

Appendix B updates the requirements of state data breach notice laws.

Appendix F includes an edited version of Van Buren v. United States.

Appendix G is an article about principles for cybersecurity reform, written by the author of this book.

Foreword to the Second Edition (2019)

In the two years since the publication of the first edition of this book in early 2017, much has changed in the world of cybersecurity law. Legislators at the state, federal, and international levels enacted sweeping new laws to address cybersecurity. Courts issued significant new opinions in just about every area covered by the first edition. The U.S. government reorganized its civilian cybersecurity efforts amid unprecedented challenges.

I wrote the second edition to incorporate these new developments, and to make this book even more useful both in the classroom and in the workplace. Before I provide an overview of the changes to particular content, I'd like to highlight three significant additions to the book:

First, the book adds Appendix F, which includes 15 edited court opinions that cover the range of legal issues discussed in the text. I've been pleased to observe the number of professors in undergraduate, graduate, and law school programs who have assigned the book as a primary text. Some professors—particularly at the law school level—incorporate the case method into their teaching, in which their students learn about the legal rules by reading important statutes and court opinions and discussing them in class. Although the appendices to the first edition contained the text of some of the leading cybersecurity‐related statutes, the first edition did not include the text of court opinions. Appendix F provides edited opinions that cover FTC data security authority, private data breach litigation, shareholder derivative data breach litigation, the Computer Fraud and Abuse Act, and the Fourth Amendment. By combining these edited cases with the narrative text, I hope that the book will be useful as both a traditional textbook and a casebook. The edited court opinions also will be useful to those using the book as a treatise, as it provides a more detailed look at some of the cases discussed in the main text.

Second, the new edition adds Chapter 11, which covers some aspects of the international law of cyberwarfare. As we have seen in the past few years, many cybersecurity threats have originated from state actors in other nations. This requires us to examine, under international law, what options a target country has to defend itself.

Third, Wiley offers a new, instructor‐only website, which has suggested questions for class discussion, and model exam questions.

In addition to these three significant structural additions, the second edition adds new sections and substantively updates existing sections to incorporate the many new developments in cybersecurity law in the past few years. Among some of the additions and changes:

Chapter 1 adds new FTC data security enforcement actions, and the outcome of the LabMD litigation that challenged the FTC's data security enforcement authority. It also updates FTC guidance on data security practices, and new state data security laws. Since the first edition, Alabama, New Mexico, and South Dakota became the last of the 50 states to adopt data breach notification laws, and many states expanded their breach notice requirements. The new edition adds and updates the breach notification statute, and Appendix B summarizes all of these notification laws.

Chapter 2 incorporates many new court rulings on Article III standing in private data breach litigation, common claims in data breach lawsuits, and the attorney–client privilege in cybersecurity litigation.

Chapter 3 includes a new section on the New York Department of Financial Services' recently enacted cybersecurity regulations, which are among the most rigorous in the United States and affect a wide range of companies. It also adds sections on South Carolina's new cybersecurity requirements for insurance companies, and California's new Internet of Things cybersecurity law.

Chapter 4 discusses cybersecurity guidance for publicly traded companies that the Securities and Exchange Commission released in 2018, as well as the SEC's settlement with Yahoo over a massive data breach.

Chapter 5 adds a number of new Computer Fraud and Abuse Act cases, including the Ninth Circuit's second ruling in the landmark United States v. Nosal. It also includes new sections on bug bounty/vulnerability disclosure programs and the Budapest Convention on Cybercrime.

Chapter 6 describes the Department of Homeland Security's reorganization of its cybersecurity program, as well as the allocation of cybersecurity duties among federal departments under Presidential Policy Directive 41. It includes a new section about the November 2017 announcement of the federal government's vulnerability equities process.

Chapter 7 updates developments in Fourth Amendment caselaw, most notably the Supreme Court's 2018 opinion in Carpenter v. United States. The chapter also includes a new section on cases in which criminal suspects or defendants have claimed a Fifth Amendment self‐incrimination privilege to challenge orders requiring them to assist law enforcement with accessing encrypted devices and computers. It also describes the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which sets new rules for extraterritorial enforcement of Stored Communications Act orders.

