INFORMATION SECURITY LAW
Prof. Andrea Matwyshyn
Welcome.
1. Overview:
This course describes the substantive law relevant to the field of information security or "infosec" law, commonly known to policymakers as "cybersecurity." It examines how courts, legislatures, and regulators confront the major legal issues that information security presents. Each week consists of three types of 'readings': one set introduces you to a key aspect of the history and culture of information security; the second set introduces technical and policy standards; the third consists of statutes and caselaw.
The early weeks in this class introduce you to the state of the law of information security and assist you in acquiring technical competence in the terms of art of the field. The later weeks in the course identify and frame current legal debates in Congress, state legislatures, regulatory agencies, and the business community on matters of information security.
2. Grading: 50% Final Project; 50% Participation.
Final Project:
- Select a transparency project related to this class (make me an offer or ask me for a suggestion) that will help consumers to be more informed about some aspect of infosec regulation, the infosec-related workings of an agency or some aspect of market dynamics related to this class. Think about aggregating existing streams of data in new and more useful ways and providing legal analysis related to the issues discussed in class. Here are some sample projects: https://www.andreamm.com/student-projects
OR
- Using information you have learned in this class as well as outside research, demonstrate your mastery of infosec regulation by authoring a white paper with detailed commentary explaining the legal issues raised by your project in a way understandable to non-experts. The paper should be extensively footnoted and contain a bibliography of sources. (approximately 5-10 pages)
- Due at exam time for this period, turned in by each student on Blackboard.
Participation:
- Preparation when volunteering or cold-called in class and in class 'workshop' exercises
- Participation in project presentations in class - 20 minutes per project on final day of class
- Leading class discussion on the day you are the discussion leader + Hot Topic presentation (choose a security topic from the last calendar week and tell the class about it - 5 minutes)
3. Reading Materials:
Mandatory:
- Movies listed on syllabus (part of your assigned reading - arrive prepared to discuss)
- Readings linked off this syllabus
Recommended:
- Brian Kernighan, Understanding the Digital World http://www.kernighan.org
- Steven Bellovin, Thinking Security: Stopping Next Year's Hackers, https://www.amazon.com/Thinking-Security-Addison-Wesley-Professional-Computing/dp/0134277546/ref=sr_1_1?ie=UTF8&qid=1480686609&sr=8-1&keywords=bellovin
4. Office Hours: After class for two hours and by appointment - please email to schedule: a.matwyshyn@neu.edu with InfoSec Law as your subject line.
5. Visitors: Visitors are welcome with prior consent of the instructor upon not less than 24 hours advance notice.
6. Technology policy:
- Blackboard will be used for various class communications. Please check daily.
- As an act of respect to fellow students, all gadgets must be on mute during class. Laptop usage is permitted only for pedagogical purposes. Participation points may be deducted in the sole discretion of the instructor for any class disruption.
* * *
Week 1: Introduction - Definitions; the relationship of information security/"cybersecurity" to privacy and national security
** LECTURE NOTES: https://digitalcommons.law.byu.edu/lawreview/vol2017/iss5/6/ and https://www.sup.org/books/extra/?id=16759&i=Introduction_pages&p=1 and https://papers.ssrn.com/sol3/papers.cfm?abstract_id=914783
History and Practice
Standards
- 2016 Executive Order on Cybersecurity https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/executive-order-commission-enhancing-national-cybersecurity
- 2017 Executive Order on Cybersecurity https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/
Statutes
- CFAA https://www.law.cornell.edu/uscode/text/18/1030 ; http://www.tiki-toki.com/timeline/entry/549077/CFAA-Timeline/
