Treatise

Cybersecurity: A Practical Guide to the Law of Cyber Risk

By Edward R. McNicholas and Vivek K. Mohan, Sidley Austin LLP

Copyright: 2015

Product Details

  • ISBN Number: 9781402424106
  • Page Count: 562
  • Number of Volumes: 1
  • The purchase of PLI titles may include Basic Upkeep Service, whereby supplements, replacement pages and new editions may be shipped to you immediately upon publication for a 30-day examination. This service is cancelable at any time.

PLI’s new Cybersecurity: A Practical Guide to the Law of Cyber Risk, authored by 20 experts in the field, provides the practical steps that can be taken to help your clients understand and mitigate today’s cyber risk and to build the most resilient response capabilities possible.

Cybersecurity: A Practical Guide to the Law of Cyber Risk provides a comprehensive discussion of the complex quilt of federal and state statutes, Executive Orders, regulations, contractual norms, and ambiguous tort duties that can apply to this crucial new area of the law. For example, it describes in detail:

  • The leading regulatory role the Federal Trade Commission has played, acting on its authority to regulate “unfair” or “deceptive” trade practices;
  • The guidance issued by the SEC interpreting existing disclosure rules to require registrants to disclose cybersecurity risks under certain circumstances;
  • The varying roles of other regulators in sector-specific regulation, such as healthcare, energy, and transportation; and
  • The impact of preexisting statutes, such as the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, on current cybersecurity issues.

In addition, the authors of Cybersecurity: A Practical Guide to the Law of Cyber Risk have supplemented these more traditional sources of law with industry practices and the most important sources of soft law:

  • An explanation of the National Institute of Standards and Technology (NIST) Cybersecurity Framework and information sharing environments from a former Department of Homeland Security official,
  • The views of the U.S. Secret Service on partnering with federal law enforcement and effective information-sharing,
  • The guidance of leading consultants about the appropriate steps to prepare for cybersecurity incidents,
  • The perspective of a leading insurance company on the evolving role of insurance in protecting companies from the financial losses associated with a successful cyber breach, and
  • The views of one of the most sophisticated incident response organizations on the proper elements of effective incident response.

Throughout the book, Cybersecurity: A Practical Guide to the Law of Cyber Risk includes practice tools developed during the hundreds of breaches that the authors have weathered with their clients. These valuable practice aids include checklists, an overview of the legal consequences of a breach, and a tabletop exercise.

