
Cybersecurity Law, 3rd edition [Hardcover]

(United States Naval Academy, Annapolis, MD)
  • Format: Hardback, 880 pages, height x width x thickness: 231x160x38 mm, weight: 1157 g
  • Publication date: 04-Nov-2022
  • Publisher: John Wiley & Sons Inc
  • ISBN-10: 1119822165
  • ISBN-13: 9781119822165
"Cybersecurity is the process of applying security measures to ensure confidentiality, integrity, and availability of data. The goal of cybersecurity is to protect assets, which includes data, desktops, servers, buildings, and most importantly, humans."

Learn to protect your clients with this definitive guide to cybersecurity law, now in a fully updated third edition.

Cybersecurity is an essential facet of modern society, and as a result the application of security measures that ensure the confidentiality, integrity, and availability of data is crucial. Cybersecurity protects assets of all kinds, including data, desktops, servers, buildings, and most importantly, humans. Understanding the ins and outs of the legal rules governing this field is vital for any lawyer or other professional looking to protect these interests.

The thoroughly revised and updated Cybersecurity Law offers an authoritative guide to the key statutes, regulations, and court rulings that pertain to cybersecurity, reflecting the latest legal developments on the subject. This comprehensive text deals with all aspects of cybersecurity law, from data security and enforcement actions to anti-hacking laws, and from surveillance and privacy laws to national and international cybersecurity law. New material in this edition includes many expanded sections, among them coverage of more recent FTC data security consent decrees, including those involving Zoom, SkyMed, and LifeLock.

Readers of the third edition of Cybersecurity Law will also find:

  • All-new chapter focused on laws related to ransomware and the latest attacks that compromise the availability of data and systems
  • New and updated sections on new data security laws in New York and Alabama, President Biden’s cybersecurity executive order, the Supreme Court’s first opinion interpreting the Computer Fraud and Abuse Act, American Bar Association guidance on law firm cybersecurity, Internet of Things cybersecurity laws and guidance, the Cybersecurity Maturity Model Certification, the NIST Privacy Framework, and more
  • New cases that feature the latest findings in the constantly evolving cybersecurity law space
  • An article by the author of this textbook, assessing the major gaps in U.S. cybersecurity law
  • A companion website for instructors that features expanded case studies, discussion questions by chapter, and exam questions by chapter

Cybersecurity Law is an ideal textbook for undergraduate and graduate level courses in cybersecurity, cyber operations, management-oriented information technology (IT), and computer science. It is also a useful reference for IT professionals, government personnel, business managers, auditors, cybersecurity insurance agents, and academics in these fields, as well as academic and corporate libraries that support these professions.

About the Author xvii
Acknowledgment and Disclaimers xix
Foreword to the Third Edition (2022) xxi
Foreword to the Second Edition (2019) xxiii
Introduction to First Edition xxvii
About the Companion Website xxxv
1 Data Security Laws and Enforcement Actions 1(62)
1.1 FTC Data Security 2(44)
1.1.1 Overview of Section 5 of the FTC Act 2(4)
1.1.2 Wyndham: Does the FTC Have Authority to Regulate Data Security Under Section 5 of the FTC Act? 6(4)
