Mastering Kali Linux for Web Penetration Testing

What is legal?

First, the locations of the sites and the legal jurisdiction governing the businesses that we are testing will each present distinct laws and regulations that we should be aware of. In the United States and European Union, actions that cross state or member borders fall under the primary jurisdiction of their overarching regulations. To avoid running afoul of these laws, you may be well served by searching your governing body's laws; for the EU, http://eur-lex.europa.eu/homepage.html offers a good starting place, while the US Department of Justice offers similar search capabilities and also summarizes national code in the guide called Prosecuting Computer Crimes (https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf). US laws such as the Computer Fraud and Abuse Act of 1984, the Economic Espionage Act of 1996, the Federal Information Security Management Act (FISMA), the Cyber Security Enhancement Act of 2002, and the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT, from 2001) also shape the legal precedent and principles of American cyber law. Regulations such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Digital Security Standard (PCI-DSS) may apply to many of the customers that we'll be interacting with, depending on their function and governing agencies.

The EU just enacted a new far-reaching regulation called the General Data Protection Regulation (GDPR, http://www.eugdpr.org) that helps define the responsibilities of companies, and it will certainly impact our roles on projects involving companies doing business in the EU. The Indian Government recently instituted its own comprehensive National Cyber Security Strategy of 2013 and provides access to all of its cyber laws through the Ministry of Electronics and Information Technology site (http://meity.gov.in/content/cyber-laws-security). Many other Asian and African nations have also continually revised their own laws. It is worth investing in reference books and legal journals that cover the constantly evolving legal landscape, as they can help you stay on the right side of the law.

As your practice grows, it may be worth keeping a lawyer or firm that concentrates on laws around cyber security, data, privacy, and ethical hacking on retainer, both to help craft legally sound contracts for you and to provide representation in the event of any legal action in which you and your company may become involved.