Cybersecurity Law, Standards and Regulations (2nd Edition) by Tari Schreider

$89.99

COMING JANUARY, 2020. PRE-ORDER NOW!

Security practitioners now have a single comprehensive source of cybersecurity law information. Cybersecurity Law, Standards and Regulations (2nd Edition) covers information and privacy law at the state, federal and international levels. This comprehensive book of cybersecurity law offers a tremendous amount of information of utmost relevance to security and privacy managers.

The diversity of cybersecurity law topics include discussions of the foundation of law as it applies to the cyberworld, privacy, judicial rulings, cryptography and forensics law, cyber insurance, future developments in cybersecurity law and much more. Tari Schreider addresses the legal implications of big data, cloud, data breaches, IoT, ethical hacking,  and personal digital assistants. Many legal case citations are included throughout the book as well as practical recommendations and templates for building a cybersecurity law program as part of your GRC efforts. Chapters include numerous self-study assignments.

2020, 280 pages (approx.).

 

Description

COMING JANUARY, 2020. PRE-ORDER NOW!

In today’s litigious business world, cyber-related matters could land you in court. As a computer security professional, you are protecting your data, but are you protecting your company? While you know industry standards and regulations, you may not be a legal expert. Fortunately, in a few hours of reading, rather than months of classroom study, Tari Schreider’s Cybersecurity Law, Standards and Regulations (2nd Edition), lets you integrate legal issues into your security program.

Tari Schreider, a board-certified information security practitioner with a criminal justice administration background, has written a much-needed book that bridges the gap between cybersecurity programs and cybersecurity law. He says, “My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective façade or false sense of security.”

In a friendly style, offering real-world business examples from his own experience supported by a wealth of court cases, Schreider covers the range of practical information you will need as you explore – and prepare to apply – cybersecurity law. His practical, easy-to-understand explanations help you to:

  • Understand your legal duty to act reasonably and responsibly to protect assets and information.
  • Identify which cybersecurity laws have the potential to impact your cybersecurity program.
  • Upgrade cybersecurity policies to comply with state, federal, and regulatory statutes.
  • Communicate effectively about cybersecurity law with corporate legal department and counsel.
  • Understand the implications of emerging legislation for your cybersecurity program.
  • Know how to avoid losing a cybersecurity court case on procedure – and develop strategies to handle a dispute out of court.
  • Develop an international view of cybersecurity and data privacy – and international legal frameworks.

Schreider takes you beyond security standards and regulatory controls to ensure that your current or future cybersecurity program complies with all laws and legal jurisdictions.  Hundreds of citations and references allow you to dig deeper as you explore specific topics relevant to your organization or your studies. This book needs to be required reading before your next discussion with your corporate legal department.
This new edition responds to the rapid changes in the cybersecurity industry, threat landscape and providers. It addresses the increasing risk of zero-day attacks, growth of state-sponsored adversaries and consolidation of cybersecurity products and services in addition to the substantial updates of standards, source links and cybersecurity products.

What’s new in the 2nd edition?

This new edition responds to the rapid changes in the cybersecurity industry, threat landscape and providers. It addresses the increasing risk of zero-day attacks, growth of state-sponsored adversaries and consolidation of cybersecurity products and services in addition to the substantial updates of standards, source links and cybersecurity products.

Here is what’s new in the second edition:

  • 50+ callout boxes highlighting cyber law cases and important legal resources.
  • 60 self-study questions to hone your knowledge.
  • 8 cyberlaw program models to guide program design efforts.
  • 10 powerful templates to document your cybersecurity law program.
  • Addition of CISO, IoT, Data Broker, Cloud, and Event Data Recorder cybersecurity laws.
  • Addition of digital assistant privacy issues.
  • Impact of Calif. A.B.5 on bug bounty programs.
  • Coverage of Act of War cyber insurance clauses.
  • Expanded Fourth and Fifth Amendment coverage.
  • Updated coverage of cybersecurity treaties.
  • Addition of social media privacy laws.
  • Addition of cybercrime on tribal lands.
  • Addition of cybersecurity whistleblower protections.

2020, 280 pages (approx.).

