
Cyber Law Glossary: 173 Cybersecurity Definitions and Terms, Explained

Written by Tara Swaminatha | Jun 19, 2023 8:41:47 PM

Welcome to the Cyber Law Glossary! If you're looking for foundational information and knowledge on cyber law, privacy law and cybersecurity terminology, you've come to the right place.


2FA Two-Factor Authentication (2FA) adds a second layer of security protection, going beyond the usual username and password by requiring users to verify their identity with two different authentication factors: one that you know (e.g., a password) and one that you have (e.g., a code from a text message or authenticator app). Examples of second factors include personal identification numbers (PINs) or time-based one-time password (TOTP) codes (e.g., Google Authenticator, Microsoft Authenticator, Duo, Okta, etc.).

Access Control — Access control is a data security mechanism that organizations employ to grant or deny a user (or service account) access to resources or information by checking whether the user (or service account) has authorization to access the resources or information. Role-based access control (RBAC) is a method of restricting access based on a user's role. It can simplify and organize managing access permissions. Instead of granting 12 individuals in Department 94 access to a cloud storage application, which leaves room for unintentional error, the system administrator can grant “Department 94” (as a role) access to the cloud resource. Then when all 12 individuals leave to start their own company, the system admin only needs to delete “Department 94” access and not each of the 12 individuals, which, again, leaves room for unintentional error.

The Four As:

  • Authorization: After consulting with appropriate managers, and because it is necessary to perform User123’s work functions, User123 is authorized to access the super secret secure room. A system administrator will now configure User123’s badge settings so the badge is encoded with authorization to access the super secret secure room.
  • Access Control: The door to the super secret secure room is programmed to unlock only after (1) a badge card is swiped, (2) the access control system reads the user account information encoded on the badge card, (3) the access control system looks up the relevant user account with an authoritative source to check whether the swiped badge is assigned to a user whose account is authorized to access the super secret secure room, and (4) the access control system authorizes the unlock function.
  • Authentication: The system requires User123 to provide a code from an authentication app (or, if you prefer Mission Impossible style stories, the system requires User123 to say a specific phrase in User123’s own voice). If the system confirms the code or specific phrase matches User123’s information, the system is satisfied that the person using User123’s badge to access the super secret secure room is, in fact, User123 and not an imposter.
  • Auditing: Audit logs can be useful for routine checks; for example, the audit logs could be reviewed monthly to check whether any badges from terminated employees accessed the super secret secure room after their departure date so the badges can be deactivated. Audit logs also often play a crucial role in investigations. If a coveted stack of post-its and sticky chart paper is stolen from the super secret secure room, investigators would probably like to know who entered and exited the room. If audit logs were properly enabled to record exit times and not just entry times, investigators should be able to determine the list of people who entered and exited during a certain time period.
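The badge-door scenario above (role-based authorization, the access control lookup, a TOTP code as the "something you have" factor from the 2FA entry, and the monthly audit review for terminated employees) modelled as a small script. This is an added example, not code from the original post; every user, badge, secret, date and role in it is constructed.

```python
import hashlib
import hmac
import struct

# Constructed sample directory. Authorization is granted to roles (RBAC), users
# are assigned roles, and badges are bound to user accounts.
ROLE_GRANTS = {"super-secret-room": {"Department 94", "Facilities"}}
USER_ROLES = {
    "User123": {"Department 94"},
    "User456": {"Department 94"},  # left the company, but nobody removed the role yet
    "User789": {"Marketing"},
}
BADGE_TO_USER = {"BADGE-0001": "User123", "BADGE-0002": "User456", "BADGE-0003": "User789"}
TOTP_SECRETS = {
    "User123": b"constructed-secret-123",
    "User456": b"constructed-secret-456",
    "User789": b"constructed-secret-789",
}
TERMINATED = {"User456": "2023-03-15"}  # user -> departure date (ISO strings compare in order)

AUDIT_LOG = []  # one dict per swipe attempt, allowed or denied


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 with RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def is_authorized(user: str, resource: str) -> bool:
    """Access control decision: does any role held by the user carry a grant for the resource?"""
    return bool(USER_ROLES.get(user, set()) & ROLE_GRANTS.get(resource, set()))


def swipe(badge: str, code: str, resource: str, unix_time: int, day: str) -> bool:
    """One door event: badge -> account lookup, authorization check, second-factor
    verification (authentication), and an audit record written either way."""
    user = BADGE_TO_USER.get(badge)
    entry = {"date": day, "badge": badge, "user": user, "resource": resource, "result": "DENY"}
    if user is None:
        entry["reason"] = "unknown badge"
    elif not is_authorized(user, resource):
        entry["reason"] = "account not authorized"
    elif not hmac.compare_digest(totp(TOTP_SECRETS[user], unix_time), code):
        entry["reason"] = "second factor failed"
    else:
        entry["result"] = "ALLOW"
    AUDIT_LOG.append(entry)
    return entry["result"] == "ALLOW"


def revoke_role(resource: str, role: str) -> None:
    """RBAC cleanup: removing one role grant cuts off every account holding that role."""
    ROLE_GRANTS.get(resource, set()).discard(role)


def stale_badge_use(log: list, terminated: dict) -> list:
    """Monthly audit review: swipes by terminated users after their departure date,
    whether or not the door opened, so those badges can be deactivated."""
    return [e for e in log if e["user"] in terminated and e["date"] > terminated[e["user"]]]


if __name__ == "__main__":
    now = 1_680_000_000  # constructed fixed timestamp so the codes are reproducible
    room = "super-secret-room"
    print(swipe("BADGE-0001", totp(TOTP_SECRETS["User123"], now), room, now, "2023-04-01"))
    print(swipe("BADGE-0002", totp(TOTP_SECRETS["User456"], now), room, now, "2023-04-01"))
    print(stale_badge_use(AUDIT_LOG, TERMINATED))
```

The second swipe succeeds because the departed user's role was never removed; only the audit review catches it, which is why the entry above recommends reviewing the logs rather than trusting the grants alone.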

Affirmative Defense An affirmative defense is a legal provision that may shield a defendant (company) from liability and penalties for violating a statute or regulation because of certain circumstances. An affirmative defense does not equate to a defendant saying “I didn’t do it.” It equates to a defendant saying “I did it, BUT because the following circumstances defined in the statute apply to me, I am shielded from consequences and liability.” (See Safe Harbor)

In Ohio, Utah and Connecticut, in the aftermath of hacks and data breaches, victim companies may be able to avoid liability for consumer civil claims if they can prove they have implemented a cybersecurity program aligned with a widely recognized information security standard, such as the NIST Cybersecurity Framework, CIS Critical Controls, NIST SP 800-53, ISO 27001 or PCI-DSS. The purpose of these provisions is to encourage organizations to take proactive steps to improve their cyber protections by following long-standing, solid guidelines for developing appropriate security protections. The safe harbor clauses in Ohio, Utah and Connecticut do not exempt businesses from state regulatory enforcement actions.

African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention) A convention, comparable in aim to the GDPR or the CBPRs, designed to provide standard, continent-wide parameters for safeguarding personal information. It was adopted on June 27th, 2014. The treaty requires 15 nations to accede before it can take effect; as of February 2023, only 13 of the 55 eligible African nations have ratified and acceded to it.

Agent An agent is an antivirus or other endpoint security software installed on a device (e.g., laptop, smartphone, computer or physical server) that constantly scans and reports malicious activity. Agents are often vendor-specific. 

Attribution Attribution is the act of attempting to track down and identify the individual (or group) responsible for malicious cyber activity. Attribution can also mean being able to attribute certain actions to a user account or individual.

Auditing — Auditing is the comprehensive analysis and review of a company's IT infrastructure to determine whether or not it has the necessary security programs in place while also adhering to current regulations.

Authentication Authentication, in its most tangible sense, is the act of determining whether the individual sitting at the keyboard accessing a system resource is who the individual purports to be. For example, suppose Employee XYZ is authorized to log in to a device with valid credentials for the account name User123. When someone enters Employee XYZ’s account credentials (account name User123 and valid password) to log in to the device, authentication is the act of verifying whether the person who entered valid User123 account credentials is, in fact, Employee XYZ, and not an imposter.

Authorization Authorization is the process of determining a specific account’s (user account or system account) access to a system resource (e.g., file, application, system, etc.). (System accounts are often forgotten but should be an important part of cybersecurity program documentation and processes, not just user accounts).

Azure — Azure is Microsoft’s cloud computing platform. Azure Firewall is a cloud-native and intelligent network firewall security service that provides threat protection for cloud workloads running in Azure.

Bank Secrecy Act The Bank Secrecy Act is a United States law requiring financial institutions in the U.S. to assist U.S. government agencies in detecting and preventing money laundering. Pursuant to the BSA, businesses must maintain records and file reports that could be useful in criminal, tax and regulatory matters. Businesses are required to report foreign bank and financial accounts, in addition to cash payments received exceeding $10,000.

Bitcoin Bitcoin is a cryptocurrency, or virtual currency, that acts as money and a form of payment independent of any single person, group, or entity, thereby eliminating the need for third-party involvement in financial transactions.

Bitcoin Exchange A bitcoin exchange is a digital marketplace where you can deposit money via bank transfer, wire, or other forms of deposits and then buy, sell or trade bitcoins for other assets, such as conventional fiat currencies or other digital currencies.    

Budapest Convention Also known as the Council of Europe Convention on Cybercrime, the Budapest Convention is the first international treaty aimed at combating Internet and computer crime by harmonizing national laws, improving investigative techniques and increasing international cooperation. The latest (optional) protocol aims to help member countries expedite evidence-sharing across borders for law enforcement to effectively investigate crimes involving electronic information. The protocol suggests (1) allowing law enforcement in country A to request evidence directly from service providers in country B (according to proper legal process), and (2) allowing service providers in country B to disclose information to foreign law enforcement without going through domestic authorities.

Bug Bounty A bug bounty program allows independent security researchers or ethical hackers to discover and report a vulnerability or bug to the developer of an application and receive a reward or compensation in return. (See Vulnerability Disclosure Program)

Business Continuity (BC) Business continuity (BC) refers to having a detailed plan to deal with any problematic IT or information-related disruption so an organization can continue functioning with as little disruption as possible after a cyber threat. Typically, BC plans involve identifying alternate options that can be spun up quickly. BC plans often go hand in hand with disaster recovery (DR) plans. (See Disaster Recovery)

Business Email Compromise (BEC) A business email compromise (BEC) attack is a phishing attack where the hacker poses as someone important or powerful within a company or organization and tricks an individual into performing harmful actions, usually involving changing wire information thereby redirecting wire transfers to the attackers instead of the intended recipients.

California Consumer Privacy Act (CCPA) The CCPA is a digital consumer protection law that defies simple definition. Broad, cumbersome and often confusing, the CCPA was first-of-its-kind as a U.S. state comprehensive privacy law with teeth. The CCPA includes a private right of suit with state fines of up to $750 per person. It also established the California Privacy Protection Agency. Substantively, CCPA gives California residents more control over the personal information a business collects and possibly sells about them by granting certain rights, including:

  • The right to know what personal information a company collects and how it's used.
  • The right to delete personal data.
  • The right to opt-out of data collection or sale.

As of March 2023, the CCPA does not apply to employees or B2B personal information. 

California Consumer Privacy Act of 2018 (‘CCPA’) See Comprehensive Privacy Laws and our blog, Which 2023 U.S. State Comprehensive Privacy Laws Apply to Your Organization?

California Privacy Rights Act of 2020 (‘CPRA’) See Comprehensive Privacy Laws and blog, Which 2023 U.S. State Comprehensive Privacy Laws Apply to Your Organization?

CBPR (Cross-Border Privacy Rules) Developed by representatives from the following economies, each of which participates in APEC: Canada, Japan, the Republic of Korea, the Philippines, Singapore, Chinese Taipei and the United States of America. The CBPRs are a set of rules economies can follow to signal to each other that they hold certain minimum legal protections for personal information, that they are committed to interoperability with other economies, and that they recognize (and want to avoid) the economic impact of strict, non-interoperable regulations. Organizations can certify to the CBPRs. To participate, economies must have national legislation covering required topics. The CBPRs are not binding, however, which softens their effectiveness.

Center for Internet Security (CIS) The CIS is a nonprofit organization focused on developing, validating and promoting timely best practices solutions that help people, businesses and governments protect themselves against cyber threats. 

Center for Internet Security (CIS) Controls v8 A recommended set of actions for cyber defense that provides actionable and specific steps to prevent and stop pervasive and dangerous cyberattacks. Available here.

CFAA (18 U.S.C. 1030) the Computer Fraud and Abuse Act The Computer Fraud and Abuse Act of 1986 is a federal law criminalizing hacking. The law prohibits accessing a computer without authorization or in excess of authorization. (See Van Buren)

Chief Information Security Officer (CISO) A CISO is a senior-level executive in charge of developing, implementing and monitoring an organization’s information security governance and overall program. Sometimes pronounced “see-so”, sometimes pronounced “sizz-oh”.

Cloud The cloud is not a cloud. The cloud refers to servers or infrastructure maintained by one company for the benefit of its customers who access the servers or infrastructure over the Internet, including the software and databases that run on those servers. It can be thought of as remote storage, remote processing, remote software or remote infrastructure.

Cloud Security Alliance (CSA) The Cloud Security Alliance (CSA) is an organization that helps define and raise awareness of overall best practices for ensuring a secure cloud computing environment. It developed the Cloud Controls Matrix (CCM), a control framework specifically designed for cloud environments as companies increasingly move IT infrastructure off-premises and to remote entities (i.e., to the cloud). The CCM follows the same general security principles as other security industry standards but focuses on issues more relevant to the cloud. CSA also offers cloud-security research, education, certifications and events.

Colorado Privacy Act See Comprehensive Privacy Laws and our blog, Which 2023 U.S. State Comprehensive Privacy Laws Apply to Your Organization?

Communications Assistance for Law Enforcement Act (CALEA) CALEA is a federal statute that is often mischaracterized. CALEA does not require carriers to build capabilities that would allow efficient responses to law enforcement requests. But if the capability exists, carriers must have the ability to retrieve information in a reasonably short period of time.

Compliance or Alignment with Industry Standards For the most part, companies cannot be “certified” against standards. Certification is not the purpose or intent of industry standards. While some organizations tout that they are in compliance with industry standards, and while we know what they mean, industry standards are meant to be followed and are designed according to best practices. Instead of “certifying” to an industry standard, an organization “is built in line with” or “aligns with” or “is developed according to” an industry standard. As such, it is not an issue of compliance. Cybersecurity programs that follow industry standards are deemed to be in alignment with industry standards.

Comprehensive Privacy Laws (U.S. State laws) Beginning with California, U.S. states have begun passing comprehensive privacy acts that provide consumers with certain rights related to gathering and using personal information. Referred to in the industry as “Comprehensive Privacy Laws”, the laws impose obligations to protect consumer personal information; notify consumers about collection, use, disclosure and sale; some carry a private right of action for consumers whose information is exposed by the entity; and others include fines - some of them steep - for violations. Prior to California’s Comprehensive Privacy Law (the CCPA), all 50 states and territories did have Data Breach Notification Laws on the books. Although the Data Breach Notification Laws might prompt entities to implement safeguards to avoid exposing consumer information, the laws do not impose privacy-related obligations described above.   

As of late April 2023, 9 states have passed Comprehensive Privacy Laws. To find out which applies to your organization, see our blog post here.

Effective in 2023

  • California: California Consumer Privacy Act of 2018 (‘CCPA’), in effect
  • California: California Privacy Rights Act of 2020 (‘CPRA’) (amends CCPA), in effect
  • Virginia: Consumer Data Protection Act (‘CDPA’), in effect
  • Colorado: Colorado Privacy Act (‘CPA’), effective 1 July 2023
  • Connecticut: Connecticut Act Concerning Personal Data Privacy and Online Monitoring (‘CTDPA’), effective 1 July 2023
  • Utah: Consumer Privacy Act (‘UCPA’), effective 31 December 2023

Passed in 2023, Effective in 2024

  • Tennessee: Tennessee Information Protection Act (TIPA), effective 1 July 2024
  • Texas: Texas Data Privacy and Security Act, effective 1 July 2024
  • Montana: Montana Consumer Data Privacy Act (MCDPA), effective 1 October 2024

Passed in 2023, Effective in 2025

  • Iowa: Iowa Consumer Data Protection Act (ICNPA), effective 1 January 2025

Passed in 2023, Effective in 2026

  • Indiana: Indiana Consumer Data Protection (IDCP), effective 1 January 2026

Connecticut Privacy Act See Comprehensive Privacy Laws and our blog, Which 2023 U.S. State Comprehensive Privacy Laws Apply to Your Organization? 

Consent Decree or Consent Order A consent order (or consent decree) is a voluntary agreement similar to a settlement between a defendant company and a regulatory enforcement agency. It generally has the same effect as a court order and can be enforced by a federal district court if the defendant companies do not comply with the order. The order typically persists for a number of years (20 years usually for the FTC) and requires biennial audits to certify compliance.

Crypto Exchange A digital platform where you can buy and sell (exchange) cryptocurrency. 

Cryptocurrency or Crypto A digital currency that is designed to function as a medium of exchange via a computer network and is not reliant on any central authority, such as a government or bank, to support or maintain it. Cryptocurrency transaction and ownership data is stored in a digital ledger using distributed ledger technology, typically a blockchain. Accounting typically uses a double-ledger to record money exchanged. The distributed digital ledger provides even more confidence and confirmation in currency exchanged in a transaction. 

CSA Cloud Control Matrix (CCM) The CCM is a cybersecurity control framework developed by the CSA and used as a tool for cloud computing, which lists 16 domains covering all critical aspects of cloud technology security. It provides guidance to organizations to help them identify which security controls to implement, especially controls that should be implemented by each actor within the cloud supply chain.  

Cyber Cyber relates to any characteristics involving computers, information technology and virtual reality.  

Cyber Insurance Cyber insurance is an insurance product intended to protect some aspects of liability for organizations from internet-based risks, technology infrastructure risks and other risks related to cyber threat actors and malicious online activities. As of March 2023, premiums and exclusions are up, coverage is down.

Cybersecurity Cybersecurity is the discipline that involves ensuring the confidentiality, integrity and availability of information, assets, networks and applications. Cybersecurity refers to employing security mechanisms to combat threats (physical, human/personnel or cyber-related) that could impact the confidentiality, integrity or availability of information, assets, networks and applications.  

Cybersecurity Compliance Program A cybersecurity program that manages how an organization implements and measures its information security policies against a set of established standards and requirements. Standards and/or requirements may be required by law or voluntary.

Cybersecurity Maturity Model Certificate (CMMC) The CMMC 2.0 is a comprehensive framework launched by the Department of Defense (DoD) that’s designed to help the DoD measure the strength of contractors’ security measures designed to protect and safeguard sensitive national security information from increasingly frequent and complex cyberattacks. Contractors can obtain certification if they meet the requirements at varying levels of the CMMC.

Cybersecurity (or Privacy) Program — A catch-all term that means an organization’s current policies, procedures and operations for protecting its information, infrastructure and operations and handling personal information or other sensitive information.

Cybersecurity Standard A collection of guidelines or best practices an organization can use to improve its security and privacy strength by helping it identify and implement appropriate measures to protect its systems and data from cyber threats, according to a risk-based approach designed to ensure organizations consider each facet of a security program. There are several cybersecurity frameworks and compliance standards that organizations can follow, including NIST SP 800-53, NIST CSF, CIS Critical Controls and ISO 27001.

Dark Web "The Dark Web" is a subset of the Internet (not a different Internet!) where users can access intentionally hidden web content anonymously using a special web browser called the Tor Browser and/or various encryption techniques. (See TOR Browser, Dark Web Sites)

Dark Web Marketplace  A Dark Web site that offers goods or services for sale. Often run like well-oiled machines, these businesses generate a significant amount of revenue. The majority of items and services offered are illegal, dangerous, taboo, personal information stolen in ransomware or other attacks, or instrumentalities (tools) to commit different cyber attacks.  

Dark Web Sites Unlike URLs on the “regular” Internet, URLs on the Dark Web are not user-friendly or memorable, for example: http://h a y s t a k 5 n j s m n 2 h q k e w e c p a x e t a h t w h s b s a 6 4 j o m 2 k 2 2 z 5 a f x h n p x f i d.onion/ (the letters aren’t typically spaced out but we are trying to save you from yourselves and us from ourselves). If you get one character wrong, you won’t find the site. In general, you have to know the discombobulated URL to access it.  

Data Breach Notification Laws (U.S. States) State statutes require covered organizations to notify consumers and, in some cases, State authorities, when consumer personal information is accessed or acquired by an unauthorized party. All 50 states and territories have a Data Breach Notification Law.

Data Disposal Laws Data disposal laws require organizations to securely dispose of sensitive or confidential data or personal information on all computer systems and electrical devices being disposed of or recycled, or when data are being deleted under retention policies.   

Data Inventory Data inventory is a complete inventory or record of all data held within a system so an organization can fully understand what data needs to be protected and the legal obligations that may apply to different types. A data inventory and data map are often combined.

Data Loss Prevention (DLP) — A security strategy that focuses on detecting and preventing data loss, leakage and misuse of an organization's data by ensuring users do not send sensitive information outside the corporate network. DLPs can be deployed to monitor data exiting the company from different avenues, including email (body text or attachments) or via network traffic.

Data Map A data map is a short-hand way of describing an organization’s complete and up-to-date representation of the flows of all data (from a Data Inventory) entering, traversing and exiting its systems or control. Maintaining a data map helps an organization determine what personal information is stored and where, so that all personal information remains secure. Under the GDPR, a data map turned Record of Processing Activities includes additional information, such as the purposes for processing each type of data and the legal basis for such processing. A data inventory and data map are often combined or are included in an organization’s Record of Processing Activities.

Data Protection Data protection is the legal regime established to require businesses and other organizations to safeguard and protect personal information from corruption, compromise or loss. Data Protection and Privacy are sometimes used interchangeably although strong proponents of either term may vehemently disagree. In general, Data Protection is the term used predominantly in the EU (plus the UK and Switzerland) and Privacy is somewhat more common in the United States. This is based on no actual evidence-based conclusions. Just our own observations.

Data Protection Authority (DPA) Independent public authorities that supervise the application of data protection laws in the European Union (EU). Each EU Member State has a data protection authority. 

Data Protection Officer (DPO) A data protection officer (DPO) is required by GDPR and the UK GDPR under certain conditions. The Data Protection Officer can be internal or external (although as of February 2023, some EU courts and regulators are debating details about DPO independence requirements) and oversees a company’s data protection strategy and ensures the organization applies and adheres to the laws protecting personal data. The DPO also serves as a point of contact for an organization’s primary Data Protection Authority.

Data Security Laws As opposed to U.S. state data breach notification laws, which require notifying consumers whose personal information has been exposed, data security laws place affirmative obligations on a company to maintain security measures to protect personal information. (ZeroDay Law would like to remind you that organizations need security measures to protect all kinds of important and sensitive information beyond personal information, too.) Some laws apply to governmental entities while others apply to businesses.

Decoding Cyber Law Decoding Cyber Law is a podcast hosted by Tara Swaminatha, a security technologist-turned-lawyer. It serves up fresh, practical insights into cyber law and incidents, pulling back the curtain on how industry experts approach cybersecurity. Each episode brings you real stories from a diverse group of industry insiders working in the real cyber world.

Disaster Recovery (DR) A set of policies, procedures and tools created to enable an organization to get back up and running after a cyber incident impacts the availability of one or more critical systems. These are often cumbersome to create, and internal teams tend to have difficulty getting support for borrowing other staff’s time to create, document and test the procedure. The disaster recovery plan provides a detailed, step-by-step process that ensures organizations can continue to operate with minimal losses in the event of a cyber incident. Typically, DR plans involve identifying alternate options that can be spun up quickly. DR plans often go hand in hand with business continuity (BC) plans. (See Business Continuity)

Diversity In addition to equity and inclusion (not to mention safety, justice, and on and on), diversity is something ZeroDay Law believes we need desperately. ZeroDay Law also believes that - based on evidence from at least one successful security/tech giant - that true diversity is not only achievable but actually improves information security and privacy work. In general, diversity is the practice of including or involving people from a range of different social, racial or ethnic backgrounds and of different genders, sexual orientations, viewpoints and perspectives. ZeroDay Law strongly believes in diversity, equity, inclusion and mentoring, especially women of color and we always welcome allies with our philosophy.

Encryption Encryption is the process of using an encryption algorithm (see below) to change readable data (e.g., a password) into unreadable data (e.g., unreadable letters and numbers) to add security in transit or storage. Encryption is often said to obfuscate information to make it unreadable and more secure.  

Encryption Algorithm A mathematical formula used to obscure the input (plain text string of characters and numbers) that returns an unreadable output (encrypted, encoded or cipher text). Encryption algorithms can be strengthened by using “keys” that are required to encrypt and decrypt the data (if decryptable). Sometimes the same key encrypts and decrypts the data, sometimes one key encrypts data and a different key is required to decrypt it.

Endpoint An endpoint is any device that can be connected to a network, including computers, laptops, mobile phones, tablets, servers, IoT devices and can include printers, scanners or other Internet-enabled equipment.

Endpoint Detection and Response (EDR) Endpoint Detection and Response (EDR) is a security solution that detects threats on endpoints (usually mobile devices, laptops and computers). EDR tools can automatically fix issues discovered on an endpoint by removing and containing threats. EDR solutions will also record malicious behavior and notify security teams of threats, helping companies predict and prevent future attacks. EDR solutions are usually vendor-specific. (See Extended Detection and Response for the broader, cross-endpoint variant.)

Enforcement Action Enforcement action means “an action taken by the Department upon its own initiative or at the request of an affected party in furtherance of its statutory authority and responsibility to execute and ensure compliance with applicable laws.”

Exploit — An exploit is code or a program developed to take advantage of a vulnerability or security flaw in software, hardware or networks to launch a cyber attack (e.g., installing malware). Once a vulnerability is identified, the race begins between the software developer (trying to develop a patch to close the vulnerability) and threat actors (trying to develop a working exploit that takes advantage of the vulnerability to conduct malicious activity).

Extended Detection and Response (XDR) Extended Detection and Response (XDR) has a broader scope than EDR (See above) and is a security solution that has the ability to collect and respond to malicious activity across multiple endpoints, including servers, networks, cloud storage or processing in one central location. XDR is usually vendor-specific. XDR is designed to reduce the workload for security professionals charged with monitoring an organization’s IT infrastructure for threats. 

Fair Credit Reporting Act (FCRA) The Fair Credit Reporting Act (FCRA) is a federal law that ensures information in consumer credit bureau files is accurate, fair and private. The law oversees and regulates how credit reporting agencies collect, access, use and share the information contained in your consumer reports. The law also regulates how other entities can and cannot use consumer credit information and mandates proper notice to the consumer before certain decisions (e.g., about employment or credit) are made based on that information.

Federal Information Security Management Act (FISMA) The Federal Information Security Management Act (FISMA) was passed in December 2002 and amended by the Federal Information Security Modernization Act of 2014. FISMA requires federal agencies to maintain an organization-wide program to secure information and systems, including any provided or managed by another entity. As amended, FISMA emphasizes continuous monitoring and focuses on issues that can be caused by security incidents.

Federal Risk and Authorization Management Program (FedRAMP) FedRAMP is a certification cloud providers can obtain to prove they have a sufficient cybersecurity program to provide cloud products and services to the federal government. FedRAMP prescribes information security standards developed specifically to ease the burden on government agencies to conduct individual security reviews of cloud providers.

Firewall A firewall monitors and filters incoming and outgoing network traffic based on a security policy, allowing approved traffic in and denying all other traffic. Firewalls can be software or hardware, or virtual in a private or public cloud. Firewalls are used to segment networks so that an attack on one section of a network can’t easily cross into the other sectors. The opposite of a segmented network is a flat network.

Forensic Image A forensic image is a bit-by-bit copy of a source device stored in a forensic image format, which is then used by law enforcement to conduct an investigation, so the original, fragile data is protected. (See Image)

FTC Act Section 5 Section 5(a) of the FTC Act (15 U.S.C. Sec. 45(a)(1)) protects consumers from companies’ unfair and deceptive trade practices, including false advertising. As of now, no U.S. federal privacy or security law or regulation applies to all personal information. Companies in certain sectors are subject to security and privacy requirements if regulated by a federal regulator (e.g., healthcare, HHS), but those laws are not broadly applicable. Safe Web (15 U.S.C. Sec 45(a)(4)(A)) gives the FTC authority over any conduct that is likely to cause reasonably foreseeable injury in the U.S. or involves material conduct within the U.S., even for foreign defendant entities.

Many organizations that are not subject to another primary federal regulator are subject to the FTC’s authority, under its consumer protection enforcement powers, to investigate and take enforcement action over a company’s failure to protect personal information. Companies that misrepresent the security and privacy measures in place to protect personal information can be held liable under Section 5 of the FTC Act for having deceived consumers who disclosed personal information under a false sense of safety, believing the information would be protected.

Full-disk Encryption (or Whole Disk Encryption) Full-disk encryption refers to the security method for protecting sensitive data at the hardware level by encrypting all data on a drive, including temporary files and in some cases the master boot sector. Encrypting a full disk offers more security than partial-disk encryption.  

Fundamental Right Fundamental right is the EU terminology to describe the most important, intrinsic rights of individuals. In the EU, most - if not all - countries regard privacy as a fundamental human right, which is tantamount to a constitutional right in the U.S. (e.g., the right to free speech, which is not as robust in the EU as in the U.S.). 

General Data Protection Regulation (GDPR) The GDPR is a regulation in the EU that sets out rules regarding data protection for personal data of EU persons. The GDPR establishes individuals’ rights that must be enabled by businesses, requires technical and operational measures to protect data, requires that certain data breach incidents be reported to data protection authorities (and, in some cases, to individuals), and governs how businesses must protect data being transferred out of the EU.

GLBA Privacy Rule The Gramm-Leach-Bliley Act (GLBA) Privacy Rule (16 C.F.R. Part 313) requires financial institutions subject to FTC jurisdiction to provide notice that informs customers of their rights, including the right to opt out of the sharing of nonpublic personal information. The definition of financial institution for the purposes of this Rule can be found at 16 C.F.R. Part 313(1)(b).

GLBA Safeguards Rule The GLBA Safeguards Rule (16 C.F.R Part 314) requires financial institutions subject to FTC’s jurisdiction to develop, implement and maintain a comprehensive information security program that protects customer information and complies with the overall GLBA Rule’s requirements. The definition of financial institution for the purposes of this Rule can be found at 16 C.F.R. Part 314(1)(b).

Go Bag A “go bag” is a physical backpack filled with all information, emergency equipment and tools needed in the wake of a cyber emergency. A “go bag” is ready to go at any given moment.  

Governance (cybersecurity or privacy) The policies and procedures to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements. Requirements are understood and inform the management of cybersecurity and/or privacy risk. 

Gramm-Leach-Bliley Act (GLBA) The GLBA is a United States federal law that specifies how financial institutions may share and must protect their customers’ private information.

Hash Algorithm A hash function is a mathematical or cryptographic algorithm that converts a string of characters or numbers of any length into a fixed-length value. The output from a two-way hash can be inverted so the original input can be recreated. The output from a one-way hash cannot be inverted; it is computationally infeasible to invert the output from a one-way hash to recreate the original string. One-way hashes are standard security practice for storing passwords so that they cannot be discovered. Adding a “salt” (random data combined with the original string before hashing) increases the computational difficulty of inverting the hash output to recover the original string.

(FTC) Health Breach Notification Law (16 CFR Part 318) The Rule applies to entities that are not subject to HIPAA but are vendors of personal health records. Vendors and related entities must notify consumers if unsecured personal health records are exposed. Service providers to the vendors must notify the vendor about breaches, and the vendor must then notify consumers. The Final Rule also specifies the timing, method and content of the notification, and in the case of certain breaches involving 500 or more people, requires notice to the media.

Health Insurance Portability and Accountability Act (HIPAA) A set of federal regulations designed to protect the privacy of patients’ health information. HIPAA applies to all forms of protected health information, including paper records, electronic records and oral communications that are handled by covered entities (i.e., providers and insurers) and the other organizations with whom they share PHI (i.e., business associates). HIPAA is enforced by the U.S. Department of Health and Human Services.

Image An image or forensic image is a bit-by-bit exact copy of a file or physical storage device such as a hard drive. In forensic investigations, original copies of evidence aren’t reviewed; images are made for analysis and can be admitted into evidence based on the testimony of an investigator who has run a hash algorithm on the original evidence prior to any other actions. The output (see One-Way Hash below) can be used to prove a copy is identical to the original. Adding even one space to a document on a hard drive would change the hash value derived from the drive. Therefore if the hash of a hard drive copy (image) matches the hash of the original, it is an exact match. 

Incident Response Incident response (IR) refers to the collective crisis management steps that are triggered in response to a cybersecurity incident. An incident response might also be referred to as a cyber incident response, cybersecurity incident response or simply IR.

Incident Response Plan An outline of an organization’s procedures, steps and responsibilities for its incident response program—almost like a playbook. It involves developing business processes that reduce recovery time and costs, minimize collateral damage like brand reputation and ensure the smooth functioning of normal business operations. IR Plans should include triggers so IR teams can spot potential legal issues (to enlist counsel’s help with) and help ensure the organization meets any compliance obligations related to notifying individuals or authorities after a breach of personal information.

Incident Response Team An incident response team, or IR team, is a group of individuals tasked with participating in an IR effort following a specific incident. IR teams are incident-specific and not necessarily the same from one incident to the next. A strong IR team should represent an appropriate cross-section of the organization.

Information Security Information security safeguards sensitive data against unauthorized activities such as inspection, modification, recording, disruption or destruction. The goal is to protect and maintain the privacy of critical data such as customer account information, financial data, or intellectual property. Information security applies to electronic and physical or hard-copy information.

Information Security Department Charter An information security department charter is a document that clearly defines the scope and purpose of security within an organization, providing objectives and responsibilities to ensure the security program reflects clear organizational expectations. 

Information Security Standard A collection of guidelines or best practices an organization can use to improve its security and privacy strength by helping to identify and implement appropriate measures to protect its systems and data from cyber threats according to a risk-based approach designed to ensure organizations consider each facet of a security program. There are several cybersecurity frameworks and compliance standards that organizations can follow, including NIST 800-53, NIST CSF, CIS Critical Controls, and ISO 27001.

Infrastructure-as-a-Service (IaaS) Infrastructure-as-a-Service is a term used to describe cloud computing services that offer essential computing, storage and networking resources to replace legacy on-premises servers and storage.

Integration Plan An integration plan is a plan for carefully connecting devices from one environment to another while working to avoid introducing security problems from one to the other. Integration plans are recommended after mergers or acquisitions. Sometimes the acquirer connects the purchased entity’s devices into the acquirer’s network. Sometimes the acquirer replaces the purchased entity’s devices with known safe devices for its network. Sometimes the transition progresses one device at a time so that each device can be determined safe before connecting it to the acquirer’s network.

International Organization for Standardization (ISO) — ISO 27001 and related standards, including others in its control family (e.g., ISO 27002), are international information security industry standards. Whereas some information security standards do not have official certification processes, ISO certification is available to companies and can be used to demonstrate to customers, shareholders and partners that they have put effort and thought into developing their cybersecurity program according to a recognized, well-regarded standard. That said, plenty of secure organizations aren’t ISO certified and plenty of ISO certified entities have experienced cyberattacks.

Internet Crime Complaint Center (IC3) The purpose of the IC3 is to provide the public with a reporting mechanism to submit information to the Federal Bureau of Investigation (FBI) concerning suspected cybercriminal activity and to develop alliances with law enforcement and industry partners. 

Iowa Consumer Data Protection Act (ICDPA)  The Iowa Consumer Data Protection Act is the sixth comprehensive state privacy act in the United States—behind California, Utah, Colorado, Virginia and Connecticut—that provides consumers in the state of Iowa with certain rights related to the gathering and using of personal information. The ICDPA is effective as of Jan 1, 2025. 

IP address An IP address, or internet protocol address, is a set of 4 numbers separated by dots (each number is called an octet). An IP address is required for a device to be connected to a network or to access the Internet. An IP address can be internal, i.e., used to identify devices on a local network. IP addresses that start with 192.168.x.x are internal, as are others. IP addresses can be static or dynamic. A static IP address does not change; the device with that IP address will have it indefinitely. Dynamic IP addresses are essentially loaned to a device (from, e.g., an internet service provider). To avoid having an external IP address for every device in existence, ISPs (or some large companies) purchase a block of IP addresses and assign them to devices when the device accesses the internet; the ISP or company might then “release” an IP address that is no longer being used and assign it to another device.

ISO 27001+ — The International Organization for Standardization (ISO) control family 27001+ (ISO 27001) is a set of standards that offers best practice controls and comprehensive specifications for protecting and preserving your information under the principles of confidentiality, integrity, and availability. ISO standards are most commonly used outside the U.S., although they are regarded favorably in the U.S. as well.

Lanzarote Convention The Lanzarote Convention, also known as the Council of Europe Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse, was established to prevent sexual offenses against children, prosecute perpetrators and protect child victims. The Convention references the use of information and communication technologies that sexually exploit and abuse children, thereby expanding the scope of criminalization to cyberspace. The Convention became effective July 1, 2010, and has been ratified by all 46 members of the Council of Europe, in addition to The Russian Federation and Tunisia, for a total of 48 countries.  

LGPD (General Data Protection Law (in Portuguese) in Brazil) Brazil’s first comprehensive data protection regulation, which unifies over 40 prior data protection regimes. The LGPD generally aligns with the EU General Data Protection Regulation (GDPR).

Liability Risk Liability risk is the risk of being held accountable for a claim in a civil lawsuit or a regulatory enforcement action.   

Litigation Risk Litigation risk is the likelihood of being sued or investigated. Although a company may not be liable for claims asserted against it, companies should also consider the risk of facing litigation that would require defending against claims and the associated costs. 

Logs Logs are files that record information on activities that occur within a company's systems and networks, including servers, firewalls, and other IT equipment. Logs must be configured to ensure the right information is being captured for the purpose the logs serve.

Malware Malware is software, or code, that is specifically designed to disrupt, damage, or gain unauthorized access to a device, network, system or application. 

Media Access Control (MAC) Address A MAC address is the unique serial number assigned to each interface (device) on a network or the Internet, which is typically assigned by the manufacturer or vendor and serves as a physical identification number. A MAC address is somewhat similar to the VIN on a car.

Metaverse Additional name for Web 3.0, focused on Meta as a brand. (See Web 3.0)

Mobile Device Management (MDM) Mobile Device Management is a device-centric tool that allows organizations to identify and protect end-user devices (e.g., laptops, smartphones, and tablets). Typically MDMs offer the administrator the ability to remotely wipe the device if lost or stolen. MDM can also be used to ensure devices have required security features enabled.

Montana Consumer Data Privacy Act (MCDPA) See Comprehensive Privacy Laws and our blog, Which 2023 U.S. State Comprehensive Privacy Laws Apply to Your Organization? 

Multi-Factor Authentication (MFA) Multi-Factor Authentication adds a double layer of security protection, going beyond credentials (username and password) by requiring users to provide information to prove their identity with two different authentication factors: one you know (password) and one you have (code from an authenticator app or text message that requires you to have physical possession of the device to retrieve the code). Examples include text messages with a one-time code, or TOTP (time-based one-time passwords) usually from an authenticator app.

Mutual Legal Assistance Treaty (MLAT) MLAT requests are formal requests by U.S. law enforcement authorities for evidence held in other countries in order to carry out an investigation. The process is relatively slow and often involves sending written communications from domestic law enforcement to a U.S. point of contact in the Department of Justice, who then communicates with a counterpart in the foreign country, who then determines whether or not the crime being investigated and the evidence sought would be appropriate to collect and disclose under the foreign country’s own legal regime.

NAIC Model Law (data security) The National Association of Insurance Commissioners (NAIC) Data Security Model Law requires insurers and other entities licensed by state insurance departments to develop, implement, and maintain an information security program, as well as investigate and notify the state insurance commissioner of any cybersecurity events. Several state insurance agencies have adopted similar data security laws based on this model law.

National Institute of Standards and Technology (NIST) NIST establishes neutral standards for a wide variety of scientific and technical topics (e.g., standards for measurement) in order to facilitate interoperability among technology products and standard protocols followed in scientific efforts, and by doing so promotes economic development and innovation.

NIST Cybersecurity Framework (NIST CSF) — The NIST CSF provides guidance on how to manage and reduce IT infrastructure security risk in a systematic manner to help organizations address the various components of an appropriate security program. The CSF is made up of standards, guidelines, and practices that can be used to prevent, detect, and respond to cyberattacks. The framework is not something you can comply with but rather align with or follow. The NIST CSF Version 2.0 Discussion Draft, a preliminary version, was released on April 24, 2023.

NIST SP 800-53 rev 5 A NIST special publication that provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. The framework helps organizations walk through the catalog of controls and identify areas of risk and proper controls to implement to mitigate risks where appropriate. 800-53 is updated periodically. The framework offers enhanced (more secure or more private) control options that entities could adopt when appropriate to mitigate higher risk areas. NIST 800-53 is just less than 500 pages long.

Non-Fungible Tokens (NFTs) NFTs are unique cryptographic tokens that cannot be replicated and can be sold or traded by their owner; ownership and each sale or trade are recorded on a blockchain.

NYDFS Rule 500 The NYDFS Cybersecurity Rule 500 is a set of regulations from the NY Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered institutions (financial institutions and insurance entities licensed in NY) in response to the growing sophistication and knowledge of cybercriminals. The first version of Rule 500 was unique in that it was more prescriptive in terms of requiring specific cybersecurity program components than most other regulations in existence at the time. The Department of Financial Services proposed a second amendment to the regulation and began reviewing public comments in January 2023.

NY Shield Act The NY Shield Act, or the Stop Hacks and Improve Electronic Data Security Act, works with the New York data breach notification law and imposes more vigilant data protection requirements on companies that collect information from New York residents. Non-profit entities are not exempt from the Shield Act but are often exempt from comprehensive state privacy legislation (e.g., CCPA/CPRA).

Off-band Communications Off-band communications are any type of communication that takes place outside the primary system or channel (i.e., not on company email, not using company calendars).

One-way Hash A one-way hash function is a mathematical or cryptographic algorithm that converts a string of characters or numbers of any length into a fixed-length value that is computationally infeasible to invert to recreate the original string. One-way hashes are standard security practice for storing passwords so that they cannot be discovered. Adding a “salt” (random data combined with the original string before hashing) increases the computational difficulty of inverting the hash output to recover the original string.
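The two uses of a one-way hash described in the Hash Algorithm, Image and One-way Hash entries, as an added example in Python that is not part of the original glossary: verifying that a forensic image matches its source bit for bit, and storing passwords with a per-user salt. The sample “drive” bytes are constructed for illustration, and PBKDF2-HMAC-SHA256 from the standard library stands in for whichever salted, slow hash a real system would use.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a source drive: a fake boot sector followed by some "files".
ORIGINAL_DRIVE = b"MBR\x00" * 64 + b"file1: quarterly report\nfile2: notes\n" * 32


def hash_image(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of a byte image, hashed in chunks the way a tool would for a large drive."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    chunk = 4096
    for i in range(0, len(view), chunk):
        h.update(view[i:i + chunk])
    return h.hexdigest()


def verify_image(original: bytes, image: bytes) -> bool:
    """True only if the copy hashes identically to the original (any changed bit breaks the match)."""
    return hmac.compare_digest(hash_image(original), hash_image(image))


# --- Salted one-way password storage -------------------------------------------

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random 16-byte salt is drawn when none is supplied,
    so two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = 200_000) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    exact_copy = bytes(ORIGINAL_DRIVE)
    tampered = ORIGINAL_DRIVE + b" "          # one added space changes the whole hash
    print("exact copy verifies:", verify_image(ORIGINAL_DRIVE, exact_copy))
    print("tampered copy verifies:", verify_image(ORIGINAL_DRIVE, tampered))

    salt, digest = hash_password("correct horse battery staple")
    print("login ok:", verify_password("correct horse battery staple", salt, digest))
    print("wrong password ok:", verify_password("Tr0ub4dor&3", salt, digest))
```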

Payment Card Industry Data Security Standard (PCI-DSS) The PCI-DSS is an information security standard developed by the payment card industry. Although compliance with PCI-DSS is generally not required by law, the major card brands (e.g., VISA, MasterCard) contractually require merchants or any organization handling payment card data to comply with and follow relevant parts of PCI-DSS.  In March 2022 PCI-DSS v 4.0 was released. A summary of changes can be found here and version 4.0 at a glance can be found here.

Payment Card Information Payment card information refers to any information contained on a customer’s payment card, such as the data printed on either side of the card and the information contained on the magnetic strip on the back of the card.

Personal Data (EU) Personal data refers to any information that could be used to identify any living individual. The EU regulation requires all organizations, both public and private, that process personal data of EU persons to implement certain protections and disclose information about what data they collect and how they intend to use and share it, for data originating in the EU and being transferred to another country.

Personal Information (US) Personal information is defined slightly differently across countries’ and states’ laws, but it generally refers to information that can be used to identify an individual, such as a social security number, health information, or even an IP address. In the U.S. personal information typically excludes publicly available information (e.g., address and phone number).

Phishing Phishing is a cyber hacking technique where an attacker sends a fraudulent message or email to trick the receiver into giving personal information, such as passwords and credit card numbers.

Ping A ping is a computer networking administration tool that sends out a tiny bit of information to an IP address to determine whether or not the specific IP address or host exists or is responsive.

Privacy Compliance Program A privacy compliance program provides a suitable framework for collecting, storing, and processing personal data in your organization, in line with legal requirements and best practices.

Privacy Department Charter A privacy department charter is a document that clearly defines the scope and purpose of privacy within an organization, providing objectives and responsibilities to ensure the privacy program reflects clear organizational expectations.

Privacy Policy A privacy policy is a company’s external facing statement explaining its privacy practices concerning personal information it handles, typically excluding employee personal information. For businesses that are subject to specific laws, some U.S. state and federal laws and global laws dictate certain elements that must be contained in companies’ Privacy Policies.

Privacy Program Unlike cyber security, which aims to protect the confidentiality, integrity and availability of all information, a privacy program focuses exclusively on personal information.

Privilege (legal, attorney-client communication, attorney work product) — In the U.S. legal system, several types of privilege exist, each of which is used to be able to keep certain information confidential and refrain from having to disclose it to opposing parties in discovery. The two most relevant types of privilege for privacy and security-related legal matters are (1) lawyers’ work product and (2) communications between lawyers and clients where the client is seeking legal advice. The latter is the source of a fair amount of litigation concerning whether and to what extent certain information gathered during data breach investigations is subject to either of the privileges listed above.

Privilege (user account) The right and authorization granted to an individual to perform particular system-related operations or changes. For example, administrator accounts are considered “privileged” accounts because they are typically authorized to perform more significant functions than typical user accounts.

Ransomware Ransomware is a type of malware that encrypts or otherwise disables access to a victim company’s data or systems while the threat actors demand a ransom before they will provide a decryption key and/or refrain from releasing the victim’s stolen data. 

Ransomware Laws A growing number of state and federal laws prohibit government entities from paying ransomware demands (i.e., using public funds) with the idea that, if everyone agrees not to pay ransoms, ransomware attacks will subside because the attackers will not be successful, and public entities will avoid paying money that may support terrorist or other criminal operations.

Reasonable Cybersecurity Practices As a legal term, a standard set of cybersecurity program components calibrated to an organization’s specific risks that a court or other authority would find “reasonable” or sufficient. Although no prescriptive list of practices exists, reasonable cybersecurity practices can be assessed based on specific legal requirements in laws, regulations, published opinions from enforcement actions and case law. Generally, practitioners agree that aligning a cybersecurity program with a long-standing, accepted information security standard (e.g., NIST 800-53, NIST CSF, CIS Critical Controls, ISO 27001) should result in a reasonable cybersecurity program.

Record of Processing Activities A term most closely associated with GDPR, a record of processing activities is an inventory of data types that defines data protection-related information about each data type, including purposes for processing and legal bases for processing. Records of processing activities can help an organization get a complete overview of what is being done with relevant personal data handled by the entity.

Regulatory Investigation A regulatory investigation is an actual or threatened written investigation by a state or federal regulator or governmental authority into a suspected violation of the laws each regulator or authority is charged with enforcing.  

Remote Monitoring and Managing (RMM) Remote monitoring and managing is the process of supervising and controlling remote endpoints and IT infrastructure components using locally installed agents that can be accessed by a managed service provider.

Reporting Lines Reporting lines are an important part of an organization’s governance structure, highlighting how authority, accountability, responsibility and independent audits are allocated within a company. 

Restore Restoring data means successfully retrieving data from a backup.

Riley v. California A United States Supreme Court case that ruled that the prior long-standing exception to the search warrant requirement, law enforcement’s ability to conduct a search incident to arrest, was unconstitutional when a phone or smartphone is on the arrestee's body. Law enforcement officers cannot seize and search the digital contents of a cellular phone without first obtaining a search warrant, even during an (otherwise permitted) search incident to arrest.

Safe Harbor (Affirmative Defense to a Claim) In Ohio, Utah and Connecticut, in the aftermath of hacks and data breaches, victim companies may be able to avoid liability for consumer civil claims if they can prove they have implemented a cybersecurity program aligned with a widely-recognized information security standard, such as the NIST Cybersecurity Framework, CIS Critical Controls, NIST SP 800-53, ISO 27001, or PCI-DSS. Its purpose is to encourage organizations to take proactive steps in protecting and improving cyber protections by following long-standing solid guidelines for developing appropriate security protections. The safe harbor clauses in Ohio, Utah and Connecticut do not exempt businesses from state regulatory enforcement actions.

Smishing Phishing conducted via SMS.

SOC 2 Type 2 A Service Organization Control (SOC) 2 Type 2 audit conducted by a CPA that examines large volumes of evidence to identify whether a company has certain safeguards in place. Requires previously having become SOC 2 Type 1 certified.

Social Engineering  Social engineering attacks are based on the use of psychological manipulation to influence people to perform actions or divulge confidential information to gain unauthorized access to networks, systems and data.

Software as a Service (SaaS) Software as a Service (SaaS) is a cloud-based delivery model that allows customers to access an application over the Internet via an interface. The SaaS application runs on the provider’s systems, not the customer’s systems. SaaS applications offset some costs (e.g., maintaining servers on premises) and offer other benefits, but can also present challenges from a security perspective.

Standard Contractual Clauses (SCC) Standard Contractual Clauses are guidelines the European Commission gives that govern the exchange of personal information between the EU and non-EU countries. They represent one potential legal transfer mechanism for protecting personal data sent from the EU to another country.

Standing Not everyone can go to court for any reason. As such, legal “standing” limits participation in lawsuits by asking, for example, whether the individual(s) presenting a lawsuit have suffered any identifiable harm. 

State Data Breach Notification Laws U.S. state laws require organizations to notify state residents if their information has been exposed in a data breach. Some state laws also require notification to regulatory offices, state AG offices and credit reporting agencies. When we refer to State Data Breach Notification Laws we mean a statute that covers just data breach notification and not in the context of a broader law.

State-Sponsored Cyber Attacks State-sponsored cyber attacks are attacks carried out by hackers hired by and linked to a nation (state), with the overall goal to identify national infrastructure vulnerabilities and gather intelligence. 

Supply Chain Attack A supply chain attack is a cyber attack that targets weak links by attacking third-party vendors or suppliers who provide services or software to other organizations. Supply chain attacks can involve injecting malware into a component of a product before it is provided to a manufacturer, so that the manufacturer’s product is distributed with the malware, or disabling an important part of a supply chain (e.g., the company that services machines that make labels) so that manufacturers cannot produce products.

Swiss Data Protection Act (New Federal Act on Data Protection) Law governing processing personal data. Similar to the GDPR but with notable differences. The most recent version of the DPA goes into effect on September 1, 2023.

System A system is a set of resources of any combination of devices, servers, networks and applications that collect, process, maintain and share data or information, or provide infrastructure.

T-Rex Runner A browser game developed by Google and built into the Google Chrome web browser where players guide a pixelated T-Rex across a side-scrolling landscape to avoid obstacles. 

Tennessee Information Protection Act (TIPA) See Comprehensive Privacy Laws and our blog, Which 2023 U.S. State Comprehensive Privacy Laws Apply to Your Organization?

Third-Party Supplier (or Vendor) Security Program The Third Party Service Provider Security Policy is a security function that involves setting minimum standards for any service providers who handle or access data or systems. The NYDFS Cybersecurity Rule is one example of a regulatory requirement that requires financial and insurance firms to implement policies and procedures, due diligence, and contractual protections to oversee and manage the cybersecurity of their third-party service providers. 

TOR Browser A TOR browser (TOR stands for The Onion Router) allows users to achieve anonymity by using multiple layers of encryption to hide traffic, hide where traffic is routed and hide the identity of the device using the browser. (Each layer of encryption is a layer of an onion.) TOR browsers are commonly used for many purposes, one of which is to browse the dark web. Before you download one thinking, “Great! A truly anonymous browser!” hang on. They’re slow. If you get frustrated when your browser hangs for 0.3 seconds, this is not the browser for you.  

TOTP (time-based one-time password) This is a temporary passcode generated by an algorithm that is valid for a short period of time (typically 30 seconds) and then no longer functions. TOTPs are increasingly common mechanisms for multi-factor authentication.  

Track 1 and 2 Data The data stored on the magnetic stripe on the back of a payment card. The data usually consists of the cardholder's name, account number (PAN), card brand, expiration date, bank ID (BIN), and other numbers the issuing bank uses to validate the data received.

U.S. State Data Breach Notification Statutes U.S. state laws require companies that suffer a data breach to notify the state's residents if their personal information has been exposed. Some laws also require notification to the state AG or other governmental entity and/or credit reporting agencies, typically if the number of residents whose data was exposed exceeds a certain threshold. Data breach notification laws are different from data security laws and comprehensive privacy laws although there may be some overlap.

U.S. v. Jones (2012) A United States Supreme Court landmark case that held that installing a Global Positioning System (GPS) tracking device on a vehicle and using the device to monitor the vehicle’s movements constitutes a search requiring a search warrant under the Fourth Amendment. 

U.S. v. Microsoft (2001) A United States Supreme Court data privacy case in which Microsoft argued a judge did not have the authority to access emails on one of their networks in Ireland because the information was stored abroad. The case eventually led to the Clarifying Lawful Overseas Use of Data Act (CLOUD), which allows federal law enforcement to access data stored overseas if it’s on a U.S.-based technology company’s server. 

UK General Data Protection Regulation (UK GDPR) The UK GDPR is a United Kingdom regulation that requires every organization responsible for personal data to adhere to strict rules called ‘data protection principles’ to ensure information is used fairly, lawfully and transparently.

Utah Consumer Privacy Act (‘UCPA’) See Comprehensive Privacy Laws and our blog, Which 2023 U.S. State Comprehensive Privacy Laws Apply to Your Organization?

Van Buren v. U.S. (2021) — A United States Supreme Court case dealing with the Computer Fraud and Abuse Act (CFAA) (federal anti-hacking law), which criminalizes accessing a computer without authorization or by exceeding authorized access. Under Van Buren, if a person is authorized to access some files in a computer system but other files in the same computer system are off-limits, the fact that the person accessed off-limits files in the computer system does not constitute exceeding authorized access for purposes of the CFAA.  

Virginia Consumer Data Protection Act (‘CDPA’) See Comprehensive Privacy Laws and our blog, Which 2023 U.S. State Comprehensive Privacy Laws Apply to Your Organization?

Vulnerability A vulnerability is a weakness or flaw in a system, software, security procedures, internal controls or any other element of IT and operational functions that could be exploited or triggered by a cyber threat actor. (See Exploit)

Vulnerability Disclosure Program A program that allows independent security researchers or ethical hackers to discover and report a vulnerability or bug to the developer of an application. (See Bug Bounty)

Vulnerability Management Program A vulnerability management program gives organizations a framework for managing risk focused on detecting, identifying and remediating vulnerabilities across a network.

Web 3.0 Web 3.0 refers to the third generation of the evolution of web technologies. Web 1.0 describes non-interactive web pages. Web 2.0 (where we all live currently) allows users to interact with websites, download and upload information. Web 3.0 will be decentralized, open to everyone and built on blockchain. In its simplest form, it will be a virtual universe or environment that allows users to traverse virtual space with an avatar and connect with other individuals. (See Metaverse)

Zero-Day Attack A zero-day attack is an attack in which a hacker exploits (takes advantage of) a previously unknown software vulnerability (flaw), causing damage or stealing data before the developers have a chance to identify and fix the flaw. 

ZeroDay Law — ZeroDay Law is a privacy and cybersecurity law firm that specializes in incident response management, planning and preparation, and ensuring that in-house counsel and organizations are prepared to manage the legal and technical requirements that occur before, during and after a cyber attack.