2.2.1. Legal Systems and Types of Law
💡 First Principle: The type of legal proceeding determines the evidence standard required, who bears the burden of proof, and what the potential penalties are. Using criminal-law thinking in a civil matter (or vice versa) leads to wrong answers and real-world mistakes.
Two primary legal system traditions:
Common Law (US, UK, Canada, Australia): Law develops through court decisions (precedent/stare decisis) as well as legislation. Courts interpret statutes. Prior rulings bind future cases. Most cybercrime is prosecuted under common law systems.
Civil Law (France, Germany, most of continental Europe, Japan): Law is primarily codified in comprehensive statutes. Judges apply the code; precedent is less binding than in common law systems. Many privacy frameworks (for example, the GDPR) originate in civil law jurisdictions.
Types of law relevant to information security:
| Type | Who Brings Action | Standard of Proof | Penalties | Security Relevance |
|---|---|---|---|---|
| Criminal | Government / State | Beyond reasonable doubt (~95%) | Imprisonment, fines, criminal record | Computer fraud (CFAA), identity theft, unauthorized access |
| Civil / Tort | Private parties | Preponderance of evidence (>50%) | Monetary damages, injunctions | Negligence claims after breach, contract disputes, IP infringement |
| Administrative / Regulatory | Government agencies | Varies by agency | Fines, license revocation, consent decrees | FTC, SEC, HIPAA, PCI enforcement actions |
| Industry Standards | Standards bodies, contract parties | Contract terms | Contract penalties, loss of certification | PCI DSS, ISO 27001, SOC 2 compliance failures |
Key cybercrime statutes (US context):
- Computer Fraud and Abuse Act (CFAA) — Federal statute criminalizing unauthorized computer access. The primary US federal cybercrime law. "Unauthorized access" is the key element.
- Electronic Communications Privacy Act (ECPA) — Governs interception of electronic communications; relevant to monitoring employees, wiretapping.
- Sarbanes-Oxley (SOX) — Financial reporting integrity for public companies; requires accurate financial records and internal controls.
- HIPAA — Health information privacy and security for covered entities and business associates.
- GLBA (Gramm-Leach-Bliley Act) — Financial services customer data protection.
⚠️ Exam Trap: The CFAA applies to "unauthorized" access. An employee with authorized access who misuses that access for unauthorized purposes may still violate the CFAA — but this is a contested legal area. The exam tests whether you know the CFAA governs unauthorized computer access, not whether you can litigate it.
Reflection Question: A company suffers a breach and wants to prosecute the attacker. Their legal team also plans to sue the attacker for damages. What are the parallel proceedings, what different evidence standards apply to each, and why does this matter for how the organization preserves digital evidence?