The Manager's Guide to Cybersecurity Law
eBook - ePub

The Manager's Guide to Cybersecurity Law

Essentials for Today's Business

  1. 164 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
About This Book

In today's litigious business world, cyber-related matters could land you in court. As a computer security professional, you are protecting your data, but are you protecting your company? While you know industry standards and regulations, you may not be a legal expert. Fortunately, in a few hours of reading, rather than months of classroom study, Tari Schreider's The Manager's Guide to Cybersecurity Law: Essentials for Today's Business, lets you integrate legal issues into your security program.

Tari Schreider, a board-certified information security practitioner with a criminal justice administration background, has written a much-needed book that bridges the gap between cybersecurity programs and cybersecurity law. He says, "My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective façade or false sense of security."

In a friendly style, offering real-world business examples from his own experience supported by a wealth of court cases, Schreider covers the range of practical information you will need as you explore – and prepare to apply – cybersecurity law. His practical, easy-to-understand explanations help you to:

  • Understand your legal duty to act reasonably and responsibly to protect assets and information.
  • Identify which cybersecurity laws have the potential to impact your cybersecurity program.
  • Upgrade cybersecurity policies to comply with state, federal, and regulatory statutes.
  • Communicate effectively about cybersecurity law with corporate legal department and counsel.
  • Understand the implications of emerging legislation for your cybersecurity program.
  • Know how to avoid losing a cybersecurity court case on procedure – and develop strategies to handle a dispute out of court.
  • Develop an international view of cybersecurity and data privacy – and international legal frameworks.

Schreider takes you beyond security standards and regulatory controls to ensure that your current or future cybersecurity program complies with all laws and legal jurisdictions. Hundreds of citations and references allow you to dig deeper as you explore specific topics relevant to your organization or your studies. This book needs to be required reading before your next discussion with your corporate legal department.

The Manager's Guide to Cybersecurity Law by Tari Schreider and Kristen Noakes-Fry is available in PDF and/or ePUB format, as well as other popular books in Business & Insurance.

