Cybersecurity Law

Kosseff, Jeff

John Wiley & Sons Inc

11/2022

880

Hardcover

English

9781119822165

15 to 20 days

1394

About the Author xvii

Acknowledgment and Disclaimers xix

Foreword to the Third Edition (2022) xxi

Foreword to the Second Edition (2019) xxiii

Introduction to First Edition xxvii

About the Companion Website xxxv

1 Data Security Laws and Enforcement Actions 1

1.1 FTC Data Security 2

1.1.1 Overview of Section 5 of the FTC Act 2

1.1.2 Wyndham: Does the FTC Have Authority to Regulate Data Security Under Section 5 of the FTC Act? 6

1.1.3 LabMD: What Constitutes "Unfair" Data Security? 10

1.1.4 FTC June 2015 Guidance on Data Security, and 2017 Updates 13

1.1.5 FTC Data Security Expectations and the NIST Cybersecurity Framework 18

1.1.6 Lessons from FTC Cybersecurity Complaints 18

1.1.6.1 Failure to Secure Highly Sensitive Information 19

1.1.6.1.1 Use Industry-standard Encryption for Sensitive Data 20

1.1.6.1.2 Routine Audits and Penetration Testing Are Expected 20

1.1.6.1.3 Health-related Data Requires Especially Strong Safeguards 21

1.1.6.1.4 Data Security Protection Extends to Paper Documents 23

1.1.6.1.5 Business-to-business Providers Also Are Accountable to the FTC for Security of Sensitive Data 25

1.1.6.1.6 Companies Are Responsible for the Data Security Practices of Their Contractors 27

1.1.6.1.7 Make Sure that Every Employee Receives Regular Data Security Training for Processing Sensitive Data 28

1.1.6.1.8 Privacy Matters, Even in Data Security 28

1.1.6.1.9 Limit the Sensitive Information Provided to Third Parties 29

1.1.6.1.10 Children's Data Requires Special Protection 29

1.1.6.2 Failure to Secure Payment Card Information 30

1.1.6.2.1 Adhere to Security Claims about Payment Card Data 30

1.1.6.2.2 Always Encrypt Payment Card Data 31

1.1.6.2.3 Payment Card Data Should Be Encrypted Both in Storage and at Rest 31

1.1.6.2.4 In-store Purchases Pose Significant Cybersecurity Risks 32

1.1.6.2.5 Minimize Duration of Storage of Payment Card Data 34

1.1.6.2.6 Monitor Systems and Networks for Unauthorized Software 35

1.1.6.2.7 Apps Should Never Override Default App Store Security Settings 35

1.1.6.3 Failure to Adhere to Security Claims 36

1.1.6.3.1 Companies Must Address Commonly Known Security Vulnerabilities 36

1.1.6.3.2 Ensure That Security Controls Are Sufficient to Abide by Promises About Security and Privacy 37

1.1.6.3.3 Omissions about Key Security Flaws Also Can Be Misleading 40

1.1.6.3.4 Companies Must Abide by Promises for Security-related Consent Choices 40

1.1.6.3.5 Companies That Promise Security Must Ensure Adequate Authentication Procedures 41

1.1.6.3.6 Adhere to Promises About Encryption 42

1.1.6.3.7 Promises About Security Extend to Vendors' Practices 43

1.1.6.3.8 Companies Cannot Hide Vulnerable Software in Products 43

1.1.7 FTC Internet of Things Security Guidance 43

1.2 State Data Breach Notification Laws 46

1.2.1 When Consumer Notifications Are Required 47

1.2.1.1 Definition of Personal Information 48

1.2.1.2 Encrypted Data 49

1.2.1.3 Risk of Harm 49

1.2.1.4 Safe Harbors and Exceptions to Notice Requirement 49

1.2.2 Notice to Individuals 50

1.2.2.1 Timing of Notice 50

1.2.2.2 Form of Notice 50

