chevron-down Created with Sketch Beta.

The Business Lawyer

Winter 2022-2023 | Volume 78, Issue 1

Survey of the Law of Cyberspace: An Introduction

John Rothchild


  • The format of the survey has evolved over the years. During its first dozen years, the essays tended to be fewer in number and longer. More recently, there have usually been eight to twelve essays shorter in length.
  • The briefer essays make the survey more accessible to an audience whose principal focus is not cyberlaw, and their greater number allows for coverage of more of the many subject areas that comprise cyberlaw.
  • The topics in the survey include privacy and data security, cyber security, contracts, intermediary liability, electronic payments and financial services, advertising and consumer protection, artificial intelligence.
Survey of the Law of Cyberspace: An Introduction Maneerat

Jump to:

This year marks the twenty-fifth anniversary of the Survey of the Law of Cyberspace. The first survey, published in 1997, began with the following words: “The idea to publish a Survey of the Law of Cyberspace in The Business Lawyer was conceived in response to the increasing number of lawyers who find that their practice is taking place in cyberspace—a world dominated by electronic information transmittal.” Now, twenty-five years further into the Internet age, it is safe to posit that virtually all lawyers must engage with digital communications as part of their practice.

The format of the survey has evolved over the years. During its first dozen years, the essays tended to be fewer in number and longer—usually three to five essays averaging twenty-five to thirty-five printed pages each. More recently, there have usually been eight to twelve essays, averaging nine to eleven pages each. The briefer essays make the survey more accessible to an audience whose principal focus is not cyberlaw, and their greater number allows for coverage of more of the many subject areas that comprise cyberlaw.

Over these twenty-five years the roster of contributing authors has naturally changed, but there are some islands of stability. Stephen Middlebrook, a contributor to one of the earliest surveys, has also contributed to the ten most recent surveys, and Sarah Jane Hughes has contributed to seventeen of these surveys.

The current survey covers developments in cyberlaw that occurred in the year ending May 2022.

Privacy and data security. In her review of developments in state privacy law, Lakshmi Gopal offers a detailed description and comparison of the three most recent comprehensive state privacy statutes, enacted in Colorado, Connecticut, and Utah, and reviews updates of the California and Virginia laws. A brief discussion of the Uniform Personal Data Protection Act is followed by a review of litigation under the Illinois Biometric Information Privacy Act and a discussion of two new biometric privacy laws in New York City.

Meg Strickler covers a different swath of the privacy landscape, focusing on federal law developments. As she explains, the Federal Trade Commission (“FTC”) has directed particular attention to children’s privacy, issuing a policy statement on the Children’s Online Privacy Protection Act (“COPPA”) and settling several enforcement actions under the COPPA Rule. The FTC also settled actions involving misrepresentations about privacy made to consumers, and issued a staff report about the privacy practices of Internet service providers. Finally, her survey discusses a policy change by Apple that makes it harder for the deployers of apps to track their users online.

Cybersecurity. Roland L. Trope reviews two cases in which a party has relied on a security paradigm that is no longer valid. In the first, an employee overseeing robots working on a factory floor was tragically killed due to failure of the assumption that robots can safely operate in close proximity to humans. In the second, the issuer of an “all risks” insurance policy invoked the policy’s exclusion for “warlike” actions in an effort to avoid paying the insured’s claims for its losses resulting from a malware attack, but was unsuccessful due to its failure to inform the insured that cyberattacks had become a means by which nations conduct war and that it would construe the exclusion accordingly.

Sasha Hondagneu-Messner describes some recent initiatives by the Securities and Exchange Commission aimed at enhancing cybersecurity in connection with investment markets. The agency has increased staffing in its unit dealing with cryptocurrency and cyberthreats, settled several actions against public companies in which it alleged cybersecurity violations, and proposed new cybersecurity rules applying to investment advisors and public companies.

Contracts. Nancy S. Kim reviews the newest cases dealing with online contracting. She notes that courts are maintaining their recent focus on website design and the specific context in which online contracting occurs. The cases she discusses deal with the requirement that notice of terms be clear and conspicuous; what actions by the consumer will constitute a manifestation of assent to the terms; and the enforceability of “sign-in wrap” agreements and other contracting paradigms ranging from browsewraps to clickwraps.

Intermediary liability. Chase J. Edwards reviews some of the most important developments relating to the liability of online intermediaries based on activities of their subscribers. In two cases against the makers of Snapchat predicated on its provision of a feature that allegedly resulted in high-speed car crashes with deadly results, both courts denied Snapchat the immunity conferred by Section 230, and one of the two allowed the case to proceed after finding plaintiffs had sufficiently alleged a claim for negligent design of the feature. Two courts addressed the applicability of Section 230 to retweets, arriving at different results depending on whether the retweeter added his own commentary. Two courts diverged from previous rulings in holding that an online gun marketplace is not entitled to Section 230 immunity, but ruled in favor of the defendant on the merits. The essay concludes with a review of Florida and Texas laws that forbid social media platforms from banning certain speakers or viewpoints.

Electronic payments and financial services. Stephen T. Middlebrook, Sarah Jane Hughes, and Tom Kierner present a masterful tour through a multitude of developments in electronic payments and financial services. They discuss regulation of earned wage access products; enforcement actions relating to government benefit cards; new regulations for payroll cards; efforts by the Consumer Financial Protection Bureau to expand its regulatory authority; warnings from regulators about potential unfair and deceptive practices; and enforcement actions relating to garnishment practices, remittance services, Internet lenders, and cryptocurrency exchanges.

Advertising and consumer protection. Richik Sarkar’s contribution addresses several developments at the FTC. These include settlements involving in-game advertising and online product reviews and ongoing revisions to two FTC guidance documents. The essay continues with a discussion of developments relating to telemarketing: new Federal Communications Commission rules about international robocalls, a proposed FTC rule on recordkeeping by telemarketers, and several court decisions under the Telephone Consumer Protection Act. The essay closes with discussion of a new Department of Justice charging policy and a new court case under the Computer Fraud and Abuse Act.

Artificial intelligence. Michael Simon and Andrew Pery survey recent developments relating to regulation of artificial intelligence. They begin by reviewing the newest national regulations from China and the European Union, and then move to regulatory efforts by the U.S. Congress and several federal agencies. They conclude with a tour of regulations issuing from several states and municipalities.