Cybersecurity Law, Standards and Regulations
by Tari Schreider
- Publisher: Rothstein Publishing
- Year: 2020
- Language: English
- Pages: 325
- Edition: 2
- Category: Library
Synopsis
In today's litigious business world, cyber-related matters could land you in court. As a computer security professional, you are protecting your data, but are you protecting your company? While you know industry standards and regulations, you may not be a legal expert. Fortunately, in a few hours of reading, rather than months of classroom study, Tari Schreider's Cybersecurity Law, Standards and Regulations (2nd Edition), lets you integrate legal issues into your security program.
Tari Schreider, a board-certified information security practitioner with a criminal justice administration background, has written a much-needed book that bridges the gap between cybersecurity programs and cybersecurity law. He says, "My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective façade or false sense of security."
In a friendly style, offering real-world business examples from his own experience supported by a wealth of court cases, Schreider covers the range of practical information you will need as you explore, and prepare to apply, cybersecurity law. His practical, easy-to-understand explanations help you to:
- Understand your legal duty to act reasonably and responsibly to protect assets and information.
- Identify which cybersecurity laws have the potential to impact your cybersecurity program.
- Upgrade cybersecurity policies to comply with state, federal, and regulatory statutes.
- Communicate effectively about cybersecurity law with corporate legal department and counsel.
- Understand the implications of emerging legislation for your cybersecurity program.
- Know how to avoid losing a cybersecurity court case on procedure, and develop strategies to handle a dispute out of court.
- Develop an international view of cybersecurity and data privacy, and of international legal frameworks.
Schreider takes you beyond security standards and regulatory controls to ensure that your current or future cybersecurity program complies with all laws and legal jurisdictions. Hundreds of citations and references allow you to dig deeper as you explore specific topics relevant to your organization or your studies. This book needs to be required reading before your next discussion with your corporate legal department.
This new edition responds to the rapid changes in the cybersecurity industry, threat landscape and providers. It addresses the increasing risk of zero-day attacks, growth of state-sponsored adversaries and consolidation of cybersecurity products and services in addition to the substantial updates of standards, source links and cybersecurity products.
Table of Contents
Cover
Title page
Copyright
Dedication
Acknowledgments
Foreword
Foreword 2
Contents
Introduction to the 2nd Edition
Chapter 1 - Introduction to Cybersecurity Law
1.1 Infamous Cybercrimes
1.2 Cybercrime Taxonomy
1.3 Civil vs. Criminal Cybersecurity Offenses
1.3.1 Clarifying the Definition of Cybercrime
1.3.2 Challenging Your Current Definition of Cybercrime
1.3.3 Creating a Strong Cybercrime Definition
1.3.4 Cybercrime Categories in the Incident Response Plan
1.4 Understanding the Four Basic Elements of Criminal Law
1.4.1 Mens Rea
1.4.2 Actus Reus
1.4.3 Concurrence
1.4.4 Causation
1.5 Branches of Law
1.6 Tort Law
1.6.2 Strict Liability Tort
1.6.3 Tort Precedents
1.7 Cyberlaw Enforcement
1.7.1 Regulatory Enforcement
1.7.2 Local Enforcement
1.7.3 State Enforcement
1.7.4 Federal Enforcement
1.7.5 International Enforcement
1.8 Cybersecurity Law Jurisdiction
1.8.1 Challenging Jurisdiction
1.8.2 Extradition
1.9 Cybercrime and Cyber Tort Punishment
1.9.1 Cybercrime Punishment
1.9.2 Cyber Tort Punishment
Chapter 2 - Overview of US Cybersecurity Law
2.1 Brief History of Resolving Cybersecurity Disputes
2.1.1 Computer Crime Laws in the Public Sector
2.1.2 Computer Crime Laws in the Private Sector
2.1.3 Application of Laws to Cybersecurity
2.2 Alternative Dispute Resolution (ADR)
2.2.1 Cybersecurity Case Mediation Law
2.2.2 Cybersecurity Case Arbitration Law
2.2.3 Cybersecurity Case Dispositive Motion Law
2.3 Successful Data Breach Lawsuits