1.2.2.3 Content of Notice 51

1.2.3 Notice to Regulators and Consumer Reporting Agencies 51

1.2.4 Penalties for Violating State Breach Notification Laws 52

1.3 State Data Security Laws 52

1.3.1 Oregon 54

1.3.2 Rhode Island 55

1.3.3 Nevada 56

1.3.4 Massachusetts 57

1.3.5 Ohio 59

1.3.6 Alabama 60

1.3.7 New York 61

1.4 State Data Disposal Laws 61

2 Cybersecurity Litigation 63

2.1 Article III Standing 64

2.1.1 Applicable Supreme Court Rulings on Standing 66

2.1.2 Lower Court Rulings on Standing in Data Breach Cases 71

2.1.2.1 Injury-in-fact 71

2.1.2.1.1 Broad View of Injury-in-fact 71

2.1.2.1.2 Narrow View of Injury-in-fact 76

2.1.2.1.3 Attempts at Finding a Middle Ground for Injury-in-fact 81

2.1.2.2 Fairly Traceable 82

2.1.2.3 Redressability 83

2.2 Common Causes of Action Arising from Data Breaches 84

2.2.1 Negligence 84

2.2.1.1 Legal Duty and Breach of Duty 85

2.2.1.2 Cognizable Injury 87

2.2.1.3 Causation 90

2.2.2 Negligent Misrepresentation or Omission 92

2.2.3 Breach of Contract 95

2.2.4 Breach of Implied Warranty 101

2.2.5 Invasion of Privacy 105

2.2.6 Unjust Enrichment 107

2.2.7 State Consumer Protection Laws 109

2.3 Class Action Certification in Data Breach Litigation 112

2.4 Insurance Coverage for Data Breaches 120

2.5 Protecting Cybersecurity Work Product and Communications from Discovery 124

2.5.1 Attorney-client Privilege 126

2.5.2 Work Product Doctrine 129

2.5.3 Nontestifying Expert Privilege 131

2.5.4 Genesco v. Visa 132

2.5.5 In re Experian Data Breach Litigation 135

2.5.6 In re Premera 136

2.5.7 In re United Shore Financial Services 138

2.5.8 In re Dominion Dental Services USA, Inc. Data Breach Litigation 138

2.5.9 In re Capital One Consumer Data Security Breach Litigation 140

3 Cybersecurity Requirements for Specific Industries 141

3.1 Financial Institutions: GLBA Safeguards Rule 142

3.1.1 Interagency Guidelines 142

3.1.2 SEC's Regulation S-P 144

3.1.3 FTC Safeguards Rule 146

3.2 New York Department of Financial Services Cybersecurity Regulations 149

3.3 Financial Institutions and Creditors: Red Flags Rule 151

3.3.1 Financial Institutions or Creditors 155

3.3.2 Covered Accounts 156

3.3.3 Requirements for a Red Flags Identity Theft Prevention Program 157

3.4 Companies that Use Payment and Debit Cards: PCI DSS 157

3.5 IoT Cybersecurity Laws 160

3.6 Health Providers: HIPAA Security Rule 161

3.7 Electric Transmission: FERC Critical Infrastructure Protection Reliability Standards 167

3.7.1 CIP-003-6: Cybersecurity - Security Management Controls 167

3.7.2 CIP-004-6: Personnel and Training 168

3.7.3 CIP-006-6: Physical Security of Cyber Systems 168

3.7.4 CIP-007-6: Systems Security Management 168

3.7.5 CIP-009-6: Recovery Plans for Cyber Systems 169

3.7.6 CIP-010-2: Configuration Change Management and Vulnerability Assessments 169

3.7.7 CIP-011-2: Information Protection 170

3.8 NRC Cybersecurity Regulations 170

3.9 State Insurance Cybersecurity Laws 171

4 Cybersecurity and Corporate Governance 175

4.1 SEC Cybersecurity Expectations for Publicly Traded Companies 176

4.1.1 10-K Disclosures: Risk Factors 178

4.1.2 10-K Disclosures: Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A) 179

