1 197 kr
Made to order. Ships within 7-10 business days. Free shipping over 249 kr.
Description
Comprehensive textbook covering the latest developments in the field of cybersecurity law

Cybersecurity Law offers an authoritative guide to the key statutes, regulations, and court rulings that pertain to cybersecurity, reflecting the latest legal developments for this constantly evolving subject since the previous edition was released in 2022. This comprehensive text deals with all aspects of cybersecurity law, including data security and enforcement actions, anti-hacking laws, surveillance and privacy laws, and national and international cybersecurity law.

In this new edition, readers will find insights on revisions to regulations and guidance concerning cybersecurity from federal agencies, such as 2023 SEC cybersecurity regulations for all publicly traded companies, and the Cyber Incident Reporting for Critical Infrastructure Act and its impact on the obligations of companies across the United States.

Other recent developments discussed in this book include litigation from customers against companies after data breaches and the resulting legal articulation of companies’ duties to secure personal information, the increased focus from lawmakers and regulators on the Internet of Things (IoT), and the FDA’s guidelines for medical device cyber security.

Readers of Cybersecurity Law will also find new information on:
- Litigation cases where courts ruled on whether plaintiffs stated viable causes of action in data breach cases, including the Eleventh Circuit’s opinion in Ramirez v. Paradies Shops
- Fourth Amendment opinions involving geofence warrants and keyword search warrants
- Courts’ applications of the Supreme Court’s first Computer Fraud and Abuse Act opinion, Van Buren v. United States
- NIST’s 2024 revisions to its popular Cybersecurity Framework
- Version 2 of the Cybersecurity Maturity Model Certification

Cybersecurity Law is an ideal textbook for undergraduate and graduate level courses in cybersecurity, cyber operations, management-oriented information technology (IT), and computer science. It is also a useful reference for IT professionals, government personnel, business managers, auditors, cybersecurity insurance agents, and academics in these fields.
Product information
- Publication date: 2025-10-06
- Dimensions: 160 x 231 x 38 mm
- Weight: 1 202 g
- Format: Hardcover
- Language: English
- Number of pages: 928
- Edition: 4
- Publisher: John Wiley & Sons Inc
- ISBN: 9781394265893
More about the author
Jeff Kosseff, JD, MPP, is a cybersecurity and privacy lawyer. He frequently speaks and writes about cybersecurity and was a journalist covering technology and politics at The Oregonian, a finalist for the Pulitzer Prize, and a recipient of the George Polk Award for national reporting.
Table of contents
- About the Author
- Foreword to the Fourth Edition (2026)
- Foreword to the Third Edition (2023)
- Foreword to the Second Edition (2019)
- Acknowledgment and Disclaimers
- Introduction to First Edition
- 1 Data Security Laws and Enforcement Actions
- 1.1 FTC Data Security
- 1.1.1 Overview of Section 5 of the FTC Act
- 1.1.2 Wyndham: Does the FTC Have Authority to Regulate Data Security Under Section 5 of the FTC Act?
- 1.1.3 LabMD: What Constitutes “Unfair” Data Security?