ISBN 9781944480561 PRINT
ISBN 9781944480585 PDF
ISBN 9781944480578 EPUB

 

Additional information

Weight 3 lbs

Tari Schreider is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. He was formerly Chief Security Architect at Hewlett-Packard Enterprise and National Practice Director for Security and Disaster Recovery at Sprint E|Solutions. Schreider is an instructor for EC-Council where he teaches advanced CISO certification and risk management courses.

Schreider has designed and implemented complex cybersecurity programs including a red team penetration testing program for one of the world’s largest oil and gas companies, an NERC CIP compliance program for one of Canada’s largest electric utility companies, an integrated security control management program for one of the largest 911 systems in the US and designed a cybersecurity service architecture for one of the largest retailers in the US. He has advised organizations worldwide including Brazil, China, India and South Africa on how to improve their cybersecurity programs.tari-schreider-rothstein-publishing

Schreider implemented a virtual Security Operations Center network with vSOCs located in the US, Brazil, Italy, Japan, Sweden, and the US. He was also responsible for creating the first Information Sharing and Analysis Center in collaboration with the Information Technology Association of America (IT-ISCA). His earliest disaster recovery experiences included assisting companies affected during the 1992 Los Angeles riots and 1993 World Trade Center bombing. His most unique experience came during the Gulf War helping a New York financial institution recover after becoming separated from its data center in Kuwait.

Schreider has appeared on ABC News, CNN, CNBC, NPR, and has had numerous articles printed in security and business magazines, including Business Week, New York Times, SC Magazine, The Wall Street Journal and many others. He is the author of Building an Effective Cybersecurity Program 2nd Edition (Rothstein Publishing, 2020) and is a co-author of the US patent Method for Analyzing Risk.

He studied Criminal Justice at the College of Social & Behavioral Sciences at the University of Phoenix and holds the following certifications in security and disaster recovery:

  • American College of Forensic Examiners, CHS-III
  • Certified CISO (C|CISO)
  • Certified in Risk and Information Systems Control (CRISC)
  • ITIL® v3 Foundation Certified
  • System Security Certified Practitioner (SSCP)
  • Member of the Business Continuity Institute (MBCI)
  • University of Richmond – Master Certified Recovery Planner (MCRP)

CONTENTS

 

