Cybersecurity Law, Standards and Regulations, 2nd Edition
Ebook, 753 pages, 11 hours


About this ebook

ASIS Book of the Year Runner-Up. Selected by ASIS International, the world's largest community of security practitioners.

In today’s litigious business world, cyber-related matters could land you in court. As a computer security professional, you are protecting your data, but are you protecting your company? While you know industry standards and regulations, you may not be a legal expert. Fortunately, in a few hours of reading, rather than months of classroom study, Tari Schreider’s Cybersecurity Law, Standards and Regulations (2nd Edition) lets you integrate legal issues into your security program.

Tari Schreider, a board-certified information security practitioner with a criminal justice administration background, has written a much-needed book that bridges the gap between cybersecurity programs and cybersecurity law. He says, “My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective façade or false sense of security.”

In a friendly style, offering real-world business examples from his own experience supported by a wealth of court cases, Schreider covers the range of practical information you will need as you explore – and prepare to apply – cybersecurity law. His practical, easy-to-understand explanations help you to:

  • Understand your legal duty to act reasonably and responsibly to protect assets and information.
  • Identify which cybersecurity laws have the potential to impact your cybersecurity program.
  • Upgrade cybersecurity policies to comply with state, federal, and regulatory statutes.
  • Communicate effectively about cybersecurity law with corporate legal department and counsel.
  • Understand the implications of emerging legislation for your cybersecurity program.
  • Know how to avoid losing a cybersecurity court case on procedure – and develop strategies to handle a dispute out of court.
  • Develop an international view of cybersecurity and data privacy – and international legal frameworks.

Schreider takes you beyond security standards and regulatory controls to ensure that your current or future cybersecurity program complies with all laws and legal jurisdictions. Hundreds of citations and references allow you to dig deeper as you explore specific topics relevant to your organization or your studies. This book needs to be required reading before your next discussion with your corporate legal department.

This new edition responds to the rapid changes in the cybersecurity industry, threat landscape and providers. It addresses the increasing risk of zero-day attacks, growth of state-sponsored adversaries and consolidation of cybersecurity products and services in addition to the substantial updates of standards, source links and cybersecurity products.

Language: English
Release date: Feb 22, 2020
ISBN: 9781944480578
Author

Tari Schreider

Tari Schreider, C|CISO, CRISC, ITIL® Foundation, MCRP, SSCP is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. He was formerly Chief Security Architect at Hewlett-Packard Enterprise and National Practice Director for Security and Disaster Recovery at Sprint E|Solutions. Schreider is an instructor for EC-Council, where he teaches advanced CISO certification and risk management courses. Schreider has designed and implemented complex cybersecurity programs, including a red team penetration testing program for one of the world’s largest oil and gas companies, a NERC CIP compliance program for one of Canada’s largest electric utility companies, an integrated security control management program for one of the largest 911 systems in the US, and a cybersecurity service architecture for one of the largest retailers in the US. He has advised organizations worldwide, including in Brazil, China, India and South Africa, on how to improve their cybersecurity programs. Schreider implemented a virtual Security Operations Center network with vSOCs located in the US, Brazil, Italy, Japan, and Sweden. He was also responsible for creating the first Information Sharing and Analysis Center in collaboration with the Information Technology Association of America (IT-ISCA). His earliest disaster recovery experiences included assisting companies affected during the 1992 Los Angeles riots and the 1993 World Trade Center bombing. His most unique experience came during the Gulf War, helping a New York financial institution recover after becoming separated from its data center in Kuwait. Schreider has appeared on ABC News, CNN, CNBC, and NPR, and has had numerous articles printed in security and business magazines, including Business Week, New York Times, SC Magazine, The Wall Street Journal and many others. He is the author of The Manager’s Guide to Cybersecurity Law (Rothstein Publishing, 2017) and is a co-author of the US patent Method for Analyzing Risk.

    Book preview

    Cybersecurity Law, Standards and Regulations, 2nd Edition - Tari Schreider

    Introduction to the 2nd Edition

    Think about building your organization’s cybersecurity law program much like taking a trip to the law library. Would you know which law books you would most need? Generally, security professionals don’t. Further imagine the librarian walking you through the aisles of mahogany bookcases of case law and legal precedents pointing out exactly which books to check out. Then imagine having a virtual paralegal to conduct research on the legal subject pertinent to your cybersecurity program. I think you would agree that would be ideal. Well, that is the experience this book is designed to provide you.

