Description
Tari Schreider, a board-certified information security practitioner with a criminal justice administration background, has written a much-needed book that bridges the gap between cybersecurity programs and cybersecurity law.
He says, “My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective façade or false sense of security.”
While he does not dispense legal advice here, his goal is to provide awareness of various legal considerations that managers should embrace. He strongly recommends that after you have read this book, you sit with your legal department to begin the discussion of creating a closer relationship between your organization’s cybersecurity policies and practices and the law. We live in a litigious world and therefore must prepare ourselves for the eventuality of a cyber-related lawsuit.
In a friendly style, offering real-world business examples from his own experience supported by a wealth of court cases, Schreider covers the range of practical information you will need as you explore – and prepare to apply – cybersecurity law.
His practical, easy-to-understand explanations help you to:
- Understand your legal duty to act reasonably and responsibly to protect assets and information.
- Identify which cybersecurity laws have the potential to impact your cybersecurity program.
- Upgrade cybersecurity policies to comply with state, federal, and regulatory statutes.
- Communicate effectively about cybersecurity law with your corporate legal department and counsel.
- Understand the implications of emerging legislation for your cybersecurity program.
- Know how to avoid losing a cybersecurity court case on procedure – and develop strategies to handle a dispute out of court.
- Develop an international view of cybersecurity and data privacy – and international legal frameworks.
Schreider takes you beyond security standards and regulatory controls to ensure that your current or future cybersecurity program complies with all laws and legal jurisdictions. Hundreds of citations and references allow you to dig deeper as you explore specific topics relevant to your organization or your studies. This book should be required reading before your next discussion with your corporate legal department.
Because you have responsibility in your company to protect your company adequately against future cyber liability, you have a duty to think past security standards and regulatory controls to ensure your cybersecurity program complies with all laws and legal jurisdictions.
2017, 165 Pages.
Contents
Copyright
Dedication
Foreword
Preface
Chapter 1: Introduction to Cybersecurity Law
1.1 Infamous Cybercrimes
1.2 Civil vs. Criminal Cybersecurity Offenses
1.2.1 Clarifying the Definition of Cybercrime
1.2.2 Challenging Your Current Definition of Cybercrime
1.2.3 Creating a Strong Cybercrime Definition
1.2.4 Cybercrime Categories in the Incident Response Plan
1.3 Understanding the Four Basic Elements of Criminal Law
1.3.1 Mens Rea
1.3.2 Actus Reus
1.3.3 Concurrence
1.3.4 Causation
1.4 Branches of Law
1.5 Tort Law
1.5.1 Cyber Tort
1.5.2 Strict Liability Tort
1.5.3 Tort Precedents
1.6 Cyberlaw Enforcement
1.6.1 Regulatory Enforcement
1.6.2 Local Enforcement
1.6.3 State Enforcement
1.6.3.1 Computer Crime Cases
1.6.3.2 Data Breach Cases
1.6.4 Federal Enforcement
1.6.5 International Enforcement
1.7 Cybersecurity Law Jurisdiction
1.7.1 Challenging Jurisdiction
1.7.2 Extradition
1.8 Cybercrime and Cyber Tort Punishment
1.8.1 Cybercrime Punishment
1.8.2 Cyber Tort Punishment
References
Chapter 2: Overview of US Cybersecurity Law
