Cybersecurity Law Fundamentals:

A Survey of an Evolving Field and a Handbook for Practitioners

by James X. Dempsey and John P. Carlin

Published by the International Association of Privacy Professionals

Now Available: The Second Edition of Cybersecurity Law Fundamentals: A Survey of an Evolving Field and a Handbook for Practitioners

First published in 2021, Cybersecurity Law Fundamentals has been completely revised and updated.

U.S. cybersecurity law is rapidly changing. Since 2021, there have been major Supreme Court decisions interpreting the federal computer crime law and deeply affecting the principles of standing in data breach cases. The Securities and Exchange Commission has adopted new rules for publicly traded companies on cyber incident disclosure. The Federal Trade Commission revised its cybersecurity rules under the Gramm-Leach-Bliley Act and set out new expectations for all businesses collecting personal information. Sector-by-sector, federal regulators have issued binding cybersecurity rules for critical infrastructure, while a majority of states have adopted their own laws requiring reasonable cybersecurity controls. Executive orders have set in motion new requirements for federal contractors.

All these changes and many more are addressed in the second edition of Cybersecurity Law Fundamentals, published in April 2024. The second edition is co-authored by John P. Carlin, partner at Paul Weiss and former long-time senior official of the U.S. Justice Department, where he was one of the architects of current U.S. cybersecurity policy.

Purchase Cybersecurity Law Fundamentals, Second Edition (2024): print or digital.


Who should have Cybersecurity Law Fundamentals?

Cybersecurity Law Fundamentals is both a primer and a reference volume, with pointers to more in-depth resources. It organizes the disparate threads of cybersecurity law into a framework. It can be picked up and perused by generalists and newcomers to the field: the general counsel of a corporation whose area of expertise may be far from cybersecurity but who must have a basic understanding of regulatory requirements and of the legal risk the company will face when it suffers a breach; the policymaker interested in understanding the gaps in the law and filling them; the attorney seeking a career transition to a rapidly growing practice area; the journalist trying to contextualize a new executive order or legislative proposal. But it also serves the cybersecurity practitioner looking for a quick refresher or a citation.


Updates and supplemental material

The purpose of this website is three-fold: (1) Since the law in this field is changing so rapidly, this website hosts regular updates to the second edition of Cybersecurity Law Fundamentals. (2) These pages host supplemental material omitted from the second edition mainly to keep the printed volume to a reasonable length. Here, for example, you will find long lists of cases further representing points in the book. The format of each chapter is to place updates, if any, first, followed by any supplemental material. (3) This website preserves updates to the first edition, mainly as archival material, but also to support users as they transition to the second edition. Everything in the first edition updates is now reflected in the second edition or in the supplemental sections for each chapter, listing additional cases.

Caution: The supplemental material and updates here will likely have little meaning, and could be confusing or even misleading, without the full volume.

Latest updates include:

  • Dec. 18, 2024: Update to Chapter 16 noting Supreme Court grant of cert. in the TikTok case.

  • Dec. 13, 2024: Update to Chapter 4 to add new case on standing and an update to Chapter 11 on another OCR case.

  • Dec. 6, 2024: Update to Chapter 10 on a recent HHS OCR settlement and to Chapter 16 on the D.C. Circuit decision in TikTok v. Garland.

  • Nov. 20, 2024: Multiple updates, including to Chapter 5 on various claims, Chapter 9 on the TSA rulemaking for pipelines and railroads, Chapter 16 on the connected cars rulemaking, and Chapter 12 on cases under the CCPA.

  • Nov. 5, 2024: Update to Chapter 16 to note issuance of a final rule on outbound investments.

  • Oct. 31, 2024: Updates to Chapter 9 on a new CFPB rule and to Chapter 16 on DOJ’s proposed rule on data transactions.

  • Oct. 29, 2024: Update to Chapter 12 describing the New York State cybersecurity regulation for hospitals.

  • Oct. 25, 2024: Update to Chapter 8 describing the DOJ’s latest FCA settlement.

  • Oct. 23, 2024: Update to Chapter 11 on SEC enforcement actions.

  • Oct. 19, 2024: Update to Chapter 3 on amendments to Pennsylvania breach notice law.

  • Oct. 18, 2024: Update to Chapter 12 describing NYSDFS guidance on cybersecurity risks of AI.

  • Oct. 12, 2024: Updates to Chapter 9 describing the new CMMC Program rule.

  • Oct. 11, 2024: Updates to Chapter 9 on new DOL guidance to employee benefits plans and to Chapter 10 on the FTC’s proposed settlement with Marriott.

  • Sept. 25, 2024: Update to Chapter 12 to add the new Rhode Island privacy law.

  • August 15, 2024: Updates to Chapter 16 on Congressional action to ban TikTok and regulate data brokers and updates to Chapter 9 on the latest DoD rulemaking to implement CMMC 2.0.

  • July 26, 2024: Update to Chapter 8 on recent False Claims Act settlements.

  • July 25, 2024: Update to Chapter 11 on a new FCC enforcement action.

  • July 18, 2024: Edits to Chapter 11 describing the district court decision in the SEC enforcement action against SolarWinds.

  • July 15, 2024: Edits to Chapter 12 to add the new Minnesota law and edits to Chapter 5 to add recent cases.

  • July 11, 2024: Updates to Chapters 2 and 5 to add recent cases.

  • June 25, 2024: Update to Chapter 11 on HHS OCR enforcement actions against ransomware victims; update to Chapter 3 describing yet more guidance from the SEC on its reporting requirement.

  • June 21, 2024: Update to Chapter 16 describing the first-ever action under EO 13873 on ICTS transactions.

  • June 20, 2024: Update to Chapter 11 on a recent SEC enforcement action against a publicly-traded company.

  • May 17, 2024: Update to Chapter 9 on the SEC’s adoption of breach notice rules for broker-dealers and other entities.

  • May 10, 2024: Noting that the Maryland governor has signed that state’s new privacy legislation.

  • May 3, 2024: Added four new state laws to Chapter 12.

  • May 3, 2024: Updates to Chapter 3 on breach notice, including the FTC’s final rule on health apps.

  • May 3, 2024: Updates to Chapter 16, including the EO and rulemaking on “Preventing Access to Americans’ Bulk Sensitive Data and United States Government-Related Data by Countries of Concern.”


Praise for Cybersecurity Law Fundamentals

Cybersecurity Law Fundamentals is a must-have handbook. From FTC Act enforcement, to breach notification laws, to the Computer Fraud and Abuse Act and responding to ransomware attacks and more. Dempsey and Carlin have organized the US’s fragmented approach to cybersecurity law into an accessible volume for students and practitioners alike. Travis LeBlanc, partner and co-chair of Cooley's cyber/data/privacy practice and member, Privacy and Civil Liberties Oversight Board.

Cybersecurity Law Fundamentals is an absolutely essential volume. Dempsey and Carlin have created a field guide to an area of law that is being created in real time before our eyes. Paul Schwartz, Jefferson E. Peyser Professor of Law, Berkeley Law School and co-author of Privacy Law Fundamentals.

Send corrections, suggestions, and updates to the book and to this website to jxdempsey@gmail.com

Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.

Last updated: Dec. 18, 2024.