- 1.1.4 FTC June 2015 Guidance on Data Security, and 2017 Updates
- 1.1.5 FTC Data Security Expectations and the NIST Cybersecurity Framework
- 1.1.6 Lessons from FTC Cybersecurity Complaints
- 1.1.6.1 Failure to Secure Highly Sensitive Information
- 1.1.6.1.1 Use Industry-standard Encryption for Sensitive Data
- 1.1.6.1.2 Routine Audits and Penetration Testing Are Expected
- 1.1.6.1.3 Health-Related Data Requires Especially Strong Safeguards
- 1.1.6.1.4 Data Security Protection Extends to Paper Documents
- 1.1.6.1.5 Business-to-Business Providers Also Are Accountable to the FTC for Security of Sensitive Data
- 1.1.6.1.6 Companies Are Responsible for the Data Security Practices of Their Contractors
- 1.1.6.1.7 Make Sure that Every Employee Receives Regular Data Security Training for Processing Sensitive Data
- 1.1.6.1.8 Privacy Matters, Even in Data Security
- 1.1.6.1.9 Limit the Sensitive Information Provided to Third Parties
- 1.1.6.1.10 Children’s Data Requires Special Protection
- 1.1.6.1.11 Promptly Notify Customers of Breaches of Sensitive Data
- 1.1.6.2 Failure to Secure Payment Card Information
- 1.1.6.2.1 Adhere to Security Claims about Payment Card Data
- 1.1.6.2.2 Always Encrypt Payment Card Data
- 1.1.6.2.3 Payment Card Data Should Be Encrypted Both in Storage and at Rest
- 1.1.6.2.4 In-store Purchases Pose Significant Cybersecurity Risks
- 1.1.6.2.5 Minimize Duration of Storage of Payment Card Data
- 1.1.6.2.6 Monitor Systems and Networks for Unauthorized Software
- 1.1.6.2.7 Apps Should Never Override Default App Store Security Settings
- 1.1.6.3 Failure to Adhere to Security Claims
- 1.1.6.3.1 Companies Must Address Commonly Known Security Vulnerabilities
- 1.1.6.3.2 Ensure That Security Controls Are Sufficient to Abide by Promises About Security and Privacy
- 1.1.6.3.3 Omissions about Key Security Flaws Also Can Be Misleading
- 1.1.6.3.4 Companies Must Abide by Promises for Security-related Consent Choices
- 1.1.6.3.5 Companies That Promise Security Must Ensure Adequate Authentication Procedures
- 1.1.6.3.6 Adhere to Promises About Encryption
- 1.1.6.3.7 Promises About Security Extend to Vendors’ Practices
- 1.1.6.3.8 Companies Cannot Hide Vulnerable Software in Products
- 1.1.7 FTC and Software Patching
- 1.2 State Data Breach Notification Laws
- 1.2.1 When Consumer Notifications Are Required
- 1.2.1.1 Definition of Personal Information
- 1.2.1.2 Encrypted Data
- 1.2.1.3 Risk of Harm
- 1.2.1.4 Safe Harbors and Exceptions to Notice Requirement
- 1.2.2 Notice to Individuals
- 1.2.2.1 Timing of Notice
- 1.2.2.2 Form of Notice
- 1.2.2.3 Content of Notice
- 1.2.3 Notice to Regulators and Consumer Reporting Agencies
- 1.2.4 Penalties for Violating State Breach Notification Laws
- 1.3 State Data Security Laws
- 1.3.1 Oregon
- 1.3.2 Rhode Island
- 1.3.3 Nevada
- 1.3.4 Massachusetts
- 1.3.5 Ohio
- 1.3.6 Alabama
- 1.3.7 New York
- 1.4 State Data Disposal Laws
- 2 Cybersecurity Litigation
- 2.1 Article III Standing
- 2.1.1 Applicable Supreme Court Rulings on Standing
- 2.1.2 Lower Court Rulings on Standing in Data Breach Cases
- 2.1.2.1 Injury-in-fact
- 2.1.2.1.1 Broad View of Injury-in-fact
- 2.1.2.1.2 Narrow View of Injury-in-fact
- 2.1.2.1.3 Attempts at Finding a Middle Ground for Injury-in-fact
- 2.1.2.2 Fairly Traceable
- 2.1.2.3 Redressability
- 2.2 Common Causes of Action Arising from Data Breaches
- 2.2.1 Negligence
- 2.2.1.1 Legal Duty and Breach of Duty
- 2.2.1.2 Cognizable Injury
- 2.2.1.3 Causation
- 2.2.2 Negligent Misrepresentation or Omission
- 2.2.3 Breach of Contract
- 2.2.4 Breach of Implied Warranty
