Jeff Kosseff. - Cybersecurity law /

Second Edition

Jeff Kosseff

This edition first published in 2020
2020 John Wiley & Sons, Inc.

Edition History
Wiley (1e, 2017)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

The right of Jeff Kosseff to be identified as the author of this work has been asserted in accordance with law.

Registered Office

John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA

Editorial Office

111 River Street, Hoboken, NJ 07030, USA

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Wiley also publishes its books in a variety of electronic formats and by printondemand. Some content that appears in standard print versions of this book may not be available in other formats.

Limit of Liability/Disclaimer of Warranty

While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials, or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Library of Congress CataloginginPublication Data:

Names: Kosseff, Jeff, 1978 author.
Title: Cybersecurity law / Jeff Kosseff.
Description: Second edition. | Hoboken : Wiley, 2020. | Includes index.
Identifiers: LCCN 2019024454 (print) | LCCN 2019024455 (ebook) | ISBN 9781119517207 (hardback) | ISBN 9781119517290 (adobe pdf) | ISBN 9781119517320 (epub)
Subjects: LCSH: Data protectionLaw and legislationUnited States. |
Computer securityLaw and legislationUnited States.
Classification: LCC KF1263.C65 K67 2020 (print) | LCC KF1263.C65 (ebook) | DDC 343.7309/99dc23
LC record available at https://lccn.loc.gov/2019024454
LC ebook record available at https://lccn.loc.gov/2019024455

Cover image: spainter_vfx/Shutterstock

Cover Design: Wiley

This book is dedicated to my two biggest supporters, my wife, Crystal Zeh, and my daughter, Julia Kosseff.

Jeff Kosseff is an Assistant Professor of Cybersecurity Law in the Cyber Science Department at United States Naval Academy in Annapolis, Maryland. He has practiced cybersecurity and privacy law, and clerked for Judge Milan D. Smith, Jr. of the U.S. Court of Appeals for the Ninth Circuit and for Judge Leonie M. Brinkema of the U.S. District Court for the Eastern District of Virginia. Mr. Kosseff is a graduate of Georgetown University Law Center and the University of Michigan. Before becoming a lawyer, he was a journalist for The Oregonian and was a finalist for the Pulitzer Prize for national reporting.

First and foremost, I'd like to thank my colleagues at the United States Naval Academy, and the hundreds of midshipmen whom I have taught in the Academy's cyber operations major. My daily discussions and debates with them have shaped how I think about the emerging field of cybersecurity law, and working with them every day is an inspiration.

Thanks to Wiley for seeing the need for a book that examines the many areas of the law that are related to the evolving world of cybersecurity.

I'd also like to thank the many people who have provided feedback, particularly as I have substantially revised the second edition of the book. They include Marc Blitz, Matt Bodman, Amit Elazari Bar On, Ashden Fein, Eric Goldman, Ido Kilovaty, Kurt Sanger, and Armin Tadayon. Special thanks to Brooke Graves for outstanding editing. Thanks to Liz Seif for excellent proofreading.

Any views expressed in this book are only my own, and do not represent the Naval Academy, Department of Navy, or Department of Defense. In this book, I present legal conclusions and facts as stated in judicial opinions and other court documents. By doing so, I am not necessarily endorsing those conclusions or factual claims.

This book is intended as a textbook and casebook for classes at the undergraduate, graduate, and law school levels, as well as a desk reference. However, due to the rapidly changing nature of cybersecurity law, this is not a substitute for legal advice or research on the current state of the law.

In the two years since the publication of the first edition of this book in early 2017, much has changed in the world of cybersecurity law. Legislators at the state, federal, and international levels enacted sweeping new laws to address cybersecurity. Courts issued significant new opinions in just about every area covered by the first edition. The U.S. government reorganized its civilian cybersecurity efforts amid unprecedented challenges.

I wrote the second edition to incorporate these new developments, and to make this book even more useful both in the classroom and in the workplace. Before I provide an overview of the changes to particular content, I'd like to highlight three significant additions to the book:

First, the book adds provides edited opinions that cover FTC data security authority, private data breach litigation, shareholder derivative data breach litigation, the Computer Fraud and Abuse Act, and the Fourth Amendment. By combining these edited cases with the narrative text, I hope that the book will be useful as both a traditional textbook and a casebook. The edited court opinions also will be useful to those using the book as a treatise, as it provides a more detailed look at some of the cases discussed in the main text.

Second, the new edition adds , which covers some aspects of the international law of cyberwarfare. As we have seen in the past few years, many cybersecurity threats have originated from state actors in other nations. This requires us to examine, under international law, what options a target country has to defend itself.

Third, Wiley offers a new, instructoronly website, which has suggested questions for class discussion, and model exam questions.