Dedication …………………………………………………………………………………………………………………………………. iii
Acknowledgments ………………………………………………………………………………………………………………………. iii
Foreword ……………………………………………………………………………………………………………………………………. v
Foreword ………………………………………………………………………………………………………………………………….. vii
Contents …………………………………………………………………………………………………………………………………….. 1
Introduction to the 2nd Edition ………………………………………………………………………………………………………. 8
Chapter 1 ……………………………………………………………………………………………………………………………………. 9
Introduction to Cybersecurity Law ………………………………………………………………………………………………… 9
1.1 Infamous Cybercrimes ……………………………………………………………………………………………………. 10
1.2 Cybercrime Taxonomy ……………………………………………………………………………………………………… 11
1.3 Civil vs. Criminal Cybersecurity Offenses …………………………………………………………………………… 12
1.3.1 Clarifying the Definition of Cybercrime ………………………………………………………………………… 13
1.3.2 Challenging Your Current Definition of Cybercrime ………………………………………………………. 14
1.3.3 Creating a Strong Cybercrime Definition ………………………………………………………………………. 14
1.3.4 Cybercrime Categories in the Incident Response Plan …………………………………………………….. 15
1.4.1 Mens Rea ………………………………………………………………………………………………………………….. 16
1.4.2 Actus Reus ………………………………………………………………………………………………………………… 16
1.4.3 Concurrence ………………………………………………………………………………………………………………. 17
1.4.4 Causation …………………………………………………………………………………………………………………… 17
1.5 Branches of Law ……………………………………………………………………………………………………………… 18
1.6 Tort Law………………………………………………………………………………………………………………………….. 18
1.6.2 Strict Liability Tort …………………………………………………………………………………………………….. 20
1.6.3 Tort Precedents ………………………………………………………………………………………………………….. 20
1.7 Cyberlaw Enforcement ……………………………………………………………………………………………………… 21
1.7.1 Regulatory Enforcement ……………………………………………………………………………………………… 21
1.7.2 Local Enforcement ……………………………………………………………………………………………………… 22
1.7.3 State Enforcement ………………………………………………………………………………………………………. 22
1.7.4 Federal Enforcement …………………………………………………………………………………………………… 23
1.7.5 International Enforcement ……………………………………………………………………………………………. 24
1.8 Cybersecurity Law Jurisdiction ………………………………………………………………………………………….. 24
1.8.1 Challenging Jurisdiction ……………………………………………………………………………………………… 24
1.8.2 Extradition …………………………………………………………………………………………………………………. 26
1.9 Cybercrime and Cyber Tort Punishment ……………………………………………………………………………… 27
1.9.1 Cybercrime Punishment ………………………………………………………………………………………………. 28
1.9.2 Cyber Tort Punishment ……………………………………………………………………………………………….. 28
Chapter 2 ………………………………………………………………………………………………………………………………….. 33
Overview of US Cybersecurity Law …………………………………………………………………………………………….. 33
2.1 Brief History of Resolving Cybersecurity Disputes……………………………………………………………….. 34
2.1.1 Computer Crime Laws in the Public Sector ……………………………………………………………….. 34
2.1.2 Computer Crime Laws in the Private Sector…………………………………………………………………… 35
2.1.3 Application of Laws to Cybersecurity …………………………………………………………………………… 35
2.2 Resolving Cybersecurity Disputes Outside of Court ……………………………………………………………… 36
2.2.2 Cybersecurity Case Arbitration Law ……………………………………………………………………………… 38
2.2.3 Cybersecurity Case Dispositive Motion Law …………………………………………………………………. 39
2.3 Successful Databreach Lawsuits …………………………………………………………………………………………. 43
2.4 Duty of Care Doctrine ……………………………………………………………………………………………………….. 44
2.4.1 Duty to Provide Reasonable Security ……………………………………………………………………………. 45
2.4.2 Duty to Reveal Security Breaches…………………………………………………………………………………. 45
2.4.3 Duty to Accurately Disclose Safeguards ………………………………………………………………………… 46
2.4.4 Duty to Protect Information …………………………………………………………………………………………. 47
2.4.5 State-Based Duty of Care Laws ……………………………………………………………………………………. 47
2.5 Failure to Act Doctrine ……………………………………………………………………………………………………… 48
2.5.1 Failure to Act Duty …………………………………………………………………………………………………….. 48
2.5.2 Failure to Warn Duty ………………………………………………………………………………………………….. 48