2.1 Brief History of Resolving Cybersecurity Disputes
2.1.1 Computer Crime Laws in the Public Sector
2.1.2 Computer Crime Laws in the Private Sector
2.1.3 Application of Laws to Cybersecurity
2.2 Resolving Cybersecurity Disputes Outside of Court
2.2.1 Cybersecurity Case Mediation Law
2.2.2 Cybersecurity Case Arbitration Law
2.2.3 Cybersecurity Case Dispositive Motion Law
2.2.4 Cybersecurity Case Summary Judgments
2.3 Duty of Care Doctrine
2.3.1 Duty to Provide Reasonable Security
2.3.2 Duty to Reveal Security Breaches
2.3.3 Duty to Accurately Disclose Safeguards
2.3.4 Duty to Protect Information
2.3.5 State-Based Duty of Care Laws
2.4 Failure to Act Doctrine
2.4.1 Failure to Act Duty
2.4.2 Failure to Warn Duty
2.4.3 Cybersecurity Good Samaritan Law
2.5 Reasonable Person Doctrine
2.6 Criminal Cyberlaw
2.6.1 Cybercrime Penalties
2.7 Federal Computer Crime Statutes
2.7.1 Significant Federal Laws Addressing Computer Security
2.7.2 The US Code
2.8 Procedural Law
2.8.1 Rules of Criminal Procedure
2.8.2 Rules of Civil Procedure (Cyber Tort)
2.9 State Computer Crime Laws
References
Chapter 3: Cyber Privacy and Data Protection Law
3.1 Common Law of Privacy
3.2 Privacy Laws
3.2.1 Children’s Privacy Laws
3.2.1.1 Federal Children’s Privacy Law
3.2.1.2 State Children’s Privacy Laws
3.2.2 Healthcare Data Privacy Laws
3.2.2.1 HIPAA Privacy Rule
3.2.2.1.1 Law Enforcement HIPAA Disclosure
3.2.2.1.2 HITECH Act
3.2.2.1.3 HIPAA Breach Notification Rule
3.2.2.2 Veterans Benefits, Health Care, and Information Technology Act
3.2.3 Federal Privacy Laws
3.2.4 State Privacy Laws
3.2.5 International Privacy Laws
3.3 Data Breach Laws
3.3.1 State Data Breach Laws
3.3.2 Federal Data Breach Laws
3.3.3 International Data Breach Laws
3.4 Data Breach Litigation
3.4.1 Injury vs. No-Injury Class Action Lawsuits
3.4.2 Data Privacy and the US Supreme Court
3.4.2.1 City of Ontario, California, et al. v. Quon
3.4.2.2 Campbell-Ewald Co. v. Gomez
3.4.2.3 Tyson Foods, Inc. v. Bouaphakeo
3.4.3 Shareholder Derivative Lawsuits
3.4.4 Securities Fraud Lawsuits
3.5 Privacy Notice Law
3.6 Personal Liability
3.6.1 Directors and Officers Insurance
3.6.2 Preemptive Liability Protection
3.7 Data Disposal Laws
3.8 Electronic Wiretap Laws
References
Chapter 4: Cryptography and Digital Forensics Law
4.1 Brief Overview of Cryptography
4.2 Cryptography Law
4.2.1 Export Control Laws
4.2.2 Import Control Laws
4.2.3 Cryptography Patent Infringement
4.2.3.1 Patent Trolls
4.2.4 Search and Seizure of Encrypted Data
4.2.4.1 Digital Search Warrants
4.2.4.2 Foregone Conclusion Rule
4.2.5 Encryption Personal Use Exemption
4.3 State Encryption Laws
4.3.1 State Encryption Safe Harbor Provision
4.4 Fifth Amendment and Data Encryption
4.5 Laws and Regulations Requiring Encryption
4.6 International Cryptography Law Perspective
4.7 International Key Disclosure Law
4.8 Legal Aspects of Digital Forensics
4.8.1 Preservation Order
4.8.2 Digital Best Evidence Rule
4.8.3 Digital Chain of Custody
4.8.4 Digital Data Admissibility in Court
4.8.5 Digital Evidence Spoliation
4.8.6 Expert Witnesses
4.8.7 Security Consultant Client Privilege
4.9 State Digital Forensics Law
References
Chapter 5: Future Developments in Cybersecurity Law
5.1 Future of Cybersecurity Legislation
5.2 Impact of Technology on Cybersecurity Law
5.2.1 Legal Implications of the Internet of Things (IoT)
5.2.2 Legal Implications of Big Data
5.2.3 Legal Implications of the Cloud
5.2.4 Legal Implications of Security Testing
5.3 Future US Cybersecurity Legislation
5.4 US Foreign Policy on Cybersecurity
5.5 National Association of Insurance Commissioners (NAIC) Model Cybersecurity Law
