
The Manager's Guide to Cybersecurity Law
Description
In today's litigious business world, cyber-related matters could land you in court. As a computer security professional, you are protecting your data, but are you protecting your company? While you know industry standards and regulations, you may not be a legal expert. Fortunately, in a few hours of reading, rather than months of classroom study, Tari Schreider's The Manager's Guide to Cybersecurity Law: Essentials for Today's Business lets you integrate legal issues into your security program.
Tari Schreider, a board-certified information security practitioner with a criminal justice administration background, has written a much-needed book that bridges the gap between cybersecurity programs and cybersecurity law. He says, "My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective façade or false sense of security."
In a friendly style, offering real-world business examples from his own experience supported by a wealth of court cases, Schreider covers the range of practical information you will need as you explore - and prepare to apply - cybersecurity law. His practical, easy-to-understand explanations help you to:
- Understand your legal duty to act reasonably and responsibly to protect assets and information.
- Identify which cybersecurity laws have the potential to impact your cybersecurity program.
- Upgrade cybersecurity policies to comply with state, federal, and regulatory statutes.
- Communicate effectively about cybersecurity law with your corporate legal department and counsel.
- Understand the implications of emerging legislation for your cybersecurity program.
- Know how to avoid losing a cybersecurity court case on procedure - and develop strategies to handle a dispute out of court.
- Develop an international view of cybersecurity and data privacy - and international legal frameworks.
Schreider takes you beyond security standards and regulatory controls to ensure that your current or future cybersecurity program complies with all laws and legal jurisdictions. Hundreds of citations and references allow you to dig deeper as you explore specific topics relevant to your organization or your studies. This book needs to be required reading before your next discussion with your corporate legal department.
Persons
Tari Schreider, SSCP, CISM, C|CISO, ITIL Foundation, is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. Co-founder of Prescriptive Risk Solutions, LLC (PRS), he is former Chief Security Architect at Hewlett-Packard Enterprise. PRS designs custom solutions for companies with challenging legal and regulatory compliance issues that need to be solved quickly. PRS maintains one of the world's largest databases of security and disaster recovery incidents with nearly 12,000 incidents covering 10.6 billion compromised records.
Mr. Schreider has designed and implemented complex cybersecurity programs, including a red team penetration testing program for one of the largest oil and gas companies in the world, a NERC CIP compliance program for one of Canada's largest electric utility companies, and an integrated security control management program for one of the largest 911 systems in the US. He has advised organizations from China to India on how to improve their cybersecurity programs through his Information Security Service Management - Reference Model (ISSM-RM). Schreider implemented a virtual Security Operations Center network with vSOCs located in the US, Brazil, Italy, Japan, and Sweden. He was also responsible for creating the first Information Sharing and Analysis Center in collaboration with the Information Technology Association of America (IT-ISAC). His earliest disaster recovery experiences included assisting companies affected by the 1992 Los Angeles Rodney King Riots and the 1993 World Trade Center bombing. His most unusual experience came during the 1990 Gulf War, helping a New York financial institution recover after becoming separated from its data center in Kuwait.
Schreider has appeared on ABC News, CNN, CNBC, NPR, and has had numerous articles printed in security and business magazines including Business Week, New York Times, SC Magazine, The Wall Street Journal, and many others.
