CSE332 Lecture 20

The document discusses the relationship between law and ethics in information security, highlighting their roles in guiding cybersecurity practices, ensuring data protection, and preventing cybercrime. It outlines various types of laws and ethics relevant to the field, as well as the advantages and disadvantages of compliance. Additionally, it emphasizes the importance of organizational liability and the need for legal counsel in managing cybersecurity risks.

Uploaded by Sachin Kumar
© All Rights Reserved

CSE332

INDUSTRY ETHICS AND LEGAL ISSUES

Ethical and Professional Issues in Information Security
Law and Ethics in Information Security

• Laws: Rules adopted and enforced by governments to codify expected behavior in modern society

• Ethics: Relatively fixed moral attitudes or customs of a societal group (based on cultural mores)

• The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not
Law and Ethics in Information Security

• Law and ethics together guide cybersecurity practice: law sets the minimum that is enforceable, ethics covers the decisions the law does not reach.

• Laws impose data protection and privacy obligations on those who collect and process personal data.

• Ethics focus on responsible security decisions, including the many cases where an action is legal but still harmful.

• Cyber laws criminalize and deter hacking and misuse; they do not by themselves prevent it, so technical controls are still required.

• Privacy rights balance security needs against access to personal data.

• Compliance builds trust with customers and regulators and reduces legal exposure.


Features of Law and Ethics in Information Security

• Data Protection – Ensures confidentiality and integrity of information.


• Privacy Regulations – Safeguards personal and sensitive user data.
• Cybercrime Prevention – Criminalizes hacking, fraud, and cyber threats.
• Compliance Standards – Organizations must follow legal frameworks.
• Intellectual Property Protection – Secures software, patents, and copyrights.
• Accountability – Holds individuals and organizations responsible.
Types of Laws in Information Security

• Data Protection Laws – Regulate data collection, storage, and processing. (e.g., GDPR, CCPA, HIPAA)

• Cybercrime Laws – Criminalize unauthorized access, fraud, and identity theft. (e.g., CFAA, UK Computer Misuse Act)

• Intellectual Property Laws – Protect software, trademarks, and copyrights. (e.g., Copyright Act, Patent Laws)

• Compliance and Regulatory Requirements – Oblige businesses to meet security baselines. Some are statutes (e.g., SOX); others are standards that bind through contract or certification rather than legislation (e.g., ISO 27001, and PCI DSS, which is enforced by the card brands and acquiring banks)

• Surveillance and Privacy Laws – Balance national security with individual privacy. (e.g., FISA, ECPA; PRISM, often cited alongside them, was an NSA collection program operating under FISA, not itself a law)

• Contract and Liability Laws – Govern security obligations in business agreements. (e.g., NDAs, SLAs, and security clauses in cybersecurity contracts)
Types of Ethics in Information Security

• Privacy Ethics – Ensures responsible handling of user data.

• Hacking Ethics – Differentiates ethical hacking (white-hat) from malicious hacking (black-hat); the dividing line is explicit, documented authorization and staying within the agreed scope, not the skill or technique used.

• AI and Security Ethics – Manages bias, transparency, and accountability in security AI.

• Corporate Ethics – Defines security responsibilities of organizations.

• Whistleblowing Ethics – Protects individuals reporting security violations.

• Cybersecurity Professional Ethics – Guides IT professionals on ethical security practices. (e.g., ISC² Code of Ethics)
Examples of Law and Ethics in Information Security

• Facebook-Cambridge Analytica Scandal (Privacy Ethics & Data Protection Law Violation)

• WannaCry Ransomware Attack (Cybercrime & Compliance Failure: it spread through Windows systems that had not applied the already-released MS17-010 SMB patch)

• Apple vs. FBI Encryption Case (Privacy vs. Surveillance Ethics)

• Google AI Bias in Hiring (AI and Security Ethics Concern)

• Edward Snowden NSA Leaks (Whistleblowing & Government Surveillance Ethics)

• Sony Pictures Hack (Intellectual Property & Cybercrime Violation)


Advantages and Disadvantages of Law and Ethics in Information Security

Advantages:
• Data Protection – Ensures confidentiality and prevents unauthorized access.

• Privacy Assurance – Strengthens user trust in organizations.

• Cybercrime Prevention – Reduces risks of hacking and fraud.

• Legal Compliance – Avoids lawsuits and regulatory penalties.

• Corporate Accountability – Holds businesses responsible for security breaches.

• Ethical Decision-Making – Encourages responsible cybersecurity practices.


Disadvantages:
• Compliance Costs – Implementing security laws can be expensive.
• Restrictive Policies – May limit innovation and data access.
• Legal Complexity – Varying global regulations make compliance challenging.
• Privacy vs. Security Conflict – Government surveillance may compromise individual
rights.
• Slow Legal Updates – Laws may not keep pace with new cyber threats.
• Enforcement Challenges – Cybercriminals operating across borders are difficult to identify, extradite, and penalize.
Organizational Liability and the Need for Counsel

• Organizations face significant legal and ethical responsibilities regarding information security.
• Failure to comply with security laws and ethical standards can result in legal penalties, financial losses,
and reputational damage.
Organizational Liability in Information Security

Organizations can be held liable for:

• Data Breaches – If customer or employee data is compromised due to negligence.