5.6 Harmonization of International Cybersecurity Laws
5.6.1 Cybersecurity Law and Trade Pacts
5.6.2 Harmonization of Cybersecurity and Privacy Law
5.7 Trans-Pacific Partnership (TPP) Cybersecurity Framework
5.8 Aligning the Law of the Sea to Cybersecurity Law
5.9 Cybersecurity Law in Outer Space
5.10 The Law of Armed Conflict in Cyberwar
5.11 North Atlantic Treaty Organization (NATO) Cyberlaw Stance
5.12 United Nations – Universal Cybersecurity Legal Framework
5.13 International Treaties on Cybersecurity
5.14 Brexit Impact on European Union Cybersecurity Law
5.15 G7 Perspective on Cybercrime
References
Chapter 6: Creating a Cybersecurity Law Program
6.1 Cybersecurity Law Program
6.1.1 Model
6.1.1.1 Components
6.1.1.2 Subcomponents
6.1.2 Architecture
6.1.3 Program Staffing and Roles
6.1.3.1 Accountability Matrix
6.1.4 Program Policies
6.1.5 Program Procedures
6.1.6 Program Technology
6.1.6.1 eDiscovery Software
6.1.6.2 Program Knowledgebase
6.1.6.3 Legal and Regulatory Update Subscription
6.1.6.4 Policy Compliance Scanning
6.1.6.5 Forensic Toolkits
6.1.7 Mapping Legal Requirements to Controls
6.1.8 ISO/IEC 27002 on Compliance Controls
6.2 Cyber Liability Insurance
6.2.1 Coverage Categories
6.2.2 Policy Restrictions
6.2.3 Policy Value
6.2.4 Policy Cost
6.2.5 Policy Claims
6.2.6 Policy Claim Disputes
6.2.7 Policy Lawsuits
6.2.7.1 P.F. Chang’s v. Travelers Indemnity Co.
6.2.7.2 Recall Total Information Management Inc. v. Federal Insurance Co.
6.2.7.3 Retail Ventures v. National Union Fire Insurance Co.
6.2.7.4 Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc., et al.
6.2.7.5 Universal Am. Corp. v. National Union Fire Ins. Co.
6.2.7.6 Zurich Insurance v. Sony
References
Appendix A: Useful Checklists and Information
Table A-1. eDiscovery Software
Table A-2. Cybercrime Reporting Agencies
Table A-3. Cyber Tort Readiness Checklist
Table A-4. Providers of Cyber Liability Insurance
Table A-5. Research Sources
Table A-6. Digital Forensics Toolkits
Table A-7. Cyber Liability Stress Test
Table A-8. Cybersecurity Law Program Bill of Materials
About the Author
Credits
More from the Publisher
Excerpt from the Foreword
Those of us of a certain generation remember where we were the morning of September 11, 2001. For me, that was in my office at the US Department of Justice headquarters in Washington, DC, a stone’s throw from the Pentagon. The shocking images on TV of planes flying into the World Trade Center were surpassed for me only by the plumes of black smoke I saw from my office window as they rose above the burning Pentagon. On that day, 19 terrorists hijacked a technology meant to improve our way of life and bring the world closer together – passenger aircraft – and weaponized it for an evil and destructive purpose. As then-Attorney General John Ashcroft would state, our paradigm for anti-terrorism efforts necessarily changed overnight from prosecution to prevention.
Just as terrorists weaponized passenger aircraft on September 11th and forced a paradigm shift in America’s anti-terrorism efforts, so too have “digital terrorists” forced a shift in our approach to cybersecurity. As a manager or key executive, you know that in this new world of cyberattacks, data breaches, and data intrusion, prevention is the necessary paradigm. In Manager’s Guide to Cybersecurity Law, Tari Schreider accomplishes much the same objective – that is, to help you take clear, methodical, practical steps in your organization to operationalize this new paradigm. And with the explosion of cybersecurity laws and regulations of the past few years, operationalize it you must!