- 2.2.5 Invasion of Privacy
- 2.2.6 Unjust Enrichment
- 2.2.7 State Consumer Protection Laws
- 2.3 Class Action Certification in Data Breach Litigation
- 2.3.1 Kostka v. Dickey’s Barbecue Restaurants, Case No. 3:20-cv-3424 (N.D. Tex. Oct. 14, 2022)
- 2.3.2 In re Wawa, Inc. Data Security Litigation, No. 19-cv-6019 (E.D. Pa. July 30, 2021)
- 2.3.3 In re Hannaford Bros. Co. Customer Data Security Breach Litigation, No. 2:08-MD-1954 (D. Me. Mar. 13, 2013)
- 2.3.4 In re Heartland Payment Systems, Inc. Customer Data Security Breach Litigation: Consumer Track Litigation, 851 F. Supp. 2d 1040 (S.D. Tex. 2012)
- 2.4 Insurance Coverage for Data Breaches
- 2.5 Protecting Cybersecurity Work Product and Communications from Discovery
- 2.5.1 Attorney–Client Privilege
- 2.5.2 Work Product Doctrine
- 2.5.3 Nontestifying Expert Privilege
- 2.5.4 Genesco v. Visa
- 2.5.5 In re Experian Data Breach Litigation
- 2.5.6 In re Premera
- 2.5.7 In re United Shore Financial Services
- 2.5.8 In re Dominion Dental Services USA, Inc. Data Breach Litigation
- 2.5.9 In re Capital One Consumer Data Security Breach Litigation
- 2.5.10 Securities and Exchange Commission v. Covington & Burling
- 3 Cybersecurity Requirements for Specific Industries
- 3.1 Financial Institutions: GLBA Safeguards Rule
- 3.1.1 Interagency Guidelines
- 3.1.2 SEC’s Regulation S-P
- 3.1.3 FTC Safeguards Rule
- 3.2 Financial Institutions: Banking Organization Computer-Security Incident Notification Regulation
- 3.3 New York Department of Financial Services Cybersecurity Regulations
- 3.4 Financial Institutions and Creditors: Red Flags Rule
- 3.4.1 Financial Institutions or Creditors
- 3.4.2 Covered Accounts
- 3.4.3 Requirements for a Red Flags Identity Theft Prevention Program
- 3.4.4 Enforcement of the Red Flags Rule
- 3.5 Companies that Use Payment and Debit Cards: PCI DSS
- 3.6 Health Providers: HIPAA Security Rule
- 3.7 Electric Transmission: FERC Critical Infrastructure Protection Reliability Standards
- 3.7.1 CIP-003-8: Cybersecurity—Security Management Controls
- 3.7.2 CIP-004-7: Personnel and Training
- 3.7.3 CIP-005-7: Electronic Security Perimeters
- 3.7.4 CIP-006-6: Physical Security of Cyber Systems
- 3.7.5 CIP-007-6: Systems Security Management
- 3.7.6 CIP-008-6: Incident Reporting and Response Planning
- 3.7.7 CIP-009-6: Recovery Plans for Cyber Systems
- 3.7.8 CIP-010-4: Configuration Change Management and Vulnerability Assessments
- 3.7.9 CIP-011-2: Information Protection
- 3.7.10 CIP-012-1: Communications Between Control Centers
- 3.7.11 CIP-013-2: Supply Chain Risk Management
- 3.7.12 CIP-14-3: Physical Security of Cyber Systems
- 3.8 NRC Cybersecurity Regulations
- 3.9 State Insurance Cybersecurity Laws
- 3.10 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
- 4 Cybersecurity and Corporate Governance
- 4.1 SEC Cybersecurity Expectations for Publicly Traded Companies
- 4.1.1 Example of SEC Expectations: Yahoo! Data Breach
- 4.2 Fiduciary Duty to Shareholders and Derivative Lawsuits Arising from Data Breaches
- 4.3 CFIUS and Cybersecurity
- 4.4 Law Firms and Cybersecurity
- 5 Antihacking Laws
- 5.1 Computer Fraud and Abuse Act
- 5.1.1 Origins of the CFAA
- 5.1.2 Access Without Authorization and Exceeding Authorized Access
- 5.1.2.1 Narrow View of “Exceeds Authorized Access” and “Without Authorization”
- 5.1.2.2 Broader View of “Exceeds Authorized Access” and “Without Authorization”
- 5.1.2.3 Finding Some Clarity: Van Buren v. United States
- 5.1.2.4 Impact of Van Buren
- 5.1.3 The Seven Sections of the CFAA
- 5.1.3.1 CFAA Section (a)(1): Hacking to Commit Espionage
