Cybersecurity Law Key Terms

Under the Computer Fraud and Abuse Act, the act of entering a computer system or a particular part of a computer system, such as files, folders or databases.

Source: Van Buren v. United States, 593 U.S. 374, 388, 141 S. Ct. 1648, 1657 (2021)

The process of granting or denying specific requests for or attempts to obtain and use information and related information processing services, enter specific physical facilities, or access a specific computer system or device.

Sources: Glossary, National Initiative for Cybersecurity Careers and Studies; Glossary, NIST Computer Security Resource Center

A cyber adversary, such as a nation-state or a ransomware network, that possesses sophisticated levels of expertise and significant resources that allow it, by using multiple attack vectors like vulnerability exploitation, credential abuse, and social engineering, to create opportunities within a computer network to achieve its objectives. These objectives typically include establishing and extending footholds within the technology infrastructure of the targeted organization for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization or positioning itself to carry out these objectives in the future. The advanced persistent threat pursues its objectives repeatedly over an extended period of time and adapts to defenders' efforts to resist it.

Sources: NIST SP 800-39; Glossary, NICCS; Glossary, CSRC; Project Upskill Glossary | Cybersecurity and Infrastructure Security Agency

The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a computer system.

Source: Glossary, CSRC

Source: Glossary, CSRC

The unauthorized access to or acquisition of computerized data that compromises the security, confidentiality or integrity of personal information. Note: Definitions of "personal information" vary across different laws, regulations and enforcement regimes. Breach may refer more generally to the compromise of the security of a computer system or network. See also "data breach" and "cyber incident."

Source: Cal. Civ. Code 1.81 § 1798.82; New York Gen. Bus. Law, 39-F § 899-AA. See also Glossary, CSRC.

The legal requirement, under law or contract, to inform individuals, third parties, and/ or governmental authorities that personal information has been compromised. See also "incident reporting/disclosure."

Source: Cybersecurity Law Fundamentals, 2nd ed. pp. 63-64

"A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Source: Glossary, CSRC

Source: Cybersecurity Law Fundamentals, 2nd ed. pg.16

Source:  Glossary, CSRC citing Committee on National Security Systems Instruction 4009- 2015

Source: 18 U.S.C. § 1030(a)(3)

Sources: Glossary, CSRC; Glossary, NICCS; 44 USC § 3552(a)(3)(B)

Sources: NIST SP 800-37 Rev. 2; Information Systems Audit and Control Association Glossary of Terms

Source: 42 U.S.C. § 5195c(e)

Source: Cybersecurity Law Fundamentals, 2nd ed. pg.16

Sources: 44 U.S.C. § 3552(2). Compare, however, 6 U.S.C. § 650(12) and 6 U.S.C. § 681(5), the latter of which excludes an occurrence that imminently, but not actually, jeopardizes (i) information on information systems; or (ii) information systems. See also FIPS Publication 200.

Source: CNSSI 4009-2015 from DoD JP 3-12

Source: New York State Department of Financial Services Cybersecurity Requirements, 23 NYCRR 500

Source: 6 U.S.C. § 650(7)

Sources: IBM. See also 6 U.S.C. § 650(18).

Sources: 6 U.S.C. § 650(8); Glossary, NICCS

Source: 6 U.S.C. § 650(5)

Source: 10 U.S.C. § 1030(e)(8)

Sources: Cal. Civil Code § 1798.82(g). See also 45 C.F.R. § 164.402 (Health Insurance Portability and Accountability Act breach notice rule); 16 C.F.R. § 314.2(m) (FTC GrammLeach-Bliley Act safeguards rule); NICCS; CISA Glossary.

Sources: Fair Information Practice Principles (FIPPs) | FPC.gov. See also Cal. Civil Code § 1798.100(c); Cal. Code Regs. tit. 11 § 7002(d).

Source: Storage Networking Industry Association

Data protection also refers to "the rules and safeguards applying under various laws and regulations to personal data about individuals that organizations collect, store, use and disclose. 'Data protection' is the professional term used in the EU, whereas in the U.S. the concept is generally referred to as 'information privacy.'" When used in this context, "data protection is different from data security, since it extends beyond securing information to devising and implementing policies for its fair use."

Source: IAPP Glossary of Privacy Terms

Sources: See "key" and "decryption key" in Glossary, CSRC.

