Module 07 · Cyberspace Tech Solutions Cybersecurity Curriculum
Cybersecurity Laws & Ethics
~60 minutes covering India's IT Act, GDPR, HIPAA, PCI-DSS, ISO 27001, NIST CSF, and ethical responsibilities in cybersecurity.
20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes
Learning Outcomes
- Navigate legal frameworks governing cybersecurity (IT Act, GDPR, HIPAA)
- Uphold ethical standards in security practices and responsible disclosure
- Ensure organisational compliance with relevant laws and standards
⚠️ Note: This content is educational. Laws vary by jurisdiction and change over time. Always consult a qualified legal professional for actual compliance advice.
Core Concepts · ~10 min
Laws, Regulations & Ethics
India IT Act 2000 & Amendment 2008 — Key Sections
| Section | Offence | Penalty |
|---|---|---|
| 43 | Unauthorised access, damage, disruption to computers/networks | Compensation (civil remedy) |
| 65 | Tampering with computer source code | Up to 3 years imprisonment / ₹2 lakh fine |
| 66 | Computer-related offences (hacking) | Up to 3 years / ₹5 lakh fine |
| 66B | Receiving stolen computer resources/communication devices | Up to 3 years / ₹1 lakh fine |
| 66C | Identity theft (using electronic signature/password fraudulently) | Up to 3 years / ₹1 lakh fine |
| 66D | Cheating by impersonation using computer resource | Up to 3 years / ₹1 lakh fine |
| 66F | Cyber terrorism | Life imprisonment |
| 67 | Publishing obscene material electronically | Up to 5 years / ₹10 lakh fine |
| 69 | Government power to intercept/monitor/decrypt information | Non-compliance: up to 7 years |
| 72 | Breach of confidentiality and privacy | Up to 2 years / ₹1 lakh fine |
ℹ️ CERT-In (Computer Emergency Response Team - India) is the national agency for handling cybersecurity incidents and issuing guidelines under MeitY.
GDPR — EU General Data Protection Regulation
| Element | Detail |
|---|---|
| Applies to | Any organisation processing EU citizens' personal data, regardless of location |
| Breach notification | 72 hours to notify supervisory authority; "undue delay" for data subjects |
| Max fine | €20M or 4% of global annual turnover — whichever is higher |
| DPO required | Organisations processing large-scale personal data or sensitive categories |
| Legal bases | Consent, contract, legal obligation, vital interest, public task, legitimate interest |
8 Data Subject Rights:
Access
Get a copy of data
Get a copy of data
Rectification
Correct inaccurate data
Correct inaccurate data
Erasure
Right to be forgotten
Right to be forgotten
Portability
Transfer data
Transfer data
Objection
Object to processing
Object to processing
Restriction
Limit processing
Limit processing
No Automation
Human review
Human review
Information
Know how data used
Know how data used
Other Key Regulations
| Regulation | Jurisdiction | Protects | Key Requirement |
|---|---|---|---|
| HIPAA | US | PHI (health data) | Privacy Rule, Security Rule, Breach Notification Rule |
| PCI-DSS | Global (card industry) | Cardholder data | 12 requirements; mandatory for card processing orgs |
| ISO/IEC 27001 | International | ISMS | Certification standard for information security management |
| NIST CSF | US (widely adopted globally) | Critical infrastructure | 5 functions: Identify, Protect, Detect, Respond, Recover |
| SOX | US | Financial records | IT controls for financial reporting integrity |
Cybersecurity Ethics
- Responsible Disclosure: Report vulnerabilities to the vendor privately and give them time to patch before public disclosure.
- Authorisation: Never test systems you do not have explicit written permission to test — regardless of your intent.
- Privacy: Handle personal data discovered during investigations with discretion and minimise exposure.
- Honesty: Report findings accurately, even if unflattering to the client.
- Whistleblowing: Report illegal activity encountered during work (e.g., CSAM, evidence of crimes) to appropriate authorities.
- Bug Bounty: Platforms like HackerOne and Bugcrowd provide legal frameworks for reporting vulnerabilities in exchange for rewards.
Interview Q&A · ~20 min · 20 Questions
Interview Questions & Model Answers
1What is the IT Act 2000 and what offences does it cover?Easy▼
The Information Technology Act 2000 is India's primary legislation governing electronic commerce, digital signatures, and cybercrime. Amended in 2008 to address emerging cyber threats. Key offences:
- Unauthorised computer access (S.43, S.66)
- Data theft and identity theft (S.66B, S.66C)
- Cheating by impersonation (S.66D)
- Voyeurism using electronic devices (S.66E)
- Cyber terrorism (S.66F — life imprisonment)
- Publishing obscene content (S.67)
- Breach of confidentiality by service providers (S.72)
💡 S.66A (offensive messages) was struck down by the Supreme Court in Shreya Singhal v. Union of India (2015) as unconstitutional for violating free speech.
