Cybersecurity Law, Standards and Regulations (2nd Edition) by Tari Schreider
$89.99
ASIS INTERNATIONAL 2021 RUNNER-UP BOOK OF THE YEAR!!!
(The winning BOOK OF THE YEAR was ALSO a Rothstein Publishing title!)
Cybersecurity practitioners, attorneys and privacy managers now have a single, comprehensive resource on cybersecurity law plus the latest international standards and regulations. Cybersecurity Law, Standards and Regulations (2nd Edition) by Tari Schreider is the FIRST book to provide a foundation resource for understanding cybersecurity and privacy law, regulations and standards at the state, federal and international levels. The extensive coverage of cyber law topics includes discussions of the foundation of law as it applies to the cyberworld; privacy; judicial rulings; cryptography and forensics law; cyber insurance; future developments in cybersecurity law; and much more.
Instructional Materials (300+ Powerpoint slides) available to qualified college and university course adoptions.
Comprehensive Instructional Materials is now available!
“You can have confidence in Tari, as he serves as your cybersecurity law guide, identifying current and coming cyber regulations, standards and laws, delivering the roadmap for creating a cybersecurity law program. It is now in your hands to act on this intelligence.”
“This book bridges the gap between cybersecurity and legal and gives you the proper tools and common language to communicate with your board effectively so that money spent on cybersecurity is spent wisely.”
“Since it is not a matter of “if” but “when” your company will be involved in a cyber lawsuit, reading Tari Schreider’s book will help you stay within the guardrails of the constantly morphing dynamic of doing business. “
“Imagine putting 40 years of knowledge into one textbook and then being able to recall all of the important highlights… One would be hard pressed to do so while simultaneously navigating legal implications of big data.”
“The book not only helped make cybersecurity law accessible to me, but it has become the basis for the way we are building cybersecurity and privacy practices into the very DNA of our culture, products, and services… Tari’s book has been a godsend.”
“Tari Schreider is the right author for Cybersecurity Law, Standards and Regulations. He imparts knowledge, enthusiasm and most importantly, experience. I recommend this book to any cybersecurity enthusiast as the laws, standards and regulations of cybersecurity play a crucial role in any modern security discussion… Tari Schreider has delivered a truly comprehensive reference to cyber law.”
“As a former CISO, I certainly wished I had access to this document to help me be more adept at the cybersecurity law, standards, and regulations domain.”
Tari Schreider also addresses the legal implications of big data, cloud, data breaches, IoT, ethical hacking and personal digital assistants. Many legal case citations are included throughout the book as well as practical recommendations and templates for building a cybersecurity law program as part of your governance, risk and compliance efforts. Plus, the latest national and international standards and their implications are covered in depth. Cybersecurity Law, Standards and Regulations (2nd Edition) is the first book on this critical subject with something for everyone concerned about cybersecurity law and its foundation.
ASIS INTERNATIONAL 2021 RUNNER-UP BOOK OF THE YEAR!!!
(The winning BOOK OF THE YEAR was ALSO a Rothstein Publishing title!)
In today’s litigious business world, cyber-related matters could land you in court. As a computer security professional, you are protecting your data, but are you protecting your company? While you know industry standards and regulations, you may not be a legal expert. Fortunately, in a few hours of reading, rather than months of classroom study, Tari Schreider’s Cybersecurity Law, Standards and Regulations (2nd Edition), lets you integrate legal issues into your security program.
Tari Schreider, a board-certified information security practitioner with a criminal justice administration background, has written a much-needed book that bridges the gap between cybersecurity programs and cybersecurity law. He says, “My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective façade or false sense of security.”
Instructional Materials (300+ Powerpoint slides) available to qualified college and university course adoptions.
The making of Cybersecurity Law, Standards and Regulations (2nd Edition)
In a friendly style, offering real-world business examples from his own experience supported by a wealth of court cases, Schreider covers the range of practical information you will need as you explore – and prepare to apply – cybersecurity law. With this in mind, he goes over practical, easy-to-understand explanations help you to:
Understand your legal duty to act reasonably and responsibly to protect assets and information.
Identify which cybersecurity laws have the potential to impact your cybersecurity program.
Upgrade cybersecurity policies to comply with state, federal, and regulatory statutes.
Communicate effectively about cybersecurity law with corporate legal department and counsel.
Understand the implications of emerging legislation for your cybersecurity program.
Know how to avoid losing a cybersecurity court case on procedure – and then develop strategies to handle a dispute out of court.