Table of Contents

Preface
Glossary of Acronyms
Chapter 1: An Introduction to the Law of Cyber Risk
  • § 1:1 : In General
  • § 1:2 : General Duties: Reasonable Conduct and Notice of Cybersecurity Incidents
  • § 1:3 : Executive Actions and the Approach of Law Enforcement
  • § 1:4 : General Duties: State Approaches
  • § 1:5 : The Role of Litigation
  • § 1:6 : Legal Considerations and the Use of Emerging Cybersecurity Technologies
  • § 1:7 : Privacy, Cybersecurity, and Surveillance
  • § 1:8 : Open Questions
Chapter 2: The General Legal Landscape for Information Security
  • § 2:1 : Overview
  • § 2:2 : Federal Constitutional Restrictions
  • § 2:3 : Federal Regulatory Initiatives
    • § 2:3.1 : The Federal Trade Commission’s Development of Affirmative Information Security Requirements
      • [A] : Section 5 of the FTC Act
      • [B] : Challenges to FTC’s Cybersecurity Authority
    • § 2:3.2 : Securities and Exchange Commission Cybersecurity Enforcement
      • [A] : Disclosure Guidance
      • [B] : Enforcement Actions Against Public Companies
  • § 2:4 : Federal Statutory Provisions
    • § 2:4.1 : Computer Fraud and Abuse Act (CFAA)
    • § 2:4.2 : Electronic Communications Privacy Act (ECPA)
      • [A] : Wiretap Act
      • [B] : Stored Communications Act
      • [C] : Pen Register Act
      • [D] : Service Provider and Ordinary Course of Business Exceptions
      • [E] : Computer Trespasser Exception
      • [F] : Consent Exception
      • [G] : Service Provider Immunities and Penalties
    • § 2:4.3 : Economic Espionage Act (EEA)
    • § 2:4.4 : Foreign Intelligence Surveillance Act (FISA)
  • § 2:5 : Industry Self-Regulation
    • § 2:5.1 : Payment Card Industry Data Security Standard (PCI DSS)
  • § 2:6 : State Laws
    • § 2:6.1 : State Constitutional Provisions
    • § 2:6.2 : State Data Breach Notification Laws
  • § 2:7 : A Taxonomy of State Cybersecurity Laws
    • § 2:7.1 : Data Security Statutes
    • § 2:7.2 : Social Security Number Protections
    • § 2:7.3 : Unfair and Deceptive Acts and Practices and State Attorneys General
    • § 2:7.4 : Unauthorized Access/Computer Crime Statutes
  • § 2:8 : Influential State Laws
    • § 2:8.1 : Massachusetts
    • § 2:8.2 : California
    • § 2:8.3 : Nevada
  • § 2:9 : Common Law and Litigation
    • § 2:9.1 : Common Tort Causes of Action
    • § 2:9.2 : Standing to Assert Tort Claims
    • § 2:9.3 : Other Litigation Challenges
    • § 2:9.4 : Securities Concerns
    • § 2:9.5 : Duty to Warn of Cyber Threats
      • [A] : Target Financial Institution Litigation
      • [B] : Communications Decency Act
      • [C] : Economic Loss Doctrine
  • § 2:10 : A Case Study of the Types of Legal Issues That Arise After a Retailer Cyber Incident
    • § 2:10.1 : Core Issues
    • § 2:10.2 : Counseling the Client
      • [A] : Privileged Forensic Investigation and Factual Development
      • [B] : Card Brand Notification and PCI Forensic Investigation
      • [C] : State Data-Breach Notification Laws
      • [D] : Board Oversight
      • [E] : Public Relations and Communication
      • [F] : Interaction with Criminal Law Enforcement/Investigators
      • [G] : Insurance Coverage
    • § 2:10.3 : Governmental Investigations
      • [A] : Congress
      • [B] : Securities and Exchange Commission
      • [C] : Federal Trade Commission
      • [D] : State Attorneys General
    • § 2:10.4 : Litigation
      • [A] : Consumer Class Actions
      • [B] : Shareholder Lawsuits/Derivative Actions
      • [C] : Financial Institution Litigation
      • [D] : Insurance Coverage
Chapter 3: The Executive Framework for Cybersecurity: Executive Orders, the NIST Framework, and the SAFETY Act; and Appendix 3A
  • § 3:1 : Overview
  • § 3:2 : The Argument for Federal Standards
  • § 3:3 : Executive Order 13636
    • § 3:3.1 : Defining Critical Infrastructure
    • § 3:3.2 : Information Sharing
    • § 3:3.3 : Privacy and Civil Liberties
    • § 3:3.4 : Standard Setting
    • § 3:3.5 : Incentives
    • § 3:3.6 : Regulations
    • § 3:3.7 : Confidential Identification of Critical Infrastructure
  • § 3:4 : The NIST Cybersecurity Framework
    • § 3:4.1 : The NIST Roadmap
    • § 3:4.2 : Conducting an Internal Review Under the Framework
  • § 3:5 : The Role of Agencies Under the NIST Framework
    • § 3:5.1 : Incentives
    • § 3:5.2 : Framework Implementation by Federal Agencies
  • § 3:6 : Further Cybersecurity Executive Orders
    • § 3:6.1 : Executive Order 13691: “Promoting Private Sector Cybersecurity Information Sharing”
    • § 3:6.2 : Executive Order 13694: “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”
  • § 3:7 : The SAFETY Act
    • § 3:7.1 : “Designations” and “Certifications” of Qualified Anti-Terrorism Technologies Under the SAFETY Act
