Cover Page

Cybersecurity Law

 

 

Jeff Kosseff

 

 

 

 

Wiley Logo

 

 

 

This book is dedicated to my two biggest supporters, my wife, Crystal Zeh, and my daughter, Julia Kosseff.

About the Author

Jeff Kosseff is an Assistant Professor of Cybersecurity Law at the United States Naval Academy in Annapolis, Maryland. He practiced cybersecurity and privacy law at Covington & Burling LLP, and clerked for Judge Milan D. Smith, Jr. of the U.S. Court of Appeals for the Ninth Circuit and for Judge Leonie M. Brinkema of the U.S. District Court for the Eastern District of Virginia. Mr. Kosseff is a graduate of Georgetown University Law Center and the University of Michigan. Before becoming a lawyer, he was a journalist for The Oregonian and was a finalist for the Pulitzer Prize for national reporting.

Acknowledgment

The author would like to extend his gratitude and recognize the contribution of copyeditor Z. Dana Andrus for her excellence in editing this book.

About the Companion Website

This book is accompanied by a companion website:

www.wiley.com/go/kosseff/cybersecurity

The website includes:

Introduction

In recent years, cybersecurity has become not only a rapidly growing industry, but an increasingly vital consideration for nearly every company and government agency in the United States. A data breach can lead to high-stakes lawsuits, significant business disruptions, intellectual property theft, and national security vulnerabilities. Just ask any executive from Sony, Target, Home Depot, or the scores of other companies that experienced costly data breaches or the top officials at the U.S. Office of Personnel Management, which suffered a breach that exposed millions of federal workers' highly confidential security clearance applications. In short, it is abundantly clear that companies, governments, and individuals need to do more to improve cybersecurity.

Many articles and books have been written about the technical steps that are necessary to improve cybersecurity. However, there is much less material available about the legal rules that require – and, in some cases, restrict – specific cybersecurity measures. Legal obligations and restrictions should be considered at the outset of any cybersecurity strategy, just as a company would consider reputational harm and budgetary issues. Failure to comply with the law could lead to significant financial harms, negative publicity, and, in some cases, criminal charges.

Unfortunately, the United States does not have a single “cybersecurity law” that can easily apply to all circumstances. Rather, the United States has a patchwork of hundreds of state and federal statutes, regulations, binding guidelines, and court-created rules regarding data security, privacy, and other issues commonly considered to fall under the umbrella of “cybersecurity.” On top of that, if U.S. companies have customers or employees in other countries, they must consider the privacy and data security laws and regulations of those nations.

This book aims to synthesize the cybersecurity laws that are most likely to affect U.S. corporate and government operations. The book is intended for a wide range of audiences that seek to learn more about cybersecurity law: undergraduate, graduate, and law school students; technology professionals; corporate executives; and lawyers. For lawyers who use this book as a reference treatise, this book contains detailed footnotes to the primary source materials, such as statutes and case citations. However, this book is not intended only for those with law degrees; it is written with the intent of being a guide for lawyers and nonlawyers alike. Similarly, in addition to being a desk reference, this book can be used as a primary or supplemental text in a cybersecurity law class.

The book focuses on the cybersecurity obligations of U.S. companies, but because cyberspace involves global private and public infrastructure, the book does not focus only on U.S. legal obligations of private companies. The book examines the efforts of the public sector and private sector to work together on cybersecurity, as well as the limits on government cyber operations under the U.S. Constitution and various statutes. Moreover, the book discusses some of the foreign cybersecurity laws that U.S. companies are most likely to encounter.

At the outset, it is important to define the term “cybersecurity law.” Unlike more established legal fields, such as copyright, contracts, and torts, cybersecurity law is relatively new and not clearly defined. Indeed, some people think of cybersecurity law as consisting only of data security requirements for companies that are designed to reduce the likelihood of data breaches. Others think of cybersecurity law as anti-hacking laws. And to some, cybersecurity law is a subset of privacy law.

To all of those suggestions, I say “yes.” Cybersecurity encompasses all of those subjects and more. The U.S. Department of Homeland Security's National Initiative for Cybersecurity Careers and Studies defines cybersecurity as “[t]he activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.” This definition is a good – and largely complete – starting point for the purposes of this book. The DHS definition captures the “CIA Triad” – confidentiality, integrity, and availability – that typically is associated with cybersecurity. Under this definition, we should be concerned with data security laws, data breach litigation, and anti-hacking laws. However, I have two additions to the DHS definition. First, it is impossible to fully evaluate cybersecurity without understanding the limits on the government's ability to conduct electronic surveillances. Accordingly, the Fourth Amendment to the U.S. Constitution and statutes that restrict government surveillance must be considered as part of an examination of cybersecurity law. Second, cybersecurity law is heavily intertwined with privacy law, which restricts the ability of companies and governments to collect, use, and disclose individuals' personal information.

