Cyber Security Law: Definition & Scope
Miami - November 6, 2020
Cyber Security Law "promotes the confidentiality, integrity, and availability of public and private information, systems, and networks, through the use of forward-looking regulations and incentives, with the goal of protecting individual rights and privacy, economic interests, and national security." ― Jeff Kosseff, Iowa Law Review (2018).
Cyber Security Laws and Regulations aim to safeguard information technology and computer systems by obliging companies, organizations and institutions to protect their systems, networks and information from cyberattacks such as viruses, worms, Trojan horses, phishing, denial of service (DoS) attacks, unauthorized access and control system attacks.
Cyber Security Law typically includes:
1) Data Security/Protection Law (e.g. E.U. GDPR or California Consumer Privacy Act);
2) Security/Data Breach Notification Law: It requires an individual or entity affected by a data breach to notify its customers and other parties (e.g. licensors) about the breach and to take specific steps to remedy the situation [e.g. the first of its kind was California Senate Bill 1386 (2002), which requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Delayed notification is allowed "if a law enforcement agency determines that it would impede a criminal investigation."];
3) Data Breach Litigation: An Emerging Body of Legal Practice & Precedent. Private companies face lawsuits (including class actions) brought by (i) consumers whose data was stolen/leaked (because companies are obliged to protect customer data, they can be deemed ‘negligent’ when they fail to do so), or (ii) shareholders after stock prices plummet following a breach. Courts may award damages in data breach cases if the harm caused by the breach is well characterized (the challenge being that such harms do not always fit into traditional theories of damages).
4) Computer Hacking Criminal & Civil Law: Criminal & Civil Liability imposed on individuals who cause damage to computers, obtain information without authorization, or engage in unauthorized “hacking.”
To comply with all applicable cyber security laws and regulations, digital companies also need to enter into certain cyber security contracts with third-party cyber security firms, including, for instance:
- E-Commerce Platform Network Security Assessment Agreements,
- Data Security & End-to-End Encryption Agreements to prevent Eavesdropping,
- Computer Security Agreements (which help counter Direct Access Attacks),
- Cyber-Attack Monitoring Services Agreements,
- Vulnerability Scanning, Assessment and Management Service Contracts,
- Penetration Testing Service Agreements,
- Red Team Assessment Service Agreements, or
- Multi-Factor Authentication (MFA) Service Level Agreements (which help prevent Backdoor Attacks).
Dr. Ariel Humphrey