4.1.3 10-K Disclosures: Description of Business 180

4.1.4 10-K Disclosures: Legal Proceedings 180

4.1.5 10-K Disclosures: Financial Statements 181

4.1.6 10-K Disclosures: Board Oversight of Cybersecurity 181

4.1.7 Disclosing Data Breaches to Investors 182

4.1.8 Yahoo! Data Breach 185

4.1.9 Cybersecurity and Insider Trading 185

4.2 Fiduciary Duty to Shareholders and Derivative Lawsuits Arising from Data Breaches 186

4.3 CFIUS and Cybersecurity 189

4.4 Law Firms and Cybersecurity 191

5 Antihacking Laws 193

5.1 Computer Fraud and Abuse Act 194

5.1.1 Origins of the CFAA 194

5.1.2 Access Without Authorization and Exceeding Authorized Access 195

5.1.2.1 Narrow View of "Exceeds Authorized Access" and "Without Authorization" 198

5.1.2.2 Broader View of "Exceeds Authorized Access" and "Without Authorization" 203

5.1.2.3 Finding Some Clarity: Van Buren v. United States 205

5.1.3 The Seven Sections of the CFAA 208

5.1.3.1 CFAA Section (a)(1): Hacking to Commit Espionage 209

5.1.3.2 CFAA Section (a)(2): Hacking to Obtain Information 210

5.1.3.3 CFAA Section (a)(3): Hacking a Federal Government Computer 214

5.1.3.4 CFAA Section (a)(4): Hacking to Commit Fraud 216

5.1.3.5 CFAA Section (a)(5): Hacking to Damage a Computer 218

5.1.3.5.1 CFAA Section (a)(5)(A): Knowing Transmission that Intentionally Damages a Computer Without Authorization 219

5.1.3.5.2 CFAA Section (a)(5)(B): Intentional Access Without Authorization that Recklessly Causes Damage 222

5.1.3.5.3 CFAA Section (a)(5)(C): Intentional Access Without Authorization that Causes Damage and Loss 223

5.1.3.5.4 CFAA Section (a)(5): Requirements for Felony and Misdemeanor Cases 224

5.1.3.6 CFAA Section (a)(6): Trafficking in Passwords 226

5.1.3.7 CFAA Section (a)(7): Threatening to Damage or Obtain Information from a Computer 228

5.1.4 Civil Actions Under the CFAA 231

5.1.5 Criticisms of the CFAA 235

5.1.6 CFAA and Coordinated Vulnerability Disclosure Programs 237

5.2 State Computer Hacking Laws 240

5.3 Section 1201 of the Digital Millennium Copyright Act 243

5.3.1 Origins of Section 1201 of the DMCA 244

5.3.2 Three Key Provisions of Section 1201 of the DMCA 245

5.3.2.1 DMCA Section 1201(a)(1) 245

5.3.2.2 DMCA Section 1201(a)(2) 250

5.3.2.2.1 Narrow Interpretation of Section (a)(2): Chamberlain Group v. Skylink Technologies 251

5.3.2.2.2 Broad Interpretation of Section (a)(2): MDY Industries, LLC v. Blizzard Entertainment 254

5.3.2.3 DMCA Section 1201(b)(1) 258

5.3.3 Section 1201 Penalties 261

5.3.4 Section 1201 Exemptions 262

5.3.5 The First Amendment and DMCA Section 1201 269

5.4 Economic Espionage Act 274

5.4.1 Origins of the EEA 274

5.4.2 Criminal Prohibitions on Economic Espionage and Theft of Trade Secrets 275

5.4.2.1 Definition of "Trade Secret" 276

5.4.2.2 "Knowing" Violations of the EEA 279

5.4.2.3 Purpose and Intent Required under Section 1831: Economic Espionage 279

5.4.2.4 Purpose and Intent Required under Section 1832: Theft of Trade Secrets 281

5.4.3 Civil Actions for Trade Secret Misappropriation: The Defend Trade Secrets Act of 2016 284

5.4.3.1 Definition of "Misappropriation" 285

5.4.3.2 Civil Seizures 288

5.4.3.3 Injunctions 289

5.4.3.4 Damages 289

5.4.3.5 Statute of Limitations 290

5.5 Budapest Convention on Cybercrime 291

6 U.S. Government Cyber Structure and Public-Private Cybersecurity Partnerships 293

6.1 U.S. Government's Civilian Cybersecurity Organization 293

6.2 Department of Homeland Security Information Sharing under the Cybersecurity Act of 2015 297

6.3 Critical Infrastructure Executive Order and the NIST Cybersecurity Framework 301

6.4 U.S. Military Involvement in Cybersecurity and the Posse Comitatus Act 309

6.5 Vulnerabilities Equities Process 311

6.6 Executive Order 14028 314

7 Surveillance and Cyber 317

7.1 Fourth Amendment 318