2.4 Duty of Care Doctrine
2.4.1 Duty to Provide Reasonable Security
2.4.2 Duty to Reveal Security Breaches
2.4.3 Duty to Accurately Disclose Safeguards
2.4.4 Duty to Protect Information
2.4.5 State-Based Duty of Care Laws
2.5 Failure to Act Doctrine
2.5.1 Failure to Act Duty
2.5.2 Failure to Warn Duty
2.5.3 Cybersecurity Good Samaritan Law
2.6 Reasonable Person Doctrine
2.7 Common Law Duty
2.8 Criminal Cyberlaw
2.8.1 Cybercrime Penalties
2.9 Federal Computer Crime Statutes
2.9.1 Federal Laws Addressing Computer Security
2.9.2 The US Code
2.10 Procedural Law
2.10.1 Rules of Criminal Procedure
2.10.2 Rules of Civil Procedure (Cyber Tort)
2.11 State Computer Crime Laws
2.11.1 State Ransomware Laws
2.11.2 Federal Ransomware Laws
2.11.3 State Cyber Reserve Laws
2.11.4 State Denial of Service Laws
2.11.5 State Election Security Legislation
2.11.6 State Anti-Phishing Laws
2.11.7 Identity Theft Laws
2.11.8 State Cyberbullying Laws
2.12 False Claims Act (FCA)
Chapter 3 - Cyber Privacy and Data Protection Law
3.1 Common Law of Privacy
3.2 Privacy Laws
3.2.1 Children's Privacy Laws
3.2.2 Healthcare Data Privacy Laws
3.2.3 Federal Privacy Laws
3.2.4 Cybercrime on Tribal Lands
3.2.5 State Privacy Laws
3.2.6 State Chief Information Privacy Officer (CIPO) Laws
3.2.7 International Privacy Laws
3.3 Data Breach Laws
3.3.1 State Data Breach Laws
3.3.2 Federal Data Breach Laws
3.3.3 International Data Breach Laws
3.3.4 General Data Protection Regulation (GDPR)
3.4 Data Breach Litigation
3.4.1 Injury vs. No-Injury Class Action Lawsuits
3.4.2 Data Privacy and the US Supreme Court
3.4.3 Shareholder Derivative Lawsuits
3.4.4 Securities Fraud Lawsuits
3.5 Privacy Notice Law
3.6 Personal Liability
3.6.1 Directors and Officers Insurance
3.6.2 Preemptive Liability Protection
3.6.3 Cybersecurity Whistleblower Protections
3.7 Data Disposal Laws
3.8 Electronic Wiretap Laws
3.9 Digital Assistant Privacy Issues
3.10 Social Media Privacy
3.11 Event Data Recorder (EDR) Privacy
3.12 Automated License Plate Reader (ALPR) Privacy
Chapter 4 - Cryptography and Digital Forensics Law
4.1 Brief Overview of Cryptography
4.2 Cryptography Law
4.2.1 Export Control Laws
4.2.2 Import Control Laws
4.2.3 Cryptography Patent Infringement
4.2.4 Search and Seizure of Encrypted Data
4.2.5 Encryption Personal Use Exemption
4.3 State Encryption Laws
4.3.1 State Encryption Safe Harbor Provision
4.4 Fifth Amendment and Data Encryption
4.5 Laws and Regulations Requiring Encryption
4.6 International Cryptography Law Perspective
4.7 International Key Disclosure Law
4.8 Legal Aspects of Digital Forensics
4.8.1 Preservation Order
4.8.2 Digital Best Evidence Rule
4.8.3 Digital Chain of Custody
4.8.4 Digital Data Admissibility in Court
4.8.5 Digital Evidence Spoliation
4.8.6 Fourth Amendment Rights and Digital Evidence
4.8.7 Expert Witnesses
4.8.8 Security Consultant Client Privilege
4.9 State Digital Forensics Law
4.10 The CLOUD Act
- U.S. Access to Foreign Stored Data: The Act authorizes U.S. law enforcement to unilaterally demand access to data stored outside the U.S. When the U.S. orders a company to produce communications data, the Act provides a mechanism for a communicatio...
- Executive Agreements: The Act permits federal officials to enter into executive agreements granting foreign access to data stored in the U.S., even if that data would otherwise be protected under The Electronic Communications Privacy Act (ECPA). Pri...
4.11 Emerging Data Encryption Laws
When encryption was originally envisioned it was primarily designed to protect information from being used by bad actors once stolen. Authors of original encryption algorithms never really thought that governments would want to have access to their en...
In an effort to bring sanity to the uncontrolled growth of encryption regulations, two important laws have been introduced. One is essentially to have one national encryption law applicable to all states and the other is to keep government from interf...
4.11.1 Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act
For the second time, H.R. 4170, the Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act, was introduced in the US Congress in August of 2019. The ENCRYPT Act would trump state and local government encryption laws to p...
