Duke University Law School
Law 550 "Legal Issues of Cybersecurity and Data Breach Response"
Fall 2021: 2:00 - 3:50 PM (Room 3000)
This two-credit "experiential" course will provide an advanced look into the dynamic and rapidly evolving legal field of cybersecurity and data breach response. The course will focus on the workflow during the aftermath of any sort of data security incident, a rapidly growing legal practice area, where legal professionals have emerged as critical leaders and decision-makers.
Every class will begin with a 15-20 minute discussion of current events. The course will be broken up into two parts.
The first part of the course will cover the foundation of the legal aspects of data breach response, in the form of traditional lectures and discussion. The second part of the course will involve a fictional fact pattern/simulation of a data security incident at a financial firm, which also involves the theft of credit card data. Each class session will address a specific “legal workstream,” with student teams conducting various tasks and with “real-life” outside data breach response experts playing the roles of each relevant fiduciary and constituency. The tasks will include: intake; board briefing; law enforcement liaison; federal/state regulatory interface; insurance company updates; and vendor/third party/employee briefings.
Course materials are all available online and free of charge. Students will be graded as follows: 30% of grade (Paper); 50% of grade (Simulation Exercise); and 20% of grade (Participation).
Part One: Preparation
We will discuss a range of the most important and timely cybersecurity/data breach response legal topics, including discussions of:
Part Two: Simulation
The ABA Standards for Approval of Law Schools now require that law students take at least six credits in “experiential courses.” ABA Standard 303(a)(3). These standards also define three different kinds of courses that satisfy this requirement: (I) “law clinics”; (II) “externships” or “field placements”; and (III) “simulations.” This class fits into the category of a “simulation.”
Virtually every aspect of a data security incident response is rife with delicate and complex legal issues. The issues go well beyond the post-event legal consequences, such as regulatory notifications, requests and investigations; law enforcement interactions; vendor disputes and lawsuits; and potential consumer class actions. The expectation plainly is that counsel will have clear visibility into and participate in all aspects of cybersecurity planning, monitoring, reporting, and, of course, response. And, it is fair to say that internal counsel is now on notice – if there was any lingering doubt – that cyber risks fall squarely within their functional mandate.
Above all else, the legal ramifications of any cybersecurity incident or failure can be calamitous or even fatal for any public or private company. Even the most traditional realms of IT dominion such as exfiltration analysis, malware reverse engineering, digital forensics, logging review and most technological remediation measures are rife with legal and compliance issues and a myriad of potential conflicts.
For instance, after a cybersecurity incident, law enforcement, regulators, vendors, partners, insurers, customers and others may:
These requests raise a host of legal issues, including how exactly to respond to each request and whether any response would violate the privacy of customers; be at odds with commercial agreements; result in a waiver of the attorney-client or work product privileges; or have any other legal/compliance consequences.
Skills and Competencies Students Will Learn
This class is designed to equip students with a toolset that they can use to oversee and direct investigative data breach response workflow, commanding the investigation and remediation for the C-suite, sharing with senior management the ultimate responsibility for key decisions, while having the responsibility and duty of reporting to the company’s board.
Along these lines, the second part of the course will present a fact pattern involving a data security incident at a financial firm, which also involves possible theft of credit card data, a "business email compromise" (BEC) situation and a ransomware extortion scheme. Each class will address a specific “legal workstream,” with student teams conducting various tasks and with actual outside data breach response experts (in person or, more likely, via Skype) playing the roles of each relevant fiduciary and constituency.
The tasks will be as follows:
Though the emphasis of this course is on the practical (i.e. the realities of a data breach response law practice), the course will also venture into some of the more theoretical conflicts that arise amid the juxtaposition of law, cyber and business. Constantly evolving, the legal issues of cybersecurity and data breach response create multiple and vibrant opportunities for discussion and analysis. Along these lines, each class may begin with a 20-minute discussion of “current events” pertaining to the legal issues of cybersecurity and data breach response. Though the instructor will provide topics for current events discussion, students will be encouraged to present recent current events for discussion as well.
Course Requirements, Workload Expectation and Grading
Prerequisites. This will be a two-credit course with no prerequisites.
Reading Assignments. In advance of each lecture class, there will likely be a reading assignment, the materials for which will be made available before the semester begins on Sakai (or on www.johnreedstark.com). On occasion, via Sakai, www.johnreedstark.com and/or email, students may receive additional materials relevant to the current events discussion.
Workload Expectation. As required by the ABA, for every hour students are in class, each student must do about two hours of work outside of class, averaged across the semester; this can be reading for class, preparing for the course exercises and working on papers.
Grading. Grading is comprised of three parts:
For a day-to-day schedule of the entire semester, including assigned materials for each week, click here.
To review all class materials, click here.