An Introduction to Cybersecurity Law

Understanding “the law” helps business people know when to call in their lawyers, how to interpret their legal advice and how to value their contributions. This article is intended to give business people an introduction to the laws related to cybersecurity.

Legal risk management involves understanding the laws and regulations that apply in all the jurisdictions in which the business operates. Understanding means the ability to assess the legal and enforcement risks that a business can incur. Assessment is a challenging task due to the large number of laws and regulations, varying laws and enforcement authority across multiple jurisdictions, and the complexities of private law and regulatory systems.

Laws are created by the legislative authority, interpreted by the judicial authority, and enforced by the executive authority. Laws can be in the form of primary legislation, such as an Act of Congress, or secondary legislation where law-making authority is delegated to other regulatory agencies because of their technical expertise.

Civil Law

Civil law governs private relationships between individuals. It deals with issues such as contracts, property rights, and torts (dealing with issues such as negligence). In contrast to criminal law, the focus of civil law is on compensation rather than punishment. Should a person breach a civil law that harms another person, the latter can sue. Civil law remedies include compensation, termination of a legal relationship, an injunction to stop harmful activities, or an order to take specific actions. In the context of cybersecurity, civil law deals with issues related to poor security practices in the development of information and communication technology products and services.

Criminal Law

Criminal law governs behavior considered unacceptable by society. It is enforced by the state to deter bad behaviour, limit the ability of a criminal to cause harm, seek retribution for crime committed, compensate the victim, and (at least in theory) rehabilitate the criminal. The terms “guilty” and “innocent” are reserved for verdicts in criminal cases. Punishments include imprisonment, fines, forfeiture of criminal proceeds, and restitution to the victim.

Proof and Evidence

The concept of “proof” in law refers to using permissible evidence to demonstrate the truth of events that are contested. Evidence can take various forms, such as witness testimony, business records, recordings, and photographs.

The standard of proof in law is the level of certainty required to demonstrate the truth of contested events. The standard varies depending on the type of legal matter, with criminal cases generally requiring a higher degree of certainty (beyond a reasonable doubt) compared to civil cases (balance of probabilities). The standard of proof must be met by the party carrying the burden of proof (generally the government in criminal matters or the person starting the legal proceedings in civil matters), who must use admissible evidence to prove their case to the finder of fact (e.g. judge, jury, or regulator).

Legal risk analysis often includes consideration of the rules and the relative ability of each party to prove their case and the cost of the legal action. Documentation is necessary to prove one’s case. Document retention policies are important to businesses. If a legal action is threatened, destruction of relevant evidence is illegal.

Jurisdiction

Jurisdiction refers to the authority of a state to assert legal power over entities operating within its literal and online territory. The principles of “conflict of laws” determine which law applies to resolve disputes that cross jurisdictional borders. The rise of online activities has led to an increase in cross-border legal responsibilities, making it important to consider jurisdiction and conflict of law principles.

There are three aspects of jurisdiction to consider: prescriptive jurisdiction, juridical jurisdiction, and enforcement jurisdiction. Prescriptive jurisdiction refers to the scope of a state’s authority to make laws and regulate activities. Juridical jurisdiction refers to a court’s authority to make decisions in a case. Enforcement jurisdiction refers to a state’s ability to enforce its laws, through arrest or seizure of property. These concepts apply to multi-state activities conducted online.

States can claim prescriptive jurisdiction over non-resident persons who solicit business from residents or over actions taken by their own nationals while outside its borders. There may be cases where more than one state claims jurisdiction over a single act.

States assert prescriptive and juridical jurisdiction over actions that harm their residents, whether these actions take place within or outside of the state’s territory. In the case of actions taking place outside of the state’s territory, courts may interpret domestic law in a way that asserts jurisdiction if the content is visible to persons within the state. Examples of laws enforced in this manner include copyright, defamation, and gambling. This practice of asserting jurisdiction is based on the state’s interest in protecting its residents and its domestic market.

