Understanding the Evolving Terrain of Cybersecurity Law: Insights from "Cybersecurity Law Fundamentals" Second Edition

A Conversation with James Dempsey on Key Legal Developments and Their Implications

Cybersecurity law is one of the most rapidly evolving areas in the legal landscape, driven by the relentless pace of technological advancement and ever-emerging threats. Since the first edition of Cybersecurity Law Fundamentals in 2021, pivotal incidents like the Colonial Pipeline ransomware attack have reshaped the federal government's approach to cybersecurity, prompting extensive regulatory changes and new legal interpretations.

The second edition of this book, authored by James Dempsey and John Carlin, reflects these seismic shifts and goes beyond merely listing cases and regulations. It offers a coherent and engaging narrative that guides readers through the intricacies of cybersecurity law from the perspective of a general counsel dealing with a cyberattack.

Whether you're a general counsel grappling with legal risks, a practitioner transitioning to this field, a policymaker seeking to bridge gaps in existing laws, or an educator teaching the next generation of lawyers, this book is crafted to meet your needs. In the conversation below, Dempsey describes the tangled web of statutes, regulations, and guidelines that defines U.S. cybersecurity law today, how those elements intersect across sectors, and how the book offers a structured approach to navigating this complex and ever-changing legal terrain.

What motivated the decision to revise and update Cybersecurity Law Fundamentals?

I don’t think there has ever been an area of the law that has evolved as rapidly as cybersecurity law. The first edition was in 2021. For the second edition, every single chapter had to be revised, and the length of the volume grew by 50 pages, even though I moved a lot of lists of cases and details of regulations to the companion website, cybersecuritylawfundamentals.com.

Can you elaborate on the key changes in U.S. cybersecurity law since the book’s initial publication in 2021?

In May 2021, just as the first edition was being finalized, the Colonial Pipeline system was hit by a ransomware attack, shutting down the flow of petroleum products to the entire East Coast for days. That prompted a sea change in the federal government’s approach. Until Colonial, most cybersecurity law was about the protection of personal information and focused on notification to consumers and the criminal prosecution of hackers. By and large, the federal government did not regulate the cybersecurity practices of critical infrastructure. Long lines at gas stations prompted the federal government to adopt binding directives for pipelines, then railroads, then the aviation sector, and it expanded the scope of cybersecurity concerns from information technology to include “operational technology,” which encompasses all of the devices that control industrial processes. At the same time, the federal government expanded its use of trade and investment laws to limit foreign participation—especially Chinese participation—in U.S. telecommunications networks and other sectors. Meanwhile, attorneys representing consumers whose data had been stolen were continuing to develop innovative theories of standing and to explore the application of traditional tort doctrines to businesses holding personal data.

How does Cybersecurity Law Fundamentals address the evolving landscape of federal cybersecurity statutes, regulations, and guidelines, particularly from your perspective?

Cybersecurity law is a patchwork quilt, indeed, a crazy quilt, stitched together with often-mismatched doctrines: ancient common law concepts of negligence and contract; early 20th-century prohibitions of unfair and deceptive trade practices; consumer protection law; crimes reminiscent of trespass; federal and state legislation, including laws for banking, health care, medical devices, the electric power grid, and many other sectors; industry standards; national security law; and trade and investment law.

The goal of the book is to give a coherent summary of this incoherent body of law. It tries to tell a narrative, from the perspective of a general counsel whose company suffers an attack. The GC’s first instinct is “we’ve been victimized,” so the book starts with criminal law. Then the GC realizes that consumers need to be notified through breach notification letters, and, if the incident is “material,” so does the investing public, through an SEC filing, so the book describes those requirements. Then the class action lawsuits start, so the book covers standing and the types of claims that are brought. Soon, regulators such as the Federal Trade Commission or state attorneys general may open investigations, so the book describes the legal authority for such enforcement actions and the cybersecurity failings that regulators focus on. As the forensic analysis of the incident continues, it may emerge that the attacker was a nation-state, so that raises questions of national security law and the powers of the President regarding foreign trade and investment, which is where the book concludes. Along the way, there are chapters on paying ransomware and on information sharing, defensive tactics, and the government’s use of search warrants to disrupt cybercrime groups.

Could you provide insights into the significance of the Supreme Court decisions mentioned in the book, especially concerning the federal computer crime law, and standing in data breach cases?

The second edition gives considerable attention to two recent Supreme Court cases. The 2021 decision in Van Buren v. United States defined the key terms of “authorization” and “authorized access” in the federal Computer Fraud and Abuse Act. These terms had generated a major circuit split. In Van Buren, the Supreme Court made it clear that the act does not apply to employees who misuse data they were otherwise authorized to access, ending the use of the act’s civil and criminal provisions in disputes over an employee’s theft of data, for example, to start a competing enterprise.

Another 2021 decision, TransUnion v. Ramirez, addressed the question of standing in federal court. Addressing that case in the revised edition was very hard. The Court seemed to foreclose standing based on the risk of future harm in actions for damages, which had been the basis for standing in many data breach cases, where plaintiffs could not specifically allege identity theft or fraudulent use of their stolen data. But despite TransUnion, lower courts have continued to find standing even in the absence of allegations of ID theft or fraud. The revised edition describes eight different theories that have been accepted by courts, on top of actual loss of money through the fraudulent use of stolen information.

Given the diverse audience Cybersecurity Law Fundamentals caters to, how do you ensure the book effectively serves the unique needs of each group in understanding U.S. cybersecurity law?

The book does not seek to be comprehensive. For almost every topic covered, there are specialized treatises or articles. And some of the areas, such as negotiations with the Committee on Foreign Investment in the U.S., are definitely best left to experts. The book, however, is intended as an overview, for that general counsel who needs a basic understanding of the legal risks that a company faces; the practitioner seeking a career transition to this rapidly expanding practice area; the policymaker trying to understand the gaps in the law and how to fill them. And, I’m pleased to say, professors and instructors at a number of law schools use the book in their cybersecurity law classes.