Information Security Law in the EU and the U.S.: A Risk-Based Assessment of Implicit and Explicit Regulatory Policies
The level of information security currently provided by governments and private entities leaves them and the (personal) data they store exposed to a high level of risk. To manage that risk, different regulatory measures have been proposed and adopted. They range from anti-hacking criminal statutes to producer liability for security vulnerabilities or an obligation for companies to notify their customers in the event of a data breach.

While a previous study commissioned by the European Network and Information Security Agency (ENISA) used economics to analyze regulatory policies for information security, this thesis will apply a risk-based analysis based on the technological aspects of information security.

It will develop a methodology for performing a risk-based legal analysis of different regulatory policies for information security. Four fundamentally different risk management options available to any regulator will be discussed: risk mitigation, risk avoidance, risk transfer, and risk acceptance. The methodology will be based on five risk components: assets, vulnerabilities, safeguards, threats, and threat agents. The thesis will show that the effectiveness of any regulatory policy largely depends on its relation to specific risk components.

Specific emerging technological threats (e.g. botnets, zero-day exploits, drive-by downloads and Web Exploit Toolkits), the challenge they pose to regulators and over twenty different regulatory policies for information security will be analyzed. These will include mandatory data breach notification, producer/seller liability for vulnerabilities, producer/seller liability for products not "safe by default", producer/seller liability for delayed patches, limiting copyright for patches, internet access provider liability, user liability, hosting provider liability, prohibition of hacker tools, mandatory vulnerability disclosure for producers, mandatory vulnerability disclosure for third parties, incentives for product certification (e.g. Common Criteria), incentives for developer certification (e.g. GIAC), incentives for company certification (e.g. ISO 27000), incentives for self-regulation (e.g. PCI DSS), criminalizing unauthorized computer access, surveillance to enable the fight against crime/terrorism, mandatory risk management, and mandatory certification and accreditation of computer systems.

The methodology developed in this thesis will be applied to analyze these regulatory policies and their implementation in EU law, U.S. federal law, and U.S. state law. Due to the economic importance of the states of California and New York, these jurisdictions will be the focus of the state law analysis.

The thesis will not only establish a guideline for deciding how best to counter emerging threats such as botnets or Web Exploit Toolkits, but will also present a general framework for assessing regulatory measures with respect to information security.

The project is co-sponsored by the Stanford-Vienna Transatlantic Technology Law Forum and The Europe Center (Freeman Spogli Institute for International Studies).