States with computer crime laws often have jurisdiction over actions that target computers located within their territory, even if the person committing the action is located outside of the state. Cyberattackers who conduct offensive activity against computers located in another state are responsible if they violate the criminal law of that state, even if the activity is not illegal in the state where the cyberattacker is physically present.

The General Data Protection Regulation (GDPR) in the European Union (EU) brought a significant change to the territorial prescriptive jurisdiction of European data protection law. GDPR applies to the processing of personal data in the context of activities of a controller or processor (see the discussion of these terms and GDPR in the Data Protection section below) in the EU, regardless of where the processing takes place. GDPR asserts prescriptive jurisdiction over personal data processing activities anywhere in the world related to offering goods or services to or monitoring the behaviour of Europeans.

Police officers can arrest a person within their state’s territory. An extradition order is required in order to arrest a criminal outside the state. Extradition is governed by bilateral treaties and is only allowed if the crime is considered a crime in both states. The Budapest Convention, which mandates the inclusion of computer crimes in extradition procedures, serves as a legal basis for extradition between states without a bilateral treaty. Extradition requests for cybercrime suspects can sometimes be denied because there is no extradition treaty, the act was not criminal in both countries, or when there are concerns over treatment the accused will face.

States can order residents within their jurisdiction to produce data under their control, even if the data is stored outside the state’s territory. States can also request mutual legal assistance from other states, but the process is often slow. Alternatives to this process include gathering evidence directly under the Budapest Convention which imposes requirements on states to provide mutual legal assistance and preserve electronic evidence in the investigation of cybercrime.

Technological intervention, such as content filtering, can be used by states or individuals to enforce laws or reduce the risk of legal consequences. States can enforce filtering by ordering it directly or by issuing orders to in-state internet service providers (ISPs) to block the receipt of offending content. Out-of-state entities that host offending content can also initiate filtering to limit transfers to states where it may result in liability.

Data sovereignty refers to a state’s right to regulate and enforce jurisdiction over data stored within its territory. With the growth of cloud computing, the physical location of data storage has become less relevant, which has raised concerns about the number of states that might seek to enforce their jurisdiction over such data. Some states have responded to these concerns by mandating local storage and processing (localization) for certain types of data. The EU, for instance, has a localization requirement for personal data.

In rem jurisdiction (power over property) allows a state to assert control over property within its territory, and this has been applied to seize and forfeit servers and domain names involved in illegal activities.

Privacy

Privacy is the right for a person to be free from intrusion by others into their personal affairs, also known as the “right to be left alone.” In the context of cybersecurity, privacy law often arises in the context of electronic surveillance and related investigatory activity. This area of law is constantly evolving in response to new technologies and use cases enabled by cloud data processing services.

The right to privacy is widely recognized as a human right, but it is not absolute and is subject to limitations and exceptions. The application of privacy principles to data, such as electronic communications, has evolved over time and is currently internationally accepted. However, the interpretation and implementation of privacy rights varies among countries. Expectations of privacy can also vary between different societies and according to the nature of a person’s relationship with the intruding party. As people rely on third-party cloud services for more personal aspects of their lives, privacy concerns over the data processed through these systems will lead to new legislation.

Metadata, the data that describe other data, is often treated differently from content data in privacy laws. Private information is disclosed through modern metadata such as URLs and location data from personal mobile data communications.

There is no harmonization of legal standards and procedures for lawful interception of online data. Service providers, such as communication companies, are usually subject to local laws that require them to provide facilities and technical assistance for lawful interception (which attempts to maintain the privacy of the contents). As encryption becomes more widespread, states are facing difficulties accessing plaintext or unencrypted messages.