1.1.3 LabMD: What Constitutes "Unfair" Data Security? 10(3)
1.1.4 FTC June 2015 Guidance on Data Security, and 2017 Updates 13(5)
1.1.5 FTC Data Security Expectations and the NIST Cybersecurity Framework 18(1)
1.1.6 Lessons from FTC Cybersecurity Complaints 18(1)
1.1.6.1 Failure to Secure Highly Sensitive Information 19(1)
1.1.6.1.1 Use Industry-standard Encryption for Sensitive Data 20(1)
1.1.6.1.2 Routine Audits and Penetration Testing Are Expected 20(1)
1.1.6.1.3 Health-related Data Requires Especially Strong Safeguards 21(2)
1.1.6.1.4 Data Security Protection Extends to Paper Documents 23(2)
1.1.6.1.5 Business-to-business Providers Also Are Accountable to the FTC for Security of Sensitive Data 25(2)
1.1.6.1.6 Companies Are Responsible for the Data Security Practices of Their Contractors 27(1)
1.1.6.1.7 Make Sure that Every Employee Receives Regular Data Security Training for Processing Sensitive Data 28(1)
1.1.6.1.8 Privacy Matters, Even in Data Security 28(1)
1.1.6.1.9 Limit the Sensitive Information Provided to Third Parties 29(1)
1.1.6.1.10 Children's Data Requires Special Protection 29(1)
1.1.6.2 Failure to Secure Payment Card Information 30(1)
1.1.6.2.1 Adhere to Security Claims about Payment Card Data 30(1)
1.1.6.2.2 Always Encrypt Payment Card Data 31(1)
1.1.6.2.3 Payment Card Data Should Be Encrypted Both in Storage and at Rest 31(1)
1.1.6.2.4 In-store Purchases Pose Significant Cybersecurity Risks 32(2)
1.1.6.2.5 Minimize Duration of Storage of Payment Card Data 34(1)
1.1.6.2.6 Monitor Systems and Networks for Unauthorized Software 35(1)
1.1.6.2.7 Apps Should Never Override Default App Store Security Settings 35(1)
1.1.6.3 Failure to Adhere to Security Claims 36(1)
1.1.6.3.1 Companies Must Address Commonly Known Security Vulnerabilities 36(1)
1.1.6.3.2 Ensure That Security Controls Are Sufficient to Abide by Promises About Security and Privacy 37(3)
1.1.6.3.3 Omissions about Key Security Flaws Also Can Be Misleading 40(1)
1.1.6.3.4 Companies Must Abide by Promises for Security-related Consent Choices 40(1)
1.1.6.3.5 Companies That Promise Security Must Ensure Adequate Authentication Procedures 41(1)
1.1.6.3.6 Adhere to Promises About Encryption 42(1)
1.1.6.3.7 Promises About Security Extend to Vendors' Practices 43(1)
1.1.6.3.8 Companies Cannot Hide Vulnerable Software in Products 43(1)
1.1.7 FTC Internet of Things Security Guidance 43(3)
1.2 State Data Breach Notification Laws 46(6)
1.2.1 When Consumer Notifications Are Required 47(1)
1.2.1.1 Definition of Personal Information 48(1)
1.2.1.2 Encrypted Data 49(1)
1.2.1.3 Risk of Harm 49(1)
1.2.1.4 Safe Harbors and Exceptions to Notice Requirement 49(1)
1.2.2 Notice to Individuals 50(1)
1.2.2.1 Timing of Notice 50(1)
1.2.2.2 Form of Notice 50(1)
1.2.2.3 Content of Notice 51(1)
1.2.3 Notice to Regulators and Consumer Reporting Agencies 51(1)
1.2.4 Penalties for Violating State Breach Notification Laws 52(1)
1.3 State Data Security Laws 52(9)
1.3.1 Oregon 54(1)
1.3.2 Rhode Island 55(1)
1.3.3 Nevada 56(1)
1.3.4 Massachusetts 57(2)
1.3.5 Ohio 59(1)
1.3.6 Alabama 60(1)
1.3.7 New York 61(1)
1.4 State Data Disposal Laws 61(2)
2 Cybersecurity Litigation 63(78)
2.1 Article III Standing 64(20)
2.1.1 Applicable Supreme Court Rulings on Standing 66(5)
2.1.2 Lower Court Rulings on Standing in Data Breach Cases 71(1)
2.1.2.1 Injury-in-fact 71(1)
2.1.2.1.1 Broad View of Injury-in-fact 71(5)
2.1.2.1.2 Narrow View of Injury-in-fact 76(5)
2.1.2.1.3 Attempts at Finding a Middle Ground for Injury-in-fact 81(1)
2.1.2.2 Fairly Traceable 82(1)
