Cybersecurity Law, Standards and Regulations (2nd Edition) by Tari Schreider

$89.99

COMING APRIL, 2020. PRE-ORDER NOW!

Cybersecurity practitioners, attorneys and privacy managers now have a single, comprehensive resource on cybersecurity law plus the latest international standards and regulations. Cybersecurity Law, Standards and Regulations (2nd Edition) by Tari Schreider is the FIRST book to provide a foundation resource for understanding cybersecurity and privacy law, regulations and standards at the state, federal and international levels. The extensive coverage of cyber law topics includes discussions of the foundation of law as it applies to the cyberworld; privacy; judicial rulings; cryptography and forensics law; cyber insurance; future developments in cybersecurity law; and much more.

Tari Schreider also addresses the legal implications of big data, cloud, data breaches, IoT, ethical hacking and personal digital assistants. Many legal case citations are included throughout the book as well as practical recommendations and templates for building a cybersecurity law program as part of your governance, risk and compliance efforts. Plus, the latest national and international standards and their implications are covered in depth. Cybersecurity Law, Standards and Regulations (2nd Edition) is the first book on this critical subject with something for everyone concerned about cybersecurity law and its foundation.

2020, 280 pages (approx.).

 

Description

In today’s litigious business world, cyber-related matters could land you in court. As a computer security professional, you are protecting your data, but are you protecting your company? While you know industry standards and regulations, you may not be a legal expert. Fortunately, in a few hours of reading, rather than months of classroom study, Tari Schreider’s Cybersecurity Law, Standards and Regulations (2nd Edition) lets you integrate legal issues into your security program.

Tari Schreider, a board-certified information security practitioner with a criminal justice administration background, has written a much-needed book that bridges the gap between cybersecurity programs and cybersecurity law. He says, “My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective façade or false sense of security.”

In a friendly style, offering real-world business examples from his own experience supported by a wealth of court cases, Schreider covers the range of practical information you will need as you explore – and prepare to apply – cybersecurity law. His practical, easy-to-understand explanations help you to:

  • Understand your legal duty to act reasonably and responsibly to protect assets and information.
  • Identify which cybersecurity laws have the potential to impact your cybersecurity program.
  • Upgrade cybersecurity policies to comply with state, federal, and regulatory statutes.
  • Communicate effectively about cybersecurity law with your corporate legal department and counsel.
  • Understand the implications of emerging legislation for your cybersecurity program.
  • Know how to avoid losing a cybersecurity court case on procedure – and develop strategies to handle a dispute out of court.
  • Develop an international view of cybersecurity and data privacy – and international legal frameworks.

Schreider takes you beyond security standards and regulatory controls to ensure that your current or future cybersecurity program complies with all laws and legal jurisdictions. Hundreds of citations and references allow you to dig deeper as you explore specific topics relevant to your organization or your studies. This book needs to be required reading before your next discussion with your corporate legal department.

What’s new in the 2nd edition?

This new edition responds to the rapid changes in the cybersecurity industry, threat landscape and providers. It addresses the increasing risk of zero-day attacks, growth of state-sponsored adversaries and consolidation of cybersecurity products and services in addition to the substantial updates of standards, source links and cybersecurity products.

Here is what’s new in the second edition:

  • 50+ callout boxes highlighting cyber law cases and important legal resources.
  • 60 self-study questions to hone your knowledge.
  • 8 cyberlaw program models to guide program design efforts.
  • 10 powerful templates to document your cybersecurity law program.
  • Addition of CISO, IoT, Data Broker, Cloud, and Event Data Recorder cybersecurity laws.
  • Addition of digital assistant privacy issues.
  • Impact of Calif. A.B.5 on bug bounty programs.
  • Coverage of Act of War cyber insurance clauses.
  • Expanded Fourth and Fifth Amendment coverage.
  • Updated coverage of cybersecurity treaties.
  • Addition of social media privacy laws.
  • Addition of cybercrime on tribal lands.
  • Addition of cybersecurity whistleblower protections.

2020, 322 pages. Comprehensive index.

ISBN 9781944480561 PRINT
ISBN 9781944480585 PDF
ISBN 9781944480578 EPUB

 

Additional information

Weight 3 lbs

Tari Schreider is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. He was formerly Chief Security Architect at Hewlett-Packard Enterprise and National Practice Director for Security and Disaster Recovery at Sprint E|Solutions. Schreider is an instructor for EC-Council where he teaches advanced CISO certification and risk management courses.