Chapter 8 updates the cybersecurity requirements for federal government contractors, most notably the recently enacted regulations for the security of controlled unclassified information.

Chapter 9 examines the California Consumer Privacy Act, an extensive series of data protection rules enacted in 2018 and effective in 2020.

Chapter 10 expands the discussion of the European Union's General Data Protection Regulation, and examines China's new comprehensive cybersecurity law.

Introduction to First Edition

In recent years, cybersecurity has become not only a rapidly growing industry, but an increasingly vital consideration for nearly every company and government agency in the United States. A data breach can lead to high‐stakes lawsuits, significant business disruptions, intellectual property theft, and national security vulnerabilities. Just ask any executive from Sony, Target, Home Depot, or the scores of other companies that experienced costly data breaches or the top officials at the U.S. Office of Personnel Management, which suffered a breach that exposed millions of federal workers’ highly confidential security clearance applications. In short, it is abundantly clear that companies, governments, and individuals need to do more to improve cybersecurity.

Many articles and books have been written about the technical steps that are necessary to improve cybersecurity. However, there is much less material available about the legal rules that require—and, in some cases, restrict—specific cybersecurity measures. Legal obligations and restrictions should be considered at the outset of any cybersecurity strategy, just as a company would consider reputational harm and budgetary issues. Failure to comply with the law could lead to significant financial harms, negative publicity, and, in some cases, criminal charges.

Unfortunately, the United States does not have a single “cybersecurity law” that can easily apply to all circumstances. Rather, the United States has a patchwork of hundreds of state and federal statutes, regulations, binding guidelines, and court‐created rules regarding data security, privacy, and other issues commonly considered to fall under the umbrella of “cybersecurity.” On top of that, if U.S. companies have customers or employees in other countries, they must consider the privacy and data security laws and regulations of those nations.

This book aims to synthesize the cybersecurity laws that are most likely to affect U.S. corporate and government operations. The book is intended for a wide range of audiences that seek to learn more about cybersecurity law: undergraduate, graduate, and law school students; technology professionals; corporate executives; and lawyers. For lawyers who use this book as a reference treatise, this book contains detailed footnotes to the primary source materials, such as statutes and case citations. However, this book is not intended only for those with law degrees; it is written with the intent of being a guide for lawyers and nonlawyers alike. Similarly, in addition to being a desk reference, this book can be used as a primary or supplemental text in a cybersecurity law class.

The book focuses on the cybersecurity obligations of U.S. companies, but because cyberspace involves global private and public infrastructure, the book does not focus only on U.S. legal obligations of private companies. The book examines the efforts of the public sector and private sector to work together on cybersecurity, as well as the limits on government cyber operations under the U.S. Constitution and various statutes. Moreover, the book discusses some of the foreign cybersecurity laws that U.S. companies are most likely to encounter.

At the outset, it is important to define the term “cybersecurity law.” Unlike more established legal fields, such as copyright, contracts, and torts, cybersecurity law is relatively new and not clearly defined. Indeed, some people think of cybersecurity law as consisting only of data security requirements for companies that are designed to reduce the likelihood of data breaches. Others think of cybersecurity law as anti‐hacking laws. And to some, cybersecurity law is a subset of privacy law.

To all of those suggestions, I say “yes.” Cybersecurity encompasses all of those subjects and more. The U.S. Department of Homeland Security's National Initiative for Cybersecurity Careers and Studies defines cybersecurity as “[t]he activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.” This definition is a good—and largely complete—starting point for the purposes of this book. The DHS definition captures the “CIA Triad”—confidentiality, integrity, and availability—that typically is associated with cybersecurity. Under this definition, we should be concerned with data security laws, data breach litigation, and anti‐hacking laws. However, I have two additions to the DHS definition. First, it is impossible to fully evaluate cybersecurity without understanding the limits on the government's ability to conduct electronic surveillances. Accordingly, the Fourth Amendment to the U.S. Constitution and statutes that restrict government surveillance must be considered as part of an examination of cybersecurity law. Second, cybersecurity law is heavily intertwined with privacy law, which restricts the ability of companies and governments to collect, use, and disclose individuals’ personal information.

