Cybersecurity Law

Jeff Kosseff

About This Book

The second edition of the definitive guide to cybersecurity law, updated to reflect recent legal developments

The revised and updated second edition of Cybersecurity Law offers an authoritative guide to the key statutes, regulations, and court rulings that pertain to cybersecurity. Written by an experienced cybersecurity lawyer and law professor, the second edition includes new and expanded information that reflects the latest changes in laws and regulations. The book includes material on recent FTC data security consent decrees and data breach litigation.

Topics covered reflect new laws, regulations, and court decisions that address financial sector cybersecurity, the law of war as applied to cyberspace, and recently updated guidance for public companies' disclosure of cybersecurity risks. This important guide:

  • Provides a new appendix, with 15 edited opinions covering a wide range of cybersecurity-related topics, for students learning via the caselaw method
  • Includes new sections that cover topics such as: compelled access to encrypted devices, New York's financial services cybersecurity regulations, South Carolina's insurance sector cybersecurity law, the Internet of Things, bug bounty programs, the vulnerability equities process, international enforcement of computer hacking laws, the California Consumer Privacy Act, and the European Union's Network and Information Security Directive
  • Contains a new chapter on the critical topic of the law of cyberwar
  • Presents a comprehensive guide written by a noted expert on the topic
  • Offers a companion instructor-only website with discussion questions and suggested exam questions for each chapter

Written for students and professionals of cybersecurity, cyber operations, management-oriented information technology (IT), and computer science, Cybersecurity Law, Second Edition is the up-to-date guide that covers the basic principles and the most recent information on cybersecurity laws and regulations.

JEFF KOSSEFF is Assistant Professor of Cybersecurity Law at the United States Naval Academy in Annapolis, Maryland. He was a finalist for the Pulitzer Prize, and a recipient of the George Polk Award for national reporting.

Data Security Laws and Enforcement Actions

The United States does not have a national law that explicitly prescribes specific data security standards for all industries. The only explicit federal data security laws apply to companies that handle specific types of data, such as financial information or health records (discussed in Chapter 3). This comes as a surprise to many, and is frustrating to businesses that want to assure customers and regulators that they comply with all legal requirements, particularly for securing customers' personal information. Likewise, consumer advocates and privacy groups criticize the federal government for failing to enact data security requirements. In recent years, members of Congress and the White House have introduced legislation to set minimum data security standards, but, as of publication of this book, Congress has not enacted any such legislation.
Despite the lack of a statute that sets minimum data security requirements, the Federal Trade Commission (FTC) aggressively polices data security. In recent years, the FTC has brought dozens of enforcement actions against companies that it believes have failed to take reasonable steps to secure the personal data of their customers. The FTC brings these actions under Section 5 of the FTC Act, a century‐old law that was designed to protect consumers and competitors from unfair or deceptive business practices. Although the law does not explicitly address cybersecurity, it is one of the primary tools that the government uses to bring enforcement actions against companies that failed to take adequate steps to protect consumer information.
This chapter provides an overview of data security requirements under Section 5 of the FTC Act, as well as under state data security laws and private tort claims.
First, we examine what the FTC considers to constitute “unfair” or “deceptive” trade practices that violate Section 5. Next, we pay special attention to challenges to the FTC's cybersecurity authority. These challenges have been raised by two companies, Wyndham Worldwide Resorts and LabMD, and we conclude that, for now, it is largely accepted that the FTC has some authority to bring Section 5 complaints against companies that fail to adequately secure customer data, though judges may impose some limits on this authority. We then review how the FTC has applied that reasoning to cybersecurity, both in guidance and the dozens of complaints that it has filed against companies that allegedly failed to adequately secure personal information.
After reviewing the FTC's data security guidance and enforcement actions, we review the laws of 50 states and the District of Columbia that require companies to notify individuals, regulators, and credit bureaus after certain types of personal information are disclosed in a data breach. These laws are fairly complex, and the notification requirements vary by state. Failure to comply with the requirements in each of these statutes could lead to significant regulatory penalties and, in some cases, private lawsuits.
This chapter also provides an overview of the state laws that require companies to implement reasonable data security programs and policies, and the state laws that require companies to securely dispose of personal information.

