103 Iowa L. Rev. 985 (2018)

Download PDF

Abstract

As data breaches, denial-of-service attacks, and other cybersecurity incidents lead to extraordinary economic and national security consequences, commentators increasingly look to the legal system for solutions. Unfortunately, U.S. laws do not have a unified and coherent vision for the regulation and promotion of cybersecurity. For that matter, the U.S. legal system lacks a consistent definition of the term “cybersecurity law.”

This Article aims to fill that gap by defining “cybersecurity law.” Although many articles have addressed various aspects of cybersecurity, none has stepped back to define exactly what “cybersecurity” is and the goals of statutes and regulations that aim to promote cybersecurity. By defining the scope and goals of this new legal field, policymakers can then examine how lawmakers could improve existing laws. Part II of this Article briefly describes the cybersecurity challenges that the United States faces by examining the cyberattack on Sony Pictures Entertainment. Part III defines “cybersecurity law” as a legal framework that “promotes the confidentiality, integrity, and availability of public and private information, systems, and networks, through the use of forward-looking regulations and incentives, with the goal of protecting individual rights and privacy, economic interests, and national security.” Part IV explains the current legal regime for cybersecurity and concludes that many of the most prominent cybersecurity laws only address a small portion of the broader legal framework. Part V examines the gaps in current U.S. cybersecurity law and suggests starting points for improvements.