Kesan Jay P - Kesan and Hayess Cybersecurity and Privacy Law in a Nutshell (Nutshells)

West Academic Publishings Law School Advisory Board

Jesse H. Choper

Professor of Law and Dean Emeritus
University of California, Berkeley

Joshua Dressler

Distinguished University Professor Emeritus,
Frank R. Strong Chair in Law
Michael E. Moritz College of Law, The Ohio State University

Yale Kamisar

Professor of Law Emeritus, University of San Diego
Professor of Law Emeritus, University of Michigan

Mary Kay Kane

Professor of Law, Chancellor and Dean Emeritus
University of California, Hastings College of the Law

Larry D. Kramer

President, William and Flora Hewlett Foundation

Jonathan R. Macey

Professor of Law, Yale Law School

Arthur R. Miller

University Professor, New York University
Formerly Bruce Bromley Professor of Law, Harvard University

Grant S. Nelson

Professor of Law Emeritus, Pepperdine University
Professor of Law Emeritus, University of California, Los Angeles

A. Benjamin Spencer

Justice Thurgood Marshall Distinguished Professor of Law
University of Virginia School of Law

James J. White

Robert A. Sullivan Professor of Law Emeritus
University of Michigan

Cybersecurity and Privacy Law

In a nutshell

Jay P. Kesan

University of Illinois at Urbana-Champaign

Carol M. Hayes

University of Illinois at Urbana-Champaign

The publisher is not engaged in rendering legal or other professional advice, and this publication is not a substitute for the advice of an attorney. If you require legal or other expert advice, you should seek the services of a competent attorney or other professional.

Nutshell Series, In a Nutshell and the Nutshell Logo are trademarks registered in the U.S. Patent and Trademark Office.

2019 LEG, Inc. d/b/a West Academic

444 Cedar Street, Suite 700
St. Paul, MN 55101
1-877-888-1330

West, West Academic Publishing, and West Academic are trademarks of West Publishing Corporation, used under license.

Printed in the United States of America

ISBN: 978-1-63460-272-3

For Rosalyn

J.P.K.

Acknowledgments

The content of this nutshell is based in part on the authors research over the last decade. We express our gratitude to the National Research Council for their feedback concerning our active defense research. We also appreciate all of our opportunities for collaboration within the Critical Infrastructure Resilience Institute, a Center of Excellence of the Department of Homeland Security. We would also like to thank Katie Bethke and Kyle Dettro for their excellent research assistance.

Some of the content contained in this volume is adapted from works that the authors published in the Harvard Journal of Law and Technology, the Washington and Lee Law Review, the Indiana Law Journal, the Michigan State Law Review, the Arizona Law Review, the Minnesota Law Review, the Illinois Law Review, the Encyclopedia of Cloud Computing, and the International Encyclopedia of Digital Communication and Society. We are also thankful to the editors of these publications.

Outline

d. Technological Hacking Plus Human
Error 33

I. Executive Order 13,636, Presidential Policy Directive 21, and the Cybersecurity
Framework 144

Cybersecurity and
International Law 161

a. Examplethe European Convention
on Cybercrime 163

b. International Cyber Threats in
Action 172

c. Jus Ad Bellum: Uses of Force and
Armed Attacks 185

Privacy Theory and
Investigations 203

b. Electronic Communications Privacy
Act 213

Privacy Law and Data
Protection 227

a. Privacy Laws Applicable to
Government Records 228

b. Privacy Laws Targeting the Private
Sector 232

Table of Cases

References are to Pages

Alleruzzo v. SuperValu, Inc. (In re SuperValu, Inc., Customer Data Sec. Breach Litig.), 113

American Family Mut. Ins. Co. v. Rickman, 58

Auernheimer, United States v., 65

Beck v. McDonald, 110, 112

Bragg v. Linden Research, Inc., 254

Carpenter v. United States, 211

Carpenter, United States v., 219

Clapper v. Amnesty Intl, 111

Continental Group v. KW Property Management, 65

CoStar Realty Info., Inc. v. Field, 58

Couch v. United States, 208

Drew, United States v., 65

EF Cultural Travel v. Explorica, 58, 62

F.T.C. v. Wyndham Worldwide Corp., 6, 160

Fair Hous. Council of San Fernando Valley v. Roommates.com, LLC, 41

Flores-Figueroa v. United States, 119

Garelli Wong & Associates, Inc. v. Nichols, 56

Griswold v. Connecticut, 206

Horizon Healthcare Servs. Inc. Data Breach Litig., In re, 113

International Airport Centers v. Citrin, 56

J.S. v. Village Voice Media Holdings, LLC, 41

Jacobsen, United States v., 208

John, United States v., 61

Jones, United States v., 209

Katz v. United States, 207

LabMD, Inc., In re, 160

Lewert v. P.F. Changs China Bistro, Inc., 112

LVRC Holdings LLC v. Brekka, 63

Miller, United States v., 208

Modis, Inc. v. Bardelli, 65

Morris, United States v., 65

Moses Afonso Ryan LTD v. Sentinel Insurance Company, 33

NAACP v. State of Alabama, 207

National Cable and Telecommunications Association v. Brand X, 237

Network Associates, Inc., People v., 254

Nicaragua v. United States, 183

Nosal, United States v., 62, 64

Ontario, City of v. Quon, 209

Pacific Aerospace & Electronics v. Taylor, 58

Pulte Homes, Inc. v. Laborers Intern. Union of North America, 26

Remijas v. Neiman Marcus Group, LLC, 112

Riley v. California, 210

Rodriguez, United States v., 62

Rosenbach v. Six Flags Entertainment Corp., 264

Rosenbach v. Six Flags Entmt Corp., 267

Schmerber v. California, 235

Shaw v. Toshiba America Information Systems, 52

Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 56

Spokeo, Inc. v. Robins, 113

Trotter, United States v., 50

Valle, United States v., 63

Warshak, United States v., 220

WEC Carolina Energy Solutions LLC v. Miller, 63

Cybersecurity and Privacy Law

In a nutshell

Chapter 1

Introduction

Cybersecurity is a serious concern in the modern age. Our real lives and digital lives are often inextricably linked. Attorneys and their clients are significantly affected by the implications of cybersecurity events. Data security is also becoming an ethical issue for attorneys. To protect client information, attorneys increasingly have to take active steps to protect data, not just refrain from making disclosures.

Cybersecurity policy issues implicate both private and public international law in addition to domestic law. The cybersecurity climate has created an environment where general practitioners should be aware of the international implications of certain actions. The overlap of civilian and military information infrastructure means that civilians could be directly affected by cyberwar between sovereign nations. In this nutshell, we will provide an overview of many of the major legal issues relating to cybersecurity. We decided to briefly introduce major international cybersecurity issues first in this chapter in part because there is no easy line between domestic and international in cybersecurity. The Internet provides a forum that is at once the worlds largest conference room and the worlds largest battlefield.

Cybersecurity is not an area where attorneys can afford to remain uninformed. It affects governments, the military, big businesses, small businesses, and the law firms themselves. Regardless of an attorneys clients or practice areas, as long as the Internet still exists and people still use computers throughout their personal and professional lives, data security will be an underlying concern in virtually everything that the attorney does.