2.1.2.3 Redressability 83(1)
2.2 Common Causes of Action Arising from Data Breaches 84(28)
2.2.1 Negligence 84(1)
2.2.1.1 Legal Duty and Breach of Duty 85(2)
2.2.1.2 Cognizable Injury 87(3)
2.2.1.3 Causation 90(2)
2.2.2 Negligent Misrepresentation or Omission 92(3)
2.2.3 Breach of Contract 95(6)
2.2.4 Breach of Implied Warranty 101(4)
2.2.5 Invasion of Privacy 105(2)
2.2.6 Unjust Enrichment 107(2)
2.2.7 State Consumer Protection Laws 109(3)
2.3 Class Action Certification in Data Breach Litigation 112(8)
2.4 Insurance Coverage for Data Breaches 120(4)
2.5 Protecting Cybersecurity Work Product and Communications from Discovery 124(17)
2.5.1 Attorney-client Privilege 126(3)
2.5.2 Work Product Doctrine 129(2)
2.5.3 Nontestifying Expert Privilege 131(1)
2.5.4 Genesco v. Visa 132(3)
2.5.5 In re Experian Data Breach Litigation 135(1)
2.5.6 In re Premera 136(2)
2.5.7 In re United Shore Financial Services 138(1)
2.5.8 In re Dominion Dental Services USA, Inc. Data Breach Litigation 138(2)
2.5.9 In re Capital One Consumer Data Security Breach Litigation 140(1)
3 Cybersecurity Requirements for Specific Industries 141(34)
3.1 Financial Institutions: GLBA Safeguards Rule 142(7)
3.1.1 Interagency Guidelines 142(2)
3.1.2 SEC's Regulation S-P 144(2)
3.1.3 FTC Safeguards Rule 146(3)
3.2 New York Department of Financial Services Cybersecurity Regulations 149(2)
3.3 Financial Institutions and Creditors: Red Flags Rule 151(6)
3.3.1 Financial Institutions or Creditors 155(1)
3.3.2 Covered Accounts 156(1)
3.3.3 Requirements for a Red Flags Identity Theft Prevention Program 157(1)
3.4 Companies that Use Payment and Debit Cards: PCI DSS 157(3)
3.5 IoT Cybersecurity Laws 160(1)
3.6 Health Providers: HIPAA Security Rule 161(6)
3.7 Electric Transmission: FERC Critical Infrastructure Protection Reliability Standards 167(3)
3.7.1 CIP-003-6: Cybersecurity - Security Management Controls 167(1)
3.7.2 CIP-004-6: Personnel and Training 168(1)
3.7.3 CIP-006-6: Physical Security of Cyber Systems 168(1)
3.7.4 CIP-007-6: Systems Security Management 168(1)
3.7.5 CIP-009-6: Recovery Plans for Cyber Systems 169(1)
3.7.6 CIP-010-2: Configuration Change Management and Vulnerability Assessments 169(1)
3.7.7 CIP-011-2: Information Protection 170(1)
3.8 NRC Cybersecurity Regulations 170(1)
3.9 State Insurance Cybersecurity Laws 171(4)
4 Cybersecurity and Corporate Governance 175(18)
4.1 SEC Cybersecurity Expectations for Publicly Traded Companies 176(10)
4.1.1 10-K Disclosures: Risk Factors 178(1)
4.1.2 10-K Disclosures: Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A) 179(1)
4.1.3 10-K Disclosures: Description of Business 180(1)
4.1.4 10-K Disclosures: Legal Proceedings 180(1)
4.1.5 10-K Disclosures: Financial Statements 181(1)
4.1.6 10-K Disclosures: Board Oversight of Cybersecurity 181(1)
4.1.7 Disclosing Data Breaches to Investors 182(3)
4.1.8 Yahoo! Data Breach 185(1)
4.1.9 Cybersecurity and Insider Trading 185(1)
4.2 Fiduciary Duty to Shareholders and Derivative Lawsuits Arising from Data Breaches 186(3)
4.3 CFIUS and Cybersecurity 189(2)
4.4 Law Firms and Cybersecurity 191(2)
5 Antihacking Laws 193(100)
5.1 Computer Fraud and Abuse Act 194(46)
5.1.1 Origins of the CFAA 194(1)
5.1.2 Access Without Authorization and Exceeding Authorized Access 195(3)
5.1.2.1 Narrow View of "Exceeds Authorized Access" and "Without Authorization" 198(5)
5.1.2.2 Broader View of "Exceeds Authorized Access" and "Without Authorization" 203(2)
5.1.2.3 Finding Some Clarity: Van Buren v. United States 205(3)
5.1.3 The Seven Sections of the CFAA 208(1)