    Although I am not an attorney, I have spent nearly forty years researching, studying and applying legal and regulatory statutes to security programs. It is these lessons learned and curation of the most applicable legal information that I am passing on to you in order to make your job as a security manager just a little bit easier. One cannot create an effective cybersecurity program without aligning to cybersecurity laws, standards and regulations.

    The information in this book has been organized in order of importance to security managers and practitioners. The book by design doesn’t republish laws, regulations and standards in their entirety; I did not want to load the book up with information that is easily acquired elsewhere. I have provided many hyperlinks (digital version) and URLs (print version) to guide you to the authoritative sources of the statutes covered within the book. I wanted this book to be as concise as possible, yet jam-packed with information you can use now and often going forward.

    I have integrated a Did You Know series of callout boxes that highlight interesting and relevant legal cases, precedents or events that bring to life the information discussed in order to show you that what I am presenting has actually happened. To help you retain the information within this book and hone your cyberlaw skills, each chapter has ten self-study questions. You should use this book as your virtual cybersecurity law reference library and on-call cyberlaw paralegal.

    The following is an overview of each chapter:

    Chapter 1: Introduction to Cybersecurity Law - To establish a foundation in cybersecurity law, this chapter walks you through just enough legal foundation to provide you with insight into the basics of cyber law, how cybersecurity statutes have evolved, and how cybercrimes are enforced and prosecuted. This information won’t allow you to pass the bar exam, but it will allow you to have substantive conversations with your organization’s legal counsel and to understand the difference between criminal and civil offenses as well as how cybercriminals are prosecuted. Equally important, this information will help you to understand the cybersecurity laws and regulations that you will undoubtedly encounter without having to run down the hall and ask your in-house legal counsel how they apply to cybersecurity within your organization.

    Chapter 2: Overview of US Cybersecurity Law - Armed with a solid understanding of legal basics, you can begin reading about US cybersecurity law. This chapter introduces you to computer crime laws in the private and public sector, how crimes are litigated, and walks you through data breach lawsuits and how they get started. Essential doctrines such as duty of care, failure to act, reasonable person, and common law are also covered. You will learn about the rules of criminal and civil procedure used in cybercrime and data breach cases. The chapter presents an overview of US Federal computer crime statutes and state computer crime laws.

    Chapter 3: Cyber Privacy and Data Protection Law - The origin of many cybersecurity lawsuits is the loss of a person’s or persons’ personal information. This chapter dives deep into all the types of laws that govern the protection of personally identifiable information. I begin with a discussion of the common law of privacy to establish a baseline of understanding. I then walk you through children’s, healthcare, Federal, state and international privacy statutes. Data breach litigation is broadly covered with insight into injury vs. no-injury cases and shareholder lawsuits. I also look at emerging legal privacy issues relating to digital wiretaps, digital assistants, and social media and potential impacts to the Fourth Amendment.

    Chapter 4: Cryptology and Digital Forensics Law - Here I cover two of the more complex aspects of cybersecurity law: cryptography and digital forensics. I delve into cryptography as it is the premier method of securing data from intentional or accidental disclosure. It is important to understand how the law views data encryption and its relationship to the fifth amendment. Digital forensics is integral to prosecuting cybercrime cases as all evidence is gathered digitally and must follow the rules of civil and criminal procedure. You will also learn about cryptology and forensics legislation.

    Chapter 5: Acts, Standards and Regulations - Throughout the book I introduce you to many different statutes as they align to the topics presented within their respective chapters. In this chapter, I cover over 20 national and international statutes that apply to various industries. I introduce you to some cybersecurity acts and regulations that are not as widely known. The Center for Internet Security (CIS), International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) and other leading cybersecurity standards are covered in some detail as they’re used to comply with the acts and regulations shown throughout the book as well as within this chapter.

    Chapter 6: Cybersecurity Law Program - Now that you have read the previous chapters and have gained a working understanding of cyberlaw, it’s time to build your cyberlaw program. In this chapter I provide you with a cybersecurity law program model and a supporting set of development templates. I also show you how you can hedge your cybersecurity program results through the adoption of a cyber insurance policy.

    Chapter 7: Future Developments in Cybersecurity Law - Laws evolve over time, and in the world of cybersecurity emerging technology is a key driver in the evolution of cybersecurity legislation. In this chapter I discuss the legal implications of big data, cloud computing, the Internet of Things, and security testing. This chapter also provides a forum for me to discuss cybersecurity law in, of all places, outer space and the sea. Treaties, international legal frameworks, and trade pacts are covered here.