2.5.3 Cybersecurity Good Samaritan Law ……………………………………………………………………………… 49
2.6 Reasonable Person Doctrine ………………………………………………………………………………………………. 50
2.7 Common Law Duty …………………………………………………………………………………………………………… 50
2.8 Criminal Cyberlaw ……………………………………………………………………………………………………………. 51
2.8.1 Cybercrime Penalties ………………………………………………………………………………………………….. 51
2.9 Federal Computer Crime Statutes ……………………………………………………………………………………….. 52
2.9.1 Federal Laws Addressing Computer Security …………………………………………………………………. 52
2.9.2 The US Code ……………………………………………………………………………………………………………… 54
2.10 Procedural Law ………………………………………………………………………………………………………………. 55
2.10.1 Rules of Criminal Procedure ………………………………………………………………………………………. 55
2.10.2 Rules of Civil Procedure (Cyber Tort) …………………………………………………………………………. 56
2.11 State Computer Crime Laws …………………………………………………………………………………………….. 57
Chapter 3 ………………………………………………………………………………………………………………………………….. 63
Cyber Privacy and Data Protection Law ……………………………………………………………………………………….. 63
3.1 Common Law of Privacy …………………………………………………………………………………………………… 64
3.2 Privacy Laws ……………………………………………………………………………………………………………………. 64
3.2.1 Children’s Privacy Laws ……………………………………………………………………………………………… 65
3.2.2 Healthcare Data Privacy Laws ……………………………………………………………………………………… 68
3.2.3 Federal Privacy Laws ………………………………………………………………………………………………….. 75
3.2.4 Cybercrime on Tribal Lands ………………………………………………………………………………………… 77
3.2.5 State Privacy Laws ……………………………………………………………………………………………………… 78
3.2.6 State Chief Information Privacy Officer (CIPO) Laws …………………………………………………….. 79
3.2.7 International Privacy Laws ………………………………………………………………………………………….. 80
3.3 Data Breach Laws …………………………………………………………………………………………………………….. 80
3.3.1 State Data Breach Laws ………………………………………………………………………………………………. 81
3.3.2 Federal Data Breach Laws …………………………………………………………………………………………… 82
3.3.3 International Data Breach Laws ……………………………………………………………………………………. 86
3.3.4 General Data Protection Regulation (GDPR) …………………………………………………………………. 88
3.4 Data Breach Litigation ………………………………………………………………………………………………………. 91
3.4.1 Injury vs. No-Injury Class Action Lawsuits …………………………………………………………………… 92
3.4.2 Data Privacy and the US Supreme Court ……………………………………………………………………….. 93
3.4.3 Shareholder Derivative Lawsuits ………………………………………………………………………………….. 96
3.4.4 Securities Fraud Lawsuits ……………………………………………………………………………………………. 97
3.5 Privacy Notice Law …………………………………………………………………………………………………………… 98
3.6 Personal Liability ……………………………………………………………………………………………………………… 99
3.6.2 Preemptive Liability Protection ………………………………………………………………………………….. 100
3.6.3 Cybersecurity Whistleblower Protections …………………………………………………………………….. 101
3.7 Data Disposal Laws ………………………………………………………………………………………………………… 102
3.8 Electronic Wiretap Laws ………………………………………………………………………………………………….. 103
3.9 Digital Assistant Privacy Issues ………………………………………………………………………………………… 104
3.10 Social Media Privacy …………………………………………………………………………………………………….. 104
3.11 Event Data Recorder (EDR) Privacy ……………………………………………………………………………….. 105
3.12 Automated License Plate Reader (ALPR) Privacy …………………………………………………………….. 107
Chapter 4 ………………………………………………………………………………………………………………………………… 115
Cryptography and Digital Forensics Law ……………………………………………………………………………………. 115
4.1 Brief Overview of Cryptography ………………………………………………………………………………………. 116
4.2 Cryptography Law ………………………………………………………………………………………………………….. 117
4.2.1 Export Control Laws …………………………………………………………………………………………………. 118
4.2.2 Import Control Laws …………………………………………………………………………………………………. 120
4.2.3 Cryptography Patent Infringement ………………………………………………………………………………. 121
4.2.4 Search and Seizure of Encrypted Data …………………………………………………………………………. 124
4.2.5 Encryption Personal Use Exemption …………………………………………………………………………… 126
4.3 State Encryption Laws …………………………………………………………………………………………………….. 127
4.3.1 State Encryption Safe Harbor Provision ………………………………………………………………………. 127
4.4 Fifth Amendment and Data Encryption ……………………………………………………………………………… 127
4.5 Laws and Regulations Requiring Encryption ……………………………………………………………………… 129
4.6 International Cryptography Law Perspective………………………………………………………………………. 130
4.7 International Key Disclosure Law …………………………………………………………………………………….. 131
4.8 Legal Aspects of Digital Forensics ……………………………………………………………………………………. 132
4.8.1 Preservation Order ……………………………………………………………………………………………………. 132
4.8.2 Digital Best Evidence Rule ………………………………………………………………………………………… 133
4.8.3 Digital Chain of Custody …………………………………………………………………………………………… 134
4.8.4 Digital Data Admissibility in Court …………………………………………………………………………….. 134
4.8.5 Digital Evidence Spoliation ……………………………………………………………………………………….. 135
4.8.6 Fourth Amendment Rights and Digital Evidence ………………………………………………………….. 136
4.8.7 Expert Witnesses ………………………………………………………………………………………………………. 136