Providers of public communication services are usually restricted from intercepting communications that pass through their networks. Efforts to intercept communications on a third-party network are considered a crime under computer intrusion laws. Interception by a person on their own non-public network, such as on their LAN, may or may not be subject to computer crime legislation. In-house interception activities may be limited by privacy and data protection laws. Some privacy violations, such as unauthorized interceptions of communications or intrusion into data, can be prosecuted by the state as crimes.

Data Protection

There are laws that govern how personal data is collected, processed, and stored. The laws are based on privacy principles, but they also address issues relevant to modern data processing techniques. The focus is on protecting individual rights to personal data. Data protection laws provide remedies for individuals whose privacy rights have been violated, such as the ability to seek monetary compensation through a legal action. Some violations of privacy, such as unauthorized interception of communications, are defined as crimes.

EU General Data Protection Regulation (GDPR)

The EU data protection law is meant to protect the privacy rights of individuals who are potentially identifiable through their communications. GDPR requires organizations to consider data protection from inception, and to implement measures that minimize the risk of data breaches. Implementation includes both technical and organizational measures that are appropriate for the risk level involved in the processing activity.

The definition of “personal data” under EU data protection law is broad and includes any information related to an identified or identifiable natural person. The definition covers not only obvious personal identifiers but also other factors that can lead to the identification of an individual. The term “personally identifiable information” or PII is often used in the US and may have different interpretations in different contexts, but it is not the same as “personal data”.

EU data protection law has global impact through contract requirements imposed on non-EU data processors. It covers the processing of data – i.e. collection, recording, organization and storage. It also covers control of data, which means determining the purposes of the data and the methods by which it is processed.

There are principles for the lawful processing of personal data. They are: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. Practitioners must be aware of sensitive personal data (e.g., racial origin, political opinions, and health data) which triggers additional protections and regulatory scrutiny. Consent for processing personal data is sometimes required and must be informed, clear, specific, and given freely.

The definitions of “processing” and “controller” and “processor” under GDPR make clear the roles and responsibilities of the two entities with respect to data. Processing is defined as any action taken with respect to personal data, including collection, recording, organization, and storage. The controller is the entity that determines the purposes and means of processing personal data, while the processor is the entity that carries out the processing on behalf of the controller.

Under law, controllers and processors must implement appropriate technical and organizational measures to ensure an appropriate level of security for processing personal data. Compliance requires appropriate technical measures as well as administrative management and oversight. GDPR provides examples of appropriate security measures, which include encryption. Security certifications help but are not considered guarantees of compliance with the law.

The transfer of personal data outside of the European Economic Area (EEA) is generally prohibited under GDPR. However, transfers can be made if the receiving country or international governmental organization has been found by the European Commission to have adequate legal protections in place. The process of obtaining an adequacy decision is initiated by the receiving state and often takes years of technical evaluation and diplomatic negotiation.

Data Breach Notification

The EU was first to impose requirements mandating the notification of personal data breaches to data subjects (individuals). The US has also started imposing a general duty to notify affected persons of personal data breaches. A personal data breach is defined as an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. The processor must first promptly notify the controller of the breach, and the controller must then notify the relevant supervisory authority, all within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must communicate the circumstances of the breach to these individuals. Communication to data subjects might, in some jurisdictions, be avoided if the controller has implemented measures to limit the harm caused by the breach, such as encryption, because encryption reduces the potential harm that may come to data subjects.

GDPR carries significant legal risks for companies. This includes criminal prosecution, legal claims, enforcement notices, and large administrative fines. GDPR grants authority to impose fines of up to 4% of a company’s annual worldwide turnover. Companies must assess and manage this risk at senior leadership levels and comply with all GDPR requirements.

Crimes Against Information Systems

Cybercrime generally refers to three categories of criminal activity: financial fraud using cyberspace, distribution of criminal content and hate speech over the internet, and crimes against cyberspace infrastructure such as computer system intrusion.

