Cybersecurity Law
eBook - ePub

Jeff Kosseff
About This Book

A definitive guide to cybersecurity law

Expanding on the author's experience as a cybersecurity lawyer and law professor, Cybersecurity Law is the definitive guide to cybersecurity law, with an in-depth analysis of U.S. and international laws that apply to data security, data breaches, sensitive information safeguarding, law enforcement surveillance, combating cybercrime, privacy, and many other cybersecurity issues. Written in an accessible manner, the book provides real-world examples and case studies to help readers understand the practical applications of the presented material. The book begins by outlining the legal requirements for data security, synthesizing the Federal Trade Commission's cybersecurity cases to provide the background of the FTC's views on data security. The book also examines data security requirements imposed by a growing number of state legislatures and private litigation arising from data breaches. Anti-hacking laws, such as the federal Computer Fraud and Abuse Act, Economic Espionage Act, and the Digital Millennium Copyright Act, and how companies are able to fight cybercriminals while ensuring compliance with the U.S. Constitution and statutes are discussed thoroughly. Featuring an overview of the laws that allow coordination between the public and private sectors as well as the tools that regulators have developed to allow a limited amount of collaboration, this book also:

• Addresses current U.S. and international laws, regulations, and court opinions that define the field of cybersecurity including the security of sensitive information, such as financial data and health information

• Discusses the cybersecurity requirements of the largest U.S. trading partners in Europe, Asia, and Latin America, and specifically addresses how these requirements are similar to (and differ from) those in the U.S.

• Provides a compilation of many of the most important cybersecurity statutes and regulations

• Emphasizes the compliance obligations of companies with in-depth analysis of crucial U.S. and international laws that apply to cybersecurity issues

• Examines government surveillance laws and privacy laws that affect cybersecurity as well as each of the data breach notification laws in 47 states and the District of Columbia

• Includes numerous case studies and examples throughout to aid in classroom use and to help readers better understand the presented material

• Supplemented with a companion website that features in-class discussion questions and timely updates on recent legislative developments as well as information on interesting cases on relevant and significant topics

Cybersecurity Law is appropriate as a textbook for undergraduate and graduate-level courses in cybersecurity, cybersecurity law, cyber operations, management-oriented information technology (IT), and computer science. This book is also an ideal reference for lawyers, IT professionals, government personnel, business managers, IT management personnel, auditors, and cybersecurity insurance providers.

JEFF KOSSEFF is Assistant Professor of Cybersecurity Law at the United States Naval Academy in Annapolis, Maryland. He frequently speaks and writes about cybersecurity. As a journalist covering technology and politics at The Oregonian, he was a finalist for the Pulitzer Prize and a recipient of the George Polk Award for national reporting.


Information

Publisher: Wiley
Year: 2017
ISBN: 9781119232025
Edition: 1

Chapter 1
Data Security Laws and Enforcement Actions

CHAPTER MENU
  1. FTC Data Security
  2. State Data Breach Notification Laws
  3. State Data Security Laws
  4. State Data Disposal Laws
The United States does not have a national law that prescribes specific data security standards for all industries. The only federal data security laws apply to companies that handle specific types of data, such as financial information or health records (discussed in Chapter 3). This comes as a surprise to many, and is frustrating to businesses that want to assure customers and regulators that they comply with all legal requirements, particularly for securing customers' personal information. Likewise, consumer advocates and privacy groups criticize the federal government for failing to enact data security requirements. In recent years, members of Congress and the White House have introduced legislation to set minimum data security standards, but, as of publication of this book, Congress has not enacted any such legislation.
Despite the lack of a statute that sets minimum data security requirements, the Federal Trade Commission aggressively polices data security. In recent years, the FTC has brought dozens of enforcement actions against companies that it believes have failed to take reasonable steps to secure the personal data of their customers. The FTC brings these actions under Section 5 of the FTC Act, a century-old law that was designed to protect consumers and competitors from unfair business practices. Although the law does not explicitly address cybersecurity, it is one of the primary tools that the government uses to bring enforcement actions against companies that failed to take adequate steps to protect consumer information.
This chapter provides an overview of data security requirements under Section 5 of the FTC Act, as well as under state data security laws and private tort claims.
First, we examine what the FTC considers to constitute “unfair” trade practices that violate Section 5. Next, we pay special attention to challenges to the FTC's cybersecurity authority. These challenges have been raised by two companies, Wyndham Worldwide Resorts and LabMD, and we conclude that, for now, it is largely accepted that the FTC has some authority to bring Section 5 complaints against companies that fail to adequately secure customer data. We then review how the FTC has applied that reasoning to cybersecurity, both in guidance and the dozens of complaints that it has filed against companies that allegedly failed to adequately secure personal information.
After reviewing the FTC's data security guidance and enforcement actions, we review the laws of 47 states and the District of Columbia that require companies to notify individuals, regulators, and credit bureaus after certain types of personal information are disclosed in a data breach. These laws are fairly complex, and the notification requirements vary by state. Failure to comply with the requirements in each of these statutes could lead to significant regulatory penalties and, in some cases, private lawsuits.
This chapter also provides an overview of the dozen state laws that require companies to implement reasonable data security programs and policies, and the 31 state laws that require companies to securely dispose of personal information.

