About the Author
Acknowledgment and Disclaimers
Foreword to the Third Edition (2022)
Foreword to the Second Edition (2019)
Introduction to First Edition
About the Companion Website

1 Data Security Laws and Enforcement Actions
  1.1 FTC Data Security
    1.1.1 Overview of Section 5 of the FTC Act
    1.1.2 Wyndham: Does the FTC Have Authority to Regulate Data Security Under Section 5 of the FTC Act?
    1.1.3 LabMD: What Constitutes "Unfair" Data Security?
    1.1.4 FTC June 2015 Guidance on Data Security, and 2017 Updates
    1.1.5 FTC Data Security Expectations and the NIST Cybersecurity Framework
    1.1.6 Lessons from FTC Cybersecurity Complaints
      1.1.6.1 Failure to Secure Highly Sensitive Information
        1.1.6.1.1 Use Industry-standard Encryption for Sensitive Data
        1.1.6.1.2 Routine Audits and Penetration Testing Are Expected
        1.1.6.1.3 Health-related Data Requires Especially Strong Safeguards
        1.1.6.1.4 Data Security Protection Extends to Paper Documents
        1.1.6.1.5 Business-to-business Providers Also Are Accountable to the FTC for Security of Sensitive Data
        1.1.6.1.6 Companies Are Responsible for the Data Security Practices of Their Contractors
        1.1.6.1.7 Make Sure that Every Employee Receives Regular Data Security Training for Processing Sensitive Data
        1.1.6.1.8 Privacy Matters, Even in Data Security
        1.1.6.1.9 Limit the Sensitive Information Provided to Third Parties
        1.1.6.1.10 Children's Data Requires Special Protection
      1.1.6.2 Failure to Secure Payment Card Information
        1.1.6.2.1 Adhere to Security Claims about Payment Card Data
        1.1.6.2.2 Always Encrypt Payment Card Data
        1.1.6.2.3 Payment Card Data Should Be Encrypted Both in Storage and at Rest
        1.1.6.2.4 In-store Purchases Pose Significant Cybersecurity Risks
        1.1.6.2.5 Minimize Duration of Storage of Payment Card Data
        1.1.6.2.6 Monitor Systems and Networks for Unauthorized Software
        1.1.6.2.7 Apps Should Never Override Default App Store Security Settings
      1.1.6.3 Failure to Adhere to Security Claims
        1.1.6.3.1 Companies Must Address Commonly Known Security Vulnerabilities
        1.1.6.3.2 Ensure That Security Controls Are Sufficient to Abide by Promises About Security and Privacy
        1.1.6.3.3 Omissions about Key Security Flaws Also Can Be Misleading
        1.1.6.3.4 Companies Must Abide by Promises for Security-related Consent Choices
        1.1.6.3.5 Companies That Promise Security Must Ensure Adequate Authentication Procedures
        1.1.6.3.6 Adhere to Promises About Encryption
        1.1.6.3.7 Promises About Security Extend to Vendors' Practices
        1.1.6.3.8 Companies Cannot Hide Vulnerable Software in Products
    1.1.7 FTC Internet of Things Security Guidance
  1.2 State Data Breach Notification Laws
    1.2.1 When Consumer Notifications Are Required
      1.2.1.1 Definition of Personal Information
      1.2.1.2 Encrypted Data
      1.2.1.3 Risk of Harm
      1.2.1.4 Safe Harbors and Exceptions to Notice Requirement
    1.2.2 Notice to Individuals
      1.2.2.1 Timing of Notice
      1.2.2.2 Form of Notice
      1.2.2.3 Content of Notice
    1.2.3 Notice to Regulators and Consumer Reporting Agencies
    1.2.4 Penalties for Violating State Breach Notification Laws
  1.3 State Data Security Laws
    1.3.1 Oregon
    1.3.2 Rhode Island
    1.3.3 Nevada
    1.3.4 Massachusetts
    1.3.5 Ohio
    1.3.6 Alabama
    1.3.7 New York
  1.4 State Data Disposal Laws

