“…—Katherine Raphaelson, Director, Massachusetts Telecommunications Council "This book is written for those who have little or no technical background. …”

Tabla de Contenidos: “…9 1.1.4 FTC June 2015 Guidance on Data Security 11 1.1.5 FTC Protecting Personal Information Guide 14 1.1.6 Lessons from FTC Cybersecurity Complaints 15 1.1.6.1 Failure to Secure Highly Sensitive Information 16 1.1.6.1.1 Use Industry-Standard Encryption for Sensitive Data 16 1.1.6.1.2 Routine Audits and Penetration Testing are Expected 17 1.1.6.1.3 Health-Related Data Requires Especially Strong Safeguards 18 1.1.6.1.4 Data Security Protection Extends to Paper Documents 19 1.1.6.1.5 Business-to-Business Providers also are Accountable to the FTC For Security of Sensitive Data 20 1.1.6.1.6 Companies are Responsible for the Data Security Practices of Their Contractors 22 1.1.6.1.7 Make Sure that Every Employee Receives Regular Data Security Training for Processing Sensitive Data 23 1.1.6.1.8 Privacy Matters, Even in Data Security 23 1.1.6.1.9 Limit the Sensitive Information Provided to Third Parties 24 1.1.6.2 Failure to Secure Payment Card Information 24 1.1.6.2.1 Adhere to Security Claims about Payment Card Data 24 1.1.6.2.2 Always Encrypt Payment Card Data 25 1.1.6.2.3 Payment Card Data Should be Encrypted Both in Storage and at Rest 26 1.1.6.2.4 In-Store Purchases Pose Significant Cybersecurity Risks 26 1.1.6.2.5 Minimize Duration of Storage of Payment Card Data 28 1.1.6.2.6 Monitor Systems and Networks for Unauthorized Software 29 1.1.6.2.7 Apps Should Never Override Default App Store Security Settings 29 1.1.6.3 Failure to Adhere to Security Claims 30 1.1.6.3.1 Companies Must Address Commonly Known Security Vulnerabilities 30 1.1.6.3.2 Ensure that Security Controls are Sufficient to Abide by Promises about Security and Privacy 31 1.1.6.3.3 Omissions about Key Security Flaws can also be Misleading 33 1.1.6.3.4 Companies Must Abide by Promises for Security-Related Consent Choices 33 1.1.6.3.5 Companies that Promise Security Must Ensure Adequate Authentication Procedures 34 1.1.6.3.6 Adhere to Promises about Encryption 35 1.2 State Data Breach Notification Laws 36 1.2.1 When Consumer Notifications are Required 37 1.2.1.1 Definition of Personal Information 37 1.2.1.2 Encrypted Data 38 1.2.1.3 Risk of Harm 39 1.2.1.4 Safe Harbors and Exceptions to Notice Requirement 39 1.2.2 Notice to Individuals 40 1.2.2.1 Timing of Notice 40 1.2.2.2 Form of Notice 40 1.2.2.3 Content of Notice 41 1.2.3 Notice to Regulators and Consumer Reporting Agencies 41 1.2.4 Penalties for Violating State Breach Notification Laws 42 1.3 State Data Security Laws 42 1.3.1 Oregon 43 1.3.2 Rhode Island 45 1.3.3 Nevada 45 1.3.4 Massachusetts 46 1.4 State Data Disposal Laws 49 2 Cybersecurity Litigation 51 2.1 Article III Standing 52 2.1.1 Applicable Supreme Court Rulings on Standing 53 2.1.2 Lower Court Rulings on Standing in Data Breach Cases 57 2.1.2.1 Injury-in-Fact 57 2.1.2.1.1 Broad View of Injury-in-Fact 57 2.1.2.1.2 Narrow View of Injury-in-Fact 60 2.1.2.2 Fairly Traceable 62 2.1.2.3 Redressability 63 2.2 Common Causes of Action Arising from Data Breaches 64 2.2.1 Negligence 64 2.2.1.1 Legal Duty and Breach of Duty 65 2.2.1.2 Cognizable Injury 67 2.2.1.3 Causation 69 2.2.2 Negligent Misrepresentation or Omission 70 2.2.3 Breach of Contract 72 2.2.4 Breach of Implied Warranty 76 2.2.5 Invasion of Privacy by Publication of Private Facts 80 2.2.6 Unjust Enrichment 81 2.2.7 State Consumer Protection Laws 82 2.3 Class Action Certification in Data Breach Litigation 84 2.4 Insurance Coverage for Cybersecurity Incidents 90 2.5 Protecting Cybersecurity Work Product and Communications from Discovery 94 2.5.1 Attorney-Client Privilege 96 2.5.2 Work Product Doctrine 98 2.5.3 Non-Testifying Expert Privilege 101 2.5.4 Applying the Three Privileges to Cybersecurity: Genesco v. …”