Early computer crime laws mainly focused on unauthorized intrusion into computer systems or improper modification of their contents. However, these laws became inadequate when DoS and DDoS (Denial of Service, e.g. overwhelming a computer system’s processing power) attacks emerged. Currently, computer crime laws prohibit acts that cause a degradation in the performance of an information system, which includes Denial of Service.

Many legal systems prohibit the act of intercepting electronic communications without authorization, which is considered a violation of privacy. The penalties for this type of crime are often more severe if the communication is intercepted during its transmission on public networks. The production or distribution of tools with the intention of facilitating illegal activities against information systems is also considered a crime in many countries.

The penalties for committing a crime against information systems vary across countries and jurisdictions. Some people argue for longer sentences in cases where the acts cause significant damage to human welfare or national security.

Hacking Back

The absence of a specific legal basis for “hacking back” (retaliation by a company against their presumed cyberattacker) has made the practice controversial. Many warn against “hacking back” due to the potential for significant harm (including retaliating against the wrong party and/or inducing more attacks) and the risk of prosecution by the state. The deployment of any such countermeasures is likely to cause friction between states and may also pose risks to innocent third parties. As a result, the majority of states have rejected any notion of “self-help” in the context of cybersecurity, and instead maintain a preference for the use of state-led responses to cyberattacks, such as diplomatic and legal measures.

Contract Law

A “contract” is a legally binding agreement between two or more parties. To be considered a contract, the agreement must show evidence of enforceability, such as consideration (value provided to each party) and intention to create a legal relationship. The specific time at which a contract is formed in online transactions can vary based on different legal systems but usually occurs once an offer has been transmitted and accepted.

Warranties are promises in contracts regarding the quality or legal status of goods or services, or the adequacy of information provided by one party. State contract laws usually add implied minimum warranties concerning the quality of goods and services. These include objective quality of goods, subjective quality of goods, and objective quality of services. Objective quality of goods refers to the promise that the goods delivered will be satisfactory to a normal buyer, while subjective quality of goods refers to the promise that the goods will meet the specific purpose of the buyer, who must disclose this purpose in advance. Objective quality of services refers to the promise that the service provider will exercise due care in delivering the service. In the context of information and communications technology, it is common for vendors to attempt to exclude these implied warranties, but it is more difficult to exclude them in contracts with consumers.

Parties often use limitations and exclusions of liability to restrict financial responsibility for losses that may arise from the contracting relationship. An exclusion of liability seeks to avoid financial responsibility for certain types of financial loss, while a limitation of liability limits financial liability to a fixed sum or formula. These exclusions and limitations are common in contracts for information technology goods and services and are often seen as a risk-reduction tool. However, they are viewed with suspicion by most contract law systems and are legally not recommended when contracting with consumers.

Breach of Contract

In the event of a breach of contract, the non-breaching party has various remedies available, such as damages, rescission, specific performance, and contractually mandated remedies. The severity of the breach often determines the type of remedy available. Damages are the most common remedy and aim to restore the financial expectation of the non-breaching party (i.e. putting the non-breaching party in the position they would have been in without a breach). Rescission is a more extreme remedy, used when the breach is severe, which declares the contract at an end and excuses the non-breaching party from further performance. Specific performance is also an extreme remedy and is reserved for situations where the breaching party is able to take a simple action that satisfies the non-breaching party. Contractually mandated remedies, specified in the contract, can also be available but are often treated with suspicion by courts. Remedies are cumulative, meaning that a party can request multiple remedies for a single breach of contract.

Negligence

Negligence law (a part of “Tort” law) imposes a duty of care on a person to take reasonable steps to avoid causing harm to others. Negligence is a common basis of liability in many contexts, including cybersecurity, as individuals and organizations have a duty to take reasonable steps to protect against foreseeable harm. This duty includes taking steps to keep personal information secure and to prevent unauthorized access to confidential information. The victim must prove that the other party’s conduct caused them harm. This obligation means that the victim must demonstrate that the harm would not have occurred but for the other party’s conduct.