    • § 3:7.2 : Limited Liability Under the SAFETY Act
      • [A] : “Seller” Defined
      • [B] : Protections for Sellers
    • § 3:7.3 : Application of the SAFETY Act to the Realm of Cybersecurity
      • [A] : Cyberattacks Could Be Acts of Terrorism
      • [B] : Potential Causes of Action Arising out of Cyber Acts of Terrorism
      • [C] : Potential Limitations to Liability
    • § 3:7.4 : Limitations of the SAFETY Act
  • § 3:8 : Future Impact
  • Appendix 3A : Practice Aid: Cybersecurity Diligence Questions
Chapter 4: Corporate-Government Engagement/Public-Private Partnerships
  • § 4:1 : Introduction
  • § 4:2 : The Modern Transnational Cyber Crime Threat
  • § 4:3 : Secret Service Strategy for Combating Cyber Crime
  • § 4:4 : Electronic Crimes Task Forces
  • § 4:5 : Proactive Engagement with Law Enforcement
  • § 4:6 : Information Sharing
  • § 4:7 : Federal Information Sharing Programs
  • § 4:8 : Constraints on Information Sharing
  • § 4:9 : Conclusion
Chapter 5: Cybersecurity in Regulated Sectors
  • § 5:1 : In General
  • § 5:2 : Financial Services
    • § 5:2.1 : Gramm-Leach-Bliley Act
    • § 5:2.2 : The Fair and Accurate Credit Transactions Act and Red Flags Rules
    • § 5:2.3 : SEC Regulation of Cybersecurity
    • § 5:2.4 : Federal Financial Institutions Examination Council
    • § 5:2.5 : Office of the Comptroller of the Currency
    • § 5:2.6 : Commodity Futures Trading Commission
    • § 5:2.7 : Financial Industry Regulatory Authority
    • § 5:2.8 : New York State Department of Financial Services
  • § 5:3 : Healthcare
    • § 5:3.1 : The HIPAA Privacy Rule
    • § 5:3.2 : The HIPAA Security Rule
    • § 5:3.3 : Breach Notification Rule
    • § 5:3.4 : HIPAA Enforcement
    • § 5:3.5 : State Health Provisions
    • § 5:3.6 : Medical Devices
  • § 5:4 : Energy
    • § 5:4.1 : The Department of Energy
    • § 5:4.2 : Electricity Sector
      • [A] : The Electricity Subsector Cybersecurity Capability Maturity Model
      • [B] : Federal Energy Regulatory Commission and North American Electric Reliability Corporation
      • [C] : The Electricity Sector Information Sharing and Analysis Center
      • [D] : Critical Infrastructure Protection Reliability Standards
      • [E] : Enforcement
      • [F] : Nuclear Regulatory Commission
      • [G] : State Public Utility Commissions
    • § 5:4.3 : Oil and Natural Gas Industry
      • [A] : Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model
      • [B] : Oil and Natural Gas Information Sharing and Analysis Center
    • § 5:4.4 : Smart Grid/Advanced Metering Infrastructure Security
  • § 5:5 : Defense Contractors
    • § 5:5.1 : The Federal Risk and Authorization Management Program (FedRAMP)
    • § 5:5.2 : The Defense Industrial Base Voluntary Cyber Security and Information Assurance Program
    • § 5:5.3 : Select Defense Federal Acquisition Regulation Supplement (DFARS) Amendments
      • [A] : Security & Privacy for Computer Systems (DFARS 239.7102-1)
      • [B] : Safeguarding of Unclassified Technical Information (DFARS 204.7300)
      • [C] : Supply Chain Risk (DFARS 239.7300)
    • § 5:5.4 : “Rapid Reporting” for Breaches of “Covered” Networks (Section 941, NDAA for Fiscal Year 2013)
    • § 5:5.5 : Defense and Intelligence Contractors: Incident Reporting
  • § 5:6 : Cybersecurity in the Communications Sector
    • § 5:6.1 : Communications Act and Customer Proprietary Network Information
    • § 5:6.2 : FCC Regulation of Broadband Internet Access Service
    • § 5:6.3 : Establishing Cybersecurity Best Practices: The Communications, Security, Reliability, and Interoperability Council
      • [A] : United States Anti-Bot Code of Conduct for ISPs
      • [B] : DNS Best Practices Report
      • [C] : IP Route-Hijacking Industry Framework
  • § 5:7 : Professional Services
    • § 5:7.1 : Cybersecurity Regulation in the Legal Industry
      • [A] : The American Bar Association’s Model Rules of Professional Conduct
      • [B] : State Bar Association Ethics Opinions
    • § 5:7.2 : Cybersecurity Regulation in the Accounting Industry
      • [A] : The American Institute of CPAs
      • [B] : Public Company Accounting Oversight Board
    • § 5:7.3 : Data Breaches and Professional Malpractice
    • § 5:7.4 : Cybersecurity Regulations from Outside Sectors That Impact Professional-Services Firms
Chapter 6: Data Protection: Risk Management; and Appendices 6A-6B
  • § 6:1 : Has the Organization Become a Target?
  • § 6:2 : Risk to the Organization
  • § 6:3 : Leadership Commitment
  • § 6:4 : Phase One: Profile
    • § 6:4.1 : Context: The Why
    • § 6:4.2 : Information Assets and Location
    • § 6:4.3 : Technology Assets
    • § 6:4.4 : Personnel
    • § 6:4.5 : Tacit Knowledge
    • § 6:4.6 : Security Controls
    • § 6:4.7 : Vulnerabilities and Threats
