Legal Considerations
Penetration testing operates on the edge of legality. Without proper authorization, the activities performed during a test are indistinguishable from criminal hacking.
United States Laws
- CFAA (Computer Fraud and Abuse Act)
Federal law - unauthorized access is a felony
- State Computer Crime Laws
Vary by state, often stricter than federal
- Wiretap Act
Interception of communications
- ECPA
Electronic Communications Privacy Act
Australian Laws
- Criminal Code Act 1995 (Cth)
Part 10.7 - Computer offences (up to 10 years imprisonment)
- Privacy Act 1988
Australian Privacy Principles (APPs) - data handling
- Telecommunications (Interception) Act 1979
Interception of communications prohibited
- State/Territory Legislation
NSW, VIC, QLD have additional computer crime laws
International Laws
- UK - Computer Misuse Act 1990
Unauthorized access and modification
- EU - GDPR
Data protection during testing
- EU - NIS Directive
Network and Information Security
- Various National Laws
Check local jurisdiction requirements
Australian Compliance
- ACSC Essential Eight
Australian Cyber Security Centre baseline controls
- ISM (Information Security Manual)
ASD guidelines for government systems
- APRA CPS 234
Financial sector information security standard
- Notifiable Data Breaches (NDB)
Mandatory breach reporting scheme
Authorization Requirements
- Signed Statement of Work (SOW) or Contract
- Signed Rules of Engagement (ROE)
- Written authorization from asset owner
- Emergency contact information
- Clear scope definition (in/out of scope)