Information

Year
2017
ISBN
9781944480301
Chapter 1
Introduction to Cybersecurity Law
A sense of excitement and anxiety rushes over you upon receiving an invitation to present your cybersecurity program to the senior executives of your company. At last, you have achieved recognition for creating a cybersecurity program that meticulously follows industry standards! Your proposal has passed several independent assessments and even garnered approving nods from internal audit. Filled with confidence and thinking your life as a leader and manager in cybersecurity couldn't be better, you embark enthusiastically on your carefully prepared presentation. Then, shortly after your opening remarks, your organization's chief legal counsel chimes in, "Have you ensured our cybersecurity program complies with and supports all the legal statutes we must adhere to?" Your answer to this question will get the immediate attention of the senior leadership of your company – and imprint the question of your subject-matter competency on their minds. As the champion of your organization's cybersecurity program, your challenge is to answer this question skillfully in order to earn the confidence and respect of those with the authority to support and fund your cybersecurity initiatives.
This chapter will help you to:
• Communicate effectively with your company's legal counsel by having a working knowledge of how the US legal system applies to cybersecurity.
• Seek out and implement ways to improve your company's cybersecurity program to avoid post-cyberattack lawsuits.
• Upgrade your cybersecurity policies to comply with state, federal, and regulatory statutes.
1.1 Infamous Cybercrimes
You may have seen many headlines, articles, or lists showcasing computer hacking and other cybercrime events; however, few focus on the cybercriminals who have been charged, prosecuted, and convicted for their cyber offenses. Before we begin our cybersecurity law journey, I think it only appropriate to offer some examples of what happened when the crime was over and the offenders were punished.
Significant cybercrime court cases of the past five years include:
• October 18, 2012 – Top executives of Kolon Industries indicted for stealing DuPont's Kevlar trade secrets. Having used computers to copy the intellectual property and then to destroy the data, Kolon pleaded guilty and paid $360 million in restitution. Several executives were sentenced to prison terms (E.I. DuPont de Nemours, 2011).
• July 26, 2013 – Five Russian and Ukrainian hackers charged in a $300 million scheme involving the theft and use of 160 million credit card numbers from Carrefour SA, JCPenney, JetBlue Airways, Visa, and others (Williams, 2015).
ā€¢ August 27, 2014 ā€“ Former acting director of cybersecurity at the US Department of Health and Human Services (HHS) convicted on child pornography charges. Ultimately he was sentenced to 25 years (Robinson, 2014).
• December 17, 2015 – Six defendants from China, Germany, Singapore, and the US pleaded guilty to a $100 million software piracy scheme. Over a period of six years, 170,000 stolen Microsoft and Adobe activation keys were sold illegally (US Department of Justice, 2015).
• September 1, 2016 – A Romanian hacker known as "Guccifer" received a 52-month prison sentence for 100 counts of unauthorized access to a protected computer and aggravated identity theft (US Department of Justice, 2016).
TIP: Compare the examples above with the security technologies and practices you currently have in place, and ask yourself whether your methods would have detected trade secret theft, hacker intrusions, a senior executive violating a security policy, use of pirated software, or employee identity theft.
1.2 Civil vs. Criminal Cybersecurity Offenses
As the manager of cybersecurity, you may need to deal with both civil and criminal cases.
• Criminal cases will result from either an insider committing a cyber offense or an external party hacking into your computer systems.
• Civil cases will arise from your organization suing a company, or from a company suing you, for some harm caused by a cyberattack.
Your cybersecurity program will need to address both scenarios. You must also be ready to be either the plaintiff or the defendant.
• In a civil case, as the plaintiff, you would be claiming that some entity has failed to fulfill a legal duty. For example, you would be the plaintiff if your company is bringing suit against a cloud service provider that exposed your customers' data due to an incorrectly configured firewall.
• As a defendant, an entity would be accusing your organization of the same. In criminal cases, the government or a private entity will bring the case against you (the defendant), and your role will be to gather evidence to disprove the alleged offense. For example, you will be the defendant if a class action lawsuit is brought against your company following a hacking incident in which customer data was stolen.
By now, you should be contemplating how to ensure your cybersecurity program supports these legal scenarios. The determination of whether it is a civil or criminal matter begins with the establishment of the crime.
1.2.1 Clarifying the Definition of Cybercrime
No universal definition of cybercrime exists; however, there is a general consensus that cybercrime falls into two categories. The first category is existing crimes that are now committed using computers and networks. The second includes crimes that have evolved specifically in the computer age and use sophisticated methods to commit the offense. Definitions of cybercrime share fundamental similarities in a broad sense; nonetheless, a diverse array of opinions exists.
• Not surprisingly, many courts also have varying interpretations of cybercrime, including how to spell the term: it is variously referred to as cyber crime, cyber-crime, or cybercrime.
• Contributing to the disparity of definitions is the changing landscape of technology. Cloud computing, software-defined infrastructure, and outsourcing have all but obliterated many definitions of cybercrime. A clear and concise definition of cybercrime establishes the proper foundation for developing policies and practices to detect, prevent, and mitigate offenses. I will discuss more about policy creation in Chapter 6.