To simplify, this book categorizes cybersecurity law as consisting of six broad areas of law:

Private sector data security laws

Anti‐hacking laws

Public–private cybersecurity efforts

Government surveillance laws

Cybersecurity requirements for government contractors

Privacy law

Private Sector Data Security Laws (Chapters 1–4)

Among the most complex—and rapidly changing—areas of cybersecurity are the many requirements that apply to U.S. companies’ handling of customers’ and employees’ personal data. A number of state and federal laws require companies to implement specific data security safeguards, and if a company faces a data breach, it may be required to notify customers, regulators, and credit bureaus. Breaches also could expose companies to costly regulatory actions and class action lawsuits.

Chapter 1 provides an overview of the state and federal laws that generally apply to data security and data breaches. Unlike other nations, the United States does not have a general law that imposes specific privacy and data security requirements on all companies. The closest analogue in the United States is Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive trade practices. Chapter 1 examines dozens of complaints that the Federal Trade Commission has filed under this statute arising from allegedly inadequate data security. The chapter next examines the laws in nearly every state that require companies to notify regulators, customers, and credit bureaus of data breaches in certain circumstances. Finally, the chapter examines the dozen state laws that impose specific data security requirements for personal information.

Chapter 2 examines the various types of private class action lawsuits that companies could face after they experience data breaches. First, the chapter examines a concept known as Article III standing, which is among the most significant barriers to plaintiffs’ lawsuits arising from data breaches. In short, Article III standing requires that plaintiffs demonstrate that they suffered an injury‐in‐fact that is fairly traceable to the defendant's conduct and redressable by a lawsuit. Courts are divided as to what types of injuries a data breach plaintiff must demonstrate to have Article III standing. The chapter then reviews common legal claims that arise from data breaches, including negligence, misrepresentation, breach of contract, invasion of privacy, unjust enrichment, and state consumer protection laws. The chapter also reviews the procedural requirements that data breach plaintiffs must satisfy to be permitted to sue on behalf of a larger class of plaintiffs. It examines whether commercial insurance coverage helps cover companies’ liability in data breach lawsuits. Finally, the chapter examines how companies can reduce the likelihood that their internal cybersecurity communications and reports will be subject to discovery and used against them in litigation.

Chapter 3 examines the additional data security requirements that U.S. companies face if they handle particularly sensitive personal information. The Gramm–Leach–Bliley Act requires financial institutions to adopt specific security safeguards for customers’ nonpublic financial information. The Payment Card Industry Data Security Standard contractually imposes data security safeguards for companies that handle credit and debit card information. Doctors, health insurers, and other healthcare companies and their business associates face stringent data security requirements under the Health Insurance Portability and Accountability Act. Finally, the chapter examines the cybersecurity requirements for electric utilities and nuclear licensees.

Chapter 4 provides an overview of data security requirements that affect corporations. The Securities and Exchange Commission expects publicly traded companies to disclose material risks, and in recent years, it has urged companies to be transparent about their cybersecurity vulnerabilities and explain how those vulnerabilities might affect shareholders. This chapter examines the level of disclosure that the SEC expects in publicly traded companies’ public filings, and provides examples of various levels of transparency and disclosure. The chapter also examines the possibility of shareholders suing executives and directors if the company experiences a costly data breach. Next, the chapter explores the cybersecurity expectations of the Committee on Foreign Investment in the United States, which reviews certain foreign investments in U.S. companies for national security risks. Finally, the chapter examines how the ongoing debate over export controls could make it more difficult for U.S. companies to conduct cybersecurity research.

Anti‐Hacking Laws (Chapter 5)

Anti‐hacking laws—notably the federal Computer Fraud and Abuse Act (CFAA)—are intended to help promote cybersecurity. However, some critics argue that these laws are outdated and not only fail to help protect private and government computers but also penalize individuals for conducting entirely legitimate activities, such as cybersecurity research.

