Cybersecurity Law - Jeff Kosseff

Sommaire:

About the Author xvii

Foreword to the Fourth Edition (2026) xix

Foreword to the Third Edition (2023) xxi

Foreword to the Second Edition (2019) xxiii

Acknowledgment and Disclaimers xxvii

Introduction to First Edition xxix

1 Data Security Laws and Enforcement Actions 1

1.1 FTC Data Security 2

1.1.1 Overview of Section 5 of the FTC Act 2

1.1.2 Wyndham: Does the FTC Have Authority to Regulate Data Security Under Section 5 of the FTC Act? 6

1.1.3 LabMD: What Constitutes Unfair Data Security? 10

1.1.4 FTC June 2015 Guidance on Data Security, and 2017 Updates 13

1.1.5 FTC Data Security Expectations and the NIST Cybersecurity Framework 18

1.1.6 Lessons from FTC Cybersecurity Complaints 18

1.1.6.1 Failure to Secure Highly Sensitive Information 19

1.1.6.1.1 Use Industry- standard Encryption for Sensitive Data 20

1.1.6.1.2 Routine Audits and Penetration Testing Are Expected 20

1.1.6.1.3 Health- Related Data Requires Especially Strong Safeguards 21

1.1.6.1.4 Data Security Protection Extends to Paper Documents 23

1.1.6.1.5 Business- to- Business Providers Also Are Accountable to the FTC for Security of Sensitive Data 25

1.1.6.1.6 Companies Are Responsible for the Data Security Practices of Their Contractors 27

1.1.6.1.7 Make Sure that Every Employee Receives Regular Data Security Training for Processing Sensitive Data 28

1.1.6.1.8 Privacy Matters, Even in Data Security 28

1.1.6.1.9 Limit the Sensitive Information Provided to Third Parties 29

1.1.6.1.10 Children's Data Requires Special Protection 29

1.1.6.1.11 Promptly Notify Customers of Breaches of Sensitive Data 30

1.1.6.2 Failure to Secure Payment Card Information 31

1.1.6.2.1 Adhere to Security Claims about Payment Card Data 31

1.1.6.2.2 Always Encrypt Payment Card Data 32

1.1.6.2.3 Payment Card Data Should Be Encrypted Both in Storage and at Rest 32

1.1.6.2.4 In- store Purchases Pose Significant Cybersecurity Risks 33

1.1.6.2.5 Minimize Duration of Storage of Payment Card Data 35

1.1.6.2.6 Monitor Systems and Networks for Unauthorized Software 35

1.1.6.2.7 Apps Should Never Override Default App Store Security Settings 36

1.1.6.3 Failure to Adhere to Security Claims 36

1.1.6.3.1 Companies Must Address Commonly Known Security Vulnerabilities 37

1.1.6.3.2 Ensure That Security Controls Are Sufficient to Abide by Promises About Security and Privacy 38

1.1.6.3.3 Omissions about Key Security Flaws Also Can Be Misleading 40

1.1.6.3.4 Companies Must Abide by Promises for Security- related Consent Choices 41

1.1.6.3.5 Companies That Promise Security Must Ensure Adequate Authentication Procedures 42

1.1.6.3.6 Adhere to Promises About Encryption 43

1.1.6.3.7 Promises About Security Extend to Vendors' Practices 44

1.1.6.3.8 Companies Cannot Hide Vulnerable Software in Products 44

1.1.7 FTC and Software Patching 44

1.2 State Data Breach Notification Laws 45

1.2.1 When Consumer Notifications Are Required 46

1.2.1.1 Definition of Personal Information 47

1.2.1.2 Encrypted Data 48

1.2.1.3 Risk of Harm 48

1.2.1.4 Safe Harbors and Exceptions to Notice Requirement 49

1.2.2 Notice to Individuals 49

1.2.2.1 Timing of Notice 49

1.2.2.2 Form of Notice 50

1.2.2.3 Content of Notice 50

1.2.3 Notice to Regulators and Consumer Reporting Agencies 51

1.2.4 Penalties for Violating State Breach Notification Laws 51

1.3 State Data Security Laws 51

1.3.1 Oregon 53

1.3.2 Rhode Island 54

1.3.3 Nevada 55

...