Develop an international view of cybersecurity and data privacy – and then create an international legal frameworks.
Schreider takes you beyond security standards and regulatory controls to ensure that your current or future cybersecurity program complies with all laws and legal jurisdictions. Hundreds of citations and references will also allow you to dig deeper as you explore specific topics relevant to your organization or your studies. This book also needs to be required reading before your next discussion with your corporate legal department.
This new edition also responds to the rapid changes in the cybersecurity industry, threat landscape and providers. It addresses the increasing risk of zero-day attacks, growth of state-sponsored adversaries and consolidation of cybersecurity products and services in addition to the substantial updates of standards, source links and cybersecurity products.
What’s new in the 2nd edition of Cybersecurity Law, Standards and Regulations?
This new edition responds to the rapid changes in the cybersecurity industry, threat landscape and providers. It addresses the increasing risk of zero-day attacks, growth of state-sponsored adversaries and consolidation of cybersecurity products and services in addition to the substantial updates of standards, source links and cybersecurity products.
Here is what’s new in the second edition:
50+ callout boxes highlighting cyber law cases as well as important legal resources.
60 self-study questions to hone your knowledge.
8 cyberlaw program models to guide program design efforts.
10 powerful templates to document your cybersecurity law program.
Addition of CISO, IoT, Data Broker, Cloud, and Event Data Recorder cybersecurity laws.
Addition of digital assistant privacy issues.
Impact of Calif. A.B.5 on bug bounty programs.
Coverage of Act of War/cyber insurance clauses.
Expanded Fourth and Fifth Amendment coverage.
Updated coverage of cybersecurity treaties.
Added privacy laws on social media
Addition of cybercrime on tribal lands.
Addition of cybersecurity whistleblower protections.
Comprehensive index.
2020, 324 pages. Comprehensive index.
Comprehensive Instructional Materials is now available!
Tari Schreider is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. He was formerly Chief Security Architect at Hewlett-Packard Enterprise and National Practice Director for Security and Disaster Recovery at Sprint E|Solutions. Schreider is an instructor for EC-Council where he teaches advanced CISO certification and risk management courses.
Schreider has designed and implemented complex cybersecurity programs including a red team penetration testing program for one of the world’s largest oil and gas companies, an NERC CIP compliance program for one of Canada’s largest electric utility companies, an integrated security control management program for one of the largest 911 systems in the US and designed a cybersecurity service architecture for one of the largest retailers in the US. He has advised organizations worldwide including Brazil, China, India and South Africa on how to improve their cybersecurity programs.
Schreider implemented a virtual Security Operations Center network with vSOCs located in the US, Brazil, Italy, Japan, Sweden, and the US. He was also responsible for creating the first Information Sharing and Analysis Center in collaboration with the Information Technology Association of America (IT-ISCA). His earliest disaster recovery experiences included assisting companies affected during the 1992 Los Angeles riots and 1993 World Trade Center bombing. His most unique experience came during the Gulf War helping a New York financial institution recover after becoming separated from its data center in Kuwait.
Schreider has appeared on ABC News, CNN, CNBC, NPR, and has had numerous articles printed in security and business magazines, including Business Week, New York Times, SC Magazine, The Wall Street Journal and many others. He is the author of Building an Effective Cybersecurity Program 2nd Edition (Rothstein Publishing, 2020) and is a co-author of the US patent Method for Analyzing Risk.