    Appendix A: As if the chapters didn’t provide you with enough information, I provide you with a rich appendix of useful sources of tools, resources and checklists.

    This book makes extensive use of hyperlinks to aid the reader in finding supportive external information. Links have been verified up to the publication date; however, some links may be changed at their source or restricted by certain browsers. In the event of a broken link, you can either paste the URL in a browser or search on the associated link name.

    Chapter 1

    Introduction to Cybersecurity Law

    A sense of excitement and anxiety simultaneously rushes over you upon receiving an invitation to present your cybersecurity program to senior executives of your company. At last, you have achieved recognition for creating a cybersecurity program that meticulously follows industry standards! Your program has passed several independent assessments and even garnered approving nods from internal audit. Filled with confidence and thinking your life as a leader and manager in cybersecurity couldn’t be better, you embark enthusiastically on your carefully prepared presentation. Then, shortly after your opening remarks, your organization’s chief legal counsel chimes in, “Have you ensured our cybersecurity program complies with and supports all the legal statutes we must adhere to?” The room goes silent and all eyes are on you: your answer to this question will get the immediate attention of the senior leadership of your company - and imprint the question of your subject-matter competency on their minds. As the champion of your organization’s cybersecurity program, your challenge is to answer this question skillfully to earn the confidence and respect of those with the authority to support and fund your cybersecurity initiatives. This chapter provides you with the foundation to answer this and many more questions on the legal aspects of cybersecurity.

    This chapter will help you to:

    Communicate effectively with your company’s legal counsel by having a working knowledge of how the US legal system applies to cybersecurity.

    Seek out and implement ways to improve your company’s cybersecurity program to avoid post-cyberattack lawsuits.

    Upgrade your cybersecurity policies to comply with state, federal, and regulatory statutes.

    1.1 Infamous Cybercrimes

    Cybercrime using a computer first became a thing in 1973 when a 41-year-old Chief Teller at Union Dime Savings Bank in New York, NY was arrested and charged with stealing $2.5 million from the bank’s deposits, using the bank's computer to shuffle hundreds of individual accounts and then feeding fraudulent and inaccurate information into the computer so that those accounts always appeared up to date (Fosburgh, 1973). I remember from a control seminar years ago that this case was cited as the reason banking regulators instituted the two-week vacation rule, requiring senior managers or those in sensitive positions to take vacations in order to allow others to potentially uncover fraud.

    You may have seen many headlines, articles, or lists showcasing computer hacking and other cybercrime events; however, few focus on the cybercriminals who have been charged, prosecuted, and convicted for their cyber offenses. Before we begin our cybersecurity law journey, I think it only appropriate to offer a brief historical perspective of what happened when the crime was over and the offenders were punished.

    Significant cybercrime court cases of the past ten years include:

    Did You Know?

    Prior to the 27-year sentence of Roman Seleznev, the longest sentence for a US computer crime was 20 years handed down to the TJ Maxx hacker Albert Gonzalez in 2010.

    Is your company willing to assist in the prosecution of a computer hacker who stole sensitive information?

    Source: https://www.justice.gov/opa/pr/leader-hacking-ring-sentenced-massive-identity-thefts-payment-processor-and-us-retail

    September 24, 2010 - The first Voice over Internet Protocol (VoIP) hacker was sentenced to 120 months in prison for selling VoIP services for a profit. Edwin Andres was extradited after transmitting over 10 million minutes of unauthorized phone calls over the victims’ networks (FBI, 2010).

    July 22, 2011 - Rogelio Hacket was sentenced to ten years in prison and fined $100,000 for trafficking in stolen credit cards and aggravated identity theft leading to $36 million in fraudulent transactions (US Department of Justice, 2011).

    October 18, 2012 - Top executives of Kolon Industries were indicted for stealing DuPont’s Kevlar trade secrets. Having used computers to copy intellectual property and then to destroy the data, Kolon pleaded guilty and paid $360 million in restitution. Several executives were sentenced to prison terms (E.I. DuPont de Nemours, 2011).

    July 26, 2013 - Five Russian and Ukrainian hackers were charged in a $300 million crime arising from the theft and use of 160 million credit card numbers from Carrefour SA, JCPenney, JetBlue Airways, Visa, and others (Williams, 2015).