2What is GDPR and who does it apply to?Easy▼
GDPR (General Data Protection Regulation) is the EU's comprehensive data protection law that came into effect on 25 May 2018. It applies to:
- Any organisation established in the EU that processes personal data
- Any organisation outside the EU that offers goods/services to, or monitors the behaviour of, EU data subjects
💡 GDPR's territorial scope is extraterritorial — it follows the data subject, not the company's location. A startup in Bengaluru serving EU users must comply.
3What are the data subject rights under GDPR?Medium▼
GDPR grants 8 rights to individuals whose data is being processed:
- Right of Access (Art. 15): Obtain a copy of personal data held by an organisation.
- Right to Rectification (Art. 16): Correct inaccurate data.
- Right to Erasure (Art. 17): "Right to be forgotten" — request deletion under certain conditions.
- Right to Restriction (Art. 18): Limit how data is processed.
- Right to Data Portability (Art. 20): Receive data in machine-readable format to transfer elsewhere.
- Right to Object (Art. 21): Object to processing for direct marketing, profiling, etc.
- Rights related to automated decision-making (Art. 22): Not to be subject to solely automated decisions with significant effects.
- Right to be informed: Transparency about how data is used (via privacy notice).
4What is a DPO and when is one required under GDPR?Medium▼
A Data Protection Officer (DPO) is a mandated role under GDPR responsible for overseeing data protection strategy, ensuring compliance, and acting as a contact point for data subjects and supervisory authorities.
A DPO is required when the organisation is:
A DPO is required when the organisation is:
- A public authority or body (except courts)
- Processing personal data on a large scale as a core activity
- Processing special categories of data (health, biometric, criminal records) on a large scale
💡 A DPO is an advisory role — they are not personally liable for non-compliance. The data controller/processor remains legally responsible.
5What is HIPAA and what data does it protect?Easy▼
HIPAA (Health Insurance Portability and Accountability Act, US, 1996) protects Protected Health Information (PHI) — any individually identifiable information relating to a person's health, healthcare provision, or payment for healthcare.
Three key rules:
Three key rules:
- Privacy Rule: Governs use and disclosure of PHI. Patients have rights to access their records.
- Security Rule: Requires administrative, physical, and technical safeguards for electronic PHI (ePHI).
- Breach Notification Rule: Notify affected individuals within 60 days; HHS and media if >500 individuals in a state.
💡 Examples of PHI: name + diagnosis, email + health condition, IP address linked to health queries. Even de-identified data must pass the Expert Determination or Safe Harbor method.
6What is PCI-DSS and who must comply?Medium▼
PCI-DSS (Payment Card Industry Data Security Standard) is a private security standard maintained by the PCI Security Standards Council (founded by Visa, Mastercard, Amex, Discover, JCB). Any organisation that stores, processes, or transmits cardholder data must comply.
12 requirements (grouped into 6 goals):
12 requirements (grouped into 6 goals):
- Install and maintain network security controls
- Apply secure configurations to all system components
- Protect stored account data
- Protect cardholder data with strong cryptography
- Protect all systems against malware
- Develop and maintain secure systems and software
- Restrict access by business need-to-know
- Identify users and authenticate access
- Restrict physical access
- Log and monitor all access
- Test security of systems and networks regularly
- Support information security with organisational policies
7What is ISO 27001 and what does certification mean?Medium▼
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It provides a systematic framework for managing information security risks using people, processes, and technology.
Certification means an accredited third-party auditor has verified that the organisation's ISMS meets the standard's requirements, including:
Certification means an accredited third-party auditor has verified that the organisation's ISMS meets the standard's requirements, including:
- Risk assessment and treatment process
- Management commitment and defined policies
- Implementation of controls from Annex A (93 controls in ISO 27001:2022)
- Continuous improvement process (Plan-Do-Check-Act cycle)
💡 ISO 27001 is not a checklist — it's a management system. The key is demonstrating a systematic approach to risk management, not just having security tools.
8What is the NIST Cybersecurity Framework?Easy▼
The NIST CSF (Cybersecurity Framework) is a voluntary framework published by the US National Institute of Standards and Technology providing guidance for managing cybersecurity risk. It is structured around 5 core functions:
- Identify: Understand assets, risks, and governance (asset management, risk assessment)
- Protect: Implement safeguards (access control, training, data security, patch management)
- Detect: Identify cybersecurity events (anomaly detection, continuous monitoring, SIEM)
- Respond: Take action on detected incidents (IR planning, communications, mitigation)
- Recover: Restore capabilities after incidents (recovery plan, improvements)
💡 NIST CSF is widely adopted globally despite being a US framework. It is referenced in ISO 27001 implementations and compliance programmes worldwide.