2 Cybersecurity Litigation
  2.1 Article III Standing
    2.1.1 Applicable Supreme Court Rulings on Standing
    2.1.2 Lower Court Rulings on Standing in Data Breach Cases
      2.1.2.1 Injury-in-fact
        2.1.2.1.1 Broad View of Injury-in-fact
        2.1.2.1.2 Narrow View of Injury-in-fact
        2.1.2.1.3 Attempts at Finding a Middle Ground for Injury-in-fact
      2.1.2.2 Fairly Traceable
      2.1.2.3 Redressability
  2.2 Common Causes of Action Arising from Data Breaches
    2.2.1 Negligence
      2.2.1.1 Legal Duty and Breach of Duty
      2.2.1.2 Cognizable Injury
      2.2.1.3 Causation
    2.2.2 Negligent Misrepresentation or Omission
    2.2.3 Breach of Contract
    2.2.4 Breach of Implied Warranty
    2.2.5 Invasion of Privacy
    2.2.6 Unjust Enrichment
    2.2.7 State Consumer Protection Laws
  2.3 Class Action Certification in Data Breach Litigation
  2.4 Insurance Coverage for Data Breaches
  2.5 Protecting Cybersecurity Work Product and Communications from Discovery
    2.5.1 Attorney-client Privilege
    2.5.2 Work Product Doctrine
    2.5.3 Nontestifying Expert Privilege
    2.5.4 Genesco v. Visa
    2.5.5 In re Experian Data Breach Litigation
    2.5.6 In re Premera
    2.5.7 In re United Shore Financial Services
    2.5.8 In re Dominion Dental Services USA, Inc. Data Breach Litigation
    2.5.9 In re Capital One Consumer Data Security Breach Litigation

3 Cybersecurity Requirements for Specific Industries
  3.1 Financial Institutions: GLBA Safeguards Rule
    3.1.1 Interagency Guidelines
    3.1.2 SEC's Regulation S-P
    3.1.3 FTC Safeguards Rule
  3.2 New York Department of Financial Services Cybersecurity Regulations
  3.3 Financial Institutions and Creditors: Red Flags Rule
    3.3.1 Financial Institutions or Creditors
    3.3.2 Covered Accounts
    3.3.3 Requirements for a Red Flags Identity Theft Prevention Program
  3.4 Companies that Use Payment and Debit Cards: PCI DSS
  3.5 IoT Cybersecurity Laws
  3.6 Health Providers: HIPAA Security Rule
  3.7 Electric Transmission: FERC Critical Infrastructure Protection Reliability Standards
    3.7.1 CIP-003-6: Cybersecurity--Security Management Controls
    3.7.2 CIP-004-6: Personnel and Training
    3.7.3 CIP-006-6: Physical Security of Cyber Systems
    3.7.4 CIP-007-6: Systems Security Management
    3.7.5 CIP-009-6: Recovery Plans for Cyber Systems
    3.7.6 CIP-010-2: Configuration Change Management and Vulnerability Assessments
    3.7.7 CIP-011-2: Information Protection
  3.8 NRC Cybersecurity Regulations
  3.9 State Insurance Cybersecurity Laws

4 Cybersecurity and Corporate Governance
  4.1 SEC Cybersecurity Expectations for Publicly Traded Companies
    4.1.1 10-K Disclosures: Risk Factors
    4.1.2 10-K Disclosures: Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A)
    4.1.3 10-K Disclosures: Description of Business
    4.1.4 10-K Disclosures: Legal Proceedings
    4.1.5 10-K Disclosures: Financial Statements
    4.1.6 10-K Disclosures: Board Oversight of Cybersecurity
    4.1.7 Disclosing Data Breaches to Investors
    4.1.8 Yahoo! Data Breach
    4.1.9 Cybersecurity and Insider Trading
  4.2 Fiduciary Duty to Shareholders and Derivative Lawsuits Arising from Data Breaches
  4.3 CFIUS and Cybersecurity
  4.4 Law Firms and Cybersecurity

