Unit 6

Unit 6 covers legal, ethical, and professional issues in information security, emphasizing the importance of compliance with laws like GDPR and cybercrime laws to avoid penalties. It discusses organizational liability and the necessity for legal counsel to navigate complex regulations and protect against breaches. Additionally, it highlights ethical considerations, such as privacy and honesty, that guide professional conduct in the field.


Unit 6: LEGAL, ETHICAL AND PROFESSIONAL ISSUES IN INFORMATION SECURITY

• Introduction
• Law and Ethics in Information Security
• Organizational Liability and the Need for Counsel
• Policy Versus Law
• Cyber Crime
• Cyber-crime on the rise
• Cyber law of India
• Need for cyber law in India
Introduction
1. Legal Issues
• These relate to laws and regulations that govern how information is used, stored, and protected. Organizations must comply with them to avoid penalties or legal action.
• Examples:
• Data Protection Laws (e.g., GDPR, HIPAA): Organizations must protect personal data such as names, medical records, or financial details.
Example: A hospital must secure patient records; leaking them could lead to legal action (in the US, under HIPAA).
• Cybercrime Laws: Hacking, phishing, and unauthorized access are criminal offences.
Example: A person who accesses a company's server without permission can be prosecuted under cybercrime laws, even if no data is taken.
2. Ethical Issues
• These concern what is morally right or wrong, even where the law is silent. Ethics guide behavior in ambiguous situations that no rule covers explicitly.
• Examples:
• Privacy: Even where no law forbids it, reading someone's emails without consent is unethical.
Example: An employee accessing a colleague's email without permission.
• Honesty in Research or Reporting: Altering security test results to look better is unethical.
Example: A consultant misrepresenting the findings of a system's vulnerability assessment, for instance by leaving out findings the client would rather not see.
3. Professional Issues
• These are standards set by professional bodies to ensure responsible and trustworthy conduct by members of the field.
• Examples:
• Adhering to Codes of Conduct: Professionals such as CISSP holders (bound by the (ISC)² Code of Ethics) or members of the ACM/IEEE must follow codes covering confidentiality, integrity, and responsible behavior.
Example: Not disclosing confidential client data, even after leaving the job.
• Competence: Professionals must work only within their area of expertise, and say so when a task falls outside it.
Example: A network admin shouldn't design or implement cryptographic systems without proper knowledge; that work should go to someone qualified.
• Law and Ethics in Information Security
Law in Information Security
• Laws provide a formal framework to protect data, systems, and users. They are legally enforceable, and violating them can result in penalties, fines, or imprisonment.
Key Areas:
• Data Protection Laws: Regulate how personal information is collected, used, and stored.
Example: Under the GDPR (EU), an organization needs a lawful basis, such as the user's consent, before it collects personal data, and it must tell users what the data will be used for.
• Cybercrime Laws: Make activities such as hacking, phishing, and malware distribution illegal.
Example: Unauthorized access to a company's server can be prosecuted under computer misuse laws such as the UK Computer Misuse Act 1990 or the US Computer Fraud and Abuse Act.
• Intellectual Property Laws: Protect software, data, and digital content.
Example: Copying and using software without a license violates copyright law.
Ethics in Information Security
• Ethics refers to the moral principles that guide behavior: what is right or wrong, even where the law does not define it.
Key Principles:
• Respect for Privacy: Even if you have access to someone's data, you should not misuse it.
Example: An IT admin should not read employees' personal emails, even though their privileges allow it.
• Honesty and Integrity: Be truthful in your actions and reports.
Example: A cybersecurity analyst should not hide a discovered vulnerability to avoid blame.
• Confidentiality: Keep sensitive data secure and share it only with authorized individuals.
Example: Not leaking client data after leaving a job, even if there is no NDA.
• Organizational Liability and the Need for Counsel
Organizational Liability
• This refers to an organization's legal responsibility for actions (or inactions) that cause harm, whether through data breaches, negligence, or failure to follow laws and regulations.
Why it Matters:
• If a company fails to protect sensitive data or violates privacy laws, it can be sued, fined, or held accountable for damages.
Real-Life Examples:
• Equifax Breach (2017): Personal data of about 147 million people was exposed after attackers exploited a known but unpatched vulnerability in a public-facing web application. The company faced lawsuits and in 2019 agreed to a settlement of up to $700 million with the US FTC, the CFPB, and US states.
• Target Data Breach (2013): Attackers stole payment card data of about 40 million customers after gaining access through credentials stolen from a third-party vendor. In 2017 Target paid $18.5 million to settle with affected US states.
Need for Counsel (Legal Advice)
• Because laws around information security are complex and change frequently, organizations need legal counsel to:
• Ensure compliance with data protection laws (such as GDPR, HIPAA, etc.)
• Draft clear security policies and user agreements
• Respond properly to breaches or incidents, including meeting breach-notification deadlines
Real-Life Example:
• Facebook (Cambridge Analytica Scandal): Poor handling of user data led to legal action and a $5 billion penalty from the US FTC in 2019. Legal counsel involved earlier could have helped the company manage its data-sharing policies and avoid the reputational damage.
In Summary:
• Organizational Liability = Being held responsible for data misuse or breaches.
• Need for Counsel = Having legal experts to prevent violations and protect the organization legally.
• Policy Versus Law
Law
• A law is a government-enforced rule that everyone must follow. It is created by legislatures, and violating a law leads to legal penalties such as fines or jail.