5
4.8.8 Security Consultant Client Privilege ……………………………………………………………………………. 137
4.9 State Digital Forensics Law ……………………………………………………………………………………………… 138
4.10 The CLOUD Act …………………………………………………………………………………………………………… 139
4.11 Emerging Data Encryption Laws …………………………………………………………………………………….. 140
4.11.1 Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act ………………………………………………………………………………………………………………………………….. 140
4.11.2 Secure Data Act ……………………………………………………………………………………………………… 140
Chapter 5 ………………………………………………………………………………………………………………………………… 145
Future Developments in Cybersecurity Law ……………………………………………………………………………….. 145
5.1 Future of Cybersecurity Legislation ………………………………………………………………………………….. 145
5.1.1 Constutionality of Cybersecurity Law …………………………………………………………………………. 146
5.2 Impact of Technology on Cybersecurity Law ……………………………………………………………………… 146
5.2.1 Legal Implications of the Internet of Things (IoT) ………………………………………………………… 147
5.2.2 Legal Implications of Big Data …………………………………………………………………………………… 148
5.2.3 Legal Implications of Cloud Computing………………………………………………………………………. 149
5.2.4 Legal Implications of Security Testing ………………………………………………………………………… 150
5.3 Future US Cybersecurity Legislation …………………………………………………………………………………. 152
5.4 US Foreign Policy on Cybersecurity …………………………………………………………………………………. 154
5.5 National Association of Insurance Commissioners (NAIC) Model Cybersecurity Law ……………. 155
5.6 Harmonization of International Cybersecurity Laws ……………………………………………………………. 157
5.6.1 Cybersecurity Law and Trade Pacts …………………………………………………………………………….. 158
5.6.2 Harmonization of Cybersecurity and Privacy Law ………………………………………………………… 158
5.7 Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) Cybersecurity Framework ………………………………………………………………………………………………………………………….. 159
5.8 Aligning the Law of the Sea to Cybersecurity Law ……………………………………………………………… 162
5.9 Cybersecurity Law in Outer Space ……………………………………………………………………………………. 163
5.10 The Law of Armed Conflict in Cyberwar …………………………………………………………………………. 164
5.11 North Atlanta Treaty Organization (NATO) Cyberlaw Stance ……………………………………………. 165
5.12 United Nations – Universal Cybersecurity Legal Framework ……………………………………………… 165
5.13 International Treaties on Cybersecurity ……………………………………………………………………………. 167
5.14 Brexit Impact on European Union Cybersecurity Law ………………………………………………….. 168
5.15 G7 Perspective on Cybercrime ……………………………………………………………………………………….. 169
6.1 Cybersecurity Law Program …………………………………………………………………………………………….. 176
6.1.1 Model ……………………………………………………………………………………………………………………… 176
6.1.2 Architecture ……………………………………………………………………………………………………………… 179
6.1.3 Program Staffing and Roles …………………………………………………………………………………….. 180
6.1.4 Program Policies …………………………………………………………………………………………………….. 183
6.1.5 Program Procedures ………………………………………………………………………………………………….. 186
6.1.6 Program Technology …………………………………………………………………………………………………. 188
6.1.7 Mapping Legal Requirements to Controls ……………………………………………………………………. 192
6.1.8 ISO/IEC 27002 on Compliance Controls ……………………………………………………………………… 194
6.2.1 Coverage Categories …………………………………………………………………………………………………. 195
6.2.2 Policy Restrictions ……………………………………………………………………………………………………. 197
6.2.2 Policy Value …………………………………………………………………………………………………………….. 197
6.2.3 Policy Cost ………………………………………………………………………………………………………………. 198
6.2.4 Policy Claims …………………………………………………………………………………………………………… 198
6.2.5 Policy Claim Disputes ……………………………………………………………………………………………….. 199
6.2.6 Policy Lawsuits ………………………………………………………………………………………………………… 199
6.2.7 Act of War Defense…………………………………………………………………………………………………… 202
6.2.8 Insurable vs Uninsurable Risk ……………………………………………………………………………………. 202
6.2.9 Cyber Risk Insurance Pools ……………………………………………………………………………………….. 203
6.2.10 Silent Cyber Risk Insurance ……………………………………………………………………………………… 203
6.3 Data Breach Worksheet …………………………………………………………………………………………………… 204
6.3.1 Data Breach Calculators …………………………………………………………………………………………….. 204
Appendix A …………………………………………………………………………………………………………………………….. 211
Useful Checklists and Information …………………………………………………………………………………………….. 211
INDEX …………………………………………………………………………………………………………………………………… 220
Credits ……………………………………………………………………………………………………………………………………. 226
About the Author …………………………………………………………………………………………………………………….. 228

 

Introduction to the 2nd Edition

Excerpt from the Foreword by Susan Richmond Johnson, MBA, MPM/CIPM

 