To simplify, this book categorizes cybersecurity law as consisting of six broad areas of law:

Private Sector Data Security Laws (Chapters 1–4)

Among the most complex – and rapidly changing – areas of cybersecurity are the many requirements that apply to U.S. companies' handling of customers' and employees' personal data. A number of state and federal laws require companies to implement specific data security safeguards, and if a company faces a data breach, it may be required to notify customers, regulators, and credit bureaus. Breaches also could expose companies to costly regulatory actions and class action lawsuits.

Chapter 1 provides an overview of the state and federal laws that generally apply to data security and data breaches. Unlike other nations, the United States does not have a general law that imposes specific privacy and data security requirements on all companies. The closest analogue in the United States is Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive trade practices. Chapter 1 examines dozens of complaints that the Federal Trade Commission has filed under this statute arising from allegedly inadequate data security. The chapter next examines the laws in nearly every state that require companies to notify regulators, customers, and credit bureaus of data breaches in certain circumstances. Finally, the chapter examines the dozen state laws that impose specific data security requirements for personal information.

Chapter 2 examines the various types of private class action lawsuits that companies could face after they experience data breaches. First, the chapter examines a concept known as Article III standing, which is among the most significant barriers to plaintiffs' lawsuits arising from data breaches. In short, Article III standing requires that plaintiffs demonstrate that they suffered an injury-in-fact that is fairly traceable to the defendant's conduct and redressable by a lawsuit. Courts are divided as to what types of injuries a data breach plaintiff must demonstrate to have Article III standing. The chapter then reviews common legal claims that arise from data breaches, including negligence, misrepresentation, breach of contract, invasion of privacy, unjust enrichment, and state consumer protection laws. The chapter also reviews the procedural requirements that data breach plaintiffs must satisfy to be permitted to sue on behalf of a larger class of plaintiffs. It examines whether commercial insurance coverage helps cover companies' liability in data breach lawsuits. Finally, the chapter examines how companies can reduce the likelihood that their internal cybersecurity communications and reports will be subject to discovery and used against them in litigation.

Chapter 3 examines the additional data security requirements that U.S. companies face if they handle particularly sensitive personal information. The Gramm-Leach-Bliley Act requires financial institutions to adopt specific security safeguards for customers' nonpublic financial information. The Payment Card Industry Data Security Standard contractually imposes data security safeguards for companies that handle credit and debit card information. Doctors, health insurers, and other healthcare companies and their business associates face stringent data security requirements under the Health Insurance Portability and Accountability Act. Finally, the chapter examines the cybersecurity requirements for electric utilities and nuclear licensees.

Chapter 4 provides an overview of data security requirements that affect corporations. The Securities and Exchange Commission expects publicly traded companies to disclose material risks, and in recent years, it has urged companies to be transparent about their cybersecurity vulnerabilities and explain how those vulnerabilities might affect shareholders. This chapter examines the level of disclosure that the SEC expects in publicly traded companies' public filings, and provides examples of various levels of transparency and disclosure. The chapter also examines the possibility of shareholders suing executives and directors if the company experiences a costly data breach. Next, the chapter explores the cybersecurity expectations of the Committee on Foreign Investment in the United States, which must approve any foreign investments in U.S. companies. Finally, the chapter examines how the ongoing debate over corporate export controls could make it more difficult for U.S. companies to conduct cybersecurity research.

Anti-Hacking Laws (Chapter 5)

Anti-hacking laws – notably the federal Computer Fraud and Abuse Act (CFAA) – are intended to help promote cybersecurity. However, some critics argue that these laws are outdated and not only fail to help protect private and government computers but also penalize individuals for conducting entirely legitimate activities, such as cybersecurity research.

Chapter 5 reviews the seven offenses that are prohibited by the CFAA, such as hacking computers to obtain information and damaging computers. The CFAA applies to activities that are conducted “without authorization” or “exceed[ing] authorized access,” and the chapter examines how different courts have applied these rather ambiguous terms. The chapter briefly reviews state hacking laws that are based on the CFAA. The chapter then examines Section 1201 of the Digital Millennium Copyright Act, which restricts the ability of individuals to circumvent access controls that protect copyrighted material, and therefore imposes significant limits on cybersecurity vulnerability research. Finally, the chapter examines the Economic Espionage Act, a criminal law that companies increasingly see as a tool to penalize individuals that steal trade secrets. In 2016, Congress amended the Economic Espionage Act to allow companies to file civil lawsuits against hackers and others who steal trade secrets.

Public–Private Security Efforts (Chapter 6)

Cybersecurity law often is associated with punitive measures, such as FTC investigations and data breach class action lawsuits. While those considerations surely are an important component of cybersecurity law, the federal government also has taken a number of proactive steps to work with companies to improve cybersecurity throughout the public and private sectors. Such collaboration is particularly necessary and common in cybersecurity because public and private cyber infrastructure often is interconnected.