He studied Criminal Justice at the College of Social & Behavioral Sciences at the University of Phoenix and holds the following certifications in security and disaster recovery:
American College of Forensic Examiners, CHS-III
Certified CISO (C|CISO)
Certified in Risk and Information Systems Control (CRISC)
ITIL® v3 Foundation Certified
System Security Certified Practitioner (SSCP)
Member of the Business Continuity Institute (MBCI)
University of Richmond – Master Certified Recovery Planner (MCRP)
Contents
CONTENTS
Dedication iii Acknowledgments iii Foreword v Foreword vii Contents 1 Introduction to the 2nd Edition 9 Chapter 1 Introduction to Cybersecurity Law 13
1.1 Infamous Cybercrimes 14
1.2 Cybercrime Taxonomy 15
1.3 Civil vs. Criminal Cybersecurity Offenses 16
1.3.1 Clarifying the Definition of Cybercrime 17
1.3.2 Challenging Your Current Definition of Cybercrime 18
1.3.3 Creating a Strong Cybercrime Definition 18
1.3.4 Cybercrime Categories in the Incident Response Plan 19
1.4 Understanding the Four Basic Elements of Criminal Law 20
1.4.1 Mens Rea 20
1.4.2 Actus Reus 20
1.4.3 Concurrence 21
1.4.4 Causation 21
1.5 Branches of Law 22
1.6 Tort Law 22
1.6.2 Strict Liability Tort 23
1.6.3 Tort Precedents 24
1.7 Cyberlaw Enforcement 24
1.7.1 Regulatory Enforcement 25
1.7.2 Local Enforcement 26
1.7.3 State Enforcement 26
1.7.4 Federal Enforcement 27
1.7.5 International Enforcement 27
1.8 Cybersecurity Law Jurisdiction 28
1.8.1 Challenging Jurisdiction 29
1.8.2 Extradition 30
1.9 Cybercrime and Cyber Tort Punishment 32
1.9.1 Cybercrime Punishment 32
1.9.2 Cyber Tort Punishment 32 Chapter 2 Overview of US Cybersecurity Law 37
2.1 Brief History of Resolving Cybersecurity Disputes 38
2.1.1 Computer Crime Laws in the Public Sector 38
2.1.2 Computer Crime Laws in the Private Sector 39
2.1.3 Application of Laws to Cybersecurity 39
2.2 Alternative Dispute Resolution (ADR) 40
2.1 Cybersecurity Case Mediation Law 41
2.2.2 Cybersecurity Case Arbitration Law 42
2.2.3 Cybersecurity Case Dispositive Motion Law 43
2.3 Successful Data Breach Lawsuits 47
2.4 Duty of Care Doctrine 48
2.4.1 Duty to Provide Reasonable Security 49
2.4.2 Duty to Reveal Security Breaches 49
2.4.3 Duty to Accurately Disclose Safeguards 51
2.4.4 Duty to Protect Information 51
2.4.5 State-Based Duty of Care Laws 52
2.5 Failure to Act Doctrine 52
2.5.1 Failure to Act Duty 52
2.5.2 Failure to Warn Duty 53
2.5.3 Cybersecurity Good Samaritan Law 53
2.6 Reasonable Person Doctrine 54
2.7 Common Law Duty 54
2.8 Criminal Cyberlaw 55
2.8.1 Cybercrime Penalties 55
2.9 Federal Computer Crime Statutes 56
2.9.1 Federal Laws Addressing Computer Security 56
2.9.2 The US Code 58
2.10 Procedural Law 59
2.10.1 Rules of Criminal Procedure 60
2.10.2 Rules of Civil Procedure (Cyber Tort) 60
2.11 State Computer Crime Laws 62
2.11.1 State Ransomware Laws 63
2.11.2 Federal Ransomware Laws 64
2.11.3 State Cyber Reserve Laws 65
2.11.4 State Denial of Service Laws 65
2.11.5 State Election Security Legislation 66
2.11.6 State Anti-Phishing Laws 67
2.11.7 Identity Theft Laws 67
2.11.8 State Cyberbullying Laws 68
2.12 False Claims Act (FCA) 69 Chapter 3 Cyber Privacy and Data Protection Law 75
3.1 Common Law of Privacy 76
3.2 Privacy Laws 76
3.2.1 Children’s Privacy Laws 77
3.2.2 Healthcare Data Privacy Laws 80
3.2.3 Federal Privacy Laws 87
3.2.4 Cybercrime on Tribal Lands 89
3.2.5 State Privacy Laws 91
3.2.6 State Chief Information Privacy Officer (CIPO) Laws 91
3.2.7 International Privacy Laws 92
3.3 Data Breach Laws 93
3.3.1 State Data Breach Laws 94
3.3.2 Federal Data Breach Laws 95
3.3.3 International Data Breach Laws 99
3.3.4 General Data Protection Regulation (GDPR) 102
3.4 Data Breach Litigation 105
3.4.1 Injury vs. No-Injury Class Action Lawsuits 105
3.4.2 Data Privacy and the US Supreme Court 107
3.4.3 Shareholder Derivative Lawsuits 109
3.4.4 Securities Fraud Lawsuits 110
3.5 Privacy Notice Law 111
3.6 Personal Liability 112
3.6.1 Directors and Officers Insurance 113
3.6.2 Preemptive Liability Protection 113
3.6.3 Cybersecurity Whistleblower Protections 114
3.7 Data Disposal Laws 115
3.8 Electronic Wiretap Laws 116
3.9 Digital Assistant Privacy Issues 117
3.10 Social Media Privacy 117
3.11 Event Data Recorder (EDR) Privacy 118
3.12 Automated License Plate Reader (ALPR) Privacy 120 Chapter 4 Cryptography and Digital Forensics Law 127
