Understanding Computer Crime Laws
Computer crime legislation varies significantly across jurisdictions, but common themes emerge that penetration testers must understand. In the United States, the Computer Fraud and Abuse Act (CFAA) serves as the primary federal statute criminalizing unauthorized computer access. The CFAA's broad language potentially criminalizes any access that exceeds authorization, making written permission absolutely critical for penetration testers. Penalties under the CFAA can include substantial fines and imprisonment, with enhanced penalties for accessing government systems or causing significant damage.
State laws add additional layers of complexity, as each state maintains its own computer crime statutes. Some states have more restrictive laws than federal statutes, potentially criminalizing activities that might be permissible under federal law. International testing introduces even greater complexity—the UK's Computer Misuse Act, the EU's Directive on Attacks against Information Systems, and various national implementations create a patchwork of requirements. Penetration testers working internationally must understand that actions legal in their home country might violate laws in the target's jurisdiction.
The definition of "authorization" proves particularly critical for penetration testers. Authorization must be explicit, written, and provided by someone with actual authority to grant permission. Verbal authorization provides insufficient protection, as disputed conversations offer no legal defense. Authorization must come from appropriate organizational representatives—typically executives or designated security personnel—not just IT staff who might lack authority to approve security testing. Understanding organizational structures and confirming authorization sources protects against inadvertent unauthorized testing.
Civil liability represents another legal concern beyond criminal prosecution. Even authorized testing that causes unintended damage might result in civil lawsuits. Professional liability insurance, often called errors and omissions (E&O) coverage, provides important protection for independent consultants and small firms. Larger organizations typically maintain corporate insurance, but understanding coverage limitations and exclusions helps testers avoid personal liability. Contractual provisions addressing liability and indemnification require careful review before beginning engagements.