7.1.1 Was the Search or Seizure Conducted by a Government Entity or Government Agent? 319

7.1.2 Did the Search or Seizure Involve an Individual's Reasonable Expectation of Privacy? 324

7.1.3 Did the Government Have a Warrant? 332

7.1.4 If the Government Did Not Have a Warrant, Did an Exception to the Warrant Requirement Apply? 335

7.1.5 Was the Search or Seizure Reasonable Under the Totality of the Circumstances? 337

7.2 Electronic Communications Privacy Act 338

7.2.1 Stored Communications Act 340

7.2.1.1 Section 2701: Third-party Hacking of Stored Communications 344

7.2.1.2 Section 2702: Restrictions on Service Providers' Ability to Disclose Stored Communications and Records to the Government and Private Parties 345

7.2.1.3 Section 2703: Government's Ability to Require Service Providers to Turn Over Stored Communications and Customer Records 349

7.2.2 Wiretap Act 354

7.2.3 Pen Register Act 358

7.2.4 National Security Letters 359

7.3 Communications Assistance for Law Enforcement Act (CALEA) 361

7.4 Encryption and the All Writs Act 362

7.5 Encrypted Devices and the Fifth Amendment 364

8 Cybersecurity and Federal Government Contractors 369

8.1 Federal Information Security Management Act 370

8.2 NIST Information Security Controls for Government Agencies and Contractors 372

8.3 Classified Information Cybersecurity 376

8.4 Covered Defense Information, CUI, and the Cybersecurity Maturity Model Certification 377

9 Privacy Laws 385

9.1 Section 5 of the FTC Act and Privacy 386

9.2 Health Insurance Portability and Accountability Act 388

9.3 Gramm-Leach-Bliley Act and California Financial Information Privacy Act 390

9.4 CAN-SPAM Act 391

9.5 Video Privacy Protection Act 392

9.6 Children's Online Privacy Protection Act 394

9.7 California Online Privacy Laws 396

9.7.1 California Online Privacy Protection Act (CalOPPA) 396

9.7.2 California Shine the Light Law 398

9.7.3 California Minor "Online Eraser" Law 400

9.8 California Consumer Privacy Act 401

9.9 Illinois Biometric Information Privacy Act 404

9.10 NIST Privacy Framework 406

10 International Cybersecurity Law 409

10.1 European Union 410

10.2 Canada 420

10.3 China 425

10.4 Mexico 430

10.5 Japan 434

11 Cyber and the Law of War 439

11.1 Was the Cyberattack a "Use of Force" that Violates International Law? 441

11.2 If the Attack Was a Use of Force, Was that Force Attributable to a State? 444

11.3 Did the Use of Force Constitute an "Armed Attack" that Entitles the Target to Self-defense? 445

11.4 If the Use of Force Was an Armed Attack, What Types of Self-defense Are Justified? 448

11.5 If the Nation Experiences Hostile Cyber Actions that Fall Short of Use of Force or Armed Attacks, What Options Are Available? 449

12 Ransomware 453

12.1 Defining Ransomware 454

12.2 Ransomware-related Litigation 455

12.3 Insurance Coverage for Ransomware 462

12.4 Ransomware Payments and Sanctions 466

12.5 Ransomware Prevention and Response Guidelines from Government Agencies 467

12.5.1 Department of Homeland Security 467

12.5.2 Federal Trade Commission 469

12.5.3 Federal Interagency Guidance for Information Security Executives 470

12.5.4 New York Department of Financial Services Guidance 472

Appendix A: Text of Section 5 of the FTC Act 473

Appendix B: Summary of State Data Breach Notification Laws 483

Appendix C: Text of Section 1201 of the Digital Millennium Copyright Act 545

Appendix D: Text of the Computer Fraud and Abuse Act 557

Appendix E: Text of the Electronic Communications Privacy Act 565

Appendix F: Key Cybersecurity Court Opinions 629

Appendix G: Hacking Cybersecurity Law 781

Index 825
FTC data security consent decree; Zoom; SkyMed; LifeLock; cyber operation; management-oriented information technology; Internet of Things; ransomware; data security law; anti-hacking law; privacy law; surveillance and cyber