People occasionally ask about InfoSec courses that cover law and cyberlaw and about schools that offer cyberlaw programs.
I’m curious about this whole thing for a slightly tangential reason.
On the one hand there’s the idea of Cyberlaw as part of a general law school curriculum.
On the other, there’s cyberlaw for InfoSec people and managers and executives.
The former will already have covered issues like criminal law, contract law, rules of evidence and so forth. Would all that be necessary for the latter group?
And in general, we do have a domain of the CISSP CBK that covers ‘law and ethics’, but I get the impression that in the effort to “internationalize” it has been gutted, the rationale being that many laws are so regional that the exam can’t address them without being very biased.
Well, I disagree, for a number of reasons.
First, there is a lot of law that is about principles.
I think it’s important to cover basics like CONTRACTS and LIABILITY, which I have seen done in a way that covers the variety of western European legal codes.
Second, there is a fair bit of international or internationally recognised law. How else could trade and commerce go on? In addition, there are many laws that are being applied or recognised cross-border in one way or another, especially in the areas of cyber-related crimes such as fraud and extortion. Some of these may only serve as the basis for extradition, but they are examples of what happens in practice.
Finally, the study of law in other jurisdictions is valuable, as is the study of history: it gives us examples of the good and the bad, how they were applied, and what their successes, pitfalls and limits were.
This is more relevant than it seems at first. The impact of Sarbanes-Oxley (SOX) applies to many of us outside the USA because we deal with companies in our own nation that have offices registered and trading inside the USA. On top of that, SOX has been the basis for similar (and often better thought out) legislation in other countries. The same reasoning applies to things like the DMCA, CAN-SPAM and the like.
I ought to mention things like PCI as well, even though they are not “laws” in the same sense. PCI DSS *IS* international, as are the Basel accords, and those of us who deal with finance InfoSec have to deal with them alongside national regulators’ requirements such as those of the FFIEC in the USA.
Purely as a side issue, I think all of us need to know about matters like employment law: many of us are ‘consultants’ and need to know about contract law, and many of us are in situations where InfoSec deals with HR, which justifies knowing about employment law. We may also need to know about matters such as copyright and non-disclosure, and what contracts can and cannot bind one to.
Speaking as a “consultant”, I’d add that I’m very glad of my grounding in contract law from the management electives of my undergraduate degree in engineering. Many of the contracts I have been offered by small firms, drawn up by the owner (often an ‘entrepreneur’ with no business or legal background, and often without the guidance of a lawyer or even a CMA/accountant), were inequitable, unreasonable and full of ‘traps’ because of poor wording.
I think an understanding of the basics of criminal law, contract law and the law pertaining to international trade is essential to members of our profession, regardless of their role. The CBK and exam may avoid them, but as individuals we should each recognise the relevance of these and other legal and quasi-legal ‘standards’ and make them part of our ongoing education.