    August 27, 2014 - The former acting director of cybersecurity at the US Department of Health and Human Services (HHS) was convicted on child pornography charges. Ultimately he was sentenced to 25 years (Robinson, 2014).

    December 17, 2015 - Six defendants from China, Germany, Singapore, and the US pled guilty to a $100 million software piracy scheme. Over a period of six years, 170,000 stolen Microsoft and Adobe activation keys were sold illegally (US Department of Justice, 2015).

    September 1, 2016 - A Romanian hacker known as Guccifer received a 52-month prison sentence for 100 counts of unauthorized access to a protected computer and aggravated identity theft (US Department of Justice, 2016).

    April 21, 2017 - The son of a Russian lawmaker, Roman Seleznev, was sentenced to 27 years in prison for computer hacking crimes that caused at least $169 million in damage to 4,200 small businesses and financial institutions around the world (Perlroth, 2017).

    February 27, 2018 - Taylor Huddleson of Hot Springs, AR was sentenced to 33 months, plus two years of supervised release, not for hacking, but for selling a remote access trojan (RAT) hacker tool called NanoCore to hackers for $25 (US Department of Justice, 2018).

    June 10, 2019 - Daniel Kelly, a South Wales, United Kingdom (UK) hacker with Asperger’s syndrome and depression, was sentenced to four years’ detention after a cyberattack on the UK telecommunications company TalkTalk. Kelly used stolen information to blackmail, bully and intimidate victims (UK News, 2019).

    Crime doesn’t always pay, as these high-profile cases prove.

    TIP: Use the examples above to compare with your security technologies and practices currently in place, and ask yourself if your methods would have detected trade secret theft, hacker intrusions, a senior executive violating a security policy, use of pirated software, or employee identity theft.

    1.2 Cybercrime Taxonomy

    To provide you with a sense of the types of cybercrimes that bad actors could commit, Table 1-1 presents a taxonomy of cybercrimes divided between crimes that are primarily people-oriented vs. those requiring technology.

    Table 1-1. Cybercrime Taxonomy

    1.3 Civil vs. Criminal Cybersecurity Offenses

    As the manager of cybersecurity, you may need to deal with both civil and criminal cases.

    Criminal cases will result from either an insider committing a cyber offense or an external party hacking into your computer systems.

    Civil cases will arise from your organization suing a company, or they sue you for some harm caused by a cyberattack.

    For both instances, your cybersecurity program will need to address each scenario. You must also be ready to be either the plaintiff or the defendant.

    Did You Know?

    In August of 2019, Capital One named hosting service GitHub in a class action lawsuit claiming they should have noticed and removed customers’ personal data during the three months they hosted the data.

    Do you have agreements with hosting companies to verify you do not host personal data?

    Source: https://www.globaldatasentinel.com/the-latest/data-security-news/github-named-in-capital-one-hack-lawsuit/

    In a civil case, as the plaintiff, you would be claiming that some entity has failed to fulfill a legal duty. For example, you would be the plaintiff if your company is bringing suit against a cloud service provider that exposed your customers’ data due to an incorrectly configured firewall.

    As a defendant, an entity would be accusing your organization of the same. In criminal cases, the government or a private entity will bring the case against you (the defendant), and your role will be to gather evidence to disprove the alleged offense. For example, you will be the defendant if a class action lawsuit is brought against your company following a hacking incident where customer data was stolen.

    By now, you should be contemplating how to ensure your cybersecurity program supports these legal scenarios. The determination of whether it is a civil or criminal matter begins with the establishment of the crime.

    1.3.1 Clarifying the Definition of Cybercrime

    No universal definition of cybercrime exists; however, a general consensus exists that cybercrime falls into two categories. The first category is current crimes that are now committed using computers and networks. The second includes crimes that have specifically evolved in the computer age and use sophisticated methods to commit crime. Definitions of cybercrime have fundamental similarities in a broad sense; however, a diverse array of opinions nonetheless exist.

    Not surprisingly, many courts also have varying interpretations of cybercrime, including how to even spell the term, which is variously written as cyber crime, cyber-crime, or cybercrime.

    Contributing to the disparity of definitions is the changing landscape of technology. Cloud computing, software-defined infrastructure, big data, mobile computing and outsourcing have all but obliterated many definitions of cybercrime. A clear and concise definition of cybercrime establishes the proper foundation for developing policies and practices to detect, prevent, and mitigate offenses. I will discuss more about policy creation in Chapter 6.