Source: 6 U.S.C. § 650(9)(A)

Source: CISA, "Understanding Denial-of-Service Attacks"

One element of a negligence claim under the common law. In data breach and other cybersecurity incident litigation, a threshold question on any claim of negligence is whether the defendant had a duty to protect the data or network, provide notice of incidents, or take other preventative or responsive actions.

Source: Cybersecurity Law Fundamentals, 2nd ed. pgs.136-38

"The process of transforming plaintext into ciphertext using a cryptographic algorithm and key," thereby concealing the data's meaning to prevent it from being known or used.

Source: NIST SP 800-56B Rev. 2

Under CFAA, "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."

Sources: 18 U.S.C. § 1030(e)(6). See also Van Buren v. United States, 593 U.S. 381-88, 141 S. Ct. 1648, 1657-58 (2021).

In the cybersecurity context, to extort or attempt to extort from any person any money or other thing of value by transmitting "any communication containing any (A) threat to cause damage to a protected computer; (B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or (C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion."

Source: 18 U.S.C. § 1030(a)(7)

"The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data." In the cybersecurity context, generally performed after a cybersecurity incident to determine the cause and scope of, and actors involved in, the incident.

Source: 32 C.F.R. § 236.2

A clause in insurance policies excluding coverage for losses due to hostile or warlike acts, often invoked by carriers when claims arise from a state-sponsored cyber incident.

Source: Cybersecurity Law Fundamentals, 2nd ed. pgs. 129-30

The methods and processes used to manage subjects (such as individual users) and their authentication and authorizations (privileges) to access specific objects (such as devices, networks or information). Sometimes referred to as identity and access management.

Source: Glossary, NICCS

"All types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain."

Sources: U.S. Department of Justice: Identity Theft. See also 18 U.S.C. § 1028.

Coordinated activities and procedures to detect, analyze, contain, remediate, and recover from cyber incidents, in order to minimize harm, comply with legal requirements and maintain or promptly restore operations.

Source: NIST SP 800-61 Rev. 2

The integrated employment, during military operations, of information-related capabilities in concert with other lines of operation to influence, disrupt, corrupt, or usurp the decision-making of adversaries and potential adversaries while protecting our own.

Source: Department of Defense JP 3-13

The protection, through administrative, technical and physical safeguards, of "information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide" integrity, confidentiality and availability.

Source: 44 U.S.C. § 3552(a)(3)

Any equipment or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data or information. "[A]ny equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information ... . includes computers, ancillary equipment ..., peripheral equipment ..., software, firmware and similar procedures, services (including support services), and related resources."

Sources: NIST SP 800-53 rev. 5; 40 U.S.C. § 11101(6).

"The process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices."

Source: NIST SP 800-94

Software or firmware intended or designed or to perform an unauthorized process that will have adverse impacts on the confidentiality, integrity or availability of an information or computer system.

Source: NIST SP 800-53 rev. 5

Continuously observing and analyzing a network, its traffic, the devices on the network and the data stored on the network to identify modifications or behavioral anomalies indicative of security threats, vulnerabilities, compromises or policy violations.

Source: CISA

Authentication method using two or more factors to achieve authentication. Factors include: something you know, e.g., password or personal identification number; something you have, e.g., cryptographic identification device, token, ATM card, smartphone; or something you are, e.g., biometric.

Sources: NIST SP 1800-17b; NIST SP 800-171r3

"A broad range of programmable systems and devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems and devices detect or cause a direct change through the monitoring and/ or control of devices, processes, and events." Examples include industrial control systems, building management systems, fire control systems and physical access control mechanisms.

Source: NIST SP 800-82r3

The Payment Card Industry Data Security Standard is an information security standard administered by the Payment Card Industry Security Standards Council for merchants, banks and other entities that process payments involving branded credit cards from the major card schemes.

Sources: NIST SP 1800-16B. See also PCI Security Standards Council.

Varies from state to state and law to law. Under the California Consumer Privacy Act, "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." 

Source: Cal. Civil Code tit. 1.81.5 § 1798.140(v)(1)

A similar definition is used by many of the state "comprehensive" privacy laws.