- DMCA Section 1201 - Report of Library of Congress, p. 71-74 https://www.copyright.gov/policy/1201/section-1201-full-report.pdf
- HIPAA Security Rule - https://www.hhs.gov/hipaa/for-professionals/security/index.html
- GLBA https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying
- COPPA https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance#step6
* * *
Week 2: Fiduciary duties, corporate governance, and intangible assets - Basics of corporate information security
** LECTURE NOTES: http://www.djcl.org/wp-content/uploads/2014/08/Imagining-the-Intagible.pdf and https://scholarship.law.umn.edu/cgi/viewcontent.cgi?article=1165&context=mjlst
History and practice
Standards
- ISO 29147 https://www.iso.org/standard/45170.html (free download)
- ISO 30111 https://www.iso.org/standard/53231.html (no free download - watch video linked below)
- https://www.youtube.com/watch?v=-L3DNZtK8lc (slides are linked below)
- https://www.rsaconference.com/writable/presentations/file_upload/asec-t18.pdf
- NIST Security Maturity Model https://csrc.nist.gov/Projects/Program-Review-for-Information-Security-Assistance/Security-Maturity-Levels
Cases
- http://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/05/14-10037.pdf
- https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/12/13-17102.pdf
* * *
Week 3: Corporate duties of disclosure - Vulnerabilities versus data breaches
**LECTURE NOTES: Cyber Harder
History and practice
Standards
Statutes and cases
- https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1
- https://targetbreachsettlement.com/Portals/0/Documents/Settlement%20Agreement.pdf
- https://www.rosenlegal.com/media/casestudy/851_Yahoo%20-%20Web%20Complaint.pdf
- https://www.dfs.ny.gov/about/ea/ea180627.pdf
* * *
Week 4: FTC (and CFPB) enforcement - Security and unfair and deceptive trade practices
**LECTURE NOTES: https://openscholarship.wustl.edu/law_lawreview/vol85/iss3/2/ ; https://southerncalifornialawreview.com/2013/09/01/privacy-the-hacker-way-article-by-andrea-m-matwyshyn/87_1/
History and practice
Standards
- https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf
- https://www.ftc.gov/system/files/documents/federal_register_notices/2013/01/2012-31341.pdf
Cases and enforcement actions
- https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_revised_complaint_0.pdf
- https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_revised_agreement.pdf
- https://www.ftc.gov/system/files/documents/cases/150824wyndhamopinion.pdf
- https://www.ftc.gov/system/files/documents/cases/141231snapchatcmpt.pdf
- https://www.ftc.gov/system/files/documents/cases/141231snapchatdo.pdf
- https://www.ftc.gov/system/files/documents/cases/160329oraclecmpt.pdf
- https://www.ftc.gov/system/files/documents/cases/160329oracledo.pdf
- https://www.ftc.gov/system/files/documents/cases/161214ashleymadisoncmplt1.pdf
- https://www.ftc.gov/system/files/documents/cases/161214ashleymadisonorder1.pdf
- https://www.ftc.gov/system/files/documents/cases/1523134_c4636_lenovo_united_states_complaint.pdf
- http://media.ca11.uscourts.gov/opinions/pub/files/201616270.pdf
* * *
Week 5: The FDA, security, and medical devices
**LECTURE NOTES: The Internet of Bodies (forthcoming 2019)
History and practice
Standards
Cases
* * *
Week 6: The FBI, security, and next generation criminal enforcement
**LECTURE NOTES: The Internet of Suspect Bodies (forthcoming 2020)
History and practice
- http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf
- https://www.theguardian.com/technology/2016/mar/28/apple-fbi-case-dropped-san-bernardino-iphone
- https://www.cleveland.com/metro/index.ssf/2018/05/ohio_prison_inmates_pirated_mo.html
- https://www.nytimes.com/2018/07/27/us/idaho-prison-hack-jpay-nyt.html
- https://www.businessinsider.com/washington-prisons-software-glitch-2015-12
- https://www.nytimes.com/2017/10/26/opinion/algorithm-compas-sentencing-bias.html
Standards
- https://www.nij.gov/topics/law-enforcement/strategies/predictive-policing/Pages/welcome.aspx
- https://www.rand.org/content/dam/rand/pubs/research_reports/RR200/RR233/RAND_RR233.sum.pdf
Cases
- https://www.brennancenter.org/sites/default/files/NYPD%20Palantir%20FOIL%20061416.pdf
