Last updated: 2026-04-12
Platform Philosophy
LawZeee teaches law by topic domain. Each domain = one module set. Each module set follows the same structure. The goal is that a legal professional can take a single module and leave with enough technical and statutory literacy to do their job better on that topic.
Current Domain: Cybersecurity Law (Phase 1)
Learning Objectives — Full Module Set
By the end of this module set, a student should be able to:
- Identify which federal and state statutes apply to a given cyber incident
- Explain the boundary of CFAA "unauthorized access" post-Van Buren
- Calculate breach notification deadlines under CA, NY, and EU (NIS2, GDPR)
- Name the key enforcement agencies, their jurisdiction, and their tools
- Evaluate whether a civil suit against a hacker is practically viable
- Identify the key procedural barriers in data-breach class actions (standing, attribution, jurisdiction)
- Recognize emerging legal tensions: zero-days, ransomware sanctions, good-faith research safe harbors
Module Map
| ID | Title | Primary Topics | Statutes/Cases | File |
|---|---|---|---|---|
| 1A | CFAA and the Federal Criminal Toolkit | CFAA, wire fraud, aggravated identity theft, RICO | 18 U.S.C. §§ 1030, 1343, 1028A, 1963; Van Buren (2021) | artifacts/modules/01a-cfaa-federal-statutes.md |
| 1B | State Breach Notification and Private Damages | CA breach notice + private action, NY breach notice + DFS, TX notice | CA Civil Code §§ 1798.82, 1798.150; CA PC § 502; GBS § 899-aa; 23 NYCRR 500 | artifacts/modules/01b-state-breach-notification.md |
| 1C | EU Frameworks: GDPR, NIS2, Budapest Convention | EU cybersecurity risk management, breach reporting, fines, cross-border cooperation | NIS2 (Directive (EU) 2022/2555); GDPR Arts. 33, 83; Budapest Convention Art. 35 | artifacts/modules/01c-eu-international-frameworks.md |
| 1D | Landmark Cases: Prosecutions and Civil Suits | CFAA boundary, standing, sovereign immunity, extradition, ransomware prosecution | Auernheimer (2014), Power Ventures (2016), Zappos (2018), Van Buren (2021), WhatsApp v NSO (2021), hiQ/LinkedIn (2022), Vasinskyi/REvil (2024), Bitfinex/Lichtenstein (2024) | artifacts/modules/01d-landmark-cases.md |
| 1E | Enforcement Agencies and Mechanisms | DOJ/CCIPS, FBI, FTC, CISA, OFAC, FinCEN; enforcement flowchart; MLAT/Budapest 24/7; crypto tracing; infrastructure seizure | FTC Act § 5; CIRCIA; CLOUD Act | artifacts/modules/01e-enforcement-agencies.md |
| 1F | Victim Remedies and Procedural Hurdles | Injunctions, compensatory/statutory/punitive damages; attribution choke point; standing (Spokeo/TransUnion); jurisdiction/venue; sovereign immunity; extradition limits | Spokeo (2016); TransUnion (2021); Zappos (9th Cir.); Auernheimer venue; Love (UK High Court extradition) | artifacts/modules/01f-victim-remedies.md |
| 1G | Emerging Issues | Zero-day markets (VEP), ransomware sanctions (OFAC/FinCEN), VDPs/good-faith research, e-evidence reform, encryption/lawful access | DOJ good-faith research policy; CISA BOD 20-01; CLOUD Act; Budapest Second Additional Protocol; UN Cybercrime Convention | artifacts/modules/01g-emerging-issues.md |
Teaching Sequence (Recommended)
1A (Federal criminal core)
→ 1B (State civil/regulatory)
→ 1C (International)
→ 1D (Case studies: brings 1A-1C to life)
→ 1E (Who enforces, how)
→ 1F (If you're the victim — what you can do)
→ 1G (What's changing)Glossary
artifacts/glossary/cybersecurity-law-glossary.md
Key bridging terms needed:
- Technical: unauthorized access, vulnerability, exploit, malware, ransomware, zero-day, credential stuffing, IMDS, SSRF, sandbox, HAR, PKI, TLS, API key, JWT
- Legal: CFAA, authorized access, exceeds authorized access, computer fraud, loss (CFAA definition), protected computer, wire fraud, RICO, standing, sovereign immunity, MLAT, extradition, restitution, forfeiture, breach notification, data processor/controller (GDPR), essential entity (NIS2)
- Bridging: attribution (technical vs. legal), discovery (incident timeline vs. legal discovery), chain of custody (forensic vs. evidentiary)
Future Domains (Phase 2+)
| Domain | Priority | Rationale |
|---|---|---|
| Privacy Law | High | CCPA, CPRA, state privacy laws, international data transfers — constant litigation surface |
| AI & Emerging Tech Law | High | AI Act (EU), FTC AI guidance, liability for AI outputs, IP in AI-generated content |
| Intellectual Property + Technology | Medium | Software copyright, trade secret in source code, patent in tech products |
| Financial Crime Law | Medium | AML/KYC, crypto asset forfeiture, OFAC sanctions, BSA — overlaps with cybercrime prosecution |
| Internet & Platform Law | Medium | Section 230, DMCA, platform liability, content moderation |
| Contracts + Technology | Lower | SaaS agreements, API terms, data processing agreements, liability caps |
Module Format Standard
Legacy Phase 1 modules use the original structure below. New blog posts and update memos should follow docs/BLOG-POST-STANDARD.md and start from research/cybersecurity/blog-drafts/LAWZEEE-POST-TEMPLATE.md.
Every LawZeee module follows this structure:
# Module [ID] — [Title]
> Last updated: YYYY-MM-DD | Source material: YYYY-MM-DD
> DISCLAIMER: Educational purposes only. Not legal advice.
## Overview
[2-3 sentence framing: why this matters to a legal professional]
## Key Concepts
[Technical concepts explained for legal audience — with analogy + precise definition]
## Statutory / Regulatory Framework
[Statutes, regulations, directives — with citations and key provisions]
## Landmark Cases
[Cases with: facts → charges/claims → outcome → why it matters]
## Enforcement Mechanics
[Who enforces, how, what tools, what penalties]
## Practitioner Takeaways
[Concrete guidance for lawyers/legal staff — framed as "courts have held", "regulators require", "practitioners should consider"]
## Quiz
[10 questions — see artifacts/quizzes/]