He studied Criminal Justice at the College of Social & Behavioral Sciences at the University of Phoenix and holds the following certifications in security and disaster recovery:
- American College of Forensic Examiners, CHS-III
- Certified CISO (C|CISO)
- Certified Information Security Manager (CISM)
- ITIL(TM) v3 Foundation Certified
- System Security Certified Practitioner (SSCP)
- The Business Continuity Institute, MBCI
- University of Richmond - Master Certified Recovery Planner (MCRP)
Content
- Cover
- Title Page
- Copyright
- Dedication
- Table of Contents
- Foreword
- Preface
- Chapter 1: Introduction to Cybersecurity Law
- 1.1 Infamous Cybercrimes
- 1.2 Civil vs. Criminal Cybersecurity Offenses
- 1.2.1 Clarifying the Definition of Cybercrime
- 1.2.2 Challenging Your Current Definition of Cybercrime
- 1.2.3 Creating a Strong Cybercrime Definition
- 1.2.4 Cybercrime Categories in the Incident Response Plan
- 1.3 Understanding the Four Basic Elements of Criminal Law
- 1.3.1 Mens Rea
- 1.3.2 Actus Reus
- 1.3.3 Concurrence
- 1.3.4 Causation
- 1.4 Branches of Law
- 1.5 Tort Law
- 1.5.1 Cyber Tort
- 1.5.2 Strict Liability Tort
- 1.5.3 Tort Precedents
- 1.6 Cyberlaw Enforcement
- 1.6.1 Regulatory Enforcement
- 1.6.2 Local Enforcement
- 1.6.3 State Enforcement
- 1.6.3.1 Computer Crime Cases
- 1.6.3.2 Data Breach Cases
- 1.6.4 Federal Enforcement
- 1.6.5 International Enforcement
- 1.7 Cybersecurity Law Jurisdiction
- 1.7.1 Challenging Jurisdiction
- 1.7.2 Extradition
- 1.8 Cybercrime and Cyber Tort Punishment
- 1.8.1 Cybercrime Punishment
- 1.8.2 Cyber Tort Punishment
- References
- Chapter 2: Overview of US Cybersecurity Law
- 2.1 Brief History of Resolving Cybersecurity Disputes
- 2.1.1 Computer Crime Laws in the Public Sector
- 2.1.2 Computer Crime Laws in the Private Sector
- 2.1.3 Application of Laws to Cybersecurity
- 2.2 Resolving Cybersecurity Disputes Outside of Court
- 2.2.1 Cybersecurity Case Mediation Law
- 2.2.2 Cybersecurity Case Arbitration Law
- 2.2.3 Cybersecurity Case Dispositive Motion Law
- 2.2.4 Cybersecurity Case Summary Judgments
- 2.3 Duty of Care Doctrine
- 2.3.1 Duty to Provide Reasonable Security
- 2.3.2 Duty to Reveal Security Breaches
- 2.3.3 Duty to Accurately Disclose Safeguards
- 2.3.4 Duty to Protect Information
- 2.3.5 State-Based Duty of Care Laws
- 2.4 Failure to Act Doctrine
- 2.4.1 Failure to Act Duty
- 2.4.2 Failure to Warn Duty
- 2.4.3 Cybersecurity Good Samaritan Law
- 2.5 Reasonable Person Doctrine
- 2.6 Criminal Cyberlaw
- 2.6.1 Cybercrime Penalties
- 2.7 Federal Computer Crime Statutes
- 2.7.1 Significant Federal Laws Addressing Computer Security
- 2.7.2 The US Code
- 2.8 Procedural Law
- 2.8.1 Rules of Criminal Procedure
- 2.8.2 Rules of Civil Procedure (Cyber Tort)
- 2.9 State Computer Crime Laws
- References
- Chapter 3: Cyber Privacy and Data Protection Law
- 3.1 Common Law of Privacy
- 3.2 Privacy Laws
- 3.2.1 Children's Privacy Laws
- 3.2.1.1 Federal Children's Privacy Law
- 3.2.1.2 State Children's Privacy Laws
- 3.2.2 Healthcare Data Privacy Laws
- 3.2.2.1 HIPAA Privacy Rule
- 3.2.2.1.1 Law Enforcement HIPAA Disclosure
- 3.2.2.1.2 HITECH Act
- 3.2.2.1.3 HIPAA Breach Notification Rule
- 3.2.2.2 Veterans Benefits, Health Care, and Information Technology Act
- 3.2.3 Federal Privacy Laws
- 3.2.4 State Privacy Laws
- 3.2.5 International Privacy Laws
- 3.3 Data Breach Laws
- 3.3.1 State Data Breach Laws
- 3.3.2 Federal Data Breach Laws
- 3.3.3 International Data Breach Laws
- 3.4 Data Breach Litigation
- 3.4.1 Injury vs. No-Injury Class Action Lawsuits
- 3.4.2 Data Privacy and the US Supreme Court
- 3.4.2.1 City of Ontario, California, et al. v. Quon
- 3.4.2.2 Campbell-Ewald Co. v. Gomez
- 3.4.2.3 Tyson Foods, Inc. v. Bouaphakeo
- 3.4.3 Shareholder Derivative Lawsuits
- 3.4.4 Securities Fraud Lawsuits
- 3.5 Privacy Notice Law
- 3.6 Personal Liability
