Cybersecurity Law, by Jeff Kosseff

Cybersecurity Law

Second Edition

Jeff Kosseff


About the Author

Jeff Kosseff is an Assistant Professor of Cybersecurity Law in the Cyber Science Department at the United States Naval Academy in Annapolis, Maryland. He has practiced cybersecurity and privacy law, and clerked for Judge Milan D. Smith, Jr. of the U.S. Court of Appeals for the Ninth Circuit and for Judge Leonie M. Brinkema of the U.S. District Court for the Eastern District of Virginia. Mr. Kosseff is a graduate of Georgetown University Law Center and the University of Michigan. Before becoming a lawyer, he was a journalist for The Oregonian and was a finalist for the Pulitzer Prize for national reporting.


Acknowledgment and Disclaimers

First and foremost, I'd like to thank my colleagues at the United States Naval Academy, and the hundreds of midshipmen whom I have taught in the Academy's cyber operations major. My daily discussions and debates with them have shaped how I think about the emerging field of cybersecurity law, and working with them every day is an inspiration.

Thanks to Wiley for seeing the need for a book that examines the many areas of the law that are related to the evolving world of cybersecurity.

I'd also like to thank the many people who have provided feedback, particularly as I have substantially revised the second edition of the book. They include Marc Blitz, Matt Bodman, Amit Elazari Bar On, Ashden Fein, Eric Goldman, Ido Kilovaty, Kurt Sanger, and Armin Tadayon. Special thanks to Brooke Graves for outstanding editing. Thanks to Liz Seif for excellent proofreading.

Any views expressed in this book are only my own, and do not represent the Naval Academy, Department of Navy, or Department of Defense. In this book, I present legal conclusions and facts as stated in judicial opinions and other court documents. By doing so, I am not necessarily endorsing those conclusions or factual claims.

This book is intended as a textbook and casebook for classes at the undergraduate, graduate, and law school levels, as well as a desk reference. However, due to the rapidly changing nature of cybersecurity law, this is not a substitute for legal advice or research on the current state of the law.


Foreword to the Second Edition (2019)

In the two years since the publication of the first edition of this book in early 2017, much has changed in the world of cybersecurity law. Legislators at the state, federal, and international levels enacted sweeping new laws to address cybersecurity. Courts issued significant new opinions in just about every area covered by the first edition. The U.S. government reorganized its civilian cybersecurity efforts amid unprecedented challenges.

I wrote the second edition to incorporate these new developments, and to make this book even more useful both in the classroom and in the workplace. Before I provide an overview of the changes to particular content, I'd like to highlight three significant additions to the book:

First, the book adds Appendix F, which includes 15 edited court opinions that cover the range of legal issues discussed in the text. I've been pleased to observe the number of professors in undergraduate, graduate, and law school programs who have assigned the book as a primary text. Some professors—particularly at the law school level—incorporate the case method into their teaching, in which their students learn about the legal rules by reading important statutes and court opinions and discussing them in class. Although the appendices to the first edition contained the text of some of the leading cybersecurity‐related statutes, the first edition did not include the text of court opinions. Appendix F provides edited opinions that cover FTC data security authority, private data breach litigation, shareholder derivative data breach litigation, the Computer Fraud and Abuse Act, and the Fourth Amendment. By combining these edited cases with the narrative text, I hope that the book will be useful as both a traditional textbook and a casebook. The edited court opinions also will be useful to those using the book as a treatise, as they provide a more detailed look at some of the cases discussed in the main text.

Second, the new edition adds Chapter 11, which covers some aspects of the international law of cyberwarfare. As we have seen in the past few years, many cybersecurity threats have originated from state actors in other nations. This requires us to examine, under international law, what options a target country has to defend itself.

Third, Wiley offers a new, instructor‐only website, which has suggested questions for class discussion, and model exam questions.