Chapter 5 reviews the seven offenses that are prohibited by the CFAA, such as hacking computers to obtain information and damaging computers. The CFAA applies to activities that are conducted “without authorization” or “exceed[ing] authorized access,” and the chapter examines how different courts have applied these rather ambiguous terms. The chapter briefly reviews state hacking laws that are based on the CFAA. The chapter then examines Section 1201 of the Digital Millennium Copyright Act, which restricts the ability of individuals to circumvent access controls that protect copyrighted material, and therefore imposes significant limits on cybersecurity vulnerability research. Finally, the chapter examines the Economic Espionage Act, a criminal law that companies increasingly see as a tool to penalize individuals that steal trade secrets. In 2016, Congress amended the Economic Espionage Act to allow companies to file civil lawsuits against hackers and others who steal trade secrets.

Public–Private Security Efforts (Chapter 6)

Cybersecurity law often is associated with punitive measures, such as FTC investigations and data breach class action lawsuits. While those considerations surely are an important component of cybersecurity law, the federal government also has taken a number of proactive steps to work with companies to improve cybersecurity throughout the public and private sectors. Such collaboration is particularly necessary and common in cybersecurity because public and private cyber infrastructure often is interconnected.

Chapter 6 provides an overview of the organization of the federal government's cybersecurity efforts, with the Department of Homeland Security taking an increasingly large and central role in the government's collaboration with the private sector. The chapter examines private–public information sharing, which likely will expand due to the Cybersecurity Act of 2015. The chapter examines the National Institute of Standards and Technology's 2014 cybersecurity framework, which many companies voluntarily adopt as the basis of their own cybersecurity plans. Finally, the chapter briefly examines the U.S. military's involvement with private sector cybersecurity, and the limits imposed by the Posse Comitatus Act.

Government Surveillance Laws (Chapter 7)

Government surveillance laws often restrict the government's ability to increase the security of cyberspace. By “security,” what is meant is more than merely preventing the transmission of malware and other harmful programs. Security also encompasses government efforts to fight cybercrime, such as child pornography, terrorist recruitment, and other harmful online activities. The government—and, in some cases, the private sector—often is restricted by constitutional provisions and statutes.

Chapter 7 begins with an examination of how the Fourth Amendment's prohibition on unreasonable searches and seizures applies to electronic surveillance. The chapter then examines the Electronic Communications Privacy Act, a comprehensive statute that limits the ability of the government to obtain stored communications, use wiretaps to obtain data in transit, and obtain metadata via pen registers. The chapter further examines the government's ability to issue National Security Letters to obtain certain information regarding electronic communications, and the obligations of communications companies to assist law enforcement under the Communications Assistance for Law Enforcement Act. The chapter concludes with an examination of law enforcement's attempts, using the All Writs Act, to compel technology companies to help them access encrypted communications.

Cybersecurity Requirements for Government Contractors (Chapter 8)

Many small and large companies rely on the federal government as a significant client for a wide range of products and services. Increasingly, the federal government is expecting these companies to implement specific standards for cybersecurity.

Chapter 8 examines the key cybersecurity requirements for U.S. government contractors. First, the chapter examines the Federal Information Security Management Act (FISMA), the primary statute that governs data security for the federal government and its contractors. The chapter next provides an overview of the information security controls that the National Institute of Standards and Technology has developed for government agencies and their contractors as part of FISMA. The chapter then examines specific cybersecurity requirements for government contractors that handle classified information, controlled unclassified information, and covered defense information.

Privacy Law (Chapter 9)

Any examination of cybersecurity law would be incomplete without an overview of privacy law. Privacy law restricts the ability of companies to use, share, collect, and retain personal information. While data security laws traditionally focus on the measures that companies take to prevent unauthorized access to information, privacy laws restrict the ability of companies to voluntarily use or disclose customers’ personal information. Privacy law should be considered alongside data security and other cybersecurity laws because they form a company's overall approach to handling personal information. Moreover, a company's statements about its data security in its privacy policy can lead to significant liability under various privacy laws.