4.1 Brief Overview of Cryptography 128
4.2 Cryptography Law 129
4.2.1 Export Control Laws 130
4.2.2 Import Control Laws 132
4.2.3 Cryptography Patent Infringement 133
4.2.4 Search and Seizure of Encrypted Data 136
4.2.5 Encryption Personal Use Exemption 138
4.3 State Encryption Laws 139
4.3.1 State Encryption Safe Harbor Provision 139
4.4 Fifth Amendment and Data Encryption 140
4.5 Laws and Regulations Requiring Encryption 141
4.6 International Cryptography Law Perspective 142
4.7 International Key Disclosure Law 143
4.8 Legal Aspects of Digital Forensics 144
4.8.1 Preservation Order 144
4.8.2 Digital Best Evidence Rule 145
4.8.3 Digital Chain of Custody 146
4.8.4 Digital Data Admissibility in Court 147
4.8.5 Digital Evidence Spoliation 147
4.8.6 Fourth Amendment Rights and Digital Evidence 148
4.8.7 Expert Witnesses 149
4.8.8 Security Consultant Client Privilege 149
4.9 State Digital Forensics Law 150
4.10 The CLOUD Act 151
4.11 Emerging Data Encryption Laws 152
4.11.1 Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act 152
4.11.2 Secure Data Act 152
4.12 Biometrics Law 152
4.13 Genetic Information Privacy Laws 154 Chapter 5 Acts, Standards & Regulations 159
5.1 Basel III Accord 160
5.2 Chemical Facility Anti-Terrorism Standards (CFATS) Act 161
5.3 Defense Federal Acquisition Regulations Supplement (DFARS) 163
5.3.1 Minimum Requirements for DFARS 164
5.3.2 Termination of Contracts and Penalties for Non-Compliance 165
5.4 Directive on Security of Network and Information Systems NIS Directive 165
5.5 European Union Cybersecurity Act 166
5.6 Family Educational Rights and Privacy Act (FERPA) 167
5.7 Federal Financial Institutions Examination Council (FFIEC) 168
5.8 Federal Information Security Management Act (FISMA) 168
5.9 Financial Industry Regulatory Authority (FINRA) Rules 169
5.10 Food and Drug Administration Code of Federal Regulations Title 21 Part 11 170
5.10.1 ALCOA Model 171
5.11 Health Information Technology for Economic and Clinical Health Act (HITECH) 172
5.12 Health Insurance Portability and Accountability Act (HIPAA) 173
5.13 Joint Commission on the Accreditation of Healthcare Organizations (JCAHO) 173
5.14 North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) 176
5.15 Payment Card Industry – Data Security Standard (PCI- DSS) 177
5.16 Sarbanes Oxley Act (SOX) 178
5.16.1 Cybersecurity Flaw Whistleblower Protection 179
5.17 Standards 179
5.17.1 International Organization of Standardization (ISO) Security Standards 180 Chapter 6 Creating a Cybersecurity Law Program 195
6.1 Cybersecurity Law Program 196
6.1.1 Model 196
6.1.2 Architecture 199
6.1.3 Program Staffing and Roles 200
6.1.4 Program Policies 203
6.1.5 Program Procedures 206
6.1.6 Program Technology 208
6.1.7 Mapping Legal Requirements to Controls 212
6.1.8 ISO/IEC 27002 on Compliance Controls 214
6.2 Cyber Liability Insurance 214
6.2.1 Coverage Categories 215
6.2.2 Policy Restrictions 217
6.2.3 Policy Value 217
6.2.4 Policy Cost 218
6.2.5 Policy Claims 218
6.2.6 Policy Claim Disputes 219
6.2.7 Policy Lawsuits 219
6.2.8 Act of War Defense 222
6.2.9 Insurable vs Uninsurable Risk 222
6.2.10 Cyber Risk Insurance Pools 223
6.2.11 Silent Cyber Risk Insurance 223
6.3 Data Breach Worksheet 224
6.3.1 Data Breach Calculators 224
6.4 Compliance Auditing 225
6.4.1 Critical Audit Matters (CAM) 226
6.4.2 Internal vs. External Auditing 227
6.4.3 Auditing Associations 229 Chapter 7 Future Developments in Cybersecurity Law 235
7.1 Future of Cybersecurity Legislation 236
7.1.1 Constutionality of Cybersecurity Law 236
7.2 Impact of Technology on Cybersecurity Law 237
7.2.1 Legal Implications of the Internet of Things (IoT) 237
7.2.2 Legal Implications of Big Data 238
7.2.3 Legal Implications of Cloud Computing 239
7.2.4 Legal Implications of Security Testing 240
7.3 Future US Cybersecurity Legislation 242
7.4 US Foreign Policy on Cybersecurity 244
7.5 National Association of Insurance Commissioners (NAIC) Model Cybersecurity Law 246
7.6 Harmonization of International Cybersecurity Laws 248
7.6.1 Cybersecurity Law and Trade Pacts 249
7.6.2 Harmonization of Cybersecurity and Privacy Law 249
7.6.3 Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) Cybersecurity Framework 250
7.6.4 Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System 252
7.6.5 US-Mexico-Canada Agreement (USMCA) 254