    An understandable definition of cybercrime bridges the gap between the law and your cybersecurity program and brings clarity to the portions of your cybersecurity program that address criminal offenses.

    1.3.2 Challenging Your Current Definition of Cybercrime

    Did You Know?

    In 2016, 300 USB devices were strewn around the campus of the University of Illinois at Urbana-Champaign. Ninety-eight percent were picked up, with 45% plugged into computers and their files opened.

    Can your company stop a USB drop attack?

    Source: https://www.proofpoint.com/us/security-awareness/post/usb-attacks-how-do-you-counteract-curiosity

    Is the current description of the crimes clear and concise enough to create actionable policies and practices? Many definitions just state that computer crime is the commission of a crime through the malicious direct or initial use of computer equipment and networks. I argued just such a point with a client once and even performed a USB drop attack simulation to prove the point. The exercise consisted of Universal Serial Bus (USB) sticks strewn across their parking lot, with the hope that a few unsuspecting employees would pick them up and attempt to read the data.

    Approximately a dozen employees were detected by the client’s endpoint security software plugging the USB sticks into their computers. The exercise showed that no crime had been committed according to their definition as neither a computer nor a network was used to directly commit the offense. Their legal department agreed and subsequently made modifications to their definition of cybercrime. How do you feel your employees would do with a similar test?

    1.3.3 Creating a Strong Cybercrime Definition

    Depending on geographical location and jurisdiction, cybercrime definitions vary. You will want your cybercrime definition to hold true regardless of the rapidity of legislative and technological change, as well as to adhere to multiple legal jurisdictions. Consider peer-testing your cybercrime definition against one that I have developed over my career of working with numerous companies. This definition has evolved from dozens of legal department reviews:

    Cybercrime is a criminal act in which computer-based equipment, automated services, or a communications mechanism is either the object or the means of perpetrating legally or regulatorily restricted or prohibited offenses.

    Such a definition has a number of advantages:

    Including the word offenses in the definition rather than citing specific examples such as theft or fraud makes the definition timeless.

    The use of words such as equipment, service, and communications frees the definition from being dependent on specific technologies.

    You will not need to cite specific examples such as cybertheft or computer fraud in your definition, as those examples will always be a crime regardless of a cyber component.

    To ensure that your cybersecurity program defines cybercrime adequately in an actionable sense, be sure to validate the definition with your company lawyers.

    1.3.4 Cybercrime Categories in the Incident Response Plan

    Once you have a vetted and approved cybercrime definition, don’t forget about identifying the likely types of cybercrimes to which your organization is exposed. Naming cybercrimes within the definition will burden the description unduly by limiting its applicability and usefulness, which is why it is important to identify them separately. The proper place to address the identified cybercrimes is in your company’s incident response plan, a set of instructions or tasks specifying the actions necessary to respond to a specific security emergency. Emergencies could include virus outbreaks, loss or theft of an employee-assigned laptop containing sensitive information, or a ransomware attack. Using a risk assessment as your guide, focus on the cybercrimes with the highest possible likelihood of occurrence which have a correspondingly high potential of impact.

    To aid in the identification of cybercrimes, you will find it helpful to examine the four primary categories:

    Personal Cybercrimes. These types of crimes target people and consist of cyberbullying, cyberstalking, identity theft, identity impersonation, fraud scams, blackmail, data theft, ransomware attacks, etc.

    Institutional Cybercrimes. These types of crimes target companies or governments and consist of denial of service attacks, cybervigilantism, cyber terrorism, cyber-slander, hacktivism, website defacement, etc.

    Property Cybercrimes. These types of crimes target digital property and consist of data theft, computer sabotage, data destruction, etc.

    Inchoate Cybercrimes. Inchoate is a specific legal term that is used to describe crimes that have been started, but not completed. An example of this type of crime would be where a hacker has completed the initial steps of an attack on a network or computer (target). These steps could include scanning a target for potential vulnerabilities, verifying the vulnerabilities exist on the target, and installing malicious software to siphon away confidential data. In this example, all the hacker would need to do to complete the crime is activate the malicious software remotely.

    What makes this example an inchoate crime is that the last step of activating the malicious software is never completed. Despite the fact that such crimes are incomplete and no harm has yet occurred, they were nonetheless attempted, demonstrating that a substantial criminal effort was under way. Inchoate crimes also include cyber conspiracy, cybersolicitation, cyberstalking, and other types of attempted crimes.

