Cyber Law: Navigating an Uncertain New World
The internet has transformed the way we live, work, and interact. In many respects, it has also opened up uncharted legal territory, with experts scrambling to sort out the implications. Businesses want to know who is liable if sensitive data is compromised in a breach. Individuals want to protect themselves from losses and damage incurred by events such as “doxxing” or identity theft. The list goes on.
We asked Dr. Curtis KS Levinson, a leading cyber policy expert, to identify some of the hot-button legal issues impacting the cyber arena. Dr. Levinson is the US Cyber Defense Advisor to NATO and also runs a private consultancy specializing in compliance, continuity/recovery, governance, and security issues.
While cyber law is a vast field, Levinson said, four areas are of particular interest currently: ransomware, identity theft, the Internet of Things, and the legal requirement (in many states) for businesses to have a valid Written Information Security Program on file.
Ransomware: In recent years, more and more individuals and businesses have fallen prey to cyber criminals who infiltrate computer systems, encrypt valuable assets, and threaten to destroy the data or render it permanently inaccessible unless money is paid to them. “I almost always recommend not paying the ransom,” Dr. Levinson says. “Otherwise, you’re just setting yourself up for it to have it happen all over again.” Those hit by such an attack, he notes, not only suffer the consequences of losing their data but must go through the often messy process of assigning valuation to what has been lost. If they have taken out cyber insurance, there may be questions as to what is covered.
Identity Theft: Malicious actors not only appropriate the identities of individual persons but in some cases are able to impersonate entire organizations. In both cases, Levinson says, questions may arise as to who is liable for actions performed in the name of that individual or organization. “It’s not like with credit card fraud, where you’re only liable for a set amount and the credit company picks up the rest,” he warns. “If your identity has been stolen, there may be no clear limitation on what you’re legally liable for, and for how much.”
Internet of Things (IoT): “We’re currently filling our homes and offices with IP-enabled gadgets, from coffeepots to security systems. All these devices and networks are potentially vulnerable to being breached or hacked,” Levinson says. “Your IP-enabled security system may be protecting your home or office, but who is protecting the security system?” If a system is breached and a home or business is attacked, questions arise concerning the legal recourse for victims and the liability that can be assigned to the manufacturer of the system or the vendor that sells it.
Written Information Security Program (WISP): More and more states are now requiring businesses and organizations to have a valid Written Information Security Program (WISP) on file – but many are unaware of the requirement or the steps needed for compliance, Levinson says.
If an incident occurs and a business does not have a valid WISP, any cyber insurance it has purchased may be of no avail. “There’s a lot of fine print involved in cyber insurance, and often that includes a clause stating that you must not only have a WISP in place and have tested it. Your organization can pay cyber insurance premiums every month and then not be able to collect when an attack happens.”
At Capitol Technology University, students earning a masters in cyber security will take IAE-671 Legal Aspects of Computer Security and Information Policy. This course provides an overview of the legal rights and liabilities associated with operation and use of computers and information, including the legal and regulatory compliance issues critical for chief information security officers.