Schreider has designed and implemented complex cybersecurity programs including a red team penetration testing program for one of the world’s largest oil and gas companies, a NERC CIP compliance program for one of Canada’s largest electric utility companies, an integrated security control management program for one of the largest 911 systems in the US, and a cybersecurity service architecture for one of the largest retailers in the US. He has advised organizations worldwide including Brazil, China, India and South Africa on how to improve their cybersecurity programs.

Schreider implemented a virtual Security Operations Center network with vSOCs located in the US, Brazil, Italy, Japan, Sweden, and the US. He was also responsible for creating the first Information Sharing and Analysis Center in collaboration with the Information Technology Association of America (IT-ISCA). His earliest disaster recovery experiences included assisting companies affected during the 1992 Los Angeles riots and 1993 World Trade Center bombing. His most unique experience came during the Gulf War helping a New York financial institution recover after becoming separated from its data center in Kuwait.

Schreider has appeared on ABC News, CNN, CNBC, NPR, and has had numerous articles printed in security and business magazines, including Business Week, New York Times, SC Magazine, The Wall Street Journal and many others. He is the author of Building an Effective Cybersecurity Program 2nd Edition (Rothstein Publishing, 2020) and is a co-author of the US patent Method for Analyzing Risk.

He studied Criminal Justice at the College of Social & Behavioral Sciences at the University of Phoenix and holds the following certifications in security and disaster recovery:

  • American College of Forensic Examiners, CHS-III
  • Certified CISO (C|CISO)
  • Certified in Risk and Information Systems Control (CRISC)
  • ITIL® v3 Foundation Certified
  • System Security Certified Practitioner (SSCP)
  • Member of the Business Continuity Institute (MBCI)
  • University of Richmond – Master Certified Recovery Planner (MCRP)