    TIP: The tone and scope of a cybersecurity program start with a proper cybercrime definition. The definition will shape the construction of information and asset protection policies and practices. Address specific high-risk cybercrimes within your incident response plan.

    1.4 Understanding the Four Basic Elements of Criminal Law

    It would be nearly impossible to build connections to the law in your cybersecurity plan without at least knowing the fundamentals of criminal law. If you know how the legal system determines guilt or innocence, you can better create a cybersecurity program with appropriate enforcement mechanisms.

    One of the biggest disconnects in cybersecurity programs and the law is in the area of security policies. You will need to ask yourself if the security policies of your company hold employees to a higher standard than the law or if you would terminate an employee violating a policy without criminal intent. Policies will be discussed more in Chapter 6.

    The four elements of criminal law with which you should be familiar are mens rea, actus reus, concurrence, and causation. It is advisable for you to use these four elements of criminal law as your security policy enforcement standard to avoid legally contested terminations resulting from a security policy violation.

    1.4.1 Mens Rea

    The first element of criminal prosecution is proving mens rea or a guilty state of mind of the offender. However, as cybercriminals operate remotely and generally without witnesses, it is nearly impossible to prove their intent or state of mind during the commission of their hacking into a computer system or network. You may also think of this as the evil intent of the offender.

    1.4.2 Actus Reus

    Actus reus is the second and the most critical element of pursuing a case against an unknown subject (unsub) or perpetrator. Simply put, actus reus is the criminality of the offense itself, where law enforcement collects the evidence and witness testimony necessary to prove beyond a reasonable doubt that one or more individuals committed the crime. Unfortunately, existing laws make it all but impossible for prosecutors to establish actus reus, due in part to the ease with which criminals can cover their digital tracks or evidence. Uncovering evidence requires highly experienced forensic investigators. See Chapter 4 for more detail on digital forensics.

    1.4.3 Concurrence

    The third element of a crime is concurrence. As if mens rea and actus reus were not difficult enough to determine individually, prosecutors also need to show they occurred at the same time - the element of concurrence. Offenders cannot be found guilty without a direct connection between the mens rea and actus reus elements of a crime, or in other words they had the intent to violate a law as well as cause harm. Early computer criminals were often found not guilty because prosecutors could not prove both their evil intent and evil acts.

    1.4.4 Causation

    Causation is the fourth element of an offense and one of the most difficult to prove. Here, prosecutors must prove the criminal activity and the outcome or detrimental effects of that activity. Causation is essentially actus reus in association with harm. The difference between the elements of concurrence and causation may seem subtle, but it is significant. Concurrence just means that two things must happen at the same time. Causation is the conduct of the perpetrator and the result of his or her act. You may think of this as the harm caused to people or property as a result of a criminal activity.

    Figure 1-1 is a summary of the four essential elements of criminal law.

    Figure 1-1. Four Basic Elements of Cybercrime Model. (By Tari Schreider, licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License)

    1.5 Branches of Law

    You will encounter three basic types of law in cybersecurity: public, private, and regulatory.

    Public cyberlaw governs the relationship between cybercriminals and the government. Public law is part of the criminal legal system, allowing the government to bring an action against those who violate cybersecurity and privacy laws.

    Private cybersecurity law applies to companies with respect to their obligations and contracts. Private law, part of the civil legal system, allows companies to resolve common law disputes, also called tort law.

    Regulatory law, also known as administrative law, sets out the rules and regulations prescribed by various governmental agencies.

    1.6 Tort Law

    Up to this point, you have learned how cyberlaw relates to criminals, but how does cybersecurity law relate to your organization? Organizations can be held liable for a cyberattack. The last thing you would want to occur after surviving an attack is to face a lawsuit for causing and contributing to the cyberassault.

    A tort is a civil wrong that happens when a group or individual commits an act or omission that causes harm or loss. The primary purpose of tort law is to compensate or provide relief to injured parties for the damage caused by others. The courts also impose penalties and fines to the extent they serve as a deterrence against future acts. The burden of proof in these cases usually shifts from the injured party to the accused party to prove they did no wrong.

    Although there are a number of different types of torts, as the cybersecurity manager you need only be concerned with cyber and strict liability torts. In general, there are three types of torts:

    Intentional - Occurs when an intentional act results in damages to another.