- 5.1.3.2 CFAA Section (a)(2): Hacking to Obtain Information
- 5.1.3.3 CFAA Section (a)(3): Hacking a Federal Government Computer
- 5.1.3.4 CFAA Section (a)(4): Hacking to Commit Fraud
- 5.1.3.5 CFAA Section (a)(5): Hacking to Damage a Computer
- 5.1.3.5.1 CFAA Section (a)(5)(A): Knowing Transmission that Intentionally Damages a Computer Without Authorization
- 5.1.3.5.2 CFAA Section (a)(5)(B): Intentional Access Without Authorization that Recklessly Causes Damage
- 5.1.3.5.3 CFAA Section (a)(5)(C): Intentional Access Without Authorization that Causes Damage and Loss
- 5.1.3.5.4 CFAA Section (a)(5): Requirements for Felony and Misdemeanor Cases
- 5.1.3.6 CFAA Section (a)(6): Trafficking in Passwords
- 5.1.3.7 CFAA Section (a)(7): Threatening to Damage or Obtain Information from a Computer
- 5.1.4 Civil Actions Under the CFAA
- 5.1.5 Criticisms of the CFAA
- 5.1.6 CFAA and Coordinated Vulnerability Disclosure Programs
- 5.1.7 Justice Department’s 2022 CFAA Charging Policy
- 5.2 State Computer Hacking Laws
- 5.3 Section 1201 of the Digital Millennium Copyright Act
- 5.3.1 Origins of Section 1201 of the DMCA
- 5.3.2 Three Key Provisions of Section 1201 of the DMCA
- 5.3.2.1 DMCA Section 1201(a)(1)
- 5.3.2.2 DMCA Section 1201(a)(2)
- 5.3.2.2.1 Narrow Interpretation of Section (a)(2): Chamberlain Group v. Skylink Technologies
- 5.3.2.2.2 Broad Interpretation of Section (a)(2): MDY Industries, LLC v. Blizzard Entertainment
- 5.3.2.3 DMCA Section 1201(b)(1)
- 5.3.3 Section 1201 Penalties
- 5.3.4 Section 1201 Exemptions
- 5.3.5 The First Amendment and DMCA Section 1201
- 5.4 Economic Espionage Act
- 5.4.1 Origins of the EEA
- 5.4.2 Criminal Prohibitions on Economic Espionage and Theft of Trade Secrets
- 5.4.2.1 Definition of “Trade Secret”
- 5.4.2.2 “Knowing” Violations of the EEA
- 5.4.2.3 Purpose and Intent Required under Section 1831: Economic Espionage
- 5.4.2.4 Purpose and Intent Required under Section 1832: Theft of Trade Secrets
- 5.4.3 Civil Actions for Trade Secret Misappropriation: The Defend Trade Secrets Act of 2016
- 5.4.3.1 Definition of “Misappropriation”
- 5.4.3.2 Civil Seizures
- 5.4.3.3 Injunctions
- 5.4.3.4 Damages
- 5.4.3.5 Statute of Limitations
- 5.5 Budapest Convention on Cybercrime
- 6 U.S. Government Cyber Structure and Public–Private Cybersecurity Partnerships
- 6.1 U.S. Government’s Civilian Cybersecurity Organization
- 6.2 Department of Homeland Security Information Sharing under the Cybersecurity Act of 2015
- 6.3 Critical Infrastructure Executive Order and the NIST Cybersecurity Framework
- 6.4 U.S. Military Involvement in Cybersecurity and the Posse Comitatus Act
- 6.5 Vulnerabilities Equities Process
- 6.6 Executive Order 14028
- 6.6.1 Section 2: Removing Barriers to Sharing Threat Information
- 6.6.2 Section 3: Modernizing Federal Government Cybersecurity
- 6.6.3 Section 4: Enhancing Software Supply Chain Security
- 6.6.4 Section 5: Establishing a Cyber Safety Review Board
- 6.6.5 Section 6: Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
- 6.6.6 Section 7: Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
- 6.6.7 Section 8: Improving the Federal Government’s Investigative and Remediation Capabilities
- 6.6.8 Section 9: National Security Systems
- 7 Surveillance and Cyber
- 7.1 Fourth Amendment
- 7.1.1 Was the Search or Seizure Conducted by a Government Entity or Government Agent?
- 7.1.2 Did the Search or Seizure Involve an Individual’s Reasonable Expectation of Privacy?
- 7.1.3 Did the Government Have a Warrant?
- 7.1.4 If the Government Did Not Have a Warrant, Did an Exception to the Warrant Requirement Apply?
