Hack Lab: Introduction to Cybersecurity (INTLPOL 268)

Stanford University

  • Riana Pfefferkorn (Stanford Internet Observatory)

Syllabus (Stanford Canvas)

Weekly Reading Assignments

Week 1 (Sept. 28): Section 1 (Preview: Introduction to the Law)

Week 2 (Oct. 5): Section 2.1 (Computer Fraud and Abuse Act)

Week 3 (Oct. 12): Sections 2.2 & 2.3 (Van Buren's Ramifications for Security Research & Digital Millennium Copyright Act)

Week 4 (Oct. 19): Section 2.4.1 (Wiretap Act and Wi-Fi "Sniffing")

Week 5 (Oct. 26): Section 2.4.2 (Wiretap Act, SCA, and GET Requests)

Week 6 (Nov. 2): Section 3 (Part II: When Entities Get Hacked)

Week 7 (Nov. 9): Section 4.1 (Encryption & Technical Assistance)

Week 8 (Nov. 16): Section 4.2 (Government Hacking)

Week 9 (Nov. 30): Section 5 (Part IV: When Countries Hack Each Other)

Week 10 (Dec. 7): Review (and possible surprise special guest speaker!) - no new reading assigned

Note: These readings are subject to change during the quarter; if you get ahead in the reading, check back the week before lecture for any updates. 

3 Part II: When Entities Get Hacked 3 Part II: When Entities Get Hacked

Week 6

Week 6 (Nov. 2, 2022): Data Breach Notification & Data Security Requirements

This week, we’ll look at the flip side of legal liability when a company (or other organization) gets hacked: the victim company’s own potential liability under state laws and agency regulations that require a minimum level of data security and impose notification requirements in the event of a data breach (or, increasingly, other cybersecurity incident).

3.1 Data Breach Notification Requirements 3.1 Data Breach Notification Requirements

Week 6

3.1.1. State Data Breach Notification Laws - Map & Chart (updated Sept. 2022)

Take some time to play around with the map on page 2 of this report and check out the laws in states of interest to you.

This document is an example of what's known as a "50-state survey"; compiling all the data, and keeping it up-to-date as state laws change, is the sort of assignment commonly given to junior associates at law firms. I like this other firm's map better because it's more interactive and rich-featured, but unfortunately it's out-of-date.

State Data Breach Notification Laws - Map & Chart (updated Sept. 2022)

3.1.2. By the Numbers: Parsing Cybersecurity Incident and Breach Reporting Requirements - R Street Institute (Sept. 1, 2022)

By the Numbers: Parsing Cybersecurity Incident and Breach Reporting Requirements - R Street Institute (Sept. 1, 2022)

3.1.3. Courts order handover of breach forensic reports in trend welcomed by consumers, feared by defendants - CyberScoop (Aug. 4, 2021)

Courts order handover of breach forensic reports in trend welcomed by consumers, feared by defendants - CyberScoop (Aug. 4, 2021)

3.2 Data Security Requirements 3.2 Data Security Requirements

Week 6

3.2.1. The evolution of the 'reasonable security' standard in the US context - IAPP (June 4, 2020)

The evolution of the 'reasonable security' standard in the US context - IAPP (June 4, 2020)

3.2.2. Recent Case: FTC v. Wyndham Worldwide Corp. - 129 Harv. L. Rev. 1120 (Feb. 10, 2016)

As with the case note for the Google Street View case that we read earlier this quarter, this is likewise a piece of writing about a court decision that was authored by an outside observer; it is not the court's opinion itself.

Recent Case: FTC v. Wyndham Worldwide Corp. - 129 Harv. L. Rev. 1120 (Feb. 10, 2016)