7.6.6 Cyberbalkanization Laws 255
7.6.7 Data Localization Laws 255
7.6.8 Singapore Payment Services Act 257
7.7 Aligning the Law of the Sea to Cybersecurity Law 258
7.8 Cybersecurity Law in Outer Space 259
7.9 The Law of Armed Conflict in Cyberwar 260
7.10 North Atlanta Treaty Organization (NATO) Cyberlaw Stance 261
7.11 United Nations – Universal Cybersecurity Legal Framework 262
7.12 International Treaties on Cybersecurity 263
7.13 Brexit Impact on European Union Cybersecurity Law 264
7.14 G7 Perspective on Cybercrime 265 Appendix A 273 Useful Checklists and Information 273 Index 282 Credits 298 About the Author 300
Introduction to the 2nd Edition
Introduction to the 2nd Edition
Think about building your organization’s cybersecurity law program much like taking a trip to the law library. Would you know which law books you would most need? Generally, security professionals don’t. Further imagine the librarian walking you through the aisles of mahogany bookcases of case law and legal precedents pointing out exactly which books to check out. Then imagine having a virtual paralegal to conduct research on the legal subject pertinent to your cybersecurity program. I think you would agree that would be ideal. Well, that is the experience this book is designed to provide you.
Although I am not an attorney, I have spent nearly forty years researching, studying and applying legal and regulatory statutes to security programs. It is these lessons learned and curation of the most applicable legal information that I am passing on to you in order to make your job as a security manager just a little bit easier. One cannot create an effective cybersecurity program without aligning to cybersecurity laws, standards and regulations.
The information in this book has been organized in order of importance to security managers and practitioners. The book by design doesn’t republish laws, regulations and standards in their entirety; I did not want to load the book up with information that is easily acquired elsewhere. I have provided many hyperlinks (digital version) and URLs (print version) to guide you to the authoritative sources of the statutes covered within the book. I wanted this book to be as concise as possible, yet jam packed with information you can use now and often going forward.
I have integrated a “Did You Know” series of callout boxes that highlight interesting and relevant legal cases, precedents or events that bring to life the information discussed in order to show you that what I am presenting has actually happened. To help you retain the information within this book and hone your cyberlaw skills, each chapter has ten self-study questions. You should use this book as your virtual cybersecurity law reference library and on-call cyberlaw paralegal.
The following is an overview of each chapter:
Chapter 1: Introduction to Cybersecurity Law – To establish a foundation in cybersecurity law, this chapter walks you through just enough legal foundation to provide you with insight into the basics of cyber law, how cybersecurity statutes have evolved, and how cybercrimes are enforced and prosecuted. This information won’t allow you to pass the bar exam, but it will allow you to have substantive conversations with your organization’s legal counsel and to understand the difference between criminal and civil offenses as well as how cybercriminals are prosecuted. Equally important, this information will help you to understand the cybersecurity laws and regulations that you will undoubtedly encounter without having to run down the hall and ask your in-house legal counsel how they apply to cybersecurity within your organization.
Chapter 2: Overview of US Cybersecurity Law – Armed with a solid understanding of legal basics, you can begin reading about US cybersecurity law. This chapter introduces you to computer crime laws in the private and public sector, how crimes are litigated, and walks you through data breach lawsuits and how they get started. Essential doctrines such as duty of care, failure to act, reasonable person, and common law are also covered. You will learn about the rules of criminal and civil procedure used in cybercrime and data breach cases. The chapter presents an overview US Federal computer crime statutes and state computer crime laws.