Chapter 9 begins with an overview of the FTC's approach to privacy regulation. As with data security, the FTC uses Section 5 of the Federal Trade Commission Act to bring complaints against companies that violate their consumers’ privacy rights or fail to meet the guarantees of their privacy policies.

The chapter then examines the privacy laws that restrict healthcare providers, insurers, and financial institutions. The chapter describes the CAN‐SPAM Act, which limits the ability of companies to send email marketing materials. It explores the Video Privacy Protection Act, which restricts the ability of companies to share online and offline video viewing information, and the Children's Online Privacy Protection Act, which limits the collection of information from children under 13 years old. Finally, the chapter examines state laws in California and Illinois that require website privacy policies, require the deletion of certain information provided by minors, and restrict the use of biometric information, including facial recognition.

Chapters 1 through 9 therefore focus primarily on the U.S. federal and state cybersecurity laws that bind U.S. companies. However, very few U.S. companies can operate without considering the cybersecurity requirements of other countries. If the companies have employees, customers, or business partners in other countries, they may also be bound by those countries’ cybersecurity laws. And many countries—particularly those in the European Union—have enacted privacy and data security laws that are much more restrictive than those in the United States. For that reason, Chapter 10 examines the primary privacy and data security legal requirements of the five largest trading partners of the United States: the European Union, Canada, Mexico, China, and Japan.

As with all emerging areas of the law, cybersecurity law is rapidly evolving. At any time, legislatures, regulators, and courts may change some of the laws that are described in this book. Accordingly, this book is not intended to be a substitute for legal advice from qualified counsel.

Cybersecurity law is a complex, nascent, and rapidly changing field. As we continue to define and build this exciting new area of law, this book attempts to provide a reference for students, lawyers, information technology professionals, and others who are interested in helping companies and government agencies improve the security of their computers, systems, and networks.

About the Companion Website


This book is accompanied by a companion website:

www.wiley.com/go/kosseff/cybersecurity3e

The website includes materials for instructors and students:

Instructors

Suggested points of discussion for the class discussion questions at the end of each chapter.

Bank of potential exam questions.

1 Data Security Laws and Enforcement Actions

The United States does not have a national law that explicitly prescribes specific data security standards for all industries. The only explicit federal data security laws apply to companies that handle specific types of data, such as financial information or health records (discussed in Chapter 3). This comes as a surprise to many, and is frustrating to businesses that want to assure customers and regulators that they comply with all legal requirements, particularly for securing customers' personal information. Likewise, consumer advocates and privacy groups criticize the federal government for failing to enact data security requirements. In recent years, members of Congress and the White House have introduced legislation to set minimum data security standards, but, as of the publication of this book, Congress has not enacted any such legislation.

Despite the lack of a statute that sets minimum data security requirements, the Federal Trade Commission (FTC) aggressively polices data security. In recent years, the FTC has brought dozens of enforcement actions against companies that it believes have failed to take reasonable steps to secure the personal data of their customers. The FTC brings these actions under Section 5 of the FTC Act, a century‐old law that was designed to protect consumers and competitors from unfair or deceptive business practices. Although the law does not explicitly address cybersecurity, it is one of the primary tools that the government uses to bring enforcement actions against companies that failed to take adequate steps to protect consumer information.

This chapter provides an overview of data security requirements under Section 5 of the FTC Act, as well as under state data security laws and private tort claims.

First, we examine what the FTC considers to constitute “unfair” or “deceptive” trade practices that violate Section 5. Next, we pay special attention to challenges to the FTC's cybersecurity authority. These challenges have been raised by two companies, Wyndham Worldwide Resorts and LabMD, and we conclude that, for now, it is largely accepted that the FTC has some authority to bring Section 5 complaints against companies that fail to adequately secure customer data, though judges may impose some limits on this authority. We then review how the FTC has applied that reasoning to cybersecurity, both in guidance and the dozens of complaints that it has filed against companies that allegedly failed to adequately secure personal information.