In addition to these three significant structural additions, the second edition adds new sections and substantively updates existing sections to incorporate the many new developments in cybersecurity law in the past few years. Among some of the additions and changes:

  • Chapter 1 adds new FTC data security enforcement actions, and the outcome of the LabMD litigation that challenged the FTC's data security enforcement authority. It also updates FTC guidance on data security practices, and adds new state data security laws. Since the first edition, Alabama, New Mexico, and South Dakota became the last of the 50 states to adopt data breach notification laws, and many states expanded their breach notice requirements. The new edition adds and updates coverage of the breach notification statutes, and Appendix B summarizes all of these notification laws.
  • Chapter 2 incorporates many new court rulings on Article III standing in private data breach litigation, common claims in data breach lawsuits, and the attorney‐client privilege in cybersecurity litigation.
  • Chapter 3 includes a new section on the New York Department of Financial Services' recently enacted cybersecurity regulations, which are among the most rigorous in the United States and affect a wide range of companies. It also adds sections on South Carolina's new cybersecurity requirements for insurance companies, and California's new Internet of Things cybersecurity law.
  • Chapter 4 discusses cybersecurity guidance for publicly traded companies that the Securities and Exchange Commission released in 2018, as well as the SEC's settlement with Yahoo over a massive data breach.
  • Chapter 5 adds a number of new Computer Fraud and Abuse Act cases, including the Ninth Circuit's second ruling in the landmark United States v. Nosal. It also includes new sections on bug bounty/vulnerability disclosure programs and the Budapest Convention on Cybercrime.
  • Chapter 6 describes the Department of Homeland Security's reorganization of its cybersecurity program, as well as the allocation of cybersecurity duties among federal departments under Presidential Policy Directive 41. It includes a new section about the November 2017 announcement of the federal government's vulnerability equities process.
  • Chapter 7 updates developments in Fourth Amendment caselaw, most notably the Supreme Court's 2018 opinion in Carpenter v. United States. The chapter also includes a new section on cases in which criminal suspects or defendants have claimed a Fifth Amendment self‐incrimination privilege to challenge orders requiring them to assist law enforcement with accessing encrypted devices and computers. It also describes the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which sets new rules for extraterritorial enforcement of Stored Communications Act orders.
  • Chapter 8 updates the cybersecurity requirements for federal government contractors, most notably the recently enacted regulations for the security of controlled unclassified information.
  • Chapter 9 examines the California Consumer Privacy Act, an extensive series of data protection rules enacted in 2018 and effective in 2020.
  • Chapter 10 expands the discussion of the European Union's General Data Protection Regulation, and examines China's new comprehensive cybersecurity law.


Introduction to First Edition

In recent years, cybersecurity has become not only a rapidly growing industry, but an increasingly vital consideration for nearly every company and government agency in the United States. A data breach can lead to high‐stakes lawsuits, significant business disruptions, intellectual property theft, and national security vulnerabilities. Just ask any executive from Sony, Target, Home Depot, or the scores of other companies that experienced costly data breaches or the top officials at the U.S. Office of Personnel Management, which suffered a breach that exposed millions of federal workers' highly confidential security clearance applications. In short, it is abundantly clear that companies, governments, and individuals need to do more to improve cybersecurity.

Many articles and books have been written about the technical steps that are necessary to improve cybersecurity. However, there is much less material available about the legal rules that require—and, in some cases, restrict—specific cybersecurity measures. Legal obligations and restrictions should be considered at the outset of any cybersecurity strategy, just as a company would consider reputational harm and budgetary issues. Failure to comply with the law could lead to significant financial harms, negative publicity, and, in some cases, criminal charges.

Unfortunately, the United States does not have a single “cybersecurity law” that can easily apply to all circumstances. Rather, the United States has a patchwork of hundreds of state and federal statutes, regulations, binding guidelines, and court‐created rules regarding data security, privacy, and other issues commonly considered to fall under the umbrella of “cybersecurity.” On top of that, if U.S. companies have customers or employees in other countries, they must consider the privacy and data security laws and regulations of those nations.