Chapter 3: Cyber Privacy and Data Protection Law – The origin of many cybersecurity lawsuits is the loss of a person or person’s personal information. This chapter dives deep into all the types of laws that govern the protection of personally identifiable information. I begin with a discussion of the common law of privacy to establish a baseline of understanding. I then walk you through children’s, healthcare, Federal, state and international privacy statutes. Data breach litigation is broadly covered with insight into injury vs no-injury cases and shareholder lawsuits. I also look at emerging legal privacy issues relating to digital wiretaps, digital assistants, and social media and potential impacts to the Fourth Amendment.
Chapter 4: Cryptology and Digital Forensics Law – Here I cover two of the more complex aspects of cybersecurity law: cryptography and digital forensics. I delve into cryptography as it is the premier method of securing data from intentional or accidental disclosure. It is important to understand how the law views data encryption and its relationship to the fifth amendment. Digital forensics is integral to prosecuting cybercrime cases as all evidence is gathered digitally and must follow the rules of civil and criminal procedure. You will also learn about cryptology and forensics legislation.
Chapter 5: Acts, Standards and Regulations – Throughout the book I introduce you to many different statutes as they align to the topics presented within their respective chapters. In this chapter, I cover over 20 national and international statutes that apply to various industries. I introduce you to some cybersecurity acts and regulations that are not as widely known. The Center for Internet Security (CIS), International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) and other leading cybersecurity standards are covered in some detail as they’re used to comply with the acts and regulations shown throughout the book as well as within this chapter.
Chapter 6: Cybersecurity Law Program – Now that you have read the previous chapters and have gained a working understanding of cyberlaw, it’s time to build your cyberlaw program. In this chapter I provide you with a cybersecurity law program model and a supporting set of development templates. I also show you how you can hedge your cybersecurity program results through the adoption of a cyber insurance policy
Chapter 7: Future Developments in Cybersecurity Law – Laws evolve over time and in the world of cybersecurity emerging technology is a key driver in the evolution of cybersecurity legislation. In this chapter I discuss the legal implications of big data, cloud computing, Internet of Things, and security testing. This chapter provides a forum for me to discuss cybersecurity law in of all places outer space and the sea. Treaties, international legal frameworks, and trade pacts are covered here.
Appendix A: As if the chapters didn’t provide you with enough information, I provide you with a rich appendix of useful sources of tools, resources and checklists.
Excerpt from the Foreword by Susan Richmond Johnson, MBA, MPM/CIPM
Excerpt from the Foreword by Susan Richmond Johnson, MBA, MPM/CIPM
Those of us of a certain generation remember where we were the morning of September 11, 2001. For me, that was in my office at the US Department of Justice headquarters in Washington, DC, a stone’s throw from the Pentagon. The shocking images on TV of planes flying into the World Trade Center were surpassed for me only by the plumes of black smoke I saw from my office window as they rose above the burning Pentagon. On that day, 19 terrorists hijacked a technology meant to improve our way of life and bring the world closer together – passenger aircraft – and weaponized it for an evil and destructive purpose. As then-Attorney General John Ashcroft and my boss would state, our paradigm for anti-terrorism efforts necessarily changed overnight from prosecution to prevention.
Just as terrorists weaponized passenger aircraft on September 11th and forced a paradigm shift in America’s anti-terrorism efforts, so too have “digital terrorists” forced a shift in our approach to cybersecurity by declaring cyberwar on corporations. As a manager or key executive, you know that in this new world of cyberattacks, data breaches, and data intrusion, prevention is the necessary paradigm. In Cybersecurity Law, Standards and Regulations (2nd Edition), Tari Schreider helps you take clear, methodical, practical steps in your organization to address the explosion of cybersecurity laws and regulations of the past few years. Tari emphasizes that you not only must defend against bad actors, but also defend against legal actions resulting from a data breach.
As the former Chief Security Architect for Fortune 100 company and cybersecurity strategist and instructor, Tari draws on his years of experience in both the technical development of security programs and the compliance assessment of the same to articulate the full spectrum of operationalizing cybersecurity in your organization. From helping you understand the basics of cybersecurity law, to outlining the key elements of regulations and statutes required to ensure the privacy of information, Tari – in the words of a cybersecurity colleague – “turns the obscure into the obvious in a manner that precludes any misunderstanding.”
You can have confidence in Tari, as he serves as your cybersecurity law guide, identifying current and coming cyber regulations, standards and laws, delivering the roadmap for creating a cybersecurity law program. It is now in your hands to act on this intelligence.