However, state data breach notification laws often have a narrower definition. Under California's breach notification law, "personal information" means either of the following:

1. An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
   1. (A) Social security number.
   2. (B) Driver's license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
   3. (C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
   4. (D) Medical information.
   5. (E) Health insurance information.
   6. (F) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
   7. (G) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
   8. (H) Genetic data.
2. A username or email address, in combination with a password or security question and answer that would permit access to an online account.

Source: Cal. Civil Code tit. 1.81 § 1798.82(h)

"Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual."

Source: Office of Management and Budget Circular No. A-130

"A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a Web site, in which the perpetrator masquerades as a legitimate business or reputable person."

Sources: Internet Engineering Task Force RFC 4949 Ver 2. See also the latest annual report of the Anti-Phishing Working Group.

As required within the federal government under the E-Government Act, "an analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of information in identifiable form in an electronic information system; and to examine and evaluate protections and alternate processes for handling information to mitigate potential privacy concerns. A privacy impact assessment is both an analysis and a formal document detailing the process and the outcome of the analysis."

Sources: OMB Circular A-130 (2016). See also IAPP Glossary of Privacy Terms. 

Related terms: Many comprehensive state privacy laws require a "data protection assessment." California law requires an annual cybersecurity audit. Article 35 of the EU General Data Protection Regulation requires controllers to undertake a "data protection impact assessment" of any processing likely to result in a high risk to the rights and freedoms of natural persons.

"Material and information relating to or associated with a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications; marketing plans or techniques; schematics; client lists; computer programs; processes; and know-how that has been clearly identified and properly marked by the company as proprietary information, trade secrets, or company confidential information. The information must have been developed by the company and not be available to the government or to the public without restriction from another source."

Source: Glossary, CSRC

Under the CFAA, a computer

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government;

(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; or

(C) that-

• (i) is part of a voting system; and
• (ii)(I) is used for the management, support, or administration of a Federal election; or (II) has moved in or otherwise affects interstate or foreign commerce."

Source: 18 U.S.C. § 1030(e)(2)

For purposes of HIPAA, "individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i) Transmitted by electronic media;

(ii) Maintained in electronic media; or

(iii) Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information:

(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);

(iii) In employment records held by a covered entity in its role as employer; and

(iv) Regarding a person who has been deceased for more than 50 years."

Source: 45 C.F.R. § 160.103

In HIPAA itself, health information is defined as "any information, whether oral or recorded in any form or medium, that— (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual."

Source: 42 U.S.C. § 1320d(4)

A form of malware that encrypts files on a device, rendering them unusable, with the malicious actors demanding ransom in exchange for decryption, often accompanied by a threat to sell or publicly release the data if the ransom is not paid, although some attackers skip the encryption step and demand ransom to not release stolen files.

Source: CISA

"The ability to continue to (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs."

Source: NIST SP 800-137 from NIST SP 800-39

The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations resulting from the operation of a system. Part of risk management, it incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.

Sources: NIST SP 800-39; NIST SP 800-30 rev 1

Automated extracting of data from a website and copying it for manipulation, analysis or other reuse.

Sources: hiQ Labs v. LinkedIn Corp., 31 F.4th 1180, 1186 n.4 (9th Cir. 2022)

"Independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures."

Source: NIST SP 800-82r3 from ISO/IEC 7498-1:1994

An attack in which the adversary inserts a vulnerability into the product of an upstream provider, such as a software developer or software library, prior to its installation, allowing the adversary to compromise the systems of downstream users of that product.

Source: CNSSI 4009-2015 CISA

"Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes."

Sources: NIST SP 800-150. See also: NIST SP 800-172; NIST SP 800-172A

Under federal law, "to transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of," any password or similar information through which a computer may be accessed without authorization.

Source: 18 U.S.C. § 1029

A weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.

Source: NIST SP 800-30 Rev. 1

The process in which third parties, including independent security researchers, discover vulnerabilities in products or systems and report those to the product developers or system operators and for those developers or operators to receive such vulnerability reports and take remedial action, such as issuing patches.

Sources: Cybersecurity Law Fundamentals, 2nd ed. pgs. 217, 481; NIST SP 800-216

A previously unknown hardware, firmware, or software vulnerability, referred to as a zero-day vulnerability, or an attack exploiting such a vulnerability, referred to as a zeroday attack, in reference to the product developer having zero days to patch the flaw and defenders having zero days to prepare before it is exploited.

Source: IBM