What are the legal and ethical issues in cyber security?

Dec 19, 2023

A survey by the Department for Digital, Culture, Media & Sport found that almost all businesses with more than ten employees and 85% of businesses with fewer than ten employees handle digital data. In a world that seems to be rapidly digitising, this number likely won’t come as a surprise.

What may come as a surprise is the fact that one in two organisations experienced a successful cyber attack in the past three years.

As businesses continue to opt for digital data storage, hackers and cyber criminals continue to evolve and outsmart cyber security by developing sophisticated tactics to bypass vulnerabilities and steal sensitive data, including the personal details and credit card information of a company’s customers. Cybercrime is a highly professionalised industry and poses a huge challenge to organisations and to individuals.

While cyber security protocols are essential for all businesses, there are legal and ethical issues relating to them.

What is the difference between legal and ethical issues?

Legal standards are set and enforced by government agencies, making any breach punishable by law. Ethical considerations are based on notions of right and wrong; they aren’t legally punishable but are upheld by human principles.

While ethical issues may seem less important because there are no legal consequences for a business if one occurs, the repercussions can instead come from its customer base. Reputational damage can be incredibly costly for a company due to boycotts from both customers and suppliers.

Ethical issues in cyber security

As the cyber security industry continues to grow – from $173.5bn in 2022 to a projected $266.2bn by 2027 – so too do the questions around ethical principles and what is right or wrong in the field. 

Ethical concerns around cyber security issues tend to be led by public and industry discourse.

Safeguarding customer data

While companies do have a legal responsibility to keep their computer systems and customer data protected, there is also an ethical safeguarding issue in the sector.

Human error causes 85% of data breaches, making it the largest threat to data security. A worker clicking on a phishing email and accidentally downloading malware onto their computer won’t result in law enforcement action, though the company will pay the price of the attack. Cyber security professionals within organisations have an ethical responsibility to be the ones who safeguard data to the highest standard, from not leaving their computer unlocked when they leave their desks to being extra vigilant with suspicious-looking emails.

Respecting customer privacy

Those who work in cyber security teams within businesses will, due to the nature of the profession, see and handle private information all the time. 

This data and the information it holds about an individual’s personal life should be kept strictly confidential, and customer privacy should be respected.

Artificial intelligence (AI) and cyber security ethical questions

The use of AI to make cyberspace more efficient shows no signs of slowing down, and AI has become a vital tool in efforts against cyber attacks because it can detect and prevent potential breaches more efficiently than traditional methods.

However, AI is currently an unregulated industry without a defined code of ethics, and so it comes with ethical dilemmas, particularly with regard to cyber security. In order to build trust and confidence in an AI system, transparency is needed to understand how an algorithm makes its decisions. If sensitive information and data are collected and stored within an AI-powered cyber security system, the company owning that AI should ensure the collection and storage of such data is ethical and responsible.

Legal issues in cyber security

In 2017, the UK launched its National Cyber Security Centre (NCSC), whose main purpose is to reduce cyber threats to the UK by improving cyber security and cyber resilience amongst both individuals and businesses.

Part of the Government Communications Headquarters (GCHQ), an intelligence and security organisation, the NCSC outlines and upholds the UK’s legal requirements in cyber security.

UK General Data Protection Regulation (GDPR)

This Regulation doesn’t mandate a specific set of cyber security measures, but it does expect organisations to manage the risk of a data breach by focusing on explicit accountability for data protection and information security.

Companies must comply, and must prove they comply, with data privacy initiatives by committing to mandatory staff training and internal data audits, and by keeping detailed documentation of their processes. It is essential for businesses to have a robust method of detecting any breaches, and procedures in place for internal reporting and investigation into the cause if or when it happens.

As per the legal requirements of UK GDPR, all organisations have a duty to report a security breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the incident. If the individuals whose personal data has been compromised are at a high risk of being adversely affected by the incident, the organisation must also inform them.

Once a data breach has happened it must be recorded, whether or not it meets the threshold for notifying the ICO.

Networks and Information Systems (NIS) Directive

The first piece of EU-wide cyber security legislation, the NIS Directive aims to achieve a high level of network and information system security across critical infrastructure. 

This Directive applies to operators of essential services (OES) – including the energy, transport, healthcare, water and digital infrastructure sectors – and to digital service providers (DSPs) that are larger than a micro or small enterprise (one which employs fewer than 50 people and/or has a turnover of less than €10m) – including online search engines, online marketplaces and cloud computing services.

Under the NIS Directive, OES and DSPs are legally required to manage any risks to their network and information systems through security measures, and must notify the relevant authority of any serious incidents impacting the continuity or availability of their service.

The NCSC’s Cyber Assessment Framework (CAF) has been developed to enable organisations to adopt good practice in their cyber security protocols.

Develop skills to be a part of a growing industry

Now more than ever, businesses need information technology professionals with specialised and up-to-date skills and knowledge in the cyber security field to protect against ever-smarter malicious hackers. As keeping sensitive data safe becomes a legal requirement as well as an ethical one, investment in this industry is at an all-time high.

If you’re looking to gain new skills and become a cyber security expert, study Abertay University’s 100% online MSc Computer Science with Cyber Security. This programme is available to study both full-time and part-time and has six starts a year, enabling you to study wherever and whenever it suits you.