As the former Chief Security Architect for Fortune 100 company Hewlett Packard, Tari Schreider draws on his years of experience in both the technical development of security programs and the compliance assessment of the same to articulate the full spectrum of operationalizing cybersecurity in your organization. From helping you understand the basics of cybersecurity law, to outlining the key elements of a cybersecurity law program, to describing tools for program implementation, Tari – in the words of a cybersecurity colleague – “turns the obscure into the obvious in a manner that precludes any misunderstanding.”
You can have confidence in Tari, as he serves as your guide and personal investigator, identifying the current and coming threats, delivering the roadmap for shifting to a prevention paradigm, and defining the actions necessary to operationalize the new paradigm. It is now in your hands to act on this intelligence.
Susan Richmond Johnson, MBA, MPM/CIPM
Managing Principal, The Ashcroft Group LLC
Washington, DC
January 2017
Excerpt from the Preface
My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective facade or false sense of security. You may be protecting your data, but you are not protecting your company. Showing you how to avoid the painful lesson of learning this truth too late is the reason I wrote this book.
This book shows you how to bridge the gap between cybersecurity programs and cybersecurity law. My vantage point is somewhat unique in that I am a board-certified information security practitioner with a criminal justice administration background. While I do not dispense legal advice here, my goal is to provide awareness of various legal considerations that managers should embrace. I do strongly recommend that after you have read this book, you sit with your legal department to begin the discussion of creating a closer relationship between your organization’s cybersecurity policies and practices and the law. We live in a litigious world and therefore must prepare ourselves for the eventuality of a cyber-related lawsuit.
Your company may have developed its cybersecurity program according to the letter of applicable security standards or industry regulations. But this usually leads to developing your program in a bubble when the law is not considered. My hope is that after reading this book, you will have a whole new way of thinking and approach to your company’s cybersecurity program. Applying what you learn about criminal and civil procedure as well as other lessons presented in this book will allow you to burst out of that bubble.
Because you have responsibility in your company to protect your company adequately against future cyber liability, you have a duty to think past security standards and regulatory controls to ensure your cybersecurity program complies with all laws and legal jurisdictions.
Finally, let me remind you that you should not act on any advice in this book without first seeking legal advice.
Tari Schreider
Atlanta, Georgia – Cheyenne, Wyoming
January 2017
About the Author
Tari Schreider, SSCP, CISM, C|CISO, ITIL Foundation, is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. Co-founder of Prescriptive Risk Solutions, LLC (PRS), he is former Chief Security Architect at Hewlett-Packard Enterprise. PRS designs custom solutions for companies with challenging legal and regulatory compliance issues that need to be solved quickly. PRS maintains one of the world’s largest databases of security and disaster recovery incidents with nearly 12,000 incidents covering 10.6 billion compromised records.
Mr. Schreider has designed and implemented complex cybersecurity programs including a red team penetration testing program for one of the largest oil and gas companies in the world, a NERC CIP compliance program for one of Canada’s largest electric utility companies, and an integrated security control management program for one of the largest 911 systems in the US. He has advised organizations from China to India on how to improve their cybersecurity programs through his Information Security Service Management – Reference Model (ISSM-RM).
Schreider implemented a virtual Security Operations Center network with vSOCs located in the US, Brazil, Italy, Japan, and Sweden. He was also responsible for creating the first Information Sharing and Analysis Center in collaboration with the Information Technology Association of America (IT-ISAC). His earliest disaster recovery experiences included assisting companies affected by the 1992 Los Angeles Rodney King riots and the 1993 World Trade Center bombing. His most unusual experience came during the 1990 Gulf War, helping a New York financial institution recover after it became separated from its data center in Kuwait.
Schreider has appeared on ABC News, CNN, CNBC, and NPR, and has had numerous articles printed in security and business publications including Business Week, The New York Times, SC Magazine, The Wall Street Journal, and many others.