After reviewing the FTC's data security guidance and enforcement actions, we review the laws of 50 states and the District of Columbia that require companies to notify individuals, regulators, and credit bureaus after certain types of personal information are disclosed in a data breach. These laws are fairly complex, and the notification requirements vary by state. Failure to comply with the requirements in each of these statutes could lead to significant regulatory penalties and, in some cases, private lawsuits.

This chapter also provides an overview of the state laws that require companies to implement reasonable data security programs and policies, and the state laws that require companies to securely dispose of personal information.

1.1 FTC Data Security

The FTC is the closest thing that the U.S. federal government has to a centralized data security regulator. Many other agencies, including the Department of Health and Human Services, the Department of Education, and the Federal Communications Commission, have jurisdiction to regulate privacy and data security for particular sectors. However, only the FTC has the authority to regulate companies in a wide range of sectors, provided that they engage in interstate commerce.

1.1.1 Overview of Section 5 of the FTC Act

The FTC claims its data security authority under Section 5 of the FTC Act,1 which declares illegal “unfair or deceptive acts or practices in or affecting commerce.”2 The statute does not explicitly mention data security.

In 1983, the FTC released a policy statement that elaborates on the elements necessary for it to bring a case against a company for violating the “deception” prong of Section 5. These factors are general and not unique to data security actions:

First, there must be a representation, omission or practice that is likely to mislead the consumer. Practices that have been found misleading or deceptive in specific cases include false oral or written representations, misleading price claims, sales of hazardous or systematically defective products or services without adequate disclosures, failure to disclose information regarding pyramid sales, use of bait and switch techniques, failure to perform promised services, and failure to meet warranty obligations.

Second, we examine the practice from the perspective of a consumer acting reasonably in the circumstances. If the representation or practice affects or is directed primarily to a particular group, the Commission examines reasonableness from the perspective of that group.

Third, the representation, omission, or practice must be a “material” one. The basic question is whether the act or practice is likely to affect the consumer's conduct or decision with regard to a product or service. If so, the practice is material, and consumer injury is likely, because consumers are likely to have chosen differently but for the deception. In many instances, materiality, and hence injury, can be presumed from the nature of the practice. In other instances, evidence of materiality may be necessary.3

The FTC will bring data security‐related claims against companies under the “deception” prong if they have misrepresented their security practices.4 For instance, if a company were to state in its privacy policy that “we guarantee absolute security of your data and we promise we will never have a data breach,” and that company subsequently experienced a breach, the FTC might assert that the privacy policy was deceptive.

The FTC also has increasingly claimed authority for data security enforcement actions under the “unfairness” prong of Section 5.5 Throughout the 1960s and 1970s, the FTC was criticized for applying its unfairness authority arbitrarily. In determining whether a practice was unfair, the Commission considered:

(1) whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise—whether, in other words, it is within at least the penumbra of some common‐law, statutory, or other established concept of unfairness; (2) whether it is immoral, unethical, oppressive, or unscrupulous; (3) whether it causes substantial injury to consumers (or competitors or other businessmen).6

This three‐part test became known as the Cigarette Rule because the Commission articulated the rule as it was considering how to regulate cigarette advertising. Although the FTC did not frequently use this authority, the United States Supreme Court quoted it in 1972, describing the three prongs as “the factors [the FTC] considers in determining whether a practice that is neither in violation of the antitrust laws nor deceptive is nonetheless unfair.”7

The FTC recognized the need to clarify the Cigarette Rule to focus more specifically on the injury to customers and benefits to society, rather than judgments about whether the practice “offends public policy,” is immoral, or is unscrupulous. In 1980, the Commission issued the Unfairness Policy Statement, which the Commission claimed provides a “more detailed sense of both the definition and the limits of these criteria.”8 The statement articulates a three‐part test for unfairness claims: (1) “the injury must be substantial,” (2) “the injury must not be outweighed by any offsetting consumer or competitive benefits that the sales practice also produces,” and (3) “the injury must be one which consumers could not reasonably have avoided.”9