Product Liability

Product liability law is also relevant to cybersecurity. Product liability imposes liability on manufacturers and sellers for harm caused by products that are not reasonably safe. This liability can arise from defects in the design, manufacturing, or labeling of the product, or from a failure to provide adequate warnings or instructions. In the context of cybersecurity, this can include liability for harm caused by defective software or hardware products, or for harm caused by a failure to provide adequate security measures.

Vicarious Liability

Vicarious liability is a legal concept where an employer can be held responsible for the wrongful acts of their employees if those acts were committed within the scope of the employment relationship. Employers can avoid vicarious liability by insisting that employees act in lawful ways. This can be achieved through the development and enforcement of policies such as acceptable use policies, staff security standards, and employment policies.

Joint and Several Liability

Joint and several liability means that more than one party can be held responsible for causing harm to a single victim, and any of the responsible parties can be held liable for the full amount of damages awarded to the victim. This principle can become an issue when one of the defendants has limited financial resources or is located in a foreign jurisdiction where it is difficult to enforce a judgment. Companies should be mindful of this principle when working with partners or collaborators who may not have the financial resources to cover their share of a damages award in the event of a data protection violation.

Conclusion

The laws and regulations of each jurisdiction where a business operates will significantly affect business operations. The need to understand and comply with local data protection, privacy, and security laws is important for businesses operating online. All businesses need to be aware of the extra-territorial reach of certain laws and regulations.

Cybersecurity practitioners need to be aware of the risks not only to their employer, but, should they ever be tempted or instructed to break criminal law, also to their own personal reputation, safety and liberty. Practitioners may personally face consequences for their actions, regardless of whatever incentives may have been provided them by their employer.

Seeking the advice of experienced legal counsel will help to mitigate legal risk. This article provides information about legal principles and examples of laws and regulations. It is not legal advice. For legal advice, please consult a lawyer.


––

I would like to thank and acknowledge my good friend and superb lawyer, Robert Carolina, who wrote the excellent and detailed Law & Regulation chapter in The Cyber Security Body of Knowledge, which chapter is the principal source of this summary article. In case anything is unclear or inconsistent between this summary article and the detailed chapter of Mr. Carolina, Mr. Carolina’s chapter is the authoritative source. For further detail and clarification of this article, see Mr. Carolina’s chapter in The Cyber Security Body of Knowledge by The National Cyber Security Centre. [https://www.cybok.org/media/downloads/CyBOK_v1.1.0.pdf CyBOK Version 1.1.0 © Crown Copyright, The National Cyber Security Centre 2021, licensed under the Open Government Licence: https://www.nationalarchives.gov.uk/doc/open-government-licence/ ]

Brian C.

vCISO - Advanced Cyber

1 year

Clear and concise writeup! Application of jurisdiction is a very interesting question with the difference of the digital world. Consider that a law determines IF that packet or site content (Commerce) crosses a state line; it adds another higher level. Same as a bullet fired into the air which is both a City and County, (mainly) unless it crosses a county line, and/or then a State or National border. Apply that to cyber and you don't know which borders the packets cross, and where in that process other laws apply, and where the hostile hacker or criminal hacker or Nation State hackers are doing HIDDEN the same as a NATION flying a BALLOON with surveillance gear across National, State and County, City borders, where persons in VERY HIGH PLACES want to downplay the threat or breach of LAW, International, National, State, County and City that it "IS". Thus, the clear and concise write up, itself with minor error in that, for certain things where you can break the law unknowingly, the question of when to call their lawyers in will be calling in DEFENSE lawyers for a possible crime committed -Versus- Calling them in NOW to assess and evaluate and direct so no crime is committed for a needed defense. Best to know BEFORE.

Dawson Lightfoot, Reg US Patent Attorney, CISSP, CIPP/US

IP, Cybersecurity, and Privacy Law | Adjunct Professor of Law

1 year

Bob, nice writeup!