He studied Criminal Justice at the College of Social & Behavioral Sciences at the University of Phoenix and holds the following certifications in security and disaster recovery:
- American College of Forensic Examiners, CHS-III
- Certified CISO (C|CISO)
- Certified Information Security Manager (CISM)
- ITIL™ v3 Foundation Certified
- System Security Certified Practitioner (SSCP)
- The Business Continuity Institute, MBCI
- University of Richmond – Master Certified Recovery Planner (MCRP)
Excerpt from Chapter 4: Cryptography and Digital Forensics Law
In the previous chapter you learned that the ability to keep secrets is a vital trait your company must have, especially when those secrets include customers’ personally identifiable information. However, when those secrets are transmitted over the Internet or left unattended on storage devices, they can seep into the wild. One of the ways you can ensure the secrecy of company and customer information is cryptography, which scrambles data so that it cannot be read by prying eyes. But when things go wrong, you are going to want to know how and why it happened, which is where digital forensics comes in. Through digital forensics you can identify who is trying to take your customers’ secrets and, if they succeeded, determine how it was done.
This chapter will help you to:
- Understand the nuances of encryption law.
- Recognize the role constitutional amendments play in data protection.
- Leverage safe harbor laws to insulate your company from data breach liability.
- Understand the legal implications of conducting a forensic investigation.
- Know how to avoid losing a cybersecurity court case on procedure.
…
4.2 Cryptography Law
Cryptography is applied throughout the world to protect business, government, and military information. Because cryptography can shape privacy, free speech, and in some cases human rights, many countries regulate it. How can encryption have such an impact on fundamental rights? Consider that people living under an oppressive regime can use encryption to communicate securely without the threat of going to jail for exercising their freedom of speech. Encryption also lets people anonymously disclose the wrongs of their government or others by sharing information without fear of arrest.
The primary reason encryption has the attention of governing bodies is its dual-use capability: it can be applied for both commercial and military purposes. Cryptography law, or encryption law, is legislation that governs how, where, and by whom cryptography may be used, and that prescribes the conditions under which data must be stored or transmitted securely so that no one other than the intended audience can gain access to it. Some laws even designate who is allowed to encrypt data. If your company is multinational, you will need to know which countries restrict the import or export of cryptographic technology, limit the import of encrypted data, or restrict or prohibit the use of encryption within their borders.
TIP: Hold a discussion with your cybersecurity program’s security architect or engineer to make sure your company is in alignment with cryptography laws and to understand the encryption algorithms and key lengths used within your organization’s infrastructure components. Key length alone is not enough: import and export controls are usually written in terms of both the algorithm and the key length, so record both. Be aware that encryption will be found in hardware, software, applications, websites, and networks.
Reviews
From Security Management Magazine, January, 2018:
Noted cybersecurity lawyer Mark Rasch is credited with saying, “The rule is, ‘if it moves, sue it… If it doesn’t move, move it, then sue it.’” In today’s litigious society, it’s almost inevitable that a person or enterprise will be sued.
In The Manager’s Guide to Cybersecurity Law: Essentials for Today’s Business, author Tari Schreider provides a helpful resource that can help IT managers stay on the correct side of the myriad cybersecurity laws. While the author is not a lawyer, he does a good job in showing the reader what due diligence requirements must be taken to protect data under their control.
The book covers a lot in a little over 200 pages, including topics such as regulations, jurisdiction, U.S. laws addressing computer security, and digital forensics law. In addition to listing a number of high-profile cases and lessons that can be learned from them, it also includes several helpful checklists.
Each topic is covered in a few paragraphs, so this is certainly not a comprehensive guide. That said, it offers external links for further information. For those in IT looking for a quick and thorough introduction to cybersecurity law, this useful guide can help them comply with cybersecurity law rather than break it.
Reviewer: Ben Rothke, CISSP (Certified Information Systems Security Professional), PCI QSA (Qualified Security Assessor), is a principal eGRC consultant with the Nettitude Group.
//sm.asisonline.org/Pages/Book-Review—Cybersecurity-Law.aspx