In 1994, Congress amended the FTC Act to codify the 1980 Unfairness Policy Statement as Section 5(n) of the FTC Act. The statute states that “unfair” practices are those that cause or are likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”10 Accordingly, the FTC (and courts) apply the three‐part test of the 1980 Unfairness Policy Statement:

First, has the trade practice caused, or is it likely to cause, substantial injury to consumers? In other words, a minor injury will not constitute an unfair trade practice. The FTC has stated that a substantial injury often “involves monetary harm, as when sellers coerce consumers into purchasing unwanted goods or services or when consumers buy defective goods or services on credit but are unable to assert against the creditor claims or defenses arising from the transaction.”11 Emotional harm, and nothing more, likely will not constitute unfairness, according to the Commission.12 In the cybersecurity world, this means that a company is more likely to face an FTC action if the Commission finds that a data breach led to actual consumer harm, such as identity theft. Absent such actual harm, the FTC is less likely to bring an action for a data breach.

Second, do benefits to consumers outweigh the injury?13 The FTC states that it “will not find that a practice unfairly injures consumers unless it is injurious in its net effects.”14 The Commission states that it considers “the various costs that a remedy would entail,” including:

direct costs to the parties;

paperwork;

restrictions on information flows;

reduced innovation; and

restrictions on capital formation.

This means that, if a company suffers a data breach that leads to substantial consumer injury, a company may be able to avoid an FTC action if the company can demonstrate that it would have been very difficult for the company to avoid the data breach. Note that this is a very high bar; a company cannot merely argue that cybersecurity safeguards were too expensive. The company must be able to demonstrate that either the remedy would have been impossible or the costs would have been so high that customers would have suffered even more than they did because of the data breach.

Third, the Commission considers whether consumers, exercising reasonable care, could have avoided the injury in the first place.15 This prong reflects the FTC's market‐based approach to consumer protection. The Commission states that it relies on “consumer choice—the ability of individual consumers to make their own private purchasing decisions without regulatory intervention.”16 The Commission becomes more likely to find a practice to be unfair if the consumer was unable to reasonably avoid the harm.17 Applying this to cybersecurity, the FTC is less likely to take action against a company for a breach or other attack if customers could have taken simple steps to avoid harm. For instance, if a single customer's failure to install updates on an operating system led to a virus that deleted all of the customer's files from the hard drive, the FTC is not likely to bring an action against the maker of the operating system. In contrast, the FTC would be more likely to bring an action against a company whose internal servers were hacked, leading to disclosure of the customer's personal financial information and, subsequently, identity theft. In that circumstance, it is difficult to imagine how the customer could have reasonably avoided the harm.

The FTC has not issued binding regulations that explain how these three principles apply to cybersecurity. That has led a number of businesses, commentators, and industry groups to criticize the agency for failing to provide concrete standards.18 After all, they argue, a company will be more hesitant to invest significant time, money, and resources in cybersecurity measures if it is not even sure whether these investments would satisfy the FTC's expectations. The FTC and its defenders, however, argue that cybersecurity is not a one‐size‐fits‐all solution, and a company's safeguards should depend on its unique needs. For instance, a hospital likely stores vast amounts of highly confidential medical data; thus, it might be expected to take greater security precautions than a company that does not typically process or store personal information. Likewise, if a company has experienced a cybersecurity incident, it would be on notice of such vulnerabilities and expected to take reasonable steps to prevent future incidents.

1.1.2 Wyndham: Does the FTC Have Authority to Regulate Data Security Under Section 5 of the FTC Act?

An August 2015 opinion from the U.S. Court of Appeals for the Third Circuit—arising from a cybersecurity complaint that the FTC filed against the Wyndham hotel chain—is the most important court decision to date involving the Commission's cybersecurity authority. In short, the opinion provides the most compelling authority for the Commission to use Section 5 to bring cases against companies that have failed to adequately secure personal information.