Law 19983 on

1. Main normative acts related to the security of critical information infrastructures in Azerbaijan. (Easy)


The primary legal framework is established by the Law of the Republic of Azerbaijan “On Informatization, Information Resources, and Protection of Information.” This is heavily reinforced by specific Presidential Decrees that define the security parameters of Critical Information Infrastructure (CII) and assign regulatory oversight to the State Service for Special Communication and Information Security (XRITDX).

Furthermore, the “Strategy of the Republic of Azerbaijan on