Jeff Kosseff is an Assistant Professor of Cybersecurity Law at the United States Naval Academy. He is the author of Cybersecurity Law (Wiley), the first comprehensive textbook on U.S. cybersecurity laws and regulations, and in spring 2019 will publish The Twenty-Six Words that Created the Internet, a nonfiction narrative history of Section 230 of the Communications Decency Act. His articles about cybersecurity and Internet law have appeared in Iowa Law Review, Wake Forest Law Review, IEEE Security & Privacy, Computer Law and Security Review, Columbia Science and Technology Law Review, and other publications. In October 2017, he testified about online sex trafficking and Section 230 before the House Judiciary Committee's Subcommittee on Crime, Terrorism, Homeland Security, and Investigations. In March 2017, he testified about Section 702 of the Foreign Intelligence Surveillance Act before the House Judiciary Committee.
Jeff has practiced cybersecurity and privacy law, and clerked for Judge Milan D. Smith, Jr. of the U.S. Court of Appeals for the Ninth Circuit and for Judge Leonie M. Brinkema of the U.S. District Court for the Eastern District of Virginia. He is a graduate of Georgetown University Law Center and the University of Michigan. Before becoming a lawyer, he was a journalist for The Oregonian and was a finalist for the Pulitzer Prize for national reporting.
Cybersecurity Law (Wiley, 2017): Textbook/treatise on global cybersecurity laws and regulations for U.S. companies. Second edition forthcoming December 2019
The Twenty-Six Words that Created the Internet (Cornell University Press, forthcoming Spring 2019): nonfiction narrative history of Section 230 of the Communications Decency Act
Hamiltonian Cybersecurity, Wake Forest Law Review (forthcoming 2019): Cyberattacks present existential challenges for U.S. national security and economic interests, yet Congress has failed to adopt a comprehensive regulatory framework to secure private-sector information and systems. To fill that gap, state legislatures have passed many laws that regulate data security, data breaches, and protection of personal data. The requirements of these laws vary significantly, are outdated, and sometimes conflict. This Article explains why this state-centric approach to cybersecurity is inadequate. First, the Article examines the Framers’ desire for a uniform approach to commercial regulations, and explains how the U.S. approach is scattered, outdated, and decentralized. A comprehensive federal cybersecurity statute would help to realize the Framers’ vision. Second, the Article asserts that, given this prudential argument, the state approach to cybersecurity and data protection regulations may be unconstitutional under the Dormant Commerce Clause, which prohibits state laws that unduly burden interstate commerce or impose inconsistent regulations.
Defining Cybersecurity Law, Iowa Law Review (2018): As data breaches, denial-of-service attacks, and other cybersecurity incidents lead to extraordinary economic and national security consequences, commentators increasingly look to the legal system for solutions. Unfortunately, U.S. laws do not have a unified and coherent vision for the regulation and promotion of cybersecurity. For that matter, the U.S. legal system lacks a consistent definition of the term “cybersecurity law.” This Article aims to fill that gap by defining cybersecurity law. Although many articles have addressed various aspects of cybersecurity, none have stepped back to define exactly what cybersecurity is and the goals of statutes and regulations that aim to promote cybersecurity. By defining the scope and goals of this new legal field, we can then examine how lawmakers could improve existing laws.
Developing Collaborative and Cohesive Cybersecurity Legal Principles, paper presented at the NATO Cooperative Cyber Defense Center of Excellence Conference on Cyber Conflict (Tallinn, Estonia) and published in the IEEE conference proceedings (June 2018): This Paper sets forth the need for nations to discuss common legal principles for promoting and regulating cybersecurity, similar to the privacy principles articulated in Organization for Economic Cooperation and Development’s Fair Information Practices in 1980. As a starting point for discussion, this Paper suggests four goals of common international principles for cybersecurity law: (1) modernization of cybersecurity laws; (2) uniformity of legal requirements; (3) coordination of cooperative incentives and coercive regulations; and (4) supply chain security. Although cybersecurity laws always will vary, international coordination could improve the efficacy of cybersecurity laws by providing some degree of consistency. A dialogue also could help policymakers learn from other nations’ cybersecurity successes and failures.