This book aims to synthesize the cybersecurity laws that are most likely to affect U.S. corporate and government operations. The book is intended for a wide range of audiences that seek to learn more about cybersecurity law: undergraduate, graduate, and law school students; technology professionals; corporate executives; and lawyers. For lawyers who use this book as a reference treatise, this book contains detailed footnotes to the primary source materials, such as statutes and case citations. However, this book is not intended only for those with law degrees; it is written with the intent of being a guide for lawyers and nonlawyers alike. Similarly, in addition to being a desk reference, this book can be used as a primary or supplemental text in a cybersecurity law class.

The book focuses on the cybersecurity obligations of U.S. companies, but because cyberspace involves global private and public infrastructure, the book does not focus only on U.S. legal obligations of private companies. The book examines the efforts of the public sector and private sector to work together on cybersecurity, as well as the limits on government cyber operations under the U.S. Constitution and various statutes. Moreover, the book discusses some of the foreign cybersecurity laws that U.S. companies are most likely to encounter.

At the outset, it is important to define the term “cybersecurity law.” Unlike more established legal fields, such as copyright, contracts, and torts, cybersecurity law is relatively new and not clearly defined. Indeed, some people think of cybersecurity law as consisting only of data security requirements for companies that are designed to reduce the likelihood of data breaches. Others think of cybersecurity law as anti‐hacking laws. And to some, cybersecurity law is a subset of privacy law.

To all of those suggestions, I say “yes.” Cybersecurity encompasses all of those subjects and more. The U.S. Department of Homeland Security's National Initiative for Cybersecurity Careers and Studies defines cybersecurity as “[t]he activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.” This definition is a good—and largely complete—starting point for the purposes of this book. The DHS definition captures the “CIA Triad”—confidentiality, integrity, and availability—that typically is associated with cybersecurity. Under this definition, we should be concerned with data security laws, data breach litigation, and anti‐hacking laws. However, I have two additions to the DHS definition. First, it is impossible to fully evaluate cybersecurity without understanding the limits on the government's ability to conduct electronic surveillance. Accordingly, the Fourth Amendment to the U.S. Constitution and statutes that restrict government surveillance must be considered as part of an examination of cybersecurity law. Second, cybersecurity law is heavily intertwined with privacy law, which restricts the ability of companies and governments to collect, use, and disclose individuals' personal information.

To simplify, this book categorizes cybersecurity law as consisting of six broad areas of law:

  • Private sector data security laws
  • Anti‐hacking laws
  • Public–private cybersecurity efforts
  • Government surveillance laws
  • Cybersecurity requirements for government contractors
  • Privacy law

Private Sector Data Security Laws (Chapters 1–4)

Among the most complex—and rapidly changing—areas of cybersecurity are the many requirements that apply to U.S. companies' handling of customers' and employees' personal data. A number of state and federal laws require companies to implement specific data security safeguards, and if a company faces a data breach, it may be required to notify customers, regulators, and credit bureaus. Breaches also could expose companies to costly regulatory actions and class action lawsuits.

Chapter 1 provides an overview of the state and federal laws that generally apply to data security and data breaches. Unlike other nations, the United States does not have a general law that imposes specific privacy and data security requirements on all companies. The closest analogue in the United States is Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive trade practices. Chapter 1 examines dozens of complaints that the Federal Trade Commission has filed under this statute arising from allegedly inadequate data security. The chapter next examines the laws in nearly every state that require companies to notify regulators, customers, and credit bureaus of data breaches in certain circumstances. Finally, the chapter examines the dozen state laws that impose specific data security requirements for personal information.

Chapter 2 examines the various types of private class action lawsuits that companies could face after they experience data breaches. First, the chapter examines a concept known as Article III standing, which is among the most significant barriers to plaintiffs' lawsuits arising from data breaches. In short, Article III standing requires that plaintiffs demonstrate that they suffered an injury‐in‐fact that is fairly traceable to the defendant's conduct and redressable by a lawsuit. Courts are divided as to what types of injuries a data breach plaintiff must demonstrate to have Article III standing. The chapter then reviews common legal claims that arise from data breaches, including negligence, misrepresentation, breach of contract, invasion of privacy, unjust enrichment, and state consumer protection laws. The chapter also reviews the procedural requirements that data breach plaintiffs must satisfy to be permitted to sue on behalf of a larger class of plaintiffs. It examines whether commercial insurance coverage helps cover companies' liability in data breach lawsuits. Finally, the chapter examines how companies can reduce the likelihood that their internal cybersecurity communications and reports will be subject to discovery and used against them in litigation.