1.1 FTC Data Security

The FTC is the closest thing that the U.S. federal government has to a centralized data security regulator. Many other agencies – including the Department of Health and Human Services, Education Department, and Federal Communications Commission – have jurisdiction to regulate privacy and data security for particular sectors. However, only the FTC has the authority to regulate companies in a wide range of sectors, provided that they engage in interstate commerce.

1.1.1 Overview of Section 5 of the FTC Act

The FTC claims its data security authority under Section 5 of the Federal Trade Commission Act,1 which declares illegal “unfair or deceptive acts or practices in or affecting commerce.”2 The statute does not explicitly mention data security. The FTC commonly claims authority for data security enforcement actions under the “unfairness” prong of Section 5.
Throughout the 1960s and 1970s, the FTC was criticized for broadly imposing its own value judgments when determining whether a practice is unfair. The Commission considered:
(1) whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise – whether, in other words, it is within at least the penumbra of some common-law, statutory, or other established concept of unfairness; (2) whether it is immoral, unethical, oppressive, or unscrupulous; (3) whether it causes substantial injury to consumers (or competitors or other businessmen).3
This three-part test became known as the Cigarette Rule because the Commission articulated it as it was considering how to regulate cigarette advertising. Although the FTC did not frequently use this authority, the United States Supreme Court quoted it with approval in 1972, describing the three prongs as “the factors it considers in determining whether a practice that is neither in violation of the antitrust laws nor deceptive is nonetheless unfair.”4
The FTC recognized the need to clarify the Cigarette Rule to focus more specifically on the injury to customers and benefits to society, rather than value judgments about whether the practice “offends public policy,” is immoral, or unscrupulous. In 1980, the Commission issued the Unfairness Policy Statement, which the Commission wrote provides a “more detailed sense of both the definition and the limits of these criteria.”5 The statement articulates a new three-part test for unfairness claims: (1) “the injury must be substantial,” (2) “the injury must not be outweighed by any offsetting consumer or competitive benefits that the sales practice also produces,” and (3) “the injury must be one which consumers could not reasonably have avoided.”6
In 1994, Congress amended the FTC Act to codify the 1980 Unfairness Policy Statement into law, Section 5(n) of the FTC Act. The statute states that “unfair” practices are those that cause or are likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”7 This has created a three-part test that the FTC (and courts) must conduct to assess a trade practice.
First, has the trade practice caused or is likely to cause substantial injury to customers? In other words, a minor injury will not constitute an unfair trade practice. The FTC has stated that a substantial injury often “involves monetary harm, as when sellers coerce consumers into purchasing unwanted goods or services or when consumers buy defective goods or services on credit but are unable to assert against the creditor claims or defenses arising from the transaction.”8 Emotional harm, and nothing more, likely will not constitute unfairness, according to the Commission.9 In the cybersecurity world, this means that a company is more likely to face an FTC action if the Commission finds that a data breach led to actual consumer harm, such as identity theft. Absent such actual harm, the FTC is less likely to bring an action for a data breach.
Second, do benefits to consumers outweigh the injury?10 The FTC states that it “will not find that a practice unfairly injures consumers unless it is injurious in its net effects.”11 The Commission states that it considers “the various costs that a remedy would entail,” including:
  • direct costs to the parties;
  • paperwork;
  • restrictions on information flows;
  • reduced innovation; and
  • restrictions on capital formation.
This means that if a company suffers a data breach that leads to substantial consumer in...