5.1.3.1 CFAA Section (a)(1): Hacking to Commit Espionage 209(1)
5.1.3.2 CFAA Section (a)(2): Hacking to Obtain Information 210(4)
5.1.3.3 CFAA Section (a)(3): Hacking a Federal Government Computer 214(2)
5.1.3.4 CFAA Section (a)(4): Hacking to Commit Fraud 216(2)
5.1.3.5 CFAA Section (a)(5): Hacking to Damage a Computer 218(1)
5.1.3.5.1 CFAA Section (a)(5)(A): Knowing Transmission that Intentionally Damages a Computer Without Authorization 219(3)
5.1.3.5.2 CFAA Section (a)(5)(B): Intentional Access Without Authorization that Recklessly Causes Damage 222(1)
5.1.3.5.3 CFAA Section (a)(5)(C): Intentional Access Without Authorization that Causes Damage and Loss 223(1)
5.1.3.5.4 CFAA Section (a)(5): Requirements for Felony and Misdemeanor Cases 224(2)
5.1.3.6 CFAA Section (a)(6): Trafficking in Passwords 226(2)
5.1.3.7 CFAA Section (a)(7): Threatening to Damage or Obtain Information from a Computer 228(3)
5.1.4 Civil Actions Under the CFAA 231(4)
5.1.5 Criticisms of the CFAA 235(2)
5.1.6 CFAA and Coordinated Vulnerability Disclosure Programs 237(3)
5.2 State Computer Hacking Laws 240(3)
5.3 Section 1201 of the Digital Millennium Copyright Act 243(31)
5.3.1 Origins of Section 1201 of the DMCA 244(1)
5.3.2 Three Key Provisions of Section 1201 of the DMCA 245(1)
5.3.2.1 DMCA Section 1201(a)(1) 245(5)
5.3.2.2 DMCA Section 1201(a)(2) 250(1)
5.3.2.2.1 Narrow Interpretation of Section (a)(2): Chamberlain Group v. Skylink Technologies 251(3)
5.3.2.2.2 Broad Interpretation of Section (a)(2): MDY Industries, LLC v. Blizzard Entertainment 254(4)
5.3.2.3 DMCA Section 1201(b)(1) 258(3)
5.3.3 Section 1201 Penalties 261(1)
5.3.4 Section 1201 Exemptions 262(7)
5.3.5 The First Amendment and DMCA Section 1201 269(5)
5.4 Economic Espionage Act 274(17)
5.4.1 Origins of the EEA 274(1)
5.4.2 Criminal Prohibitions on Economic Espionage and Theft of Trade Secrets 275(1)
5.4.2.1 Definition of "Trade Secret" 276(3)
5.4.2.2 "Knowing" Violations of the EEA 279(1)
5.4.2.3 Purpose and Intent Required under Section 1831: Economic Espionage 279(2)
5.4.2.4 Purpose and Intent Required under Section 1832: Theft of Trade Secrets 281(3)
5.4.3 Civil Actions for Trade Secret Misappropriation: The Defend Trade Secrets Act of 2016 284(1)
5.4.3.1 Definition of "Misappropriation" 285(3)
5.4.3.2 Civil Seizures 288(1)
5.4.3.3 Injunctions 289(1)
5.4.3.4 Damages 289(1)
5.4.3.5 Statute of Limitations 290(1)
5.5 Budapest Convention on Cybercrime 291(2)
6 U.S. Government Cyber Structure and Public-Private Cybersecurity Partnerships 293(24)
6.1 U.S. Government's Civilian Cybersecurity Organization 293(4)
6.2 Department of Homeland Security Information Sharing under the Cybersecurity Act of 2015 297(4)
6.3 Critical Infrastructure Executive Order and the NIST Cybersecurity Framework 301(8)
6.4 U.S. Military Involvement in Cybersecurity and the Posse Comitatus Act 309(2)
6.5 Vulnerabilities Equities Process 311(3)
6.6 Executive Order 14028 314(3)
7 Surveillance and Cyber 317(52)
7.1 Fourth Amendment 318(20)
7.1.1 Was the Search or Seizure Conducted by a Government Entity or Government Agent? 319(5)
7.1.2 Did the Search or Seizure Involve an Individual's Reasonable Expectation of Privacy? 324(8)
7.1.3 Did the Government Have a Warrant? 332(3)
7.1.4 If the Government Did Not Have a Warrant, Did an Exception to the Warrant Requirement Apply? 335(2)
7.1.5 Was the Search or Seizure Reasonable Under the Totality of the Circumstances? 337(1)
7.2 Electronic Communications Privacy Act 338(23)
7.2.1 Stored Communications Act 340(4)