Susan Richmond Johnson, MBA, MPM/CIPM
Managing Principal, The Ashcroft Group LLC
Washington, DC
February, 2020
Excerpt from the Foreword by Karen Lawrence Öqvist
Excerpt from the Foreword by Karen Lawrence Öqvist
When reading the book to write this foreword, I found Tari’s wisdom woven into every page. He has mapped cybersecurity law into a practical application across every silo of an organization. Why he had asked me to provide the foreword became evident when I was taken on a round-the-world trip, an investigation into the privacy and data protection laws in the U.S., Canada, Brazil, to the EU, Thailand, India, even China and Australia, and more.
When thinking on who should read this book, my initial thoughts were any cybersecurity professional. This book provides the tools they need to create a solid business case on why an organisation should invest in cybersecurity. The book explains how the laws work, including for each section a goodie bag of hard facts and real examples on the consequences and costs of doing nothing, Hence this book for the cybersecurity professional is a tool to map cybersecurity risk into something concrete the board can understand.
As I progressed through the book, my thoughts shifted over to the legal professional. Attorneys or barristers may know their legal niche but likely lack the experience on how to map this to an organisation’s operations. IT has always been something of black magic for non-technical individuals, but now nearly all data is digital, and technology has become increasingly pervasive. What this book does for them is map cybersecurity laws to operational mitigations and remediations, i.e. what needs to be done on a practical level. This knowledge can be used to get a decent conversation between the technical and cybersecurity crew.
Where does this take us? Well if both cybersecurity and legal experts read this book, between them they’d be in a strong position to do what is right, as prescribed by Tari in the final part of the book, creating your Cybersecurity Law Program. This book bridges the gap between cybersecurity and legal and gives you the proper tools and common language to communicate with your board effectively so that money spent on cybersecurity is spent wisely.
Karen Lawrence Öqvist
MBA MSc CIPP/E CIPT CIPM
CEO Privasee AB
Author of Virtual Shadows & A Hands-on Approach to GDPR Compliance
Stockholm, Sweden
February, 2020
Additional information
Weight
3 lbs
Course Adoption
Cybersecurity Law, Standards and Regulations (2nd Edition) by Tari Schreider is available for evaluation for course adoption for colleges and universities.
Close your eyes and take a deep breath before diving into Tari Schreider’s latest edition of Cybersecurity Law, Standards and Regulations. Imagine putting 40 years of knowledge into one textbook and then being able to recall all of the important highlights in a “Did you Know” format. One would be hard pressed to do so while simultaneously navigating legal implications of big data. So this doesn’t happen to you, I recommend reading this 2nd edition in order to stay up to date on the latest developments in Cybersecurity Law. Be prepared for the presentation to Senior executives and stay relevant. You definitely do not want to be on the other side of the law in this case. No pun intended!
– Vanessa Fulton, Assistant Director of Loans, Georgia Institute Technology
As I worked with my team to launch our first product EvergreenLearners.com – cyber security and privacy were absolutely top of mind, given the nature of our service (engaging K12 students and their caregivers). Tari’s book Cybersecurity Laws, Standards and Regulations was a great resource for us to ensure our (new) company were aware of on-line privacy laws especially COPAA. The book not only helped make cybersecurity law accessible to me, but it has become the basis for the way we are building cybersecurity and privacy practices into the very DNA of our culture, products, and services.
Our vision for delivering academic coaching to K12 students on a 1:1 basis is intertwined with cybersecurity and privacy. Tari’s book has been a godsend.
– Stanley St-Fleur, Founder & Chief Experience Officer, EvergreenLearners.com
I must admit that this book’s bland but accurate title intimidated me at first but as soon as I opened it, I found it to actually be fun. I’m not talking about trashy novel fun but fun like attending an energetic classroom or viewing a great documentary film. As soon as you realize the teacher or filmmaker is knowledgeable and excited to share what they know, you can’t help but to experience some of their enthusiasm. Tari Schreider is the right author for Cybersecurity Law, Standards and Regulations. He imparts knowledge, enthusiasm and most importantly, experience.
While not a lawyer himself, Schrieder’s text underscores his knowledge of the law that comes through his experience and expertise in designing and overseeing complex cybersecurity programs for large energy and tech companies. In fact, the author has also published another book entitled Building an Effective Cybersecurity Program, but between you and me, this book contains enough practical tips to serve as a foundation that anyone might face who is building their own cybersecurity program.