An understandable definition of cybercrime bridges the gap between the law and your cybersecurity program and brings clarity to the portions of your cybersecurity program that address criminal offenses.
1.2.2 Challenging Your Current Definition of Cybercrime
Is the current description of the crimes clear and concise enough to create actionable policies and practices? Many definitions just state that computer crime is the commission of a crime through the use of equipment and networks. I argued just such a point with a client once and even performed a breach of security simulation to prove the point. The exercise consisted of USB sticks strewn across their parking lot, with the hope that a few unsuspecting employees would pick them up and attempt to read the data. Approximately a dozen employees were detected by the client's endpoint security software plugging the USB sticks into their computers. The exercise showed that no crime had been committed according to their definition, as neither a computer nor a network was used to commit the offense. Their legal department agreed and subsequently made modifications to their definition of cybercrime. How do you feel your employees would do with a similar test?
1.2.3 Creating a Strong Cybercrime Definition
Depending on geographical location and jurisdiction, cybercrime definitions vary. You will want your cybercrime definition to hold true regardless of the rapidity of legislative and technological change, and to adhere to multiple legal jurisdictions. Consider peer-testing your cybercrime definition against one that I have developed over my career of working with numerous companies. This definition has evolved from dozens of legal department reviews:
Cybercrime is a criminal act in which computerized equipment, automated service, or communications mechanism is either the object or the means of perpetrating legal or regulatory restricted or prohibited offenses.
Such a definition has a number of advantages:
• Including the word offenses in the definition rather than citing specific examples such as theft or fraud makes the definition timeless.
• The use of the words equipment, service, and communications frees the definition from being dependent on specific technologies.
• You will not need to cite specific examples such as cybertheft or computer fraud in your definition, as those examples will always be a crime regardless of a cyber component.
To ensure that your cybersecurity program defines cybercrime adequately in an actionable sense, be sure to validate the definition with your company lawyers.
1.2.4 Cybercrime Categories in the Incident Response Plan
Once you have a vetted and approved cybercrime definition, don't forget about identifying the likely types of cybercrimes to which your organization is exposed. Naming cybercrimes within the definition will burden the description unduly by limiting its applicability and usefulness, which is why it is important to identify them separately. The proper place to address the identified cybercrimes is in your company's incident response plan, a set of instructions or tasks specifying the actions necessary to respond to a specific security emergency. Emergencies could include virus outbreaks, loss or theft of an employee-assigned laptop containing sensitive information, or a ransomware attack. Using a risk assessment as your guide, focus on the cybercrimes with the highest likelihood of occurrence and a correspondingly high potential impact.
To aid in the identification of cybercrimes, you will find it helpful to examine the four primary categories:
1. Personal Cybercrimes. These types of crimes target people and consist of cyberbullying, cyberstalking, identity theft, identity impersonation, fraud scams, data theft, ransomware attacks, etc.
2. Institutional Cybercrimes. These types of crimes target companies or governments and consist of denial of service attacks, cybervigilantism, cyber terrorism, cyber-slander, hacktivism, website defacement, etc.
3. Property Cybercrimes. These types of crimes target digital property and consist of data theft, computer sabotage, data destruction, etc.
4. Inchoate Cybercrimes. Inchoate is a specific legal term that is used to describe crimes that have been started, but not completed. An example of this type of crime would be where a hacker has completed the initial steps of an attack on a network or computer (target). These steps could include scanning a target for potential vulnerabilities, verifying the vulnerabilities exist on the target, and installing malicious software to siphon away confidential data. In this example, all the hacker would need to do to complete the crime is activate the malicious software remotely. What would make this an inchoate crime is that the last step of activating the malicious software is never completed. Despite the fact that such crimes are incomplete and no harm has yet occurred, they were nonetheless attempted, demonstrating that a substantial criminal effort was under way. Inchoate crimes also include cyber conspiracy, cybersolicitation, cyberstalking, and other types of attempted crimes.
TIP: The tone and scope of a cybersecurity program start with a proper cybercrime definition. The definition will shape the construction of information and asset protection policies and practices. Address specific high-risk cybercrimes within your incident response plan.
1.3 Understanding the Four Basic Elements of Criminal Law
It would be nearly impossible to build connections to the law in your cybersecurity plan without at least knowing the fundamentals of criminal law. If you know how the legal system determines guilt or innocence, you ...

Table of contents

  1. Cover
  2. Title Page
  3. Copyright
  4. Dedication
  5. Table of Contents
  6. Foreword
  7. Preface
  8. Chapter 1: Introduction to Cybersecurity Law
  9. Chapter 2: Overview of US Cybersecurity Law
  10. Chapter 3: Cyber Privacy and Data Protection Law
  11. Chapter 4: Cryptography and Digital Forensics Law
  12. Chapter 5: Future Developments in Cybersecurity Law
  13. Chapter 6: Creating a Cybersecurity Law Program
  14. Appendix A: Useful Checklists and Information
  15. About the Author
  16. Credits
  17. More from Publisher