7.2.1.1 Section 2701: Third-party Hacking of Stored Communications 344(1)
7.2.1.2 Section 2702: Restrictions on Service Providers' Ability to Disclose Stored Communications and Records to the Government and Private Parties 345(4)
7.2.1.3 Section 2703: Government's Ability to Require Service Providers to Turn Over Stored Communications and Customer Records 349(5)
7.2.2 Wiretap Act 354(4)
7.2.3 Pen Register Act 358(1)
7.2.4 National Security Letters 359(2)
7.3 Communications Assistance for Law Enforcement Act (CALEA) 361(1)
7.4 Encryption and the All Writs Act 362(2)
7.5 Encrypted Devices and the Fifth Amendment 364(5)
8 Cybersecurity and Federal Government Contractors 369(16)
8.1 Federal Information Security Management Act 370(2)
8.2 NIST Information Security Controls for Government Agencies and Contractors 372(4)
8.3 Classified Information Cybersecurity 376(1)
8.4 Covered Defense Information, CUI, and the Cybersecurity Maturity Model Certification 377(8)
9 Privacy Laws 385(24)
9.1 Section 5 of the FTC Act and Privacy 386(2)
9.2 Health Insurance Portability and Accountability Act 388(2)
9.3 Gramm-Leach-Bliley Act and California Financial Information Privacy Act 390(1)
9.4 CAN-SPAM Act 391(1)
9.5 Video Privacy Protection Act 392(2)
9.6 Children's Online Privacy Protection Act 394(2)
9.7 California Online Privacy Laws 396(5)
9.7.1 California Online Privacy Protection Act (CalOPPA) 396(2)
9.7.2 California Shine the Light Law 398(2)
9.7.3 California Minor "Online Eraser" Law 400(1)
9.8 California Consumer Privacy Act 401(3)
9.9 Illinois Biometric Information Privacy Act 404(2)
9.10 NIST Privacy Framework 406(3)
10 International Cybersecurity Law 409(30)
10.1 European Union 410(10)
10.2 Canada 420(5)
10.3 China 425(5)
10.4 Mexico 430(4)
10.5 Japan 434(5)
11 Cyber and the Law of War 439(14)
11.1 Was the Cyberattack a "Use of Force" that Violates International Law? 441(3)
11.2 If the Attack Was a Use of Force, Was that Force Attributable to a State? 444(1)
11.3 Did the Use of Force Constitute an "Armed Attack" that Entitles the Target to Self-defense? 445(3)
11.4 If the Use of Force Was an Armed Attack, What Types of Self-defense Are Justified? 448(1)
11.5 If the Nation Experiences Hostile Cyber Actions that Fall Short of Use of Force or Armed Attacks, What Options Are Available? 449(4)
12 Ransomware 453(13)
12.1 Defining Ransomware 454(1)
12.2 Ransomware-related Litigation 455(7)
12.3 Insurance Coverage for Ransomware 462(4)
12.4 Ransomware Payments and Sanctions 466(7)
12.5 Ransomware Prevention and Response Guidelines from Government Agencies 467(6)
12.5.1 Department of Homeland Security 467(2)
12.5.2 Federal Trade Commission 469(1)
12.5.3 Federal Interagency Guidance for Information Security Executives 470(2)
12.5.4 New York Department of Financial Services Guidance 472(1)
Appendix A Text of Section 5 of the FTC Act 473(10)
Appendix B Summary of State Data Breach Notification Laws 483(62)
Appendix C Text of Section 1201 of the Digital Millennium Copyright Act 545(12)
Appendix D Text of the Computer Fraud and Abuse Act 557(8)
Appendix E Text of the Electronic Communications Privacy Act 565(64)
Appendix F Key Cybersecurity Court Opinions 629(152)
Appendix G Hacking Cybersecurity Law 781(44)
Index 825
Jeff Kosseff, JD, MPP, is Associate Professor of Cybersecurity Law at the United States Naval Academy in Annapolis, Maryland. He frequently speaks and writes about cybersecurity and was a journalist covering technology and politics at The Oregonian, a finalist for the Pulitzer Prize, and a recipient of the George Polk Award for national reporting.