CONTENTS

Dedication iii
Acknowledgments iii
Foreword v
Foreword vii
Contents 1
Introduction to the 2nd Edition 9
Chapter 1 Introduction to Cybersecurity Law 13
1.1 Infamous Cybercrimes 14
1.2 Cybercrime Taxonomy 15
1.3 Civil vs. Criminal Cybersecurity Offenses 16
1.3.1 Clarifying the Definition of Cybercrime 17
1.3.2 Challenging Your Current Definition of Cybercrime 18
1.3.3 Creating a Strong Cybercrime Definition 18
1.3.4 Cybercrime Categories in the Incident Response Plan 19
1.4 Understanding the Four Basic Elements of Criminal Law 20
1.4.1 Mens Rea 20
1.4.2 Actus Reus 20
1.4.3 Concurrence 21
1.4.4 Causation 21
1.5 Branches of Law 22
1.6 Tort Law 22
1.6.2 Strict Liability Tort 23
1.6.3 Tort Precedents 24
1.7 Cyberlaw Enforcement 24
1.7.1 Regulatory Enforcement 25
1.7.2 Local Enforcement 26
1.7.3 State Enforcement 26
1.7.4 Federal Enforcement 27
1.7.5 International Enforcement 27
1.8 Cybersecurity Law Jurisdiction 28
1.8.1 Challenging Jurisdiction 29
1.8.2 Extradition 30
1.9 Cybercrime and Cyber Tort Punishment 32
1.9.1 Cybercrime Punishment 32
1.9.2 Cyber Tort Punishment 32
Chapter 2 Overview of US Cybersecurity Law 37
2.1 Brief History of Resolving Cybersecurity Disputes 38
2.1.1 Computer Crime Laws in the Public Sector 38
2.1.2 Computer Crime Laws in the Private Sector 39
2.1.3 Application of Laws to Cybersecurity 39
2.2 Alternative Dispute Resolution (ADR) 40
2.2.1 Cybersecurity Case Mediation Law 41
2.2.2 Cybersecurity Case Arbitration Law 42
2.2.3 Cybersecurity Case Dispositive Motion Law 43
2.3 Successful Data Breach Lawsuits 47
2.4 Duty of Care Doctrine 48
2.4.1 Duty to Provide Reasonable Security 49
2.4.2 Duty to Reveal Security Breaches 49
2.4.3 Duty to Accurately Disclose Safeguards 51
2.4.4 Duty to Protect Information 51
2.4.5 State-Based Duty of Care Laws 52
2.5 Failure to Act Doctrine 52
2.5.1 Failure to Act Duty 52
2.5.2 Failure to Warn Duty 53
2.5.3 Cybersecurity Good Samaritan Law 53
2.6 Reasonable Person Doctrine 54
2.7 Common Law Duty 54
2.8 Criminal Cyberlaw 55
2.8.1 Cybercrime Penalties 55
2.9 Federal Computer Crime Statutes 56
2.9.1 Federal Laws Addressing Computer Security 56
2.9.2 The US Code 58
2.10 Procedural Law 59
2.10.1 Rules of Criminal Procedure 60
2.10.2 Rules of Civil Procedure (Cyber Tort) 60
2.11 State Computer Crime Laws 62
2.11.1 State Ransomware Laws 63
2.11.2 Federal Ransomware Laws 64
2.11.3 State Cyber Reserve Laws 65
2.11.4 State Denial of Service Laws 65
2.11.5 State Election Security Legislation 66
2.11.6 State Anti-Phishing Laws 67
2.11.7 Identity Theft Laws 67
2.11.8 State Cyberbullying Laws 68
2.12 False Claims Act (FCA) 69
Chapter 3 Cyber Privacy and Data Protection Law 75
3.1 Common Law of Privacy 76
3.2 Privacy Laws 76
3.2.1 Children’s Privacy Laws 77
3.2.2 Healthcare Data Privacy Laws 80
3.2.3 Federal Privacy Laws 87
3.2.4 Cybercrime on Tribal Lands 89
3.2.5 State Privacy Laws 91
3.2.6 State Chief Information Privacy Officer (CIPO) Laws 91
3.2.7 International Privacy Laws 92
3.3 Data Breach Laws 93
3.3.1 State Data Breach Laws 94
3.3.2 Federal Data Breach Laws 95
3.3.3 International Data Breach Laws 99
3.3.4 General Data Protection Regulation (GDPR) 102
3.4 Data Breach Litigation 105
3.4.1 Injury vs. No-Injury Class Action Lawsuits 105
3.4.2 Data Privacy and the US Supreme Court 107
3.4.3 Shareholder Derivative Lawsuits 109
3.4.4 Securities Fraud Lawsuits 110
3.5 Privacy Notice Law 111
3.6 Personal Liability 112
3.6.1 Directors and Officers Insurance 113
3.6.2 Preemptive Liability Protection 113
3.6.3 Cybersecurity Whistleblower Protections 114
3.7 Data Disposal Laws 115
3.8 Electronic Wiretap Laws 116
3.9 Digital Assistant Privacy Issues 117
3.10 Social Media Privacy 117
3.11 Event Data Recorder (EDR) Privacy 118
3.12 Automated License Plate Reader (ALPR) Privacy 120
Chapter 4 Cryptography and Digital Forensics Law 127
4.1 Brief Overview of Cryptography 128
4.2 Cryptography Law 129
4.2.1 Export Control Laws 130
4.2.2 Import Control Laws 132
4.2.3 Cryptography Patent Infringement 133
4.2.4 Search and Seizure of Encrypted Data 136
4.2.5 Encryption Personal Use Exemption 138
4.3 State Encryption Laws 139
4.3.1 State Encryption Safe Harbor Provision 139
4.4 Fifth Amendment and Data Encryption 140
4.5 Laws and Regulations Requiring Encryption 141
4.6 International Cryptography Law Perspective 142
4.7 International Key Disclosure Law 143
4.8 Legal Aspects of Digital Forensics 144