    • § 6:4.8 : Example of a Profile
  • § 6:5 : Phase Two: Impact on the Organization
    • § 6:5.1 : Risk Assessment Criteria
    • § 6:5.2 : Threats to the Organization
    • § 6:5.3 : Likelihood
    • § 6:5.4 : Risk Calculation and Analysis
  • § 6:6 : Phase Three: Respond
    • § 6:6.1 : High-Level Response
    • § 6:6.2 : Direct Response
    • § 6:6.3 : Current vs. Target
    • § 6:6.4 : Implementing Controls for Risk Mitigation
    • § 6:6.5 : Human Controls
    • § 6:6.6 : Applying Risk Treatment to External Parties
  • § 6:7 : Phase Four: Learn: Defense by Layers
    • § 6:7.1 : Black Market Economics
    • § 6:7.2 : Digital Assets Sold
    • § 6:7.3 : Acquiring Digital Assets
  • § 6:8 : Incident Response
  • § 6:9 : Final Considerations
  • Appendix 6A : Drug Trial Attack: A Pharmaceutical Hacking Incident Tabletop Exercise
  • Appendix 6B : Cyber Legal Preparedness
Chapter 7: Cyber Insurance
  • § 7:1 : The Case for Cyber Insurance
    • § 7:1.1 : Unavoidable Nature of Cyber Risk
    • § 7:1.2 : Dynamics: Cyber Risk Is Evolving, Rapidly
    • § 7:1.3 : Dynamics: Business Innovation
    • § 7:1.4 : Fear, Risk and Reputation
    • § 7:1.5 : Heightened Focus on/for Leadership
    • § 7:1.6 : The Advent of Cyber Insurance
  • § 7:2 : Insurance Needs
    • § 7:2.1 : Severity: How Much Insurance Should We Buy?
  • § 7:3 : Insuring Information Security and Privacy (a/k/a “Cyber”) Risks
    • § 7:3.1 : A Brief History of Cyber Insurance Products
  • § 7:4 : Modern Cyber Insurance Policies
    • § 7:4.1 : First-Party Coverage
    • § 7:4.2 : Third-Party Coverage
    • § 7:4.3 : Crisis/Event Management Coverage
    • § 7:4.4 : Bodily Injury and Property Damage
  • § 7:5 : Industry-Wide Cyber Insurance Capacity and Market Penetration
  • § 7:6 : Traditional Commercial General Liability (CGL) Policies
    • § 7:6.1 : Cyber Risks As “Property Damage” Under a Traditional CGL Policy
    • § 7:6.2 : Cyber Risks As “Personal and Advertising Injury” Under a Traditional CGL Policy
  • § 7:7 : Employment Practices Liability Insurance
  • § 7:8 : Directors’ and Officers’ Insurance
  • § 7:9 : Fiduciary and Liability Insurance
  • § 7:10 : Crime Insurance
  • § 7:11 : The Global Reach of Cyber Risks and Dedicated Insurance Products
Chapter 8: Incident Response; and Appendix 8A
  • § 8:1 : Introduction
  • § 8:2 : Information Security Risk Assessments
  • § 8:3 : Information Governance
  • § 8:4 : Encryption
  • § 8:5 : Developing an Incident Response Plan
    • § 8:5.1 : Identifying Key Team Members from Inside Your Organization
    • § 8:5.2 : Identifying Key Team Members from Outside Your Organization
    • § 8:5.3 : Key Components of the Incident Response Plan
    • § 8:5.4 : Incident Response Training: Tabletop Exercises
    • § 8:5.5 : Maintaining a Dynamic Incident Response Plan
  • § 8:6 : Implementing and Using the Incident Response Plan
  • § 8:7 : Responding to a Data Breach
    • § 8:7.1 : Executing the Incident Response Plan
    • § 8:7.2 : Outside Forensic Experts
    • § 8:7.3 : Securing the Network: Containing the Breach
    • § 8:7.4 : Preservation
    • § 8:7.5 : Identifying Indicators of Compromise
    • § 8:7.6 : Malware Reverse Engineering
    • § 8:7.7 : Some Common Attack Vectors and Threat Actors
      • [A] : Social Engineering
      • [B] : SQL Injection
      • [C] : Password Attacks: Brute Force and Dictionary Attacks
      • [D] : Attacks via a Trusted Third Party
      • [E] : Advanced Persistent Threat
      • [F] : Botnets
  • § 8:8 : Remediation
  • § 8:9 : Identifying Compromised Data
  • § 8:10 : Managing Internal and External Communications
  • § 8:11 : Post-Incident Review
  • Appendix 8A : 20 Legal Items to Remember During Cyber Incident Response
Appendix A: NIST Cybersecurity Framework
Appendix B: NIST Cybersecurity Roadmap
Appendix C: Executive Order 13636: Improving Critical Infrastructure Cybersecurity
Appendix D: Presidential Policy Directive/PPD-21: Critical Infrastructure Security and Resilience
Appendix E: Executive Order 13691 Fact Sheet
Appendix F: Executive Order 13691: Promoting Private Sector Cybersecurity Information Sharing
Appendix G: Executive Order 13694: Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities
Appendix H: Best Practices for Victim Response and Reporting of Cyber Incidents
Appendix I: DOJ White Paper: Sharing Cyberthreat Information Under 18 USC § 2702(a)(3)
Appendix J: DOJ and FTC Antitrust Policy Statement on Sharing of Cybersecurity Information
Appendix K: Federal Reserve: Interagency Supplement to Authentication in an Internet Banking Environment
Appendix L: SEC Division of Investment Management: Cybersecurity Guidance
Index



All Contents Copyright © 1996-2016 Practising Law Institute. Continuing Legal Education since 1933.