Cybersecurity has become a big deal. Corporations have begun to worry about cybersecurity risks. In response, some major law firms have recently established or significantly bolstered practice groups in cybersecurity law.
If you look closely, though, there isn’t much clarity about what ‘cybersecurity law’ actually means. In this post, I thought I would explain what I think of as the field of cybersecurity law.
In my view, cybersecurity law spans four basic topics:
(1) The law governing steps that potential or actual victims of Internet intrusions can take in response to potential or actual intrusions
This has two basic components. First, what steps can the victim take to uncover evidence of the intrusion or trace it to its source? For example, under the Wiretap Act, the Stored Communications Act, the Pen Register statute, and their state equivalents, what powers does the victim have to monitor attacks, disclose records relating to the attacks to others, and conduct monitoring of future attacks? Second, what active steps can the victim take in response to try to minimize the harm of the intrusion or stop future intrusions? For example, under the Computer Fraud and Abuse Act, what are the lawful limits of a victim’s response?
(2) The law governing liability for computer intrusions, both for the perpetrator and the victim
This question has two basic components. First, what is the criminal and/or civil liability of the person or entity that committed the intrusion — and for that matter, what does the law consider an “intrusion”? This primarily concerns the Computer Fraud and Abuse Act and related state laws, but it also includes other laws such as the Economic Espionage Act and the Identity Theft statutes. Second, what is the potential civil liability for the entity that has been victimized, either for the intrusion itself or for failure to comply with breach notification statutes? The relevant sources of laws here include breach notification statutes and state tort law for negligent security practices.
(3) The regulatory law of computer security
Executive agencies have been active in promulgating standards and bringing enforcement actions relating to cybersecurity practices. What are the regulatory authorities, and what powers do different agencies have to enforce cybersecurity standards? Sources of law here can include the FTC’s Section 5 authority, the Health Insurance Portability and Accountability Act (HIPAA), SEC guidance, the Gramm-Leach-Bliley Act, and various state laws. This subject also includes regulatory provisions in foreign countries where companies may do business.
(4) Special issues raised by government network offense and defense
U.S. government actors must deal with many special cybersecurity issues. When a government network provider is attacked, for example, monitoring may implicate the Fourth Amendment. The rules for offensive network attacks are very different for governments, as the government is generally exempt from the CFAA but must comply sources of law such as the Fourth Amendment and the law of armed conflict. The security of federal government networks also implicates special issues such as the application of the Privacy Act for maintaining personal records and the Espionage Act in the case of national security leaks.
I’m sure others would offer different lists, as defining a field is always a matter of perspective. But that’s a rough overview of the subjects that I think of as encompassing “cybersecurity law.” Or at least that’s my first cut at the problem. If others have suggestions for improving the list, please send them on.