9What is responsible disclosure in cybersecurity?Medium▼
Responsible disclosure (also called coordinated vulnerability disclosure) is the process of privately reporting a discovered vulnerability to the vendor/organisation, giving them a reasonable time to develop and release a patch, before publicly disclosing the details.
Standard timeline: 90 days (Google Project Zero standard). Steps:
Standard timeline: 90 days (Google Project Zero standard). Steps:
- Discover vulnerability
- Contact vendor security team privately with full details
- Wait agreed disclosure period (typically 90 days)
- If vendor patches before deadline, coordinate public disclosure
- If vendor misses deadline, disclose publicly (full or partial)
💡 Full Disclosure (immediate public release) is considered irresponsible as it gives no time to patch. Bug bounty programmes formalise responsible disclosure with legal protection and rewards.
10What is the difference between privacy and security?Easy▼
- Privacy: The right of individuals to control how their personal information is collected, used, and shared. It is about appropriate use of data. Example: A hospital sharing patient data with a marketing firm (without consent) violates privacy, even if the data is encrypted.
- Security: The technical and procedural measures protecting data from unauthorised access, modification, or destruction. It is about protecting data. Example: Encryption, firewalls, access controls.
💡 GDPR requires both: security controls (Article 32) AND privacy principles (data minimisation, purpose limitation, transparency).
11Under GDPR, how quickly must you notify authorities of a data breach?Easy▼
Under GDPR Article 33, a personal data breach must be notified to the competent supervisory authority (e.g., ICO in UK, CNIL in France, DPC in Ireland) within 72 hours of becoming aware of the breach — "without undue delay."
Exceptions: Notification is NOT required if the breach is "unlikely to result in a risk to the rights and freedoms of natural persons" (e.g., encrypted data on a lost device where the key remains secure).
Article 34 requires notification to affected data subjects (individuals) "without undue delay" if the breach is likely to result in a high risk to their rights and freedoms.
Exceptions: Notification is NOT required if the breach is "unlikely to result in a risk to the rights and freedoms of natural persons" (e.g., encrypted data on a lost device where the key remains secure).
Article 34 requires notification to affected data subjects (individuals) "without undue delay" if the breach is likely to result in a high risk to their rights and freedoms.
💡 The 72-hour clock starts when the organisation (not just a junior employee) becomes "aware" of the breach. Many breaches are discovered long after they occur — the clock starts at discovery, not at the breach date.
12What is the maximum penalty for violating GDPR?Easy▼
GDPR has a two-tier penalty structure:
- Lower tier (Article 83(4)): Up to €10 million or 2% of global annual turnover — for violations of data controller/processor obligations, certification bodies, and monitoring bodies.
- Upper tier (Article 83(5)): Up to €20 million or 4% of global annual turnover (whichever is higher) — for violations of basic principles (lawfulness, consent), data subject rights, international transfer rules.
💡 The "4% of global annual turnover" element means large companies face proportionally massive fines — for a company with €10B revenue, that's €400M.
13What are the ethical responsibilities of a cybersecurity professional?Medium▼
Cybersecurity professionals are given significant access to sensitive systems and data. Ethical responsibilities include:
- Authorisation: Only test or access systems with explicit written permission.
- Confidentiality: Protect sensitive information discovered during work (credentials, personal data, trade secrets).
- Honesty: Report findings accurately — do not hide or exaggerate vulnerabilities.
- Non-maleficence: Do not use skills to harm others, even if not explicitly prohibited.
- Reporting illegal activity: Report discovered crimes (child exploitation material, evidence of other crimes) to authorities.
- Responsible disclosure: Report vulnerabilities privately first; give vendors time to patch.
- Continuing education: Stay current — using outdated practices can harm clients.
14What is Section 66 of the IT Act 2000?Easy▼
Section 66 of the IT Act 2000 (as amended in 2008) deals with computer-related offences (hacking). It states that if a person dishonestly or fraudulently commits any act referred to in Section 43 (unauthorised access, damage, disruption), they shall be punished with:
- Imprisonment up to 3 years, or
- Fine up to ₹5 lakh, or
- Both
💡 The distinction between S.43 and S.66 matters in practice: S.43 is civil liability (compensation), S.66 is criminal prosecution (imprisonment). An act can attract both.
15What is CERT-In and what is its role?Medium▼
CERT-In (Indian Computer Emergency Response Team) is India's national nodal agency for cybersecurity, operating under the Ministry of Electronics and Information Technology (MeitY). Its roles:
- Incident response: Coordinates national response to major cyber incidents.