• Example:
• The GDPR (General Data Protection Regulation) in the EU requires companies to protect personal data. If a company shares user data without a lawful basis such as consent, it can be fined hundreds of millions of euros (as Facebook and Google have experienced).
Policy
• A policy is an internal rule or guideline set by an organization to guide behavior and operations. It is not legally binding by itself, but breaking it can lead to disciplinary action within the organization (and policies are often referenced by the contracts and regulations that do bind the organization).

• Example:
• A company might have an Email Usage Policy that bans employees from using work email for personal communication. If someone breaks this rule, they might be warned, suspended, or fired, but not taken to court.
Real-Life Combined Example:
• A company must follow the GDPR (external law) and may also have a Data Handling Policy (internal). If an employee mishandles customer data:
• The employee may face internal discipline for breaking policy.
• The company could face legal action under the GDPR, because the organization, not the individual employee, is the data controller.
• Cyber Crimes
• Cyber crime refers to illegal activities carried out using computers, networks, or the internet.
• These crimes target individuals, organizations, or even governments, and often involve theft, fraud, or data breaches.
Types of Cyber Crimes & Real-Life Examples:
• Hacking
Unauthorized access to computer systems or networks.
Example: In 2014, Sony Pictures was hacked; confidential data, internal emails, and unreleased movies were leaked.

• Phishing
Sending fake emails or messages to trick users into revealing personal information.
Example: A fake "bank" email tricks a user into entering their login details on a look-alike website controlled by the attacker.
• Identity Theft
Stealing personal information to impersonate someone and commit fraud.
Example: Criminals use stolen personal details and card data to make purchases or open accounts in the victim's name.

• Ransomware Attacks
Malware encrypts a victim's files and demands payment for the decryption key.
Example: The WannaCry attack (2017) spread as a self-propagating worm and hit more than 200,000 computers in over 150 countries within days, including UK National Health Service hospitals, which had to cancel appointments and divert patients.
• Cyberbullying
Harassing or threatening someone online through messages or social media.
Example: Repeatedly sending abusive messages to someone on Instagram or Facebook.
• Cyber crime is a growing threat with serious consequences. It includes any criminal activity involving digital systems, and it can cause financial loss, data exposure, and emotional harm.
• Which of these is an example of
cyberbullying?
A. Sending threatening messages via social
media
B. Hacking a bank server
C. Writing code to protect data
D. Downloading free antivirus
• What is the main motive behind most financial
cyber crimes?
A. Entertainment
B. Political activism
C. Profit or financial gain
D. Legal protection
• Which of the following is a crime that involves stealing someone's identity to commit fraud online?
A. Ransomware
B. Cyberbullying
C. Identity theft
D. Piracy
• A company password policy is considered a:
A. Public law
B. Government regulation
C. Corporate policy
D. Cyber crime
• What happens if an employee breaks an
internal policy?
A. They go to jail
B. They face internal disciplinary action
C. They must report to the government
D. They change the law
• Which of the following is not a reason to hire
legal counsel in information security?
A. To comply with regulations
B. To fight hackers physically
C. To draft privacy policies
D. To manage legal risks after a breach
• If an organization fails to secure customer data
and a breach occurs, who may be held
responsible?
A. Only the customer
B. The IT department only
C. The organization as a whole
D. Internet Service Provider
• Which law is specifically aimed at protecting
personal data in the European Union?
A. HIPAA
B. PCI DSS
C. GDPR
D. DMCA
• Which of the following best describes ethics in
information security?
A. Rules enforced by the government
B. Software development guidelines
C. Personal standards of right and wrong
behavior
D. Technical policies for IT staff
• Sending fake emails to trick users into giving
sensitive information is known as:
A. Spamming
B. Hacking
C. Phishing
D. Snooping
• What type of cyber crime involves locking data
and demanding money to unlock it?
A. Phishing
B. Hacking
C. Ransomware
D. Spoofing
• An internal rule in a company, such as an
internet usage guideline, is an example of a:
A. Law
B. Regulation
C. Policy
D. Statute
• Why do organizations need legal counsel in
information security?
A. To train employees on programming
B. To ensure compliance with laws and
manage legal risks
C. To block websites
D. To fix hardware issues
• What is organizational liability in the context
of information security?
A. Responsibility for software updates
B. Legal responsibility for security breaches or
data mishandling
C. Assigning passwords to users
D. Following employee code of conduct
• Which of the following is an example of an
ethical issue in information security?
A. Hacking into a system
B. Respecting user privacy
C. Breaching a copyright law
D. Installing antivirus software
• Laws are enforced by:
A. Company managers
B. Employees
C. Government authorities
D. IT professionals