- https://www.brennancenter.org/sites/default/files/opinion12222017.pdf
* * *
Week 7: The Limits of Free Speech and Protest - Hacktivism and security "whistleblowers"
** LECTURE NOTES: https://scholarlycommons.law.northwestern.edu/nulr/vol107/iss2/10/
History and practice
- https://www.rollingstone.com/culture/culture-news/anonymous-vs-steubenville-57875/
- https://motherboard.vice.com/en_us/article/bmmak5/is-ddos-the-new-civil-disobedience
Standards
Cases
- https://apps.washingtonpost.com/g/documents/world/us-vs-edward-j-snowden-criminal-complaint/496/
- https://www.nytimes.com/2018/06/26/us/reality-winner-nsa-leak-guilty-plea.html
* * *
Week 8: Nation state conduct - Hybrid warfare, vulnerability equities, and Infrastructure
**LECTURE NOTES: https://digitalcommons.law.byu.edu/lawreview/vol2017/iss5/6/
History and practice
Standards
- https://issuu.com/nato_ccd_coe/docs/tallinnmanual - Read Introduction; skim rest
- https://ccdcoe.org/sites/default/files/documents/CCDCOE_Tallinn_Manual_Onepager_web.pdf
- https://www.state.gov/s/cyberissues/releasesandremarks/272175.htm
Cases
* * *
Week 9: The SEC, financial infrastructure security, and market dynamics
**LECTURE NOTES: https://scholarship.law.berkeley.edu/bblj/vol3/iss1/4/ and https://scholarship.law.umn.edu/cgi/viewcontent.cgi?article=1165&context=mjlst
History and practice
Standards
Statutes and cases
- https://www.documentcloud.org/documents/4379880-Inbox-Cyrus-Farivar-Arstechnica-Com.html
- https://www.documentcloud.org/documents/4379892-D-N-J-1-09-Cr-00626-JBS-82-0.htm
* * *
Week 10: DOJ, reforming the CFAA, and innovation policy
** LECTURE NOTES: https://scholarship.law.nd.edu/ndlr/vol87/iss5/7/ and https://scholarship.law.umn.edu/mjlst/vol8/iss2/9/ and Broken
History and practice
- http://swartz-report.mit.edu/docs/report-to-the-president.pdf
- https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
- The Internet's Own Boy
Standards
Cases
- https://www.documentcloud.org/documents/217117-united-states-of-america-v-aaron-swartz
- https://www.justice.gov/opa/press-release/file/986606/download
- https://gizmodo.com/us-hits-wannacry-hero-with-more-malware-charges-1826626461
- https://www.justice.gov/ag/page/file/1076696/download p.123-126 and Appendix 2
* * *
Week 11: Hot Topics: Federalism, security, and voting Infrastructure
**LECTURE NOTES: https://link.springer.com/article/10.1007/s10551-009-0312-9 and Owning Our Vote (forthcoming 2019)
History and practice
- https://www.defcon.org/images/defcon-25/DEF%20CON%2025%20voting%20village%20report.pdf
- https://www.cyberscoop.com/election-cybersecurity-elections-systems-software-dominion-voting/
- https://www.cbsnews.com/news/ahead-of-elections-states-reject-federal-help-to-combat-hackers/
- https://www.bloomberg.com/news/articles/2018-08-10/advocates-say-paper-ballots-are-safest
Standards
- https://www.eac.gov/news/2017/06/07/06/07/2017-advisory-media/
- https://copyright.gov/1201/2015/fedreg-publicinspectionFR.pdf - p.48-51
Cases and decertifications
* * *
Week 12: Hot topics: Product liability, Security and AI
**LECTURE NOTES: https://www.ieee.org/about/industry/confluence/feedback.html and Artifice and Intelligence (forthcoming 2019)
History and practice
- https://www.youtube.com/watch?time_continue=20&v=n0kn4mDXY6I
- http://time.com/4947879/stanislav-petrov-russia-nuclear-war-obituary/
- https://www.nytimes.com/2017/05/01/us/politics/sent-to-prison-by-a-software-programs-secret-algorithms.html?mcubz=3&_r=0
- https://www.wired.com/2015/10/can-learn-epic-failure-google-flu-trends/
- Terminator 3
Standards
Statutes and cases
* * *
Week 13: Hot topics: Security, "smart contracts," cryptocurrency, and blockchain
**LECTURE NOTES: Crypto Co(i)n (forthcoming 2020)
History and practice
- https://www.zdnet.com/article/the-blockchain-explained-for-non-engineers/
- https://www.coindesk.com/blockchains-feared-51-attack-now-becoming-regular/
- https://www.technologyreview.com/s/608716/bitcoin-transactions-arent-as-anonymous-as-everyone-hoped/
- https://medium.com/@leo_pold_b/blockchain-governance-takeaways-from-nine-projects-8a80ad214d15
Standards
Cases and enforcement actions
* * *
Week 14 & 15: Security workshop and presentations