Chapter 6 provides an overview of the organization of the federal government's cybersecurity efforts, with the Department of Homeland Security taking an increasingly large and central role in the government's collaboration with the private sector. The chapter examines private–public information sharing, which likely will expand due to the Cybersecurity Act of 2015. The chapter examines the National Institute of Standards and Technology's 2014 cybersecurity framework, which many companies voluntarily adopt as the basis of their own cybersecurity plans. Finally, the chapter briefly examines the U.S. military's involvement with private sector cybersecurity, and the limits imposed by the Posse Comitatus Act.

Government Surveillance Laws (Chapter 7)

Government surveillance laws often restrict the government's ability to increase the security of cyberspace. By “security,” what is meant is more than merely preventing the transmission of malware and other harmful programs. Security also encompasses government efforts to fight cybercrime, such as child pornography, terrorist recruitment, and other harmful online activities. The government – and, in some cases, the private sector – often is restricted by constitutional provisions and statutes.

Chapter 7 begins with an examination of how the Fourth Amendment's prohibition on unreasonable searches and seizures applies to electronic surveillance. The chapter then examines the Electronic Communications Privacy Act, a comprehensive statute that limits the ability of the government to obtain stored communications, use wiretaps to obtain data in transit, and obtain metadata via pen registers. The chapter further examines the government's ability to issue National Security Letters to obtain certain information regarding electronic communications, and the obligations of communications companies to assist law enforcement under the Communications Assistance for Law Enforcement Act. The chapter concludes with an examination of law enforcement's attempts, using the All Writs Act, to compel technology companies to help them access encrypted communications.

Cybersecurity Requirements for Government Contractors (Chapter 8)

Many small and large companies rely on the federal government as a significant client for a wide range of products and services. Increasingly, the federal government is expecting these companies to implement specific standards for cybersecurity.

Chapter 8 examines the key cybersecurity requirements for U.S. government contractors. First, the chapter examines the Federal Information Security Management Act (FISMA), the primary statute that governs data security for the federal government and its contractors. The chapter next provides an overview of the information security controls that the National Institute of Standards and Technology has developed for government agencies and their contractors as part of FISMA. The chapter then examines specific cybersecurity requirements for government contractors that handle classified information, controlled unclassified information, and covered defense information.

Privacy Law (Chapter 9)

Any examination of cybersecurity law would be incomplete without an overview of privacy law. Privacy law restricts the ability of companies to use, share, collect, and retain personal information. While data security laws traditionally focus on the measures that companies take to prevent unauthorized access to information, privacy laws restrict the ability of companies to voluntarily use or disclose customers' personal information. Privacy law should be considered alongside data security and other cybersecurity laws because they form a company's overall approach to handling personal information. Moreover, a company's statements about its data security in its privacy policy can lead to significant liability under various privacy laws.

Chapter 9 begins with an overview of the FTC's approach to privacy regulation. As with data security, the FTC uses Section 5 of the Federal Trade Commission Act to bring complaints against companies that violate their consumers' privacy rights or fail to meet the guarantees of their privacy policies. The chapter then examines the privacy laws that restrict healthcare providers and insurers and financial institutions. The chapter describes the CAN-SPAM Act, which limits the ability of companies to send email marketing materials. It explores the Video Privacy Protection Act, which restricts the ability of companies to share online and offline video viewing information, and the Children's Online Privacy Protection Act, which limits the collection of information from children under 13 years old. Finally, the chapter examines state laws in California and Illinois that require website privacy policies, require the deletion of certain information provided by minors, and restrict the use of biometric information, including facial recognition.

Chapters 1 through 9 therefore focus primarily on the U.S. federal and state cybersecurity laws that bind U.S. companies. However, very few U.S. companies can operate without considering the cybersecurity requirements of other countries. If the companies have employees, customers, or business partners in other countries, they may also be bound by those countries' cybersecurity laws. And many countries – particularly those in the European Union – have enacted privacy and data security laws that are much more restrictive than those in the United States. For that reason, Chapter 10 examines the primary privacy and data security legal requirements of the five largest trading partners of the United States: the European Union, Canada, Mexico, China, and Japan.

As with all emerging areas of the law, cybersecurity law is rapidly evolving. At any time, legislatures, regulators, and courts may change some of the laws that are described in this book. Accordingly, this book is not intended to be a substitute for legal advice from qualified counsel.

Cybersecurity law is a complex, nascent, and rapidly changing field. As we continue to define and build this exciting new area of law, this book attempts to provide a reference for students, lawyers, information technology professionals, and others who are interested in helping companies and government agencies improve the security of their computers, systems, and networks.