Thus far we have focused primarily on laws that affect the security of data, systems, and networks, and the ability of the government and the private sector to conduct surveillance on this infrastructure to prevent cybercrime and other harms. However, an examination of cybersecurity law would be incomplete without an overview of privacy law.

Privacy law limits companies' collection, use, sharing, and retention of personal information. Although data security laws provide the safeguards that companies must have in place to prevent hackers from accessing customer data, privacy law restricts companies' ability to use customer data. For instance, privacy law may prevent a company from selling customer web‐browsing activities to third‐party marketers, building customer profiles based on the videos they view online, or using facial recognition.

Some might argue that privacy law is outside the scope of cybersecurity law, and they may be correct. At least under some conceptions of cybersecurity law, it is irrelevant how companies choose to legitimately use customer data. However, cybersecurity is an emerging field and there is no single, settled definition of the term. Nevertheless, privacy does often intersect with cybersecurity; consequently, all cybersecurity professionals should have a basic understanding of privacy legal principles.

Any examination of cybersecurity law would be incomplete without an overview of the legal restrictions on the use and disclosure ...