Private Computer Searches and the Fourth Amendment, I/S: A Journal of Law and Policy for the Information Society (forthcoming 2018): The Fourth Amendment generally restricts a search or seizure conducted by a government entity, such as the state police or Federal Bureau of Investigation. The Supreme Court has held that the Fourth Amendment applies to a search or seizure performed by a private party unless that private party is an “agent or instrument” of the government. The Supreme Court has not formulated a specific test to determine whether a private party is an agent or instrument, leaving it to lower courts to formulate their own analytic frameworks. The prevailing agency test in most circuits focuses on whether the private party intended to help law enforcement. In this Article, I argue that this subjective analytical framework is flawed because it is contrary to the principles that the Supreme Court has articulated in its opinions about Fourth Amendment agency, which focus on the actions of the government, and not the intent of the private party. Moreover, from a practical standpoint, the subjective agency-or-instrument test has been difficult to apply with certainty and consistency. To assess the practical difficulties of the current test, this Article reviews the criminal prosecutions of defendants in child pornography cases in which the evidence was initially discovered by online service providers or computer repair technicians. The Article proposes an alternative, objective agent-or-instrument test that looks to the government’s actions. Under the proposed test, the private party is deemed an agent or instrument only if the government substantially participated in the search or seizure.
Twenty Years of Intermediary Immunity: The U.S. Experience, SCRIPTed: A Journal of Law, Technology & Society, 14:1 SCRIPTed 5 (2017): Policymakers worldwide have long debated how to maintain free expression on the Internet while minimizing defamation and other harmful online speech. Key to these debates has been intermediary liability: whether online platforms should be held legally responsible for user-generated content. To inform this continued debate, this Article examines the U.S. experience with relatively broad intermediary liability immunity. Enacted two decades ago, Section 230 of the Communications Decency Act provides robust immunity to websites, ISPs, social media providers, and other online platforms for legal claims arising from user content. This Article examines the scope of the immunity that Section 230 provides to U.S. platforms and examines the primary criticisms of this approach. This Article analyses court opinions involving Section 230, and examines the content moderation policies and practices of the leading U.S. online platforms. The Article concludes that Section 230 has fostered the growth of social media, user reviews, and other online services that rely primarily on user generated content. Critics of Section 230 raise valid concerns that the broad immunity often prevents lawsuits against online platforms; however, my research concludes that many of the largest U.S. intermediaries voluntarily block objectionable and harmful content due to consumer and market demands.
New York’s Financial Cybersecurity Regulation: Tough, Fair, and a National Model, Georgetown Law Technology Review 1 Geo. L. Tech. Rev. 432 (2017): This Article explores the new cybersecurity requirements that New York’s financial regulators will impose on its regulated companies, and argue that the revised regulation is a model of a rigorous, fair, and technologically sound cybersecurity regulation. New York’s regulation could serve as a model for a uniform nationwide cybersecurity regulation that would provide certainty and clarity to companies while protecting the confidentiality, integrity, and availability of information and systems. Cybersecurity law in the United States currently is a patchwork of outdated privacy and computer crime laws; New York’s regulation, in contrast, is a model cybersecurity statute for the modern era.
The Gradual Erosion of the Law that Shaped the Internet, Columbia Science and Technology Law Review, 18 Colum. Sci. & Tech. L. Rev. 1 (2017): In this Article, I review all Section 230-related court opinions published between July 1, 2015 and June 30, 2016 to determine the extent of immunity. The review found that in approximately half of the cases, courts refused to fully grant Section 230 immunity. Most commonly, the courts conclude that the online service provider actually created and published the content. To be sure, 20 years after Congress enacted Section 230, Section 230 remains a strong shield for online service providers in many cases. However, as the amount of user-generated content has exponentially increased in recent years, courts have struggled with what was once viewed as bullet-proof immunity for online intermediaries, and are slowly enlarging the loopholes that allow plaintiffs’ lawsuits against intermediaries to survive.
Cyber-Physical Systems and National Security Concerns, chapter in Security and Privacy in Cyber-Physical Systems: Foundations and Applications (Wiley) (forthcoming 2017): A set of international legal rules, known as jus ad bellum (Latin for “right to war”), provide a framework for determining whether an attack against a nation-state was unlawful, and whether it is permissible for the target state to respond with self-defense. Over the past decade, legal scholars and government officials have struggled to determine how to apply jus ad bellum to attacks on computer systems. This Chapter extends that analysis to attacks on cyber-physical systems. I conclude that although cyber-physical systems present new national security challenges, the jus ad bellum analysis applies just as easily to cyber-physical attacks as it does to attacks on computer systems and purely physical targets.
