Internet-of-things devices, ransomware and insurance are raising questions about liability.
As the internet of things, cloud computing and artificial intelligence have become a part of our everyday discourse, the cyber threats they introduce are rapidly evolving. These new types of breaches are causing more confusion about liability.
At the end of last year alone, we saw a federal judge in California uphold a ruling that allowed victims of the Yahoo breaches to file lawsuits against the company. In 2017 Anthem Health Insurance had to pay $115 million to victims after it was revealed the company had a second, massive breach. Both are unprecedented rulings.
What we’re seeing from these new and evolving breaches is that our legal process surrounding them is all over the place. And different agencies currently get involved at various points, including the U.S. Consumer Product Safety Commission, the Federal Trade Commission, the PCI Security Standards Council and state regulators, such as New York State’s Department of Financial Services.
While cyber law is a vast, ever-evolving field, there are currently four areas of interest that are having a significant impact on how organizations, governments, businesses and individuals navigate these new waters in a world saturated with technological innovation:
Internet of Things: Who’s Liable?
Connected devices and IP-enabled gadgets have been popping up everywhere recently—not just smart coffee pots and smart lighting in our households but also in the workplace with versatile agents such as Alexa for Business. All these devices and networks are potentially vulnerable to being breached or hacked, especially as they typically ship with a default password like 0000. Should liability be assigned to the manufacturer or to the vendor that sells the device?
One easy way to ensure your organization is protected is to change all default security codes or passwords.
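To make that advice concrete, here is an added example (not part of the original article) of how an organization can audit its own device inventory for credentials that were never changed from the factory default or that are trivially weak. The inventory, device names, factory defaults and the list of common defaults are constructed for the example; a real audit would read them from the organization's asset register.

```python
"""Default-credential audit for a connected-device inventory.

Added example, not from the original article. The inventory and the
list of common factory defaults are constructed for illustration.
"""

# Factory defaults commonly seen on shipped devices (constructed list).
KNOWN_DEFAULTS = {"0000", "1234", "admin", "password", "12345678", ""}


def is_default_or_weak(password: str, min_len: int = 12) -> bool:
    """Return True if the password is a known default or trivially weak."""
    if password in KNOWN_DEFAULTS:
        return True
    if len(password) < min_len:
        return True
    # A single repeated character ("1111111111111") is weak however long it is.
    if len(set(password)) == 1:
        return True
    return False


def audit_inventory(devices):
    """Return (device name, reason) for every device still on a default or weak credential.

    Each device record is a dict with 'name', 'password' and optionally
    'factory_default' (the password the device shipped with).
    """
    findings = []
    for dev in devices:
        pw = dev["password"]
        if pw == dev.get("factory_default"):
            findings.append((dev["name"], "factory default unchanged"))
        elif is_default_or_weak(pw):
            findings.append((dev["name"], "known default or weak password"))
    return findings


# Constructed sample inventory; names and passwords are made up.
SAMPLE_INVENTORY = [
    {"name": "coffee-pot-lobby", "factory_default": "0000", "password": "0000"},
    {"name": "lighting-hub-2f", "factory_default": "admin", "password": "Xk9#pLm2vQ7r!"},
    {"name": "conf-room-speaker", "factory_default": "1234", "password": "password"},
    {"name": "thermostat-3f", "factory_default": "0000", "password": "1111111111111"},
]

if __name__ == "__main__":
    for name, reason in audit_inventory(SAMPLE_INVENTORY):
        print(f"{name}: {reason}")
```

Run periodically against the asset register, the audit turns "change all default passwords" into a verifiable control: every device flagged here is one the organization could struggle to defend in a liability dispute.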
Ransomware: What’s Covered?
Ransomware is a growing threat: cyber criminals infiltrate computer systems, encrypt valuable assets, and threaten to destroy the data or render it permanently inaccessible unless money is paid. Most experts, including myself, advise ransomware victims not to pay, to avoid inviting future attacks.
Make sure you have reliable anti-virus and anti-malware software and are also keeping your operating systems up to date.
Written Information Security Program: Where’s the Compliance?
More and more states are now requiring businesses and organizations to have a valid Written Information Security Program, or a WISP, on file but many are unaware of the requirement or the steps needed for compliance.
Do your due diligence and educate yourself on what you need for a valid, compliant WISP. The state of Massachusetts has a compliance checklist that is helpful for small businesses or individuals wanting to develop a WISP, which is a good place to start.
Identity Theft: Will Cyber Insurance Help?
Identity theft comes in all shapes and sizes, and it is not limited to an individual's identity. In some cases, it includes impersonating entire organizations.
When it comes to cyber insurance, if an incident occurs and the business does not have a valid WISP, the coverage won't be valid. There's a lot of fine print involved in cyber insurance, which often renders it ineffective.
Regulations are starting to ensure that all parties involved are responsible, from manufacturers providing warnings about passwords to WISP implementation and compliance standards. Follow the processes to make insurance useful.
The Bottom Line Is: Educate Yourself and Your Organization
My overall advice is to do your homework and involve all stakeholders when it comes to cybersecurity, cyber insurance and cyber law. There’s a commitment to education that’s required to ensure that you and your organization have taken all the necessary precautions to avoid a catastrophe.