1.1 FTC Data Security

The FTC is the closest thing that the U.S. federal government has to a centralized data security regulator. Many other agencies—including the Department of Health and Human Services, Education Department, and Federal Communications Commission—have jurisdiction to regulate privacy and data security for particular sectors. However, only the FTC has the authority to regulate companies in a wide range of sectors, provided that they engage in interstate commerce.

1.1.1 Overview of Section 5 of the FTC Act

The FTC claims its data security authority under Section 5 of the Federal Trade Commission Act,[1] which declares illegal “unfair or deceptive acts or practices in or affecting commerce.”[2] The statute does not explicitly mention data security.
In 1983, the FTC released a policy statement that elaborates on the elements necessary for it to bring a case against a company for violating the “deception” prong of Section 5. These factors are general and not unique to data security actions:
First, there must be a representation, omission or practice that is likely to mislead the consumer. Practices that have been found misleading or deceptive in specific cases include false oral or written representations, misleading price claims, sales of hazardous or systematically defective products or services without adequate disclosures, failure to disclose information regarding pyramid sales, use of bait and switch techniques, failure to perform promised services, and failure to meet warranty obligations.
Second, we examine the practice from the perspective of a consumer acting reasonably in the circumstances. If the representation or practice affects or is directed primarily to a particular group, the Commission examines reasonableness from the perspective of that group.
Third, the representation, omission, or practice must be a “material” one. The basic question is whether the act or practice is likely to affect the consumer's conduct or decision with regard to a product or service. If so, the practice is material, and consumer injury is likely, because consumers are likely to have chosen differently but for the deception. In many instances, materiality, and hence injury, can be presumed from the nature of the practice. In other instances, evidence of materiality may be necessary.[3]
The FTC will bring data security‐related claims against companies under the “deception” prong if they have misrepresented their security practices.[4] For instance, if a company were to state in its privacy policy that “we guarantee absolute security of your data and we promise we will never have a data breach,” and that company subsequently experienced a breach, the FTC might assert that the privacy policy was deceptive.
The FTC also has increasingly claimed authority for data security enforcement actions under the “unfairness” prong of Section 5.[5] Throughout the 1960s and 1970s, the FTC was criticized for arbitrarily issuing unfairness rulings. When determining whether a practice was unfair, the Commission considered:
(1) whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise—whether, in other words, it is within at least the penumbra of some common‐law, statutory, or other established concept of unfairness; (2) whether it is immoral, unethical, oppressive, or unscrupulous; (3) whether it causes substantial injury to consumers (or competitors or other businessmen).[6]
This three‐part test became known as the Cigarette Rule because the Commission articulated the rule as it was considering how to regulate cigarette advertising. Although the FTC did not frequently use this authority, the United States Supreme Court quoted it in 1972, describing the three prongs as “the factors [the FTC] considers in determining whether a practice that is neither in violation of the antitrust laws nor deceptive is nonetheless unfair.”[7]
The FTC recognized the need to clarify the Cigarette Rule to focus more specifically on the injury to customers and benefits to society, rather than judgments about whether the practice “offends public policy,” is immoral, or is unscrupulous. In 1980, the Commission issued the Unfairness Policy Statement, which the Commission claimed provides a “more detailed sense of both the definition and the limits of these criteria.”[8] The statement articulates a three‐part test for unfairness claims: (1) “the injury must be substantial,” (2) “the injury must not be outweighed by any offsetting consumer or competitive benefits that the sales practice also produces,” and (3) “the injury must be one which consumers could not reasonably have avoided.”[9]
In 1994, Congress amended the FTC Act to codify the 1980 Unfairness Policy Statement into law, becoming Section 5(n) of the FTC Act. The statute states tha...

Citation styles for Cybersecurity Law
APA 6 Citation
Kosseff, J. (2019). Cybersecurity Law (2nd ed.). Wiley.
Chicago Citation
Kosseff, Jeff. 2019. Cybersecurity Law. 2nd ed. Wiley.
Harvard Citation
Kosseff, J. (2019) Cybersecurity Law. 2nd edn. Wiley. (Accessed: 14 October 2022).
MLA 7 Citation
Kosseff, Jeff. Cybersecurity Law. 2nd ed. Wiley, 2019. Web. 14 Oct. 2022.