In Defense of FAA Section 702: An Examination of Its Justification, Operational Employment, and Legal Underpinnings (co-author with Chris Inglis), Hoover Institution National Security, Technology, and Law Working Group paper (2016): This paper makes the case that the provisions of Section 702 of the FISA Amendments Act are both necessary and appropriate under the US Constitution's mandate that the government pursue all of its aims (e.g., security and privacy). Moreover, the paper provides compelling evidence to rebut widely circulated myths regarding the actual implementation of Section 702, most notably that NSA exceeded either the intent or the letter of its authorities. For this reason, we believe that Congress should reject calls to repeal or amend Section 702. The statute already provides a well-regulated system for intelligence agencies to collect foreign intelligence from non-U.S. persons who are not located in the United States. The National Security Agency has stated that Section 702 is its single most significant tool for identifying terrorist threats. The program is overseen by all three branches of government and has an unprecedented system of checks and balances. In the past seven years, the program has been remarkably effective, both at protecting the privacy of U.S. persons and obtaining valuable intelligence from foreign sources. Accordingly, Congress should reauthorize this valuable foreign intelligence program.
The Hazards of Cyber-Vigilantism, Computer Law & Security Review, 32:4 Comp. L. & Sec. Rev. 642 (2016): In recent years, some aggressive actions against cyber-criminals and terrorists have come not only from state actors, but also from independent third parties such as Anonymous. These groups have claimed some significant victories in their battles against ISIS and similar organizations, by hacking their email, publicly exposing their secret communications, and knocking their websites offline. The hacker groups also combat other cyber criminals, including distributors of child pornography. Some of the groups' activities, however, violate the computer hacking laws of many nations. Some commentators have criticized these statutes, claiming that the laws unnecessarily prohibit private actors from serving the public good. I defend the broad prohibition of cyber-vigilantism, and argue that well-intentioned private actors can accomplish their goals by working with governments.
The Cybersecurity Privilege, I/S: A Journal of Law and Policy for the Information Society, 12:2 I/S: A Journal of Law & Policy 641 (2016): Cybersecurity work often relies on highly confidential information about a company’s network vulnerabilities, and therefore the disclosure of the work product or communications could be useful to plaintiff’s lawyers or regulators after a data security incident. To protect against this risk, companies attempt to cover their cybersecurity professionals’ communications and work product under an existing evidentiary privilege, such as the attorney-client privilege or work product doctrine. However, such privileges are an uneasy fit for some cybersecurity work, particularly prophylactic measures that are not directly tied to ongoing or potential litigation. In other words, current evidentiary law discourages companies from investing in the services necessary to prevent cyberattacks from occurring. In this Article, I propose the creation of a stand-alone privilege for cybersecurity work.
A New Legal Framework for Online Anonymity, IEEE Security & Privacy (Nov./Dec. 2015): In this article, I trace the right to anonymity’s history and rationale and how the US and other western nations developed legal rules to provide a limited right of online anonymity. In the past, courts have analyzed the right to anonymity as an extension of the right to free speech. Here, I argue that a California court’s new alternative approach, which instead focuses on the right to privacy, could provide a useful road map for other courts in the US and other western democracies that recognize the right to anonymity.
Private or Public? Eliminating the Gertz Defamation Test, University of Illinois Journal of Law, Technology, & Policy, 2011 U. Ill. J. L. Tech & Pol’y 249 (2011): This Article proposes that courts require a demonstration of actual malice for all defamation claims, eliminating the public/private dichotomy. A requirement of actual malice in all cases still provides sufficient safeguards for the plaintiff in the types of cases that defamation law has long been intended to address.
Defending Section 230: The Value of Intermediary Immunity, Journal of Technology, Law, & Policy (University of Florida) 15 J. of Tech. Law and Policy 123 (2010): This Article argues that judicial interpretations of Section 230 are correct as matters of statutory law and policy. The general reasons for Section 230's broad immunity are supported by constitutional decisions that limit liability for speech in other contexts. Although Internet service providers and websites have not faced significant tort liability, they have adopted many of the content protection measures that Congress envisioned when it passed the unprecedented statutory immunity.
