Flashcards Studio

A municipal government contracts a private cybersecurity firm to conduct a vulnerability assessment of its citizen services portal. The contract allows login-based testing within a defined scope and forbids exporting or copying resident data outside the testing environment. During the engagement, the firm uses administrator credentials to access the live portal and, beyond the defined scope, downloads 210 resident records (names, addresses, contact numbers, and national IDs) to a laptop. The firm intends to publish the vulnerability and to sell the data. The city files charges of hacking under RA 8792, Sec. 33(a). (a) State the controlling rule and the elements of the offense under Sec. 33(a). (b) Apply the rule to the firm’s conduct and determine whether it is liable for hacking. (c) If the authorization were expressly limited to testing login controls and did not authorize data export, would that change liability under Sec. 33(a)? Explain.