Further Reading: Chapter 4 — Legal and Regulatory Framework
Essential Reading
Primary Legal Sources
Computer Fraud and Abuse Act (18 U.S.C. § 1030). The full text of the federal statute. Reading the actual law — rather than summaries — is essential for understanding its scope and limitations. Available through the Legal Information Institute at Cornell Law School. Why read this: Every ethical hacker should be able to read and interpret the statute that most directly governs their work.
Van Buren v. United States, 593 U.S. 374 (2021). The Supreme Court's landmark decision narrowing the CFAA's "exceeds authorized access" provision. Justice Barrett's majority opinion is clear, well-reasoned, and directly relevant to security researchers. The dissent by Justice Thomas is also worth reading for its counterarguments. Why read this: This is the most important CFAA case for security professionals, and it is accessible to non-lawyers.
UK Computer Misuse Act 1990 (as amended). The full text of the UK's primary computer crime statute. Available through legislation.gov.uk. Why read this: The CMA is the second most important computer crime statute for English-speaking security professionals and provides an instructive comparison to the CFAA.
Books and Articles
Kerr, Orin S. Computer Crime Law (4th edition, West Academic, 2020). The leading academic treatise on computer crime law in the United States. Written by a former DOJ prosecutor and now a leading law professor, this book provides comprehensive coverage of the CFAA, ECPA, and related statutes. It is written for law students but is accessible to technical professionals willing to engage with legal reasoning. Why read this: The most thorough and authoritative treatment of U.S. computer crime law available.
Porcedda, Maria Grazia. Cybersecurity, Privacy and Data Protection in EU Law (Hart Publishing, 2023). A comprehensive analysis of the European legal framework for cybersecurity, including the NIS Directive, GDPR, and the EU Cybercrime Directive. Particularly useful for penetration testers who work with European clients. Why read this: European cybersecurity law is increasingly influential globally, and this book provides the most accessible introduction.
Trope, Roland L. and Power, Lara D. "Lawyers as the Front Line of Cybersecurity Defense." IEEE Security & Privacy 15, no. 3 (2017). An article examining the role of legal professionals in cybersecurity, including the legal aspects of penetration testing. Why read this: Offers insight into how lawyers view penetration testing engagements.
Reports and Policy Documents
U.S. Department of Justice. "Policy Regarding Charging Cases Under the Computer Fraud and Abuse Act." (May 2022). The DOJ's revised CFAA enforcement policy stating that good-faith security research should not be charged. This document is essential reading for every security researcher working in the United States. Why read this: This policy represents the most significant official guidance on how the CFAA applies to security research.
CISA Binding Operational Directive 20-01: "Develop and Publish a Vulnerability Disclosure Policy." (September 2020). The federal directive requiring all civilian executive branch agencies to publish vulnerability disclosure policies. Includes templates and guidance that are useful for any organization. Why read this: Establishes the U.S. government's baseline expectations for vulnerability disclosure, which influence private-sector practices.
NIST Special Publication 800-115: "Technical Guide to Information Security Testing and Assessment." While dated (2008), this NIST publication provides a government-endorsed framework for security testing that includes legal and authorization considerations. Why read this: NIST guidelines carry significant weight in government and regulated industries.
Specialized Topics
Bug Bounty and Disclosure Legal Issues
Elazari Bar On, Amit. "The Electronic Frontier Foundation (EFF) Model Vulnerability Disclosure Policy." Elazari's work on standardizing safe harbor provisions for vulnerability disclosure has been influential in shaping modern bug bounty program terms. Why read this: Practical guidance for evaluating and improving bug bounty legal protections.
HackerOne. "The Gold Standard Safe Harbor." HackerOne's template for best-in-class safe harbor provisions in bug bounty programs. Available on HackerOne's website. Why read this: The industry-leading standard for bug bounty legal protections.
Bugcrowd. "The Ultimate Guide to Vulnerability Disclosure." A comprehensive guide to designing and implementing vulnerability disclosure programs, including legal considerations. Why read this: Practical guidance from one of the leading bug bounty platforms.
International Law
Council of Europe. Convention on Cybercrime (Budapest Convention), ETS No. 185. The full text of the most important international treaty on cybercrime. Available from the Council of Europe's Treaty Office. Why read this: Understanding the Budapest Convention is essential for penetration testers who work internationally.
EU Directive 2013/40/EU on Attacks Against Information Systems. The EU directive that harmonized cybercrime legislation across EU member states. Why read this: Provides the legal framework for computer crime in the EU.
Insurance and Risk Management
Coalfire. "Lessons Learned from Iowa: Physical Penetration Testing Best Practices." Coalfire's public post-mortem of the Iowa courthouse incident, with recommendations for the industry. Why read this: First-hand lessons from the most high-profile penetration testing legal incident in recent history.
Marsh & McLennan Companies. "Cyber Insurance Market Overview." Annual reports on the cyber insurance market, including coverage for security testing activities. Why read this: Understanding the insurance landscape helps penetration testers make informed decisions about their coverage.
Online Resources
Electronic Frontier Foundation (EFF) — Coders' Rights Project. The EFF provides legal resources, advice, and representation for security researchers facing legal threats. Their website includes guides on security researcher rights and a directory of attorneys who specialize in cybersecurity law. URL: https://www.eff.org/issues/coders
SANS Institute — Legal Issues in Information Security. SANS reading room papers on legal topics relevant to security professionals, regularly updated. URL: https://www.sans.org/reading-room/
Cyberlaw Clinic at Harvard Law School. Provides legal guidance and resources for security researchers, including a "Researcher's Guide to Security Testing." URL: https://clinic.cyber.harvard.edu/
CREST — Professional Standards. CREST publishes professional standards for penetration testing, including legal and ethical requirements for CREST-accredited companies. URL: https://www.crest-approved.org/
Academic Journals
For readers interested in deeper legal scholarship on cybersecurity law:
- Journal of Cybersecurity (Oxford University Press)
- Stanford Technology Law Review
- Harvard Journal of Law & Technology
- Computer Law & Security Review (Elsevier)
- International Journal of Law and Information Technology (Oxford)
These journals regularly publish articles on the legal dimensions of vulnerability research, penetration testing, and cybersecurity policy.