In addition to tips, Cybersecurity Law, Standards and Regulations offers “Did you know?” interludes sprinkled throughout chapters which serve to break up sections nicely by offering practical, real world examples of cyber law in action as well as interesting trivia. Useful timelines cover the evolution of computer laws, ransomware and even breach law state by state. I also appreciated the Self-Study at the end of each chapter. These quick quizzes are a great refresher and review after reading through tons of material. They also contain actionable items for anyone considering to set up their own cybersecurity programs internally.
I recommend this book to any cybersecurity enthusiast as the laws, standards and regulations of cybersecurity play a crucial role in any modern security discussion, but I also recommend this book as a must-have reference to any tech or security writer like myself. Every time I flip through it and see a table or matrix of laws, fines, regulations or breaches, I get new ideas to write some new blogs and editorials. As a fellow author, I found the sections on GDPR, breach laws and cryptography packed with useful information and I will be returning to them regularly to study.
Tari Schreider has delivered a truly comprehensive reference to cyber law. My only regret is that this book cannot be updated and published on a more regular basis since cyber news and breaches seem to appear daily in my line of work but that is also what makes this a great reference book.
– Scott Schober, CEO Berkeley Varitronics Systems & Author of “Hacked Again.”
.
“Cybersecurity Law, Standards and Regulations” (2nd edition) by Tari Schreider is the most comprehensive guide I’ve found to what you need to know about cybersecurity law. I’m not an expert on cybersecurity, nor am I a lawyer – and that’s the point. Tari Schreider writes in a straightforward manner that makes very complex and very important information understandable and digestible for the layperson while still providing a comprehensive textbook for students of cyber law.
Since it is not a matter of “if” but “when” your company will be involved in a cyber lawsuit, reading Tari Schreider’s book will help you stay within the guardrails of the constantly morphing dynamic of doing business. It has exhaustive lists (and links) to pertinent laws and speaks to the direction those laws could take in the years to come as a result of current cases.
I found Chapter 2 particularly informative. Schreider dives down into the expectations of protecting consumer data that companies must comply with, as well as some of the loopholes that (frustratingly for the consumer) have resulted in case dismissals. He also cites some recent financial penalties for failure to uphold public trust and cautions companies not to stray too close to the line of what’s allowable vs. what is unacceptable because a misstep can result in millions of dollars in damages.
Schreider examines breaches of privacy – including healthcare and other sensitive information – as well as the encryption flip side to that. Although it would stand to reason that the need to encrypt data is a given, there are countries which prohibit bringing in laptops or smartphones with encryption installed. Key when traveling internationally.
Schreider includes plenty of illustrations to make the concepts easier to remember by making them easier to visualize. I also found the index of particular value because it allows the reader to use this book as an easy go-to resource for reading up on current regulations on any number of topics and easily searching countless case studies (including perhaps case studies involving your organization or industry).
“Cybersecurity Law, Standards and Regulations” offers lots of “did you know” snippet boxes which are a real treat. Do you know where the original hacker Robert Morris is now? Read Tari Schreider’s “Cybersecurity Law, Standards and Regulations” to find out!
– Dr. Jo Robertson
Having been a Chief Information Security Officer (CISO) on at least four occasions, I can say that one of my biggest challenges – besides protecting the data – was to understand and stay abreast of the current state of cybersecurity laws, standards, and regulations. Tari Schreider brings to bear an excellent desk reference on the subject useful for all CISOs.
At 325 pages, this book offers introductions to cyber security law and extends into deeper discussions on US cybersecurity law with some added reviews of international cybersecurity statutes and rulings. The book also enters into the world of cyber privacy and the different laws that exist in this ever-changing environment. Of course, there is the obligatory discussion on the European Union General Data Protection Regulation also known as GDPR.
Data encryption and the associated complexities are covered in Chapter 4 and offer a sweeping view of the international laws and regulations that may impact the implementer. Even United States state biometric laws are listed for reference and more research.
Tari brings to the reader multiple tables and graphics to help summarize the various rules and risk areas and different security models.
Chapter 6 is especially interesting to the CISO in that it aids the reader in creating a cybersecurity law program for the organization. This includes identifying the different roles and responsibilities as well as the suggested technologies to leverage during the program implementation.
Overall, this is a useful book for the CISO’s library and one that could be extremely helpful when faced with a new regulatory scheme or concept that requires rapid understanding. As a former CISO, I certainly wished I had access to this document to help me be more adept at the cybersecurity law, standards, and regulations domain.
