Ethics and The Law: As an ethical hacker, you need to be aware of the law and how it affects what you do. Ignorance of the law, or a lack of understanding of it, is not only a bad idea but can quickly put you out of business, or even in prison. In fact, under some circumstances a crime may be serious enough to get you prosecuted in several jurisdictions in different states, countries, or even continents, because of the highly distributed nature of the internet. Of course, prosecuting a crime can also be difficult given the web of legal systems in play. A mix of common, military, and civil law exists, so knowledge of a given legal system is required for any move toward prosecution to succeed.
As an ethical hacker you must also obey the Code of Ethics as defined by the EC-Council. One thing to remember about ethics is that while you can get in legal trouble for violating a law, breaking a code of ethics won't get you in legal trouble, but it could lead to other consequences such as being decertified.
Always exercise the utmost care and concern to observe proper safety and avoid legal issues. When your client has determined their goals with your input, together you must put the contract in place. Remember the following points when developing a contract and establishing guidelines:
- Trust: The client is placing trust in you to use proper discretion when performing a penetration test. If you break this trust, it can lead to the questioning of other details, such as the results of the test.
- Legal Implications: Exceeding a limit placed on a test may be sufficient cause for your client to take legal action against you.
The following is a summary of laws, regulations, and directives of which you should have a basic knowledge:
- 1973-U.S. Code of Fair Information Practices governs the maintenance and storage of personal information by data systems such as health and credit bureaus.
- 1974-U.S. Privacy Act governs the handling of personal information by the U.S. government.
- 1984-U.S. Medical Computer Crime Act addresses illegally accessing or altering medication data.
- 1986 (amended in 1996)-U.S. Computer Fraud and Abuse Act includes issues such as altering, damaging, or destroying information in a federal computer and trafficking in computer passwords if it affects interstate or foreign commerce or permits unauthorized access to government computers.
- 1986-U.S. Electronic Communications Privacy Act prohibits eavesdropping or the interception of message contents without distinguishing between private and public communications carriers, in order to make wiretaps possible.
- 1996-U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA) (with additional requirements added in December 2000) addresses the issues of personal healthcare information privacy and health plan portability in the United States.
- 1996-U.S. National Information Infrastructure Protection Act was enacted in October 1996 as part of Public Law 104-294; it amended the Computer Fraud and Abuse Act, which is codified in 18 U.S.C. § 1030. This act addresses the protection of the confidentiality, integrity, and availability of data and systems. It is intended to encourage other countries to adopt a similar framework, thus creating a more uniform approach to addressing computer crime in the existing global information infrastructure.
- 2002-Sarbanes-Oxley Act (SOX or SarBox) is a law concerning the accountability of public companies for their financial information.
- 2002-Federal Information Security Management Act (FISMA) is a law designed to protect the security of information stored or managed by government systems at the federal level.