Breached!

Daniel J. Solove

Oxford University Press, 2022


This is an important book, offering a high-level overview of security and privacy, from the viewpoint of law and regulation. Both authors are law professors with deep expertise in both cybersecurity laws and privacy laws. They offer their assessment of what is working in today’s tech environment and some possibilities for improvement.
The book focuses on security and privacy breaches and the “breach notification” laws that arose from this trend. The law does offer a clear response to a breach, but it is doubtful whether it has had much positive effect. Consumers receive little beyond token cash compensation or “credit monitoring”. The laws we have do not seem to reduce the onslaught of headline-grabbing data breaches.

The authors of Breached first give a historical overview of where we are and how we got here. Their viewpoint is that of the law and its effects on cybersecurity and privacy.

The second half of the book describes their solution: “Holistic Data Security Law”. The authors suggest a legal framework that would hold more actors accountable for breaches, not just the organization whose data was lost. These actors could include software developers, distributors, and others such as amplifiers and facilitators. Amplifiers are defined as those storing troves of data unnecessarily. Facilitators are government entities demanding backdoors to technology. Unfortunately, no single law would cover this ecosystem, so no silver bullet will be found.
Two other chapters offer specific suggestions on how to reduce the number and severity of data breaches. One idea is to unify privacy and security. Right now, they are often managed in separate organizational silos. Good cybersecurity is essential for effective privacy. At the same time, good privacy practices can minimize data breach impact. This would include things like data minimization and data mapping. Applications should have designed-in security and privacy.
The next chapter focuses on the human element of security and privacy. It has been documented that the human element is a contributing cause of most security breaches. The authors suggest rethinking tech design rules to focus on the human element of risk management.
The last book chapter summarizes the authors’ approach: “Holistic Data Security Law”. Key points include:
• Craft data security law to be more proactive and less reactive.
• Draft data security laws that provide incentives for right behaviors.
• Data security law should encourage integration of privacy and security.
In summary, Breached is an excellent overview book for cybersecurity professionals, who are often focused on the technical details of threats and vulnerabilities and on proposed technical solutions.

About the Book Reviewer

Frederick Scholl

Frederick Scholl is an accomplished Global Senior Information Security Risk Manager. Dr. Scholl earned a BS and Ph.D. in Electrical Engineering from Cornell University. In 1991, Fred founded Monarch Information Networks, LLC to enable forward-thinking organizations to protect their information. Previously, he co-founded Codenoll Technology Corporation (NASDAQ: CODN). He chaired the IEEE committee that wrote the first standard for Ethernet communication over fiber optic links, now used world-wide.