4.8.1 Preservation Order 144
4.8.2 Digital Best Evidence Rule 145
4.8.3 Digital Chain of Custody 146
4.8.4 Digital Data Admissibility in Court 147
4.8.5 Digital Evidence Spoliation 147
4.8.6 Fourth Amendment Rights and Digital Evidence 148
4.8.7 Expert Witnesses 149
4.8.8 Security Consultant Client Privilege 149
4.9 State Digital Forensics Law 150
4.10 The CLOUD Act 151
4.11 Emerging Data Encryption Laws 152
4.11.1 Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act 152
4.11.2 Secure Data Act 152
4.12 Biometrics Law 152
4.13 Genetic Information Privacy Laws 154
Chapter 5 Acts, Standards & Regulations 159
5.1 Basel III Accord 160
5.2 Chemical Facility Anti-Terrorism Standards (CFATS) Act 161
5.3 Defense Federal Acquisition Regulations Supplement (DFARS) 163
5.3.1 Minimum Requirements for DFARS 164
5.3.2 Termination of Contracts and Penalties for Non-Compliance 165
5.4 Directive on Security of Network and Information Systems NIS Directive 165
5.5 European Union Cybersecurity Act 166
5.6 Family Educational Rights and Privacy Act (FERPA) 167
5.7 Federal Financial Institutions Examination Council (FFIEC) 168
5.8 Federal Information Security Management Act (FISMA) 168
5.9 Financial Industry Regulatory Authority (FINRA) Rules 169
5.10 Food and Drug Administration Code of Federal Regulations Title 21 Part 11 170
5.10.1 ALCOA Model 171
5.11 Health Information Technology for Economic and Clinical Health Act (HITECH) 172
5.12 Health Insurance Portability and Accountability Act (HIPAA) 173
5.13 Joint Commission on the Accreditation of Healthcare Organizations (JCAHO) 173
5.14 North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) 176
5.15 Payment Card Industry – Data Security Standard (PCI-DSS) 177
5.16 Sarbanes Oxley Act (SOX) 178
5.16.1 Cybersecurity Flaw Whistleblower Protection 179
5.17 Standards 179
5.17.1 International Organization of Standardization (ISO) Security Standards 180
Chapter 6 Creating a Cybersecurity Law Program 195
6.1 Cybersecurity Law Program 196
6.1.1 Model 196
6.1.2 Architecture 199
6.1.3 Program Staffing and Roles 200
6.1.4 Program Policies 203
6.1.5 Program Procedures 206
6.1.6 Program Technology 208
6.1.7 Mapping Legal Requirements to Controls 212
6.1.8 ISO/IEC 27002 on Compliance Controls 214
6.2 Cyber Liability Insurance 214
6.2.1 Coverage Categories 215
6.2.2 Policy Restrictions 217
6.2.3 Policy Value 217
6.2.4 Policy Cost 218
6.2.5 Policy Claims 218
6.2.6 Policy Claim Disputes 219
6.2.7 Policy Lawsuits 219
6.2.8 Act of War Defense 222
6.2.9 Insurable vs Uninsurable Risk 222
6.2.10 Cyber Risk Insurance Pools 223
6.2.11 Silent Cyber Risk Insurance 223
6.3 Data Breach Worksheet 224
6.3.1 Data Breach Calculators 224
6.4 Compliance Auditing 225
6.4.1 Critical Audit Matters (CAM) 226
6.4.2 Internal vs. External Auditing 227
6.4.3 Auditing Associations 229
Chapter 7 Future Developments in Cybersecurity Law 235
7.1 Future of Cybersecurity Legislation 236
7.1.1 Constitutionality of Cybersecurity Law 236
7.2 Impact of Technology on Cybersecurity Law 237
7.2.1 Legal Implications of the Internet of Things (IoT) 237
7.2.2 Legal Implications of Big Data 238
7.2.3 Legal Implications of Cloud Computing 239
7.2.4 Legal Implications of Security Testing 240
7.3 Future US Cybersecurity Legislation 242
7.4 US Foreign Policy on Cybersecurity 244
7.5 National Association of Insurance Commissioners (NAIC) Model Cybersecurity Law 246
7.6 Harmonization of International Cybersecurity Laws 248
7.6.1 Cybersecurity Law and Trade Pacts 249
7.6.2 Harmonization of Cybersecurity and Privacy Law 249
7.6.3 Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) Cybersecurity Framework 250
7.6.4 Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System 252
7.6.5 US-Mexico-Canada Agreement (USMCA) 254
7.6.6 Cyberbalkanization Laws 255
7.6.7 Data Localization Laws 255
7.6.8 Singapore Payment Services Act 257
7.7 Aligning the Law of the Sea to Cybersecurity Law 258
7.8 Cybersecurity Law in Outer Space 259
7.9 The Law of Armed Conflict in Cyberwar 260
7.10 North Atlantic Treaty Organization (NATO) Cyberlaw Stance 261
7.11 United Nations – Universal Cybersecurity Legal Framework 262
7.12 International Treaties on Cybersecurity 263
7.13 Brexit Impact on European Union Cybersecurity Law 264
7.14 G7 Perspective on Cybercrime 265
Appendix A 273
Useful Checklists and Information 273
Index 282
Credits 298
About the Author 300