4.11.2 Secure Data Act
4.12 Biometrics Law
4.13 Genetic Information Privacy Laws
Chapter 5 - Acts, Standards & Regulations
5.1 Basel III Accord
5.2 Chemical Facility Anti-Terrorism Standards (CFATS) Act
5.3 Defense Federal Acquisition Regulations Supplement (DFARS)
5.3.1 Minimum Requirements for DFARS
5.3.2 Termination of Contracts and Penalties for Non-Compliance
5.4 Directive on Security of Network and Information Systems (NIS Directive)
5.5 European Union Cybersecurity Act
5.6 Family Educational Rights and Privacy Act (FERPA)
5.7 Federal Financial Institutions Examination Council (FFIEC)
5.8 Federal Information Security Management Act (FISMA)
5.9 Financial Industry Regulatory Authority (FINRA) Rules
5.10 Food and Drug Administration Code of Federal Regulations Title 21 Part 11
5.10.1 ALCOA Model
5.11 Health Information Technology for Economic and Clinical Health Act (HITECH)
5.12 Health Insurance Portability and Accountability Act (HIPAA)
5.13 Joint Commission on the Accreditation of Healthcare Organizations (JCAHO)
5.14 North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)
5.15 Payment Card Industry Data Security Standard (PCI DSS)
5.16 Sarbanes Oxley Act (SOX)
5.16.1 Cybersecurity Flaw Whistleblower Protection
5.17 Standards
5.17.1 International Organization for Standardization (ISO) Security Standards
5.17.2 National Institute of Standards & Technology (NIST)
5.17.3 Center for Internet Security® (CIS) Controls
5.17.4 Industry-Specific Cyber Security Standards
Chapter 6 - Creating a Cybersecurity Law Program
6.1 Cybersecurity Law Program
6.1.1 Model
6.1.2 Architecture
6.1.3 Program Staffing and Roles
6.1.4 Program Policies
6.1.5 Program Procedures
6.1.6 Program Technology
6.1.7 Mapping Legal Requirements to Controls
6.1.8 ISO/IEC 27002 on Compliance Controls
6.2 Cyber Liability Insurance
6.2.1 Coverage Categories
6.2.2 Policy Restrictions
6.2.3 Policy Value
6.2.4 Policy Cost
6.2.5 Policy Claims
6.2.6 Policy Claim Disputes
6.2.7 Policy Lawsuits
6.2.8 Act of War Defense
6.2.9 Insurable vs Uninsurable Risk
6.2.10 Cyber Risk Insurance Pools
6.2.11 Silent Cyber Risk Insurance
6.3 Data Breach Worksheet
6.3.1 Data Breach Calculators
6.4 Compliance Auditing
6.4.1 Critical Audit Matters (CAM)
6.4.2 Internal vs. External Auditing
6.4.3 Auditing Associations
Chapter 7 - Future Developments in Cybersecurity Law
7.1 Future of Cybersecurity Legislation
7.1.1 Constitutionality of Cybersecurity Law
7.2 Impact of Technology on Cybersecurity Law
7.2.1 Legal Implications of the Internet of Things (IoT)
7.2.2 Legal Implications of Big Data
7.2.3 Legal Implications of Cloud Computing
7.2.4 Legal Implications of Security Testing
7.3 Future US Cybersecurity Legislation
7.4 US Foreign Policy on Cybersecurity
7.5 National Association of Insurance Commissioners (NAIC) Model Cybersecurity Law
7.6 Harmonization of International Cybersecurity Laws
7.6.1 Cybersecurity Law and Trade Pacts
7.6.2 Harmonization of Cybersecurity and Privacy Law
7.6.3 Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) Cybersecurity Framework
7.6.4 Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System
7.6.5 US-Mexico-Canada Agreement (USMCA)
7.6.6 Cyberbalkanization Laws
7.6.7 Data Localization Laws
7.6.8 Singapore Payment Services Act
7.7 Aligning the Law of the Sea to Cybersecurity Law
7.8 Cybersecurity Law in Outer Space
7.9 The Law of Armed Conflict in Cyberwar
7.10 North Atlantic Treaty Organization (NATO) Cyberlaw Stance
7.11 United Nations Universal Cybersecurity Legal Framework
7.12 International Treaties on Cybersecurity
7.13 Brexit Impact on European Union Cybersecurity Law
7.14 G7 Perspective on Cybercrime
Appendix A
Useful Checklists and Information
Index
Credits
About the Author