Law, ethics and privacy

The Computer Misuse Act, UK GDPR and data protection, and the ethics of authorisation that separate security work from crime.

Why the law matters to technical people

Security work lives next to the criminal law: the same scan that's routine on an authorised engagement is an offence on a system you don't have permission to touch. Knowing where the line sits protects you, and understanding the law is half of governance. This chapter is UK-focused (matching most of the qualifications this covers), but the principles generalise.

The Computer Misuse Act 1990

The UK's primary anti-hacking law. It's deliberately broad, and the key word throughout is unauthorised; authorisation is what separates legitimate testing from a crime. Its offences (as currently in force):

  • Section 1: Unauthorised access to computer material. Simply accessing any program or data without authorisation, knowing the access is unauthorised. Note: no damage or further intent is required; looking is enough. The basic hacking offence.
  • Section 2: Unauthorised access with intent to commit or facilitate further offences. Section 1 plus an intent to commit a more serious crime (e.g. fraud). Heavier penalty.
  • Section 3: Unauthorised acts with intent to impair, or recklessness as to impairing, the operation of a computer. Covers malware, ransomware and DoS attacks (damaging or disrupting systems).
  • Section 3ZA: Unauthorised acts causing, or creating risk of, serious damage (to human welfare, the economy, national security). Added later for attacks on critical infrastructure; carries up to life imprisonment for the gravest cases.
  • Section 3A: Making, supplying or obtaining articles for use in offences under s1, s3 or s3ZA. This is the dual-use tools provision: distributing or obtaining hacking tools intending them to be used in an offence. It's why security professionals must be careful about context: intent and authorisation are what matter.

The single most important takeaway: intent and even claimed good motive are not a defence to unauthorised access. The "grey hat" who scans a stranger's server uninvited and reports the holes has still committed a Section 1 offence. Always get written authorisation with an agreed scope before testing anything you don't own; the penetration tester's most important document is the signed contract, not any tool.

UK GDPR and the Data Protection Act 2018

The UK's data protection regime is the UK GDPR alongside the Data Protection Act 2018, regulating how personal data (information relating to an identifiable living person) is processed. It directly shapes security obligations.

Key roles:

  • Data subject: the individual the data is about.
  • Data controller: decides why and how data is processed; carries primary legal responsibility.
  • Data processor: processes data on the controller's behalf (e.g. a cloud provider).
  • ICO (Information Commissioner's Office): the UK regulator that enforces the law.

Among the data protection principles are requirements that personal data is processed lawfully and fairly, collected for specified purposes, minimised to what's needed, kept accurate, not retained longer than necessary, and (most relevant here) kept secure with "appropriate technical and organisational measures" (the integrity and confidentiality principle). The law also grants data subjects rights: access (a "subject access request"), rectification, erasure ("right to be forgotten"), portability, and the right to object.

Two security-critical obligations:

  • Breach notification: a personal data breach that risks people's rights must be reported to the ICO within 72 hours of becoming aware, and affected individuals told if the risk is high. IR plans must therefore build in legal and regulatory communication steps.
  • Penalties: the most serious infringements can attract fines up to the higher of £17.5 million or 4% of annual worldwide turnover. (A lower tier caps at £8.75m or 2%.) The scale is what makes data protection a board-level concern, not just a compliance footnote.

Other UK/relevant legislation to recognise

  • Privacy and Electronic Communications Regulations (PECR): cookies, electronic marketing.
  • Network and Information Systems (NIS) Regulations: security duties for operators of essential services and digital infrastructure.
  • Investigatory Powers Act: state surveillance and interception.
  • Police and Justice Act 2006 / Serious Crime Act 2015: amended and strengthened the Computer Misuse Act over time.

You don't need every detail; recognise what each governs.

Ethics and disclosure

Beyond the law sits professional ethics, where the recurring tension is how to handle a vulnerability you've found:

  • Responsible / coordinated disclosure: privately tell the vendor, give them reasonable time to fix it, then (often) publish. This is the widely accepted ethical norm; it balances getting flaws fixed against public safety.
  • Full disclosure: publish immediately and publicly. Pressures vendors to act fast but arms attackers in the meantime.
  • Bug bounty programmes: vendors invite and pay for vulnerability reports within defined rules, giving researchers explicit authorisation (closing the Computer Misuse Act problem) and a legal safe harbour.

Underpinning all of it is the principle that has run through this whole course: authorisation is the ethical and legal foundation of security work. With it, you're a professional improving defences; without it, you're committing an offence, regardless of intent. Codes of conduct from bodies like (ISC)² and the idea of acting with integrity, competence and within the law formalise the same point.

Quick recall

  • Computer Misuse Act 1990: s1 unauthorised access (looking is enough; no damage needed); s2 access with intent for further offences; s3 impairing operation (malware, DoS); s3ZA serious damage to infrastructure (up to life); s3A making/supplying/obtaining hacking tools. "Unauthorised" is the key word; good intent is no defence.
  • UK GDPR + DPA 2018: protect personal data with appropriate measures; controller (responsible) vs processor; ICO regulates. Breach notification to the ICO within 72 hours; max fine £17.5m or 4% of global turnover, whichever is higher.
  • Always get written authorisation and scope before testing; it's what makes the work legal.
  • Disclosure: responsible/coordinated (the norm) vs full disclosure; bug bounties grant explicit authorisation and safe harbour.