- 7.1.5 Was the Search or Seizure Reasonable Under the Totality of the Circumstances?
- 7.2 Electronic Communications Privacy Act
- 7.2.1 Stored Communications Act
- 7.2.1.1 Section 2701: Third-party Hacking of Stored Communications
- 7.2.1.2 Section 2702: Restrictions on Service Providers’ Ability to Disclose Stored Communications and Records to the Government and Private Parties
- 7.2.1.3 Section 2703: Government’s Ability to Require Service Providers to Turn Over Stored Communications and Customer Records
- 7.2.2 Wiretap Act
- 7.2.3 Pen Register Act
- 7.2.4 National Security Letters
- 7.3 Communications Assistance for Law Enforcement Act (CALEA)
- 7.4 Encryption and the All Writs Act
- 7.5 Encrypted Devices and the Fifth Amendment
- 8 Cybersecurity and Federal Government Contractors
- 8.1 Federal Information Security Management Act
- 8.2 NIST Information Security Controls for Government Agencies and Contractors
- 8.3 Classified Information Cybersecurity
- 8.4 Covered Defense Information, CUI, and the Cybersecurity Maturity Model Certification
- 9 Privacy Laws
- 9.1 Section 5 of the FTC Act and Privacy
- 9.2 Health Insurance Portability and Accountability Act
- 9.3 Gramm–Leach–Bliley Act and California Financial Information Privacy Act
- 9.4 CAN-SPAM Act
- 9.5 Video Privacy Protection Act
- 9.6 Children’s Online Privacy Protection Act
- 9.7 California Online Privacy Laws
- 9.7.1 California Online Privacy Protection Act (CalOPPA)
- 9.7.2 California Shine the Light Law
- 9.7.3 California Minor “Online Eraser” Law
- 9.8 California Consumer Privacy Act and Other State Privacy Laws
- 9.9 Illinois Biometric Information Privacy Act
- 9.10 NIST Privacy Framework
- 10 International Cybersecurity Law
- 10.1 European Union
- 10.2 Canada
- 10.3 China
- 10.4 Mexico
- 10.5 Japan
- 11 Cyber and the Law of War
- 11.1 Was the Cyberattack a “Use of Force” that Violates International Law?
- 11.2 If the Attack Was a Use of Force, Was that Force Attributable to a State?
- 11.3 Did the Use of Force Constitute an “Armed Attack” that Entitles the Target to Self-defense?
- 11.4 If the Use of Force Was an Armed Attack, What Types of Self-defense Are Justified?
- 11.5 If the Nation Experiences Hostile Cyber Actions that Fall Short of Use of Force or Armed Attacks, What Options Are Available?
- 12 Ransomware
- 12.1 Defining Ransomware
- 12.2 Ransomware-related Litigation
- 12.3 Insurance Coverage for Ransomware
- 12.4 Ransomware Payments and Sanctions
- 12.5 Ransomware Prevention and Response Guidelines from Government Agencies
- 12.5.1 Department of Homeland Security
- 12.5.2 Federal Trade Commission
- 12.5.3 Federal Interagency Guidance for Information Security Executives
- 12.5.4 New York Department of Financial Services Guidance
- 13 Internet of Things
- 13.1 State Internet of Things Laws
- 13.2 Internet of Things Cybersecurity Improvement Act of 2020 and NIST Guidance
- 13.3 NIST Consumer IoT Cybersecurity Labelling
- 13.4 FCC U.S. Cyber Trust Mark Program
- 13.5 FTC Internet of Things Security Guidance
- 13.6 Food and Drug Administration Cybersecurity Guidance
- 13.7 National Highway Traffic Safety Administration’s Cybersecurity Guidelines
- 13.8 Department of Homeland Security Internet Guidance
- Appendix A: Text of Section 5 of the FTC Act
- Appendix B: Summary of State Data Breach Notification Laws
- Appendix C: Text of Section 1201 of the Digital Millennium Copyright Act
- Appendix D: Text of the Computer Fraud and Abuse Act
- Appendix E: Text of the Electronic Communications Privacy Act
- Appendix F: Key Cybersecurity Court Opinions
- Appendix G: Hacking Cybersecurity Law
- Appendix H: Upgrading Cybersecurity Law
- Index