Note, The Elusive Value: Protecting Privacy During Class Action Discovery, Georgetown Law Journal, 97 Geo. L. J. 289 (2008): This Note proposes a set of guidelines for precertification and postcertification discovery. Courts should apply heightened scrutiny to any requests for identifying or personal information about absent class members, and they should apply that standard equally to discovery requests from plaintiffs and from defendants. In addition to heightened scrutiny, this Note recommends that if courts determine that personal or identifying information is necessary, they should consider technology, protective orders, and business arrangements that would minimize the invasion of absent class members' privacy. This Note also recommends best practices for postcertification discovery of absent class members. Notices should inform class members about the nature of the information that may be provided to named plaintiffs. Adherence to a uniform set of best practices would ensure fairness for plaintiffs, defendants, and absent class members.
Presenter, Defining Cybersecurity Law, Johns Hopkins University, Applied Physics Laboratory (Aug. 16, 2017)
Panelist, Inside Job, Improving Cybersecurity with Better Cyber Hygiene (June 15, 2017)
Presenter (with MIDN 1/C Dennis Devey), Understanding the Cybersecurity Act of 2015, BSidesCharm conference (April 30, 2017)
Moderator, The Future of Cybersecurity Regulation, Joint Service Academy Cyber Security Summit (Mar. 24, 2017)
Panelist, Governance, Risk Management & Compliance, Boston Conference on Cyber Security (Mar. 8, 2017)
Co-presenter (with Mike Bilzor), Cyber Reconnaissance and Intrusion, at Developing a Normative Framework for Cyberwarfare conference (Oct. 17, 2016)
Presenter, The Value of Intermediary Immunity: The U.S. Experience, Oxford Internet Institute Internet, Policy, & Politics Conference (Sept. 23, 2016)
Presenter, Cyber Security and the Law conference, French-American Foundation and Interpol (Sept. 16, 2016)
Panelist, Cyber Sovereignty: Ethical and Legal Considerations, Cyber Endeavor 2016, Naval Postgraduate School (June 22, 2016)
Moderator, Making Privacy Rules for New Networks: The FCC’s Regulation of Broadband ISPs, International Association of Privacy Professionals Global Privacy Summit (April 6, 2016)
Presenter, Preserving the Privilege During Breach Response, RSA Conference (Mar. 3, 2016)
Presenter, Ten Reasons to Adopt the NIST Cybersecurity Framework, The Law & Policy of Cybersecurity Symposium, University of Maryland (Feb. 5, 2016)
Presenter, Positive Cybersecurity Law: Creating a Consistent and Incentive-Based System (symposium article), Chapman Law Review, Chapman University (Jan. 29, 2016)
Presenter, Protecting the Privilege During Breach Investigations, InfoGovCon, Hartford, CT (Sept. 30, 2015)
Presenter, The Attorney-Client Privilege for Cybersecurity Investigations, Cyber Security Technology and Training Forum (Aug. 19, 2015)
Prevent Data Breaches, Don't Just Report Them, TechCrunch (May 9, 2017)
A VHS-Era Privacy Law in the Digital Age, TechCrunch (May 24, 2016)
In the Apple Encryption Debate, Can We Just Have the Facts, Please? TechCrunch (Oct. 26, 2016)
Should Tech Companies be Subject to the Fourth Amendment? TechCrunch (Dec. 13, 2015)
Time for a Serious Talk About Encryption, The Hill (Nov. 23, 2015)
The Biggest Cybersecurity Risk is Not Identity Theft, TechCrunch (Nov. 13, 2015)
Congress Looks at Car Hacking, The Hill (Oct. 26, 2015)
Notified About a Data Breach? Too Late, Wall Street Journal (Oct. 9, 2015)
Can Decency Be Legislated? TechCrunch (Oct. 9, 2015)
Cybersecurity is Expensive – That’s Why We Should Offer Tax Incentives, Forbes (Sept. 23, 2015)
To Fix Cybersecurity Law, Ask More Questions, TechCrunch (Sept. 15, 2015)
Georgetown University Law Center
Juris Doctor, magna cum laude and Order of the Coif (2010)
Executive Articles Editor, Georgetown Law Journal
University of Michigan
Master of Public Policy, economic policy (2001)
Bachelor of Arts, economics (2000)
Courses Taught (United States Naval Academy)
SY406: Cyber Law & Ethics
SY403: Cyber Policy & Planning
SY485B: Politics of Cyberspace