    Negligence - Failure to follow the degree of care that a reasonable and prudent person would follow to avoid a foreseeable harm.

    Strict liability - Happens when a person does or omits to do something which is so beyond reasonable behavior standards that it is negligent on its face.

    1.6.1 Cyber Tort

    How would you handle the situation where the legal department informs you that several employees were named in either a cybertrespass or cyber harassment lawsuit? Knowing what to do begins with recognizing that cybersecurity tort is very real and is occurring with great regularity. Cybersecurity torts include intentional acts against persons or property. Cybersecurity torts are simply torts committed within cyberspace and fall into three general categories:

    Intentional Cybercrimes Against Persons. Committing acts of cyberbullying, cyber defamation, cyberstalking, and other attacks against people who are specifically targeted.

    Cybertrespass to Chattel. Chattel is nothing more than movable property, which in legal terms includes computers, networks, or related services. In this context, cybertrespass would be the act of preventing the owner from possessing or using the property as the owner intended. This crime can include offenses such as denial of service (DoS) attacks, SPAM, and spyware. Not all courts agree on the use of cybertrespass, due primarily to its overlap with unauthorized access laws.

    Cyber-Conversion. Stealing someone’s Internet domain name, committing session hijacking, using computer services without prior authorization, etc. Essentially, it is where someone obtains a cyber resource or service and converts it to their own use without authorization.

    You can detect most cyber tort offenses through the use of security technologies such as security incident and event monitoring (SIEM), intrusion detection systems (IDS), and data loss prevention (DLP) systems. Company collaboration systems and emails can be monitored for key words related to cyberbullying or harassment; email scanning software can block SPAM; and session encryption can be used for website communications to prevent someone from capturing a session cookie. I encourage you to think of threats outside of the conventional sense and think about them as crimes. Then think about what tools you could apply to detect and prevent these types of crimes.

    1.6.2 Strict Liability Tort

    Did You Know?

    In 2018, the Pennsylvania Supreme Court ruled that the University of Pittsburgh Medical Center (UPMC), the defendant, “realized or should have realized the likelihood that his actions could create a situation in which a third party might avail himself of an opportunity to commit a tort or crime.”

    Does your cybersecurity risk management program reasonably foresee cyberattacks?

    Source: http://cyber.pabar.org/index.php/2018/12/03/pennsylvania-supreme-court-holds-employers-have-duty-to-protect-employee-data-from-cyberattacks/

    Strict liability determines who is legally responsible for damages even if they were not at fault or negligent. Often used in product liability cases, strict liability is setting the standard for cybersecurity cases. Here, your company owes its customers a duty to protect their information, especially in light of the fact that cyberattacks are reasonably foreseeable given the preponderance of published attack evidence.

    A successful cyberattack against your company will undoubtedly expose it to regulatory and civil liabilities. Having a legal strategy in place pre-breach to handle strict liability tort claims is a critical component of any cybersecurity program. I will discuss creating a program in Chapter 6.

    You must also recognize that your cybersecurity program will be under a legal microscope. You will need to prove that your company used a risk-based approach, applying security controls commensurate with the threats to information and assets. Or in other words, you did what would be considered reasonable to detect and defend against an attack - often called the reasonable person test. But it doesn’t stop there; you will also need to prove that your actions during the attack did not cause or contribute to the harm caused.

    1.6.3 Tort Precedents

    Significant tort precedents relating to organizational liability exist that you and your legal department may find useful to examine:

    Lone Star Bank, et al. v. Heartland Payment Systems (5th Cir., September 2013).

    Patco Constr. Co. Inc. v. People’s United Bank (1st Cir., July 2012).

    Dittman v. UPMC (Pa. Nov. 21, 2018).

    In these cases, the court determined that the defendants (People’s Bank and Heartland) did not act in a commercially reasonable way. Commercially reasonable is an important term, as it is regularly used in cybersecurity services contracts. Vendors will often state in their contracts that they will use commercially reasonable means to secure the customer's data. In legal terms, this means conducted in good faith and in accordance with commonly accepted commercial practice. The court used this standard to determine whether People’s Bank or Heartland implemented reasonable security safeguards in light of the known threat and whether they followed generally accepted security practices. Both companies paid significant financial penalties and agreed to improve their data protection practices as part of their settlements.

    In Dittman v. UPMC, the Pennsylvania Supreme Court held that an employer has a legal duty to exercise reasonable care to safeguard