Chapter 3 examines the additional data security requirements that U.S. companies face if they handle particularly sensitive personal information. The Gramm‐Leach‐Bliley Act requires financial institutions to adopt specific security safeguards for customers' nonpublic financial information. The Payment Card Industry Data Security Standard contractually imposes data security safeguards for companies that handle credit and debit card information. Doctors, health insurers, and other healthcare companies and their business associates face stringent data security requirements under the Health Insurance Portability and Accountability Act. Finally, the chapter examines the cybersecurity requirements for electric utilities and nuclear licensees.

Chapter 4 provides an overview of data security requirements that affect corporations. The Securities and Exchange Commission expects publicly traded companies to disclose material risks, and in recent years, it has urged companies to be transparent about their cybersecurity vulnerabilities and explain how those vulnerabilities might affect shareholders. This chapter examines the level of disclosure that the SEC expects in publicly traded companies' public filings, and provides examples of various levels of transparency and disclosure. The chapter also examines the possibility of shareholders suing executives and directors if the company experiences a costly data breach. Next, the chapter explores the cybersecurity expectations of the Committee on Foreign Investment in the United States, which reviews foreign investments in U.S. companies for national security concerns. Finally, the chapter examines how the ongoing debate over export controls could make it more difficult for U.S. companies to conduct cybersecurity research.

Anti‐Hacking Laws (Chapter 5)

Anti‐hacking laws—notably the federal Computer Fraud and Abuse Act (CFAA)—are intended to help promote cybersecurity. However, some critics argue that these laws are outdated and not only fail to help protect private and government computers but also penalize individuals for conducting entirely legitimate activities, such as cybersecurity research.

Chapter 5 reviews the seven offenses that are prohibited by the CFAA, such as hacking computers to obtain information and damaging computers. The CFAA applies to activities that are conducted “without authorization” or “exceed[ing] authorized access,” and the chapter examines how different courts have applied these rather ambiguous terms. The chapter briefly reviews state hacking laws that are based on the CFAA. The chapter then examines Section 1201 of the Digital Millennium Copyright Act, which restricts the ability of individuals to circumvent access controls that protect copyrighted material, and therefore imposes significant limits on cybersecurity vulnerability research. Finally, the chapter examines the Economic Espionage Act, a criminal law that companies increasingly see as a tool to penalize individuals who steal trade secrets. In 2016, Congress amended the Economic Espionage Act to allow companies to file civil lawsuits against hackers and others who steal trade secrets.

Public–Private Security Efforts (Chapter 6)

Cybersecurity law often is associated with punitive measures, such as FTC investigations and data breach class action lawsuits. While those considerations surely are an important component of cybersecurity law, the federal government also has taken a number of proactive steps to work with companies to improve cybersecurity throughout the public and private sectors. Such collaboration is particularly necessary and common in cybersecurity because public and private cyber infrastructure often is interconnected.

Chapter 6 provides an overview of the organization of the federal government's cybersecurity efforts, with the Department of Homeland Security taking an increasingly large and central role in the government's collaboration with the private sector. The chapter examines private–public information sharing, which likely will expand due to the Cybersecurity Act of 2015. The chapter examines the National Institute of Standards and Technology's 2014 cybersecurity framework, which many companies voluntarily adopt as the basis of their own cybersecurity plans. Finally, the chapter briefly examines the U.S. military's involvement with private sector cybersecurity, and the limits imposed by the Posse Comitatus Act.

Government Surveillance Laws (Chapter 7)

Government surveillance laws often restrict the government's ability to increase the security of cyberspace. By “security,” what is meant is more than merely preventing the transmission of malware and other harmful programs. Security also encompasses government efforts to fight cybercrime, such as child pornography, terrorist recruitment, and other harmful online activities. The government—and, in some cases, the private sector—often is restricted by constitutional provisions and statutes.