Those of us of a certain generation remember where we were the morning of September 11, 2001. For me, that was in my office at the US Department of Justice headquarters in Washington, DC, a stone’s throw from the Pentagon. The shocking images on TV of planes flying into the World Trade Center were surpassed for me only by the plumes of black smoke I saw from my office window as they rose above the burning Pentagon. On that day, 19 terrorists hijacked a technology meant to improve our way of life and bring the world closer together – passenger aircraft – and weaponized it for an evil and destructive purpose. As then-Attorney General John Ashcroft and my boss would state, our paradigm for anti-terrorism efforts necessarily changed overnight from prosecution to prevention.

Just as terrorists weaponized passenger aircraft on September 11th and forced a paradigm shift in America’s anti-terrorism efforts, so too have “digital terrorists” forced a shift in our approach to cybersecurity by declaring cyberwar on corporations. As a manager or key executive, you know that in this new world of cyberattacks, data breaches, and data intrusion, prevention is the necessary paradigm. In Cybersecurity Law, Standards and Regulations (2nd Edition), Tari Schreider helps you take clear, methodical, practical steps in your organization to address the explosion of cybersecurity laws and regulations of the past few years. Tari emphasizes that you not only must defend against bad actors, but also defend against legal actions resulting from a data breach.

As the former Chief Security Architect for Fortune 100 company and cybersecurity strategist and instructor, Tari draws on his years of experience in both the technical development of security programs and the compliance assessment of the same to articulate the full spectrum of operationalizing cybersecurity in your organization. From helping you understand the basics of cybersecurity law, to outlining the key elements of regulations and statutes required to ensure the privacy of information, Tari – in the words of a cybersecurity colleague – “turns the obscure into the obvious in a manner that precludes any misunderstanding.”

You can have confidence in Tari, as he serves as your cybersecurity law guide, identifying current and coming cyber regulations, standards and laws, delivering the roadmap for creating a cybersecurity law program. It is now in your hands to act on this intelligence.

Susan Richmond Johnson, MBA, MPM/CIPM
Managing Principal, The Ashcroft Group LLC
Washington, DC

January, 2020

Excerpt from the Foreword by Karen Lawrence Öqvist

When reading the book to write this foreword, I found Tari’s wisdom woven into every page. He has mapped cybersecurity law into a practical application across every silo of an organization. Why he had asked me to provide the foreword became evident when I was taken on a round-the-world trip, an investigation into the privacy and data protection laws in the U.S., Canada, Brazil, to the EU, Thailand, India, even China and Australia, and more.

When thinking on who should read this book, my initial thoughts were any cybersecurity professional. This book provides the tools they need to create a solid business case on why an organisation should invest in cybersecurity. The book explains how the laws work, including for each section a goodie bag of hard facts and real examples on the consequences and costs of doing nothing, Hence this book for the cybersecurity professional is a tool to map cybersecurity risk into something concrete the board can understand.

As I progressed through the book, my thoughts shifted over to the legal professional. Attorneys or barristers may know their legal niche but likely lack the experience on how to map this to an organisation’s operations. IT has always been something of black magic for non-technical individuals, but now nearly all data is digital, and technology has become increasingly pervasive. What this book does for them is map cybersecurity laws to operational mitigations and remediations, i.e. what needs to be done on a practical level. This knowledge can be used to get a decent conversation between the technical and cybersecurity crew.

Where does this take us? Well if both cybersecurity and legal experts read this book, between them they’d be in a strong position to do what is right, as prescribed by Tari in the final part of the book, creating your Cybersecurity Law Program. This book bridges the gap between cybersecurity and legal and gives you the proper tools and common language to communicate with your board effectively so that money spent on cybersecurity is spent wisely.

Karen Lawrence Öqvist
MBA MSc CIPP/E CIPT CIPM

CEO Privasee AB
Author of Virtual Shadows & A Hands-on Approach to GDPR Compliance
Stockholm, Sweden
December, 2019

 

Reviews

Cybersecurity Law, Standards and Regulations (2nd Edition) by Tari Schreider is available for evaluation for course adoption for colleges and universities.

For qualified college/university course adoptions: to obtain an eBook or print copy for course evaluation, click here and submit the simple request form.