- Alerting: Issues security advisories and vulnerability notes for Indian organisations.
- Reporting mandate: Under CERT-In Directions 2022, service providers, intermediaries, data centres, body corporates must report incidents within 6 hours of detection.
- Coordination: Works with international CERTs and INTERPOL.
- Capacity building: Provides training and awareness programmes.
💡 The 6-hour reporting window to CERT-In is stricter than GDPR's 72 hours — making India one of the fastest mandatory breach notification regimes globally.
16Can a cybersecurity professional be held liable for finding vulnerabilities? Explain.Hard▼
This depends critically on authorisation:
- With written authorisation (pentest contract/scope): A security professional conducting a pentest within agreed scope is legally protected. The contract/Rules of Engagement document authorises the activity.
- Without authorisation (unauthorised access): Even with good intent, accessing systems without authorisation is a criminal offence — S.66 IT Act, Computer Fraud and Abuse Act (US), Computer Misuse Act 1990 (UK). "I was trying to help" is not a legal defence.
- Bug bounty: Platforms like HackerOne/Bugcrowd provide formal legal safe harbour — test within scope and you are legally protected.
💡 Always get written authorisation before touching any system. Verbal permission is insufficient. A pentest without a signed scope document exposes you to criminal liability.
17What is a Data Protection Impact Assessment (DPIA)?Hard▼
A DPIA (Data Protection Impact Assessment) is a systematic process required by GDPR (Article 35) to identify and minimise data protection risks in processing activities that are likely to result in high risk to individuals.
When is a DPIA mandatory?
When is a DPIA mandatory?
- Systematic and extensive profiling with significant effects
- Large-scale processing of special categories (health, biometric, criminal) data
- Systematic monitoring of publicly accessible areas (CCTV)
- New technologies (facial recognition, IoT, AI scoring systems)
💡 A DPIA is not a one-time exercise — it should be reviewed whenever processing activities change significantly.
18What is data minimisation and why is it important?Easy▼
Data minimisation is a core GDPR principle (Article 5(1)(c)) stating that personal data collected should be adequate, relevant, and limited to what is necessary for the stated purpose. Don't collect data "just in case" it might be useful later.
Why important:
Why important:
- Reduced breach impact: You can't lose data you don't have. Less data = smaller blast radius in a breach.
- Legal compliance: Collecting more data than necessary is a GDPR violation.
- Trust: Users trust organisations more when minimal data is collected.
- Cost: Storing less data reduces storage and security costs.
💡 The principle: "Don't collect a person's full date of birth if you only need to verify they're over 18 — collect a Yes/No answer instead."
19What is the difference between a data processor and data controller under GDPR?Medium▼
- Data Controller: The entity that determines the purposes and means of processing personal data. They decide what data is collected, why, and how. Example: A hospital that decides to store patient records is the controller.
- Data Processor: The entity that processes personal data on behalf of the controller, following the controller's instructions. Example: A cloud hosting company storing those patient records for the hospital.
- Controllers have the primary legal obligation and liability.
- Processors must act only on documented controller instructions.
- A Data Processing Agreement (DPA) is required between controller and processor.
- A processor cannot use the data for their own purposes.
20What is consent under GDPR and what makes it valid?Hard▼
Consent is one of six legal bases for processing personal data under GDPR. For consent to be valid, it must be:
- Freely given: No power imbalance; cannot be a condition of service (unless data processing is necessary for the service).
- Specific: For a particular, clearly stated purpose — not blanket consent for "all our services."
- Informed: Individuals must know who is processing data and for what purpose.
- Unambiguous: A clear affirmative action — pre-ticked boxes or inactivity do NOT constitute consent.
- Withdrawable: Individuals must be able to withdraw consent at any time, as easily as they gave it.
💡 Cookie consent banners often fail GDPR because they use dark patterns (making "decline" harder than "accept") or use pre-ticked boxes. These are invalid consent mechanisms.
MCQ Quiz · ~15 min · 25 Questions
Multiple Choice Questions
Progress:
0 / 25
Simulation 1 · ~4 min
Law / Regulation Matcher
Match each scenario to the most relevant law or regulation using the dropdown.
Simulation 2 · ~4 min
GDPR Compliance Checker
Answer these 6 questions about TechCorp's data practices. Toggle Yes or No for each.
Simulation 3 · ~4 min
Ethical Decision Scenarios
For each scenario, choose the most ethically and legally appropriate response.
Simulation 4 · ~3 min
Data Classification Exercise
Classify each data type using the dropdown: Public / Internal / Confidential / Restricted.
🎉
Module Complete!
You've completed Cybersecurity Laws & Ethics.