Chapter 7 begins with an examination of how the Fourth Amendment's prohibition on unreasonable searches and seizures applies to electronic surveillance. The chapter then examines the Electronic Communications Privacy Act, a comprehensive statute that limits the ability of the government to obtain stored communications, use wiretaps to obtain data in transit, and obtain metadata via pen registers. The chapter further examines the government's ability to issue National Security Letters to obtain certain information regarding electronic communications, and the obligations of communications companies to assist law enforcement under the Communications Assistance for Law Enforcement Act. The chapter concludes with an examination of law enforcement's attempts, using the All Writs Act, to compel technology companies to help them access encrypted communications.

Cybersecurity Requirements for Government Contractors (Chapter 8)

Many small and large companies rely on the federal government as a significant client for a wide range of products and services. Increasingly, the federal government is expecting these companies to implement specific standards for cybersecurity.

Chapter 8 examines the key cybersecurity requirements for U.S. government contractors. First, the chapter examines the Federal Information Security Management Act (FISMA), the primary statute that governs data security for the federal government and its contractors. The chapter next provides an overview of the information security controls that the National Institute of Standards and Technology has developed for government agencies and their contractors as part of FISMA. The chapter then examines specific cybersecurity requirements for government contractors that handle classified information, controlled unclassified information, and covered defense information.

Privacy Law (Chapter 9)

Any examination of cybersecurity law would be incomplete without an overview of privacy law. Privacy law restricts the ability of companies to use, share, collect, and retain personal information. While data security laws traditionally focus on the measures that companies take to prevent unauthorized access to information, privacy laws restrict the ability of companies to voluntarily use or disclose customers' personal information. Privacy law should be considered alongside data security and other cybersecurity laws because they form a company's overall approach to handling personal information. Moreover, a company's statements about its data security in its privacy policy can lead to significant liability under various privacy laws.

Chapter 9 begins with an overview of the FTC's approach to privacy regulation. As with data security, the FTC uses Section 5 of the Federal Trade Commission Act to bring complaints against companies that violate their consumers' privacy rights or fail to meet the guarantees of their privacy policies. The chapter then examines the privacy laws that restrict healthcare providers and insurers and financial institutions. The chapter describes the CAN‐SPAM Act, which limits the ability of companies to send email marketing materials. It explores the Video Privacy Protection Act, which restricts the ability of companies to share online and offline video viewing information, and the Children's Online Privacy Protection Act, which limits the collection of information from children under 13 years old. Finally, the chapter examines state laws in California and Illinois that require website privacy policies, require the deletion of certain information provided by minors, and restrict the use of biometric information, including facial recognition.

Chapters 1 through 9 therefore focus primarily on the U.S. federal and state cybersecurity laws that bind U.S. companies. However, very few U.S. companies can operate without considering the cybersecurity requirements of other countries. If the companies have employees, customers, or business partners in other countries, they may also be bound by those countries' cybersecurity laws. And many countries—particularly those in the European Union—have enacted privacy and data security laws that are much more restrictive than those in the United States. For that reason, Chapter 10 examines the primary privacy and data security legal requirements of the five largest trading partners of the United States: the European Union, Canada, Mexico, China, and Japan.

As with all emerging areas of the law, cybersecurity law is rapidly evolving. At any time, legislatures, regulators, and courts may change some of the laws that are described in this book. Accordingly, this book is not intended to be a substitute for legal advice from qualified counsel.

Cybersecurity law is a complex, nascent, and rapidly changing field. As we continue to define and build this exciting new area of law, this book attempts to provide a reference for students, lawyers, information technology professionals, and others who are interested in helping companies and government agencies improve the security of their computers, systems, and networks.


About the Companion Website

This book is accompanied by a companion website: www.wiley.com/go/kosseff/cybersecurity2e


The website includes materials for instructors and students.

Instructors:

  • Suggested points of discussion for the class discussion questions at the end of each chapter
  • Bank of potential exam questions

Students:

  • News updates
  • New cybersecurity laws
  • Recent cybersecurity policy developments