- 3.6.1 Directors and Officers Insurance
- 3.6.2 Preemptive Liability Protection
- 3.7 Data Disposal Laws
- 3.8 Electronic Wiretap Laws
- References
- Chapter 4: Cryptography and Digital Forensics Law
- 4.1 Brief Overview of Cryptography
- 4.2 Cryptography Law
- 4.2.1 Export Control Laws
- 4.2.2 Import Control Laws
- 4.2.3 Cryptography Patent Infringement
- 4.2.3.1 Patent Trolls
- 4.2.4 Search and Seizure of Encrypted Data
- 4.2.4.1 Digital Search Warrants
- 4.2.4.2 Forgone Conclusion Rule
- 4.2.5 Encryption Personal Use Exemption
- 4.3 State Encryption Laws
- 4.3.1 State Encryption Safe Harbor Provision
- 4.4 Fifth Amendment and Data Encryption
- 4.5 Laws and Regulations Requiring Encryption
- 4.6 International Cryptography Law Perspective
- 4.7 International Key Disclosure Law
- 4.8 Legal Aspects of Digital Forensics
- 4.8.1 Preservation Order
- 4.8.2 Digital Best Evidence Rule
- 4.8.3 Digital Chain of Custody
- 4.8.4 Digital Data Admissibility in Court
- 4.8.5 Digital Evidence Spoliation
- 4.8.6 Expert Witnesses
- 4.8.7 Security Consultant Client Privilege
- 4.9 State Digital Forensics Law
- References
- Chapter 5: Future Developments in Cybersecurity Law
- 5.1 Future of Cybersecurity Legislation
- 5.2 Impact of Technology on Cybersecurity Law
- 5.2.1 Legal Implications of the Internet of Things (IoT)
- 5.2.2 Legal Implications of Big Data
- 5.2.3 Legal Implications of the Cloud
- 5.2.4 Legal Implications of Security Testing
- 5.3 Future US Cybersecurity Legislation
- 5.4 US Foreign Policy on Cybersecurity
- 5.5 National Association of Insurance Commissioners (NAIC) Model Cybersecurity Law
- 5.6 Harmonization of International Cybersecurity Laws
- 5.6.1 Cybersecurity Law and Trade Pacts
- 5.6.2 Harmonization of Cybersecurity and Privacy Law
- 5.7 Trans-Pacific Partnership (TPP) Cybersecurity Framework
- 5.8 Aligning the Law of the Sea to Cybersecurity Law
- 5.9 Cybersecurity Law in Outer Space
- 5.10 The Law of Armed Conflict in Cyberwar
- 5.11 North Atlantic Treaty Organization (NATO) Cyberlaw Stance
- 5.12 United Nations - Universal Cybersecurity Legal Framework
- 5.13 International Treaties on Cybersecurity
- 5.14 Brexit Impact on European Union Cybersecurity Law
- 5.15 G7 Perspective on Cybercrime
- References
- Chapter 6: Creating a Cybersecurity Law Program
- 6.1 Cybersecurity Law Program
- 6.1.1 Model
- 6.1.1.1 Components
- 6.1.1.2 Subcomponents
- 6.1.2 Architecture
- 6.1.3 Program Staffing and Roles
- 6.1.3.1 Accountability Matrix
- 6.1.4 Program Policies
- 6.1.5 Program Procedures
- 6.1.6 Program Technology
- 6.1.6.1 eDiscovery Software
- 6.1.6.2 Program Knowledgebase
- 6.1.6.3 Legal and Regulatory Update Subscription
- 6.1.6.4 Policy Compliance Scanning
- 6.1.6.5 Forensic Toolkits
- 6.1.7 Mapping Legal Requirements to Controls
- 6.1.8 ISO/IEC 27002 on Compliance Controls
- 6.2 Cyber Liability Insurance
- 6.2.1 Coverage Categories
- 6.2.2 Policy Restrictions
- 6.2.3 Policy Value
- 6.2.4 Policy Cost
- 6.2.5 Policy Claims
- 6.2.6 Policy Claim Disputes
- 6.2.7 Policy Lawsuits
- 6.2.7.1 P.F. Chang's v. Travelers Indemnity Co.
- 6.2.7.2 Recall Total Information Management Inc. v. Federal Insurance Co.
- 6.2.7.3 Retail Ventures v. National Union Fire Insurance Co.
- 6.2.7.4 Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc., et al.
- 6.2.7.5 Universal Am. Corp. v. National Union Fire Ins. Co.
- 6.2.7.6 Zurich Insurance v. Sony
- References
- Appendix A: Useful Checklists and Information
- Table A-1. eDiscovery Software
- Table A-2. Cybercrime Reporting Agencies
- Table A-3. Cyber Tort Readiness Checklist
- Table A-4. Providers of Cyber Liability Insurance
- Table A-5. Research Sources
- Table A-6. Digital Forensics Toolkits
- Table A-7. Cyber Liability Stress Test
- Table A-8. Cybersecurity Law Program Bill of Materials
- About the Author
- Credits
- More from Publisher
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.