Introduction to the 2nd Edition

Think about building your organization’s cybersecurity law program much like taking a trip to the law library. Would you know which law books you would most need? Generally, security professionals don’t. Further imagine the librarian walking you through the aisles of mahogany bookcases of case law and legal precedents pointing out exactly which books to check out. Then imagine having a virtual paralegal to conduct research on the legal subject pertinent to your cybersecurity program. I think you would agree that would be ideal. Well, that is the experience this book is designed to provide you.

Although I am not an attorney, I have spent nearly forty years researching, studying and applying legal and regulatory statutes to security programs. It is these lessons learned and curation of the most applicable legal information that I am passing on to you in order to make your job as a security manager just a little bit easier. One cannot create an effective cybersecurity program without aligning to cybersecurity laws, standards and regulations.

The information in this book has been organized in order of importance to security managers and practitioners. The book by design doesn’t republish laws, regulations and standards in their entirety; I did not want to load the book up with information that is easily acquired elsewhere. I have provided many hyperlinks (digital version) and URLs (print version) to guide you to the authoritative sources of the statutes covered within the book. I wanted this book to be as concise as possible, yet jam packed with information you can use now and often going forward.

I have integrated a “Did You Know” series of callout boxes that highlight interesting and relevant legal cases, precedents or events that bring to life the information discussed in order to show you that what I am presenting has actually happened. To help you retain the information within this book and hone your cyberlaw skills, each chapter has ten self-study questions. You should use this book as your virtual cybersecurity law reference library and on-call cyberlaw paralegal.

The following is an overview of each chapter:

Chapter 1: Introduction to Cybersecurity Law – To establish a foundation in cybersecurity law, this chapter walks you through just enough legal foundation to provide you with insight into the basics of cyber law, how cybersecurity statutes have evolved, and how cybercrimes are enforced and prosecuted. This information won’t allow you to pass the bar exam, but it will allow you to have substantive conversations with your organization’s legal counsel and to understand the difference between criminal and civil offenses as well as how cybercriminals are prosecuted. Equally important, this information will help you to understand the cybersecurity laws and regulations that you will undoubtedly encounter without having to run down the hall and ask your in-house legal counsel how they apply to cybersecurity within your organization.

Chapter 2: Overview of US Cybersecurity Law – Armed with a solid understanding of legal basics, you can begin reading about US cybersecurity law. This chapter introduces you to computer crime laws in the private and public sector, how crimes are litigated, and walks you through data breach lawsuits and how they get started. Essential doctrines such as duty of care, failure to act, reasonable person, and common law are also covered. You will learn about the rules of criminal and civil procedure used in cybercrime and data breach cases. The chapter presents an overview of US Federal computer crime statutes and state computer crime laws.

Chapter 3: Cyber Privacy and Data Protection Law – The origin of many cybersecurity lawsuits is the loss of a person’s or persons’ personal information. This chapter dives deep into all the types of laws that govern the protection of personally identifiable information. I begin with a discussion of the common law of privacy to establish a baseline of understanding. I then walk you through children’s, healthcare, Federal, state and international privacy statutes. Data breach litigation is broadly covered with insight into injury vs. no-injury cases and shareholder lawsuits. I also look at emerging legal privacy issues relating to digital wiretaps, digital assistants, and social media and potential impacts to the Fourth Amendment.

Chapter 4: Cryptology and Digital Forensics Law – Here I cover two of the more complex aspects of cybersecurity law: cryptography and digital forensics. I delve into cryptography as it is the premier method of securing data from intentional or accidental disclosure. It is important to understand how the law views data encryption and its relationship to the Fifth Amendment. Digital forensics is integral to prosecuting cybercrime cases as all evidence is gathered digitally and must follow the rules of civil and criminal procedure. You will also learn about cryptology and forensics legislation.

Chapter 5: Acts, Standards and Regulations – Throughout the book I introduce you to many different statutes as they align to the topics presented within their respective chapters. In this chapter, I cover over 20 national and international statutes that apply to various industries. I introduce you to some cybersecurity acts and regulations that are not as widely known. The Center for Internet Security (CIS), International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) and other leading cybersecurity standards are covered in some detail as they’re used to comply with the acts and regulations shown throughout the book as well as within this chapter.

Chapter 6: Cybersecurity Law Program – Now that you have read the previous chapters and have gained a working understanding of cyberlaw, it’s time to build your cyberlaw program. In this chapter I provide you with a cybersecurity law program model and a supporting set of development templates. I also show you how you can hedge your cybersecurity program results through the adoption of a cyber insurance policy.

Chapter 7: Future Developments in Cybersecurity Law – Laws evolve over time, and in the world of cybersecurity emerging technology is a key driver in the evolution of cybersecurity legislation. In this chapter I discuss the legal implications of big data, cloud computing, Internet of Things, and security testing. This chapter provides a forum for me to discuss cybersecurity law in, of all places, outer space and the sea. Treaties, international legal frameworks, and trade pacts are covered here.

