Flashcards Studio
Question
A private cybersecurity firm is contracted by a regional hospital to perform vulnerability testing on its patient portal. The written contract authorizes login-based testing within a defined scope and explicitly prohibits exporting or copying any patient records outside the test environment. The firm, claiming it has legitimate access, obtains administrator credentials by impersonating a hospital IT staff member and, using those credentials, logs into the live portal. While testing, the firm goes beyond the defined scope and copies 140 patient records (names, dates of birth, medical record numbers) to a laptop with the intent to publish the vulnerability and sell the data. The hospital files charges of hacking under RA 8792, Sec. 33(a).

(a) State the controlling rule and the elements of the offense under Sec. 33(a).

(b) Apply the rule to the firm’s conduct and determine whether it is liable for hacking.

(c) If authorization were expressly limited to testing login and vulnerability scanning and did not authorize data export, would that change liability under Sec. 33(a)? Explain.