• Non-Compliance with Regulations – Violating laws like GDPR, HIPAA, or PCI DSS can result in heavy fines.

• Cybersecurity Negligence – Failure to implement reasonable security measures can lead to legal action.

• Intellectual Property Violations – Unauthorized use of copyrighted or patented technology.

• Insider Threats and Employee Misconduct – Misuse of company data by employees leading to legal liability.
Need for Legal Counsel in Cybersecurity

Organizations require legal counsel to:

• Ensure Compliance – Guide businesses on adhering to the cybersecurity regulations of every jurisdiction they operate in.

• Manage Data Protection Policies – Develop legal policies for handling customer and employee data.

• Handle Cybersecurity Incidents – Advise on breach-notification duties (GDPR, for example, requires notifying the supervisory authority within 72 hours of becoming aware of a breach), preserve legal privilege over the investigation, and provide legal defense in case of breaches or cyberattacks.

• Draft Contracts and Agreements – Ensure secure and legally binding terms in business deals.

• Risk Assessment and Mitigation – Identify potential legal risks and prevent liabilities.
Examples of Organizational Ethics and Liability in Information Security

• Facebook-Cambridge Analytica Scandal (Ethical and Legal Violations in Data Privacy)

• Equifax Data Breach (Negligence in Basic Security Hygiene: a known, already-patched Apache Struts vulnerability was left unpatched for months)

• Uber Data Breach Cover-Up (Lack of Transparency and Ethical Conduct: the 2016 breach was concealed and the attackers paid to keep quiet; the company's then security chief was later convicted for the cover-up)

• Wells Fargo Fake Accounts Scandal (Unethical Employee Behavior and Corporate Accountability)

• Yahoo Data Breach (Corporate Negligence in Cybersecurity and Legal Repercussions: breaches from 2013 and 2014 were not disclosed until 2016)


Answer the following questions

• What happens without ethical employee conduct?


• How does unethical behavior harm organizations?
• What legal risks arise from misconduct?
• Why is customer trust easily lost?
• Can organizations face penalties for employees?
• How does non-compliance affect reputation?
Policy Versus Law
1. Definition

• Policy – Internal guidelines set by organizations to govern behavior.

• Law – Legally enforceable rules established by governments.

2. Purpose

• Policy – Ensures consistency, security, and ethical conduct within an organization.

• Law – Maintains order, protects rights, and enforces justice in society.

3. Enforcement

• Policy – Enforced internally by management or HR departments.

• Law – Enforced by government authorities and courts.


4. Consequences of Violation

• Policy – Can lead to warnings, termination, or internal penalties.

• Law – Can result in legal action, fines, or imprisonment.

5. Flexibility

• Policy – Can be modified by the organization as needed.

• Law – Requires legal procedures or legislative approval to change.

6. Scope

• Policy – Applies only within an organization or institution.

• Law – Applies to everyone within a jurisdiction.


Policies in Information Security

• Acceptable Use Policy (AUP) – Defines proper use of company systems and networks.

• Password Management Policy – Sets rules for creating and maintaining secure passwords.

• Data Backup and Recovery Policy – Outlines procedures for data protection and restoration.

• Incident Response Policy – Establishes steps to follow during cybersecurity incidents.

• Bring Your Own Device (BYOD) Policy – Regulates the use of personal devices for work.

• Access Control Policy – Determines user roles and permissions for system access.
Laws in Information Security

• General Data Protection Regulation (GDPR) – Protects personal data of individuals in the EU and EEA, regardless of their citizenship, and applies to organizations outside the EU that process such data.

• Health Insurance Portability and Accountability Act (HIPAA) – Ensures security and privacy of healthcare information in the United States.

• Computer Fraud and Abuse Act (CFAA) – Criminalizes unauthorized computer access in the United States.

• Cybersecurity Information Sharing Act (CISA) – Encourages sharing of cyber threat indicators between private companies and the US government.

• Digital Millennium Copyright Act (DMCA) – Protects digital content and intellectual property, including anti-circumvention provisions.

• California Consumer Privacy Act (CCPA) – Regulates data privacy rights for California residents.
Differences Between Policy and Law

Criteria | Policy | Law
Nature | Internal organizational rule | Government-enforced legal rule
Objective | Guides employees' actions and decisions | Maintains societal order and justice
Authority | Created by an organization | Created by legislative bodies
Applicability | Limited to a specific organization | Applies to all individuals and entities in a jurisdiction
Modification | Can be updated internally as needed | Requires a legal process to change
Enforcement | Managed by HR or internal teams | Enforced by courts and legal agencies
Consequences | Can result in warnings or termination | Can lead to fines, penalties, or jail
Example | Company cybersecurity policy | Data privacy law (e.g., GDPR, HIPAA)