Appendix A: As if the chapters didn’t provide you with enough information, I provide you with a rich appendix of useful sources of tools, resources and checklists.

Excerpt from the Foreword by Susan Richmond Johnson, MBA, MPM/CIPM

Those of us of a certain generation remember where we were the morning of September 11, 2001. For me, that was in my office at the US Department of Justice headquarters in Washington, DC, a stone’s throw from the Pentagon. The shocking images on TV of planes flying into the World Trade Center were surpassed for me only by the plumes of black smoke I saw from my office window as they rose above the burning Pentagon. On that day, 19 terrorists hijacked a technology meant to improve our way of life and bring the world closer together – passenger aircraft – and weaponized it for an evil and destructive purpose. As then-Attorney General John Ashcroft and my boss would state, our paradigm for anti-terrorism efforts necessarily changed overnight from prosecution to prevention.

Just as terrorists weaponized passenger aircraft on September 11th and forced a paradigm shift in America’s anti-terrorism efforts, so too have “digital terrorists” forced a shift in our approach to cybersecurity by declaring cyberwar on corporations. As a manager or key executive, you know that in this new world of cyberattacks, data breaches, and data intrusion, prevention is the necessary paradigm. In Cybersecurity Law, Standards and Regulations (2nd Edition), Tari Schreider helps you take clear, methodical, practical steps in your organization to address the explosion of cybersecurity laws and regulations of the past few years. Tari emphasizes that you not only must defend against bad actors, but also defend against legal actions resulting from a data breach.

As the former Chief Security Architect for a Fortune 100 company and cybersecurity strategist and instructor, Tari draws on his years of experience in both the technical development of security programs and the compliance assessment of the same to articulate the full spectrum of operationalizing cybersecurity in your organization. From helping you understand the basics of cybersecurity law, to outlining the key elements of regulations and statutes required to ensure the privacy of information, Tari – in the words of a cybersecurity colleague – “turns the obscure into the obvious in a manner that precludes any misunderstanding.”

You can have confidence in Tari, as he serves as your cybersecurity law guide, identifying current and coming cyber regulations, standards and laws, delivering the roadmap for creating a cybersecurity law program. It is now in your hands to act on this intelligence.

Susan Richmond Johnson, MBA, MPM/CIPM
Managing Principal, The Ashcroft Group LLC
Washington, DC

February, 2020

Excerpt from the Foreword by Karen Lawrence Öqvist

When reading the book to write this foreword, I found Tari’s wisdom woven into every page. He has mapped cybersecurity law into a practical application across every silo of an organization. Why he had asked me to provide the foreword became evident when I was taken on a round-the-world trip, an investigation into the privacy and data protection laws in the U.S., Canada, Brazil, to the EU, Thailand, India, even China and Australia, and more.

When thinking on who should read this book, my initial thoughts were any cybersecurity professional. This book provides the tools they need to create a solid business case on why an organisation should invest in cybersecurity. The book explains how the laws work, including for each section a goodie bag of hard facts and real examples on the consequences and costs of doing nothing. Hence, this book for the cybersecurity professional is a tool to map cybersecurity risk into something concrete the board can understand.

As I progressed through the book, my thoughts shifted over to the legal professional. Attorneys or barristers may know their legal niche but likely lack the experience on how to map this to an organisation’s operations. IT has always been something of black magic for non-technical individuals, but now nearly all data is digital, and technology has become increasingly pervasive. What this book does for them is map cybersecurity laws to operational mitigations and remediations, i.e. what needs to be done on a practical level. This knowledge can be used to get a decent conversation between the technical and cybersecurity crew.

Where does this take us? Well if both cybersecurity and legal experts read this book, between them they’d be in a strong position to do what is right, as prescribed by Tari in the final part of the book, creating your Cybersecurity Law Program. This book bridges the gap between cybersecurity and legal and gives you the proper tools and common language to communicate with your board effectively so that money spent on cybersecurity is spent wisely.

Karen Lawrence Öqvist
MBA MSc CIPP/E CIPT CIPM

CEO Privasee AB
Author of Virtual Shadows & A Hands-on Approach to GDPR Compliance
Stockholm, Sweden
February, 2020

Reviews

Cybersecurity Law, Standards and Regulations (2nd Edition) by Tari Schreider is available for evaluation for course adoption for colleges and universities.