This glossary bridges technical cybersecurity terms and legal definitions. It is organized into three sections:
- Section A: Technical Terms — what these mean technically + why they matter legally
- Section B: Legal Terms — statutory/case definitions in plain language
- Section C: Bridging Terms — concepts that exist in both worlds with different meanings
Section A: Technical Terms
API Key
A credential (string of characters) that identifies and authenticates a calling application to a web service. Legal significance: API keys are "access credentials" under CFAA § 1030(a)(6); their unauthorized use or trafficking is a federal offense. Their exposure in code repositories is a common source of breaches.
Authentication
The process of verifying the identity of a user or system (e.g., password, token, certificate, biometric). Legal significance: whether authentication was bypassed or exploited determines whether CFAA "unauthorized access" was present.
Botnet
A network of computers infected with malware and controlled remotely by a threat actor, often used for DDoS attacks, spam, or credential stuffing. Legal significance: operating a botnet is criminal under CFAA § 1030(a)(5) (damage) and § 1030(a)(7) (extortion if used as leverage). Takedown operations involve infrastructure seizure (domains, C2 servers).
Brute Force Attack
Systematically trying all possible passwords or keys until the correct one is found. Legal significance: constitutes an unauthorized access attempt under CFAA; the credentials obtained are "stolen" for identity theft and fraud purposes.
Bug Bounty
A program run by an organization offering monetary rewards to security researchers who find and responsibly disclose vulnerabilities. Legal significance: participation in a sanctioned bug bounty program is strong evidence of "authorized access" and "good faith security research" — reducing CFAA exposure. DOJ policy and CISA Binding Operational Directive 20-01 support formalized disclosure programs.
C2 / Command-and-Control
Infrastructure (servers, domains) used by threat actors to send commands to malware on compromised systems. Legal significance: seizing C2 infrastructure is a primary enforcement tool in ransomware disruption operations; operating C2 infrastructure is itself criminal.
Credential Stuffing
Using lists of stolen username/password combinations (from prior breaches) to automatically attempt logins on other services, exploiting password reuse. Legal significance: the underlying credentials are stolen property; the access obtained may constitute CFAA violations; the breach that produced the credential list creates separate liability.
Cryptojacking
Unauthorized use of a victim's computing resources to mine cryptocurrency. Legal significance: falls under CFAA § 1030(a)(5) (intentional damage) and potentially § 1030(a)(2) (obtaining information without authorization); the computing resource theft may constitute wire fraud.
DDoS (Distributed Denial of Service)
Flooding a target system with traffic from many sources to make it unavailable. Legal significance: DDoS attacks constitute CFAA § 1030(a)(5) damage (impairing integrity/availability of systems); the botnet used may be separately chargeable.
Data Exfiltration
Unauthorized transfer of data out of an organization's systems to attacker-controlled infrastructure. Legal significance: the core harm in most data breach cases — triggers breach notification obligations, civil claims, and criminal charges (CFAA, wire fraud, trade secret theft).
Exploit
Code or a technique that takes advantage of a vulnerability to cause unintended behavior in a system. Legal significance: possessing or using an exploit for unauthorized access is criminal; selling exploits enters complex territory (zero-day markets, VEP). The distinction between "offense" (exploit) and "tool" (vulnerability knowledge) shapes how prosecutors charge security researchers vs. malicious actors.
Forensic Image
A bit-for-bit copy of storage media preserving all data (including deleted files) for evidence. Legal significance: forensic images are the foundation of digital evidence; improper imaging or handling breaks chain of custody and can render evidence inadmissible.
HAR (HTTP Archive)
A file format capturing all network requests/responses from a browser session. Legal significance: HAR files are high-value forensic artifacts — they can reveal internal system endpoints, authentication tokens, session cookies, and API keys. In bug bounty/penetration testing, HAR files are evidence supporting vulnerability reports.
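An added example (not part of this glossary) of the defensive handling the HAR entry implies: before a HAR file is attached to a vulnerability report or handed over as evidence, strip the credentials it carries and keep only counts and hostnames for the write-up. The HAR document below is constructed sample data, and the header and parameter names treated as sensitive are this example's own choices.

```python
import json
import re
from urllib.parse import urlsplit

REDACTED = "[REDACTED]"
# Header names whose values are credentials (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
# Token shapes found in URLs and bodies. The parameter pattern runs first so that
# "token=eyJ..." is redacted (and counted) once rather than twice.
TOKEN_PATTERNS = [
    (re.compile(r"(?i)\b(api[_-]?key|token|password|secret)=[^&\s]+"), r"\1=" + REDACTED),
    (re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"), REDACTED),  # bare JWT
]


def redact_text(text: str) -> tuple:
    """Redact token-like substrings in free text; return (new_text, hits)."""
    hits = 0
    for pattern, replacement in TOKEN_PATTERNS:
        text, n = pattern.subn(replacement, text)
        hits += n
    return text, hits


def redact_har(har: dict) -> tuple:
    """Return a redacted deep copy of a HAR document and a summary of what was found.
    The summary (counts and hosts, never values) belongs in the report; the
    redacted HAR is what gets attached as supporting evidence."""
    har = json.loads(json.dumps(har))  # deep copy; the analyst's original stays intact
    found = {"headers": 0, "cookies": 0, "tokens": 0, "hosts": set()}
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side) or {}
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    found["headers"] += 1
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
                found["cookies"] += 1
            # Bodies live under postData (request) or content (response).
            body = msg.get("postData") if side == "request" else msg.get("content")
            if body and "text" in body:
                body["text"], n = redact_text(body["text"])
                found["tokens"] += n
        request = entry.get("request")
        if request:  # query strings routinely carry keys and tokens
            found["hosts"].add(urlsplit(request.get("url", "")).hostname or "")
            request["url"], n = redact_text(request.get("url", ""))
            found["tokens"] += n
    found["hosts"] = sorted(h for h in found["hosts"] if h)
    return har, found


def har_contains(har: dict, needle: str) -> bool:
    """True if the literal string appears anywhere in the serialized HAR."""
    return needle in json.dumps(har)


# Constructed sample capture from a fictional target; not real traffic.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://app.example.test/api/v1/login?api_key=abc123secret",
        "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "session", "value": "s3ss10n-old"}],
        "postData": {"mimeType": "application/x-www-form-urlencoded", "text": "username=alice&password=hunter2"},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "session=s3ss10n-new; HttpOnly"}],
        "cookies": [{"name": "session", "value": "s3ss10n-new"}],
        "content": {"mimeType": "application/json",
                    "text": '{"access_token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln","user":"alice"}'},
    },
}]}}
```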
Indicator of Compromise (IoC)
Technical artifact (IP address, domain, file hash, registry key) indicating a system has been breached. Legal significance: IoCs form the factual basis for attribution claims in civil and criminal cases; they connect observed intrusion activity to specific threat actors.
IMDS (Instance Metadata Service)
A cloud-provider service (AWS, GCP, Azure) that allows VMs to retrieve credentials and configuration at a special non-routable IP address (169.254.169.254). Legal significance: SSRF attacks targeting IMDS are a well-known attack vector for cloud credential theft; accessing IMDS without authorization constitutes a CFAA violation.
JWT (JSON Web Token)
A compact token format used for authentication and authorization, containing signed claims. Legal significance: JWTs are "access credentials" — stolen or forged JWTs constitute unauthorized access; weak signing configurations (e.g., HS256 with a weak shared secret) create exploitable vulnerabilities.
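As an added illustration of the JWT entry (example code, not from the page): a relying service verifying an HS256 token should pin the algorithm, refuse a short shared secret, compare signatures in constant time and enforce expiry. The secret and claims used in the checks are constructed; the 32-byte minimum follows RFC 7518 §3.2.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# RFC 7518 §3.2: an HS256 key should be at least as long as the hash output (256 bits).
MIN_HS256_SECRET_BYTES = 32


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token; used here only to build inputs for verification."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify a token the way a relying service should: pin the algorithm, refuse
    weak secrets, compare in constant time, and require an unexpired 'exp'.
    Raises ValueError on any failure; returns the claims only on success."""
    if len(secret) < MIN_HS256_SECRET_BYTES:
        # A short HMAC secret can be recovered offline from a single captured token.
        raise ValueError("HS256 secret shorter than 32 bytes")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from None
    # The token must never choose its own algorithm ("none", or an asymmetric alg
    # swapped for HMAC so that the public key gets used as the shared secret).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("claims missing exp")
    if claims["exp"] <= current:
        raise ValueError("token expired")
    return claims


def rejects(token: str, secret: bytes, now: float) -> bool:
    """True if verification fails for any reason (used to exercise the failure paths)."""
    try:
        verify_hs256(token, secret, now)
    except ValueError:
        return True
    return False
```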
Lateral Movement
After initial compromise, the attacker moves through a network to reach additional systems. Legal significance: lateral movement expands the scope of CFAA charges (each system accessed = potential separate count); it demonstrates intentionality relevant to sentencing.
Malware
Software designed to damage, disrupt, or gain unauthorized access to systems (includes ransomware, trojans, spyware, worms). Legal significance: introducing malware is CFAA § 1030(a)(5); developing/distributing malware may be charged under wire fraud, CFAA, and (if it intercepts communications) wiretap statutes.
Man-in-the-Middle (MitM) Attack
Intercepting communications between two parties without their knowledge. Legal significance: may violate CFAA, Wiretap Act (18 U.S.C. § 2511), and Electronic Communications Privacy Act depending on the interception method and content captured.
Persistence
Techniques used by attackers to maintain access to a compromised system across reboots and remediation attempts (e.g., backdoors, scheduled tasks, registry entries). Legal significance: persistence demonstrates ongoing unauthorized access — each day of continued access is potential separate CFAA exposure; it also affects damages calculation (duration × scope).
Phishing
Deceptive emails or messages designed to trick users into revealing credentials or installing malware. Legal significance: phishing is the delivery mechanism for many wire fraud schemes (18 U.S.C. § 1343) — the "scheme to defraud using interstate wires" is established by the phishing email itself.
PKI (Public Key Infrastructure)
System of digital certificates and certificate authorities used to verify the identity of websites and users over TLS/SSL. Legal significance: certificate mis-issuance, stolen code-signing certificates, and PKI compromise are high-severity supply chain vulnerabilities; fraudulent certificates may enable man-in-the-middle attacks at scale.
Privilege Escalation
Gaining higher-level access than initially obtained (e.g., user → administrator → root). Legal significance: each escalation step may constitute a separate CFAA violation (accessing prohibited system areas); it demonstrates sophistication relevant to sentencing.
Ransomware
Malware that encrypts a victim's data and demands payment (typically cryptocurrency) for the decryption key. Legal significance: ransomware attacks trigger CFAA § 1030(a)(5) (intentional damage) and § 1030(a)(7) (extortion threats); payment creates OFAC sanctions exposure; the full charge stack typically includes wire fraud and money laundering.
Ransomware-as-a-Service (RaaS)
A criminal business model where ransomware developers license their tools to affiliates who conduct attacks in exchange for a revenue share. Legal significance: RaaS creates complex criminal enterprise structures — developers, affiliates, and money mules may all face CFAA, wire fraud, RICO, and money laundering charges depending on their role.
Sandbox Escape
Exploiting a vulnerability to break out of an isolated execution environment (e.g., browser sandbox, container, virtual machine) into the host system. Legal significance: sandbox escapes dramatically increase breach severity and CFAA damage exposure; they are frequently the "critical" element in chained exploit scenarios.
Session Hijacking
Stealing or forging a user's active session token to impersonate them without credentials. Legal significance: constitutes unauthorized access (CFAA); the stolen session is an "access credential" for § 1030(a)(6) purposes; damages include all actions taken using the hijacked session.
Spear Phishing
Targeted phishing attacks directed at specific individuals using personalized information. Legal significance: same as phishing, but the targeting demonstrates premeditation, which is relevant to mens rea and sentencing enhancement arguments.
SQL Injection
Inserting malicious SQL code into application inputs to manipulate database queries, often extracting or modifying data. Legal significance: SQL injection is unauthorized access under CFAA; it is frequently the technical vector in large-scale data breaches generating class action litigation.
SSRF (Server-Side Request Forgery)
An attack causing a server to make requests to unintended locations, often used to access internal services or cloud metadata. Legal significance: SSRF reaching cloud IMDS endpoints can result in full cloud account compromise; it constitutes unauthorized access under CFAA.
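An added example tying the IMDS and SSRF entries together (example code, not from the page): the destination check a server-side fetcher can run before following a user-supplied URL, refusing link-local and private ranges (including 169.254.169.254) and requiring every address a name resolves to be clean. The block list and the fictional hosts are this example's assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetcher must never be steered to, whatever URL a user
# supplies. 169.254.0.0/16 covers the IMDS endpoint 169.254.169.254; fc00::/7
# covers the AWS IPv6 metadata address fd00:ec2::254.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def canonical_ip(text: str):
    """Parse an address literal, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) so
    the IPv4 block list applies to it as well."""
    ip = ipaddress.ip_address(text)
    return getattr(ip, "ipv4_mapped", None) or ip


def resolve_all(host: str) -> list:
    """Every address a host resolves to, as strings. Literals never touch DNS."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_target(url: str, resolver=resolve_all) -> tuple:
    """Decide whether a server-side fetch of `url` is allowed; returns (allowed, reason).

    Every resolved address must be clean: a name with one public and one
    link-local record is treated as hostile. The caller should then connect to
    the vetted address rather than re-resolving the name, otherwise a DNS
    rebind between check and connect defeats the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addresses = [canonical_ip(a) for a in resolver(host)]
    except (socket.gaierror, ValueError):
        return False, f"{host} did not resolve"
    for ip in addresses:
        for net in BLOCKED_NETWORKS:
            if ip in net:
                return False, f"{host} resolves to {ip}, inside blocked range {net}"
    return True, f"{host} -> {', '.join(str(a) for a in addresses)}"
```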
TLS/SSL
Cryptographic protocols encrypting communications between clients and servers (HTTPS). Legal significance: failure to implement TLS properly is a baseline security failure regulators (FTC, state AGs) cite in data security enforcement; intercepting TLS traffic without authorization may violate wiretap statutes.
Threat Actor
An individual or group responsible for an attack. Legal significance: "threat actor" is the technical term; legal proceedings use "defendant" or "accused" — but the technical attribution of an intrusion to a specific threat actor is the bridge between incident response and prosecution.
Vulnerability
A weakness in a system, software, or protocol that can be exploited. Legal significance: knowing about a vulnerability and choosing not to disclose it (rather than weaponizing it) is generally legal in the U.S.; the Vulnerabilities Equities Process (VEP) governs when the government must disclose vulnerabilities it discovers. Security researchers who discover vulnerabilities may submit them under a VDP or bug bounty program.
Zero-Day (0-day)
A vulnerability that is unknown to the affected vendor and has no available patch — so named because the vendor has had "zero days" to respond. Legal significance: zero-days are commercially traded (by governments, brokers, and criminals); the VEP governs government retention vs. disclosure; using a zero-day in unauthorized access is still CFAA regardless of the "novelty" of the vulnerability.
Section B: Legal Terms
Aggravated Identity Theft (18 U.S.C. § 1028A)
Federal statute imposing a mandatory consecutive 2-year prison term when a person uses a stolen identity in connection with enumerated predicate felonies (including CFAA felonies and wire fraud). Cannot be suspended, run concurrently, or negotiated away without the government declining to charge it.
Authorized Access
Under CFAA, access to a computer that the owner has permitted. Post-Van Buren (2021), the analysis focuses on whether the person accessed areas of the system they were permitted to access — not whether they used the data for an authorized purpose.
Breach Notification
Statutory requirement to notify affected individuals (and in some cases, regulators) after unauthorized access to personal data. Timelines vary: CA/NY = 30-day outer deadline; GDPR = 72 hours to supervisory authority; NIS2 = 24h early warning + 72h full notification.
Budapest Convention
Council of Europe Convention on Cybercrime — the primary multilateral treaty for cybercrime harmonization and cross-border cooperation. Requires Parties to criminalize illegal access, data/system interference; establishes 24/7 contact points (Article 35) for immediate evidence assistance.
CFAA (Computer Fraud and Abuse Act, 18 U.S.C. § 1030)
The primary U.S. federal anti-hacking statute. Criminalizes unauthorized access, damage to protected computers, credential trafficking, and extortion threats involving computers. Also creates a civil cause of action for qualifying "damage or loss."
CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act)
U.S. federal law (administered by CISA) mandating cyber incident reporting for critical infrastructure sectors. Rulemaking still being finalized.
CLOUD Act
Clarifying Lawful Overseas Use of Data Act — U.S. framework allowing executive agreements with foreign governments to resolve conflicts of law in cross-border data access for criminal investigations, reducing MLAT latency.
Class Action
A lawsuit brought by one or more plaintiffs on behalf of a large group. In data breach cases, class actions aggregate thousands of individual statutory damage claims ($100–$750/person under California's CCPA private action) into massive aggregate exposure.
Concrete Harm
Under Spokeo v. Robins (2016) and TransUnion LLC v. Ramirez (2021), plaintiffs must demonstrate a "concrete" injury — not merely a statutory violation — to have Article III standing. This is the primary procedural filter in data-breach class actions.
Coordinated Vulnerability Disclosure
The practice of reporting a vulnerability to the affected vendor before public disclosure, allowing time to develop and release a patch. DOJ policy recognizes good-faith coordinated disclosure as outside the intended scope of CFAA prosecution.
Criminal Enterprise (RICO)
Under RICO, an "enterprise" is any group of individuals or entities (formal or informal) engaged in, or affecting, interstate commerce. Ransomware groups with division of labor (coders, affiliates, money mules, negotiators) may qualify.
Data Controller (GDPR)
Under GDPR, the entity that determines the purposes and means of processing personal data. Data controllers bear primary GDPR compliance obligations, including breach notification.
Data Processor (GDPR)
Under GDPR, an entity that processes personal data on behalf of a data controller. Processors have narrower GDPR obligations but must notify controllers of breaches without undue delay.
Damage (CFAA)
Under 18 U.S.C. § 1030(e)(8), "damage" means "any impairment to the integrity or availability of data, a program, a system, or information." This covers ransomware encryption, data deletion, and system disruption.
Essential Entity (NIS2)
Under NIS2 Directive (EU) 2022/2555, certain critical sectors (energy, transport, banking, health, digital infrastructure) are classified as "essential" — subject to stricter oversight and higher fine ceilings (≥ €10M or ≥ 2% worldwide turnover).
Exceeds Authorized Access (CFAA)
Post-Van Buren v. United States (2021): accessing a part of a computer system that the person was not permitted to access at all. Does NOT cover using permitted access for an unauthorized purpose.
Extradition
The formal legal process by which one country surrenders a person to another country for prosecution. In cybercrime, extradition is often unavailable (no treaty, political considerations, health/human rights grounds). Many indictments result in "fugitive status" rather than custody.
Forfeiture
Government seizure of assets derived from or used in criminal activity. In cybercrime, forfeiture targets cryptocurrency wallets, proceeds of ransomware payments, and infrastructure. A key mechanism enabling victim-facing recovery even when sentences are short.
FTC Act § 5 (15 U.S.C. § 45)
Federal Trade Commission authority to prohibit "unfair or deceptive acts or practices." Used against companies with inadequate data security — not against hackers. Parallel to criminal enforcement against the attacker.
GDPR (Regulation (EU) 2016/679)
General Data Protection Regulation. EU law governing personal data processing, with breach notification obligations (72h to supervisory authority) and fines up to €20M or 4% worldwide annual turnover.
Important Entity (NIS2)
Under NIS2, a lower-risk category than "essential" — subject to lighter oversight and lower fine ceilings (≥ €7M or ≥ 1.4% worldwide turnover).
Injunctive Relief
Court order requiring a party to do or stop doing something. In cybercrime civil cases, injunctive relief can compel an attacker to stop accessing systems, return/destroy data, or dismantle malware infrastructure.
Loss (CFAA)
Under 18 U.S.C. § 1030(e)(11), "loss" means "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." Heavily litigated in civil CFAA cases.
MLAT (Mutual Legal Assistance Treaty)
Bilateral or multilateral treaty mechanism for sharing evidence between countries for criminal investigations. MLATs are the formal (and slow) pathway for cross-border electronic evidence. Average MLAT processing times are measured in months to years.
NIS2 (Directive (EU) 2022/2555)
EU directive on cybersecurity of network and information systems — requires covered entities to implement risk management measures and report significant incidents. Fine maxima: essential entities ≥ €10M or ≥ 2% worldwide turnover; important entities ≥ €7M or ≥ 1.4% worldwide turnover.
Pattern of Racketeering Activity (RICO)
RICO requires proof of a "pattern" of at least two related racketeering acts (predicate offenses) within 10 years. In cybercrime, predicate acts include wire fraud, CFAA violations, and money laundering.
Personal Jurisdiction
A court's authority over a specific defendant. In cross-border cyber cases, establishing personal jurisdiction over foreign hackers is a major procedural hurdle — often requiring evidence of purposeful availment of the forum state or effects targeting that state.
Protected Computer (CFAA)
Under 18 U.S.C. § 1030(e)(2), any computer used in or affecting interstate or foreign commerce or communication. Practically covers virtually all internet-connected devices.
Punitive Damages
Damages awarded beyond compensation, intended to punish and deter. Under California PC § 502, available for willful violations with malice, oppression, or fraud — rarely awarded in cybercrime civil cases but important leverage in settlement.
Restitution
Court-ordered payment from a convicted criminal to victims for losses. In federal cybercrime cases, restitution orders can be massive; practical recovery depends on asset seizure feasibility.
RICO (18 U.S.C. §§ 1961–1964)
Racketeer Influenced and Corrupt Organizations Act. Criminal penalties (§ 1963) up to 20 years per count + forfeiture. Civil RICO (§ 1964(c)) allows treble damages + attorney's fees. Used in organized cybercrime prosecutions.
Sovereign Immunity
Doctrine protecting foreign states from suit in U.S. courts under the Foreign Sovereign Immunities Act (FSIA). In WhatsApp v. NSO Group (9th Cir. 2021), the court rejected NSO's claim to foreign sovereign immunity as a contractor acting on behalf of foreign governments.
Standing
Constitutional requirement (Article III) that a plaintiff demonstrate injury-in-fact, causation, and redressability. In data-breach class actions, standing is often the dispositive question — particularly after Spokeo (2016) and TransUnion (2021).
Statutory Damages
Fixed damages set by statute, available without proving actual loss. California Civil Code § 1798.150 provides $100–$750 per consumer per incident (or actual damages if greater) for qualifying security breaches. Massive aggregate exposure in class actions.
VDP (Vulnerability Disclosure Policy)
A formal organizational policy defining how security researchers may test and report vulnerabilities, and how the organization will respond. CISA Binding Operational Directive 20-01 requires federal civilian agencies to publish VDPs. Participation in a VDP-governed engagement is strong evidence of "authorized access."
Venue
The geographic location where a case is tried. In cybercrime, "where the crime happened" is often ambiguous — distributed intrusions may affect computers in multiple districts. United States v. Auernheimer (3d Cir. 2014) vacated a conviction because the government chose the wrong venue.
Wire Fraud (18 U.S.C. § 1343)
Federal crime of executing a scheme to defraud using interstate wire communications (email, internet, phone). Up to 20 years' imprisonment. Commonly charged alongside CFAA in hack-and-extort cases.
Section C: Bridging Terms
Attribution
- Technical meaning: Connecting observed attacker behavior (malware signatures, C2 infrastructure, TTPs) to a specific threat actor or group through forensic and intelligence analysis.
- Legal meaning: Proving in court that a specific named defendant committed the intrusion — meeting the burden of proof (beyond reasonable doubt in criminal; preponderance in civil).
- The gap: Technical attribution may be highly confident (same malware, same infrastructure, same TTPs) but still fall short of legal proof when the evidence chain cannot be presented in court, witnesses cannot be compelled, or the defendant claims the infrastructure was compromised by a third party.
Chain of Custody
- Technical meaning: Documentation tracking who collected, handled, and analyzed digital evidence (forensic images, log files, network captures) and how it was stored.
- Legal meaning: The formal legal record establishing that evidence has not been tampered with from collection through trial presentation. Breaks in chain of custody can result in evidence exclusion.
- The bridge: Digital evidence requires both technical integrity (cryptographic hashes verifying no modification) and legal chain-of-custody documentation — both are required for admissibility.
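An added example for the Chain of Custody bridge (not from the original page): a minimal custody ledger in which every hand-off records the artifact's SHA-256 together with the hash of the previous record, so verification shows both that the image is unmodified and that no record was dropped, reordered or edited. Custodian names, timestamps and the "image" bytes used in the checks are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value for the first record in a ledger


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_hash(record: dict) -> str:
    """Hash of a record's canonical JSON (sorted keys, no whitespace),
    excluding its own 'this' field."""
    body = {k: v for k, v in record.items() if k != "this"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def record_handoff(ledger: list, artifact: bytes, custodian: str, action: str, when: str) -> dict:
    """Append one custody record. Each record binds the artifact's hash to the
    previous record, so inserting, dropping or editing a record later changes
    every hash after it. `when` is an ISO-8601 UTC timestamp supplied by the
    caller so the ledger is reproducible."""
    record = {
        "seq": len(ledger),
        "when": when,
        "custodian": custodian,
        "action": action,  # e.g. "acquired", "transferred", "analyzed"
        "artifact_sha256": sha256_hex(artifact),
        "prev": ledger[-1]["this"] if ledger else GENESIS,
    }
    record["this"] = record_hash(record)
    ledger.append(record)
    return record


def verify_custody(ledger: list, artifact: bytes) -> tuple:
    """Check both legs of admissibility: the artifact matches what every custodian
    recorded, and the record chain is unbroken and unedited. Returns (ok, reason)."""
    if not ledger:
        return False, "empty ledger"
    current = sha256_hex(artifact)
    prev = GENESIS
    for i, rec in enumerate(ledger):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, f"chain broken at record {i} (missing or reordered record)"
        if record_hash(rec) != rec.get("this"):
            return False, f"record {i} was edited after it was written"
        if rec.get("artifact_sha256") != current:
            return False, f"record {i} hashed a different artifact than the one presented"
        prev = rec["this"]
    return True, f"{len(ledger)} records verified; artifact sha256 {current}"
```

A hash chain only proves internal consistency; a real evidence system also signs or externally timestamps each record so that a party holding the whole ledger cannot rewrite it end to end.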
Discovery
- Technical meaning: In network/security contexts, "discovery" refers to finding devices, services, or vulnerabilities on a network (e.g., a port scan is "network discovery").
- Legal meaning: The pre-trial phase where parties exchange evidence. Also the moment when a breach is "discovered" for purposes of triggering the 30-day notification clock under CA Civil Code § 1798.82 and NY GBL § 899-aa.
- The gap: Litigants frequently dispute the "discovery date" — did the clock start when the first log anomaly was seen, when the forensics firm confirmed a breach, or when scope was fully determined? Courts have not uniformly resolved this.
Incident Response
- Technical meaning: The structured process of detecting, containing, eradicating, and recovering from a security incident.
- Legal meaning: The incident response process simultaneously creates legal obligations (notification clocks), evidence (forensic logs), and potential liability (was the response reasonable?). Incident response decisions made without legal counsel may inadvertently waive privilege, trigger disclosure obligations, or destroy evidence.
- The bridge: "Litigation-ready" incident response means designing IR processes to preserve evidence, document timelines, and track decisions — not just to restore operations.
Threat Actor
- Technical meaning: Any individual or group conducting or capable of conducting a cyberattack. Categorized by motivation (financial, espionage, hacktivist, destructive) and sophistication (APT vs. commodity).
- Legal meaning: The defendant. Courts and prosecutors do not use "APT" or "threat actor" — they name individuals.
- The gap: Technical threat intelligence ("APT28 conducted this attack") is often not sufficient for legal proceedings. Attribution must reach an individual with evidence sufficient for indictment or civil pleading.
Nation-State Actor / State-Sponsored Hacking
- Technical meaning: Intrusions conducted by or on behalf of a government, often with extensive resources, sophisticated tooling, and intelligence objectives.
- Legal meaning: State-sponsored hackers are often unchargeable in practice due to diplomatic immunity, lack of extradition treaties, and sovereign immunity doctrines. Indictments against them (e.g., Park Jin Hyok for North Korea; various GRU officers for Russia) serve political/deterrence purposes more than criminal accountability.
- The bridge: Even when criminal accountability is unavailable, civil suits may be possible (as in WhatsApp v. NSO — but the defendant there was a private company, not a state). Sanctions (OFAC) and infrastructure disruption are the primary state-level tools.
Damage Assessment
- Technical meaning: The forensic process of determining what systems were accessed, what data was exfiltrated, and what was altered or destroyed.
- Legal meaning: Damage assessment costs are explicitly included in CFAA's definition of "loss" — they are recoverable even before any data is confirmed stolen. Courts have held that damage assessment costs alone (when they meet the $5,000 threshold) can support a civil CFAA claim.
- The bridge: Documenting damage assessment costs carefully (time, third-party forensics fees, attorney fees for legal hold decisions) is critical to preserving CFAA civil claims and insurance coverage.
Responsible Disclosure / Coordinated Disclosure
- Technical meaning: Security researchers report vulnerabilities to vendors first, allow a reasonable remediation period (commonly 90 days), and then disclose publicly if no patch is issued.
- Legal meaning: DOJ policy (2022) recognizes good-faith security research and coordinated disclosure as outside the intended scope of CFAA prosecution. CISA BOD 20-01 requires federal agencies to have VDPs. Participation in a formal disclosure process is evidence of authorization.
- The bridge: Whether a researcher is "authorized" depends on whether the organization had a VDP, bug bounty, or express authorization — not solely on whether the research was done in "good faith." CFAA still technically applies even to good-faith research absent authorization.