INFORMATION SECURITY LAW

Prof. Andrea Matwyshyn

Welcome.

 

1.   Overview:   

This course describes the substantive law relevant to the field of information security or "infosec" law, commonly known to policymakers as "cybersecurity." It examines how courts, legislatures, and regulators confront the major legal issues that information security presents. Each week consists of three types of 'readings': one set introduces you to a key aspect of the history and culture of information security; the second set introduces technical and policy standards; the third consists of statutes and caselaw.

The early weeks in this class introduce you to the state of the law of information security and assist you in acquiring technical competence in the terms of art of the field. The later weeks in the course identify and frame current legal debates in Congress, state legislatures, regulatory agencies, and the business community on matters of information security.  

2. Grading   50% Final Project;  50% Participation.          

Final Project:     

-  Select a transparency project related to this class (make me an offer or ask me for a suggestion) that will help consumers to be more informed about some aspect of infosec regulation, the infosec-related workings of an agency or some aspect of market dynamics related to this class.   Think about aggregating existing streams of data in new and more useful ways and providing legal analysis  related to the issues discussed in class.  Here are some sample projects:  https://www.andreamm.com/student-projects

OR 

-  Using information you have learned in this class as well as outside research, demonstrate your mastery of infosec regulation by authoring a white paper with detailed commentary explaining the legal issues raised by your project in a way understandable to non-experts.  The paper should be extensively footnoted and contain a bibliography of sources.  (approximately 5-10 pages)

-  Due at exam time for this period, turned in by each student on Blackboard. 

Participation:

-  Preparation when volunteering or cold-called in class and in class 'workshop' exercises

-  Participation in project presentations in class - 20 minutes per project on final day of class

-  Leading class discussion on the day you are the discussion leader + Hot Topic presentation (choose a security topic from the last calendar week and tell the class about it - 5 minutes)

3.  Reading Materials:   

Mandatory:

- Movies listed on syllabus  (part of your assigned reading - arrive prepared to discuss)

- Readings linked off this syllabus

Recommended:

- Brian Kernighan, Understanding the Digital World http://www.kernighan.org 

- Steven Bellovin, Thinking Security: Stopping Next Year's Hackers, https://www.amazon.com/Thinking-Security-Addison-Wesley-Professional-Computing/dp/0134277546/ref=sr_1_1?ie=UTF8&qid=1480686609&sr=8-1&keywords=bellovin

4.  Office Hours:  After class for two hours and by appointment - please email to schedule: a.matwyshyn@neu.edu with InfoSec Law as your subject line.

5.  Visitors:    Visitors are welcome with prior consent of the instructor upon not less than 24 hours advance notice.

   

6.  Technology policy

-     Blackboard will be used for various class communications.   Please check daily.

-     As an act of respect to fellow students, all gadgets must be on mute during class.  Laptop usage is permitted only for pedagogical purposes.   Participation points may be deducted in the sole discretion of the instructor for any class disruption.

* * *  

  

Week 1: Introduction - Definitions; the relationship of  information security/"cybersecurity" to privacy and national security

** LECTURE NOTES: https://digitalcommons.law.byu.edu/lawreview/vol2017/iss5/6/ and https://www.sup.org/books/extra/?id=16759&i=Introduction_pages&p=1  and https://papers.ssrn.com/sol3/papers.cfm?abstract_id=914783

History and Practice

Standards

Statutes

* * * 

Week 2: Fiduciary duties,  corporate governance, and intangible assets - Basics of corporate information security

** LECTURE NOTES:  http://www.djcl.org/wp-content/uploads/2014/08/Imagining-the-Intagible.pdf  and https://scholarship.law.umn.edu/cgi/viewcontent.cgi?article=1165&context=mjlst 

History and practice

Standards

Cases

* * * 

Week 3:  Corporate duties of disclosure - Vulnerabilities versus data breaches

**LECTURE NOTES: Cyber Harder 

History and practice

Standards

Statutes and cases

* * * 

Week 4:  FTC (and CFPB) enforcement - Security and unfair and deceptive trade practices

**LECTURE NOTES: https://openscholarship.wustl.edu/law_lawreview/vol85/iss3/2/   ;  https://southerncalifornialawreview.com/2013/09/01/privacy-the-hacker-way-article-by-andrea-m-matwyshyn/87_1/

History and practice

Standards

Cases and enforcement actions

* * *

Week 5: The FDA, security, and medical devices

**LECTURE NOTES:  The Internet of Bodies (forthcoming 2019) 

History and practice

Standards

Cases

* * *

Week 6: The FBI, security, and next generation criminal enforcement

**LECTURE NOTES:  The Internet of Suspect Bodies (forthcoming 2020) 

History and practice

Standards

Cases

 

* * * 

Week 7:  The Limits of Free Speech and Protest - Hacktivism and security "whistleblowers"

** LECTURE NOTES:  https://scholarlycommons.law.northwestern.edu/nulr/vol107/iss2/10/

History and practice

Standards

Cases

 

* * * 

Week 8:  Nation state conduct - Hybrid warfare, vulnerability equities, and Infrastructure

**LECTURE NOTES: https://digitalcommons.law.byu.edu/lawreview/vol2017/iss5/6/

History and practice

Standards

Cases

Standards

 

* * * 

Week 9:  The SEC, financial infrastructure security, and market dynamics

**LECTURE NOTES:  https://scholarship.law.berkeley.edu/bblj/vol3/iss1/4/  and

https://scholarship.law.umn.edu/cgi/viewcontent.cgi?article=1165&context=mjlst

History and practice

Standards

Statutes and cases

 

* * * 

Week 10:  DOJ, reforming the CFAA, and innovation policy 

** LECTURE NOTES:  https://scholarship.law.nd.edu/ndlr/vol87/iss5/7/  

and https://scholarship.law.umn.edu/mjlst/vol8/iss2/9/ and Broken 

History and practice

 

Standards

Cases

     

* * * 

Week 11:  Hot Topics:  Federalism, security, and voting Infrastructure

 

**LECTURE NOTES:  https://link.springer.com/article/10.1007/s10551-009-0312-9  and Owning Our Vote (forthcoming 2019)

History and practice

Standards

Cases and decertifications

* * * 

Week 12:  Hot topics: Product liability, Security and AI 

**LECTURE NOTES: https://www.ieee.org/about/industry/confluence/feedback.htm and Artifice and Intelligence (forthcoming 2019)

History and practice

Standards

Statutes and cases

* * * 

Week 13:  Hot topics: Security, "smart contracts," cryptocurrency, and blockchain

**LECTURE NOTES:  Crypto Co(i)n (forthcoming 2020)

History and practice

Standards

Cases and enforcement actions

* * * 

Week 14 & 15: Security workshop and presentations