5 Antihacking Laws
  5.1 Computer Fraud and Abuse Act
    5.1.1 Origins of the CFAA
    5.1.2 Access Without Authorization and Exceeding Authorized Access
      5.1.2.1 Narrow View of "Exceeds Authorized Access" and "Without Authorization"
      5.1.2.2 Broader View of "Exceeds Authorized Access" and "Without Authorization"
      5.1.2.3 Finding Some Clarity: Van Buren v. United States
    5.1.3 The Seven Sections of the CFAA
      5.1.3.1 CFAA Section (a)(1): Hacking to Commit Espionage
      5.1.3.2 CFAA Section (a)(2): Hacking to Obtain Information
      5.1.3.3 CFAA Section (a)(3): Hacking a Federal Government Computer
      5.1.3.4 CFAA Section (a)(4): Hacking to Commit Fraud
      5.1.3.5 CFAA Section (a)(5): Hacking to Damage a Computer
        5.1.3.5.1 CFAA Section (a)(5)(A): Knowing Transmission that Intentionally Damages a Computer Without Authorization
        5.1.3.5.2 CFAA Section (a)(5)(B): Intentional Access Without Authorization that Recklessly Causes Damage
        5.1.3.5.3 CFAA Section (a)(5)(C): Intentional Access Without Authorization that Causes Damage and Loss
        5.1.3.5.4 CFAA Section (a)(5): Requirements for Felony and Misdemeanor Cases
      5.1.3.6 CFAA Section (a)(6): Trafficking in Passwords
      5.1.3.7 CFAA Section (a)(7): Threatening to Damage or Obtain Information from a Computer
    5.1.4 Civil Actions Under the CFAA
    5.1.5 Criticisms of the CFAA
    5.1.6 CFAA and Coordinated Vulnerability Disclosure Programs
  5.2 State Computer Hacking Laws
  5.3 Section 1201 of the Digital Millennium Copyright Act
    5.3.1 Origins of Section 1201 of the DMCA
    5.3.2 Three Key Provisions of Section 1201 of the DMCA
      5.3.2.1 DMCA Section 1201(a)(1)
      5.3.2.2 DMCA Section 1201(a)(2)
        5.3.2.2.1 Narrow Interpretation of Section (a)(2): Chamberlain Group v. Skylink Technologies
        5.3.2.2.2 Broad Interpretation of Section (a)(2): MDY Industries, LLC v. Blizzard Entertainment
      5.3.2.3 DMCA Section 1201(b)(1)
    5.3.3 Section 1201 Penalties
    5.3.4 Section 1201 Exemptions
    5.3.5 The First Amendment and DMCA Section 1201
  5.4 Economic Espionage Act
    5.4.1 Origins of the EEA
    5.4.2 Criminal Prohibitions on Economic Espionage and Theft of Trade Secrets
      5.4.2.1 Definition of "Trade Secret"
      5.4.2.2 "Knowing" Violations of the EEA
      5.4.2.3 Purpose and Intent Required under Section 1831: Economic Espionage
      5.4.2.4 Purpose and Intent Required under Section 1832: Theft of Trade Secrets
    5.4.3 Civil Actions for Trade Secret Misappropriation: The Defend Trade Secrets Act of 2016
      5.4.3.1 Definition of "Misappropriation"
      5.4.3.2 Civil Seizures
      5.4.3.3 Injunctions
      5.4.3.4 Damages
      5.4.3.5 Statute of Limitations
  5.5 Budapest Convention on Cybercrime

6 U.S. Government Cyber Structure and Public-Private Cybersecurity Partnerships
  6.1 U.S. Government's Civilian Cybersecurity Organization
  6.2 Department of Homeland Security Information Sharing under the Cybersecurity Act of 2015
  6.3 Critical Infrastructure Executive Order and the NIST Cybersecurity Framework
  6.4 U.S. Military Involvement in Cybersecurity and the Posse Comitatus Act
  6.5 Vulnerabilities Equities Process
  6.6 Executive Order 14028

7 Surveillance and Cyber
  7.1 Fourth Amendment
    7.1.1 Was the Search or Seizure Conducted by a Government Entity or Government Agent?
    7.1.2 Did the Search or Seizure Involve an Individual's Reasonable Expectation of Privacy?
    7.1.3 Did the Government Have a Warrant?
    7.1.4 If the Government Did Not Have a Warrant, Did an Exception to the Warrant Requirement Apply?
    7.1.5 Was the Search or Seizure Reasonable Under the Totality of the Circumstances?
  7.2 Electronic Communications Privacy Act
    7.2.1 Stored Communications Act
      7.2.1.1 Section 2701: Third-party Hacking of Stored Communications
      7.2.1.2 Section 2702: Restrictions on Service Providers' Ability to Disclose Stored Communications and Records to the Government and Private Parties
      7.2.1.3 Section 2703: Government's Ability to Require Service Providers to Turn Over Stored Communications and Customer Records
    7.2.2 Wiretap Act
    7.2.3 Pen Register Act
    7.2.4 National Security Letters
  7.3 Communications Assistance for Law Enforcement Act (CALEA)
  7.4 Encryption and the All Writs Act
  7.5 Encrypted Devices and the Fifth Amendment

8 Cybersecurity and Federal Government Contractors
  8.1 Federal Information Security Management Act
  8.2 NIST Information Security Controls for Government Agencies and Contractors
  8.3 Classified Information Cybersecurity
  8.4 Covered Defense Information, CUI, and the Cybersecurity Maturity Model Certification

9 Privacy Laws
  9.1 Section 5 of the FTC Act and Privacy
  9.2 Health Insurance Portability and Accountability Act
  9.3 Gramm-Leach-Bliley Act and California Financial Information Privacy Act
  9.4 CAN-SPAM Act
  9.5 Video Privacy Protection Act
  9.6 Children's Online Privacy Protection Act
  9.7 California Online Privacy Laws
    9.7.1 California Online Privacy Protection Act (CalOPPA)
    9.7.2 California Shine the Light Law
    9.7.3 California Minor "Online Eraser" Law
  9.8 California Consumer Privacy Act
  9.9 Illinois Biometric Information Privacy Act
  9.10 NIST Privacy Framework

10 International Cybersecurity Law
  10.1 European Union
  10.2 Canada
  10.3 China
  10.4 Mexico
  10.5 Japan

11 Cyber and the Law of War
  11.1 Was the Cyberattack a "Use of Force" that Violates International Law?
  11.2 If the Attack Was a Use of Force, Was that Force Attributable to a State?
  11.3 Did the Use of Force Constitute an "Armed Attack" that Entitles the Target to Self-defense?
  11.4 If the Use of Force Was an Armed Attack, What Types of Self-defense Are Justified?
  11.5 If the Nation Experiences Hostile Cyber Actions that Fall Short of Use of Force or Armed Attacks, What Options Are Available?

12 Ransomware
  12.1 Defining Ransomware
  12.2 Ransomware-related Litigation
  12.3 Insurance Coverage for Ransomware
  12.4 Ransomware Payments and Sanctions
  12.5 Ransomware Prevention and Response Guidelines from Government Agencies
    12.5.1 Department of Homeland Security
    12.5.2 Federal Trade Commission
    12.5.3 Federal Interagency Guidance for Information Security Executives
    12.5.4 New York Department of Financial Services Guidance

Appendix A: Text of Section 5 of the FTC Act
Appendix B: Summary of State Data Breach Notification Laws
Appendix C: Text of Section 1201 of the Digital Millennium Copyright Act
Appendix D: Text of the Computer Fraud and Abuse Act
Appendix E: Text of the Electronic Communications Privacy Act
Appendix F: Key Cybersecurity Court Opinions
Appendix G: Hacking Cybersecurity Law
Index
Jeff Kosseff, JD, MPP, is Associate Professor of Cybersecurity Law at the United States Naval Academy in Annapolis, Maryland. He frequently speaks and writes about cybersecurity and was a journalist covering technology and politics at The Oregonian, a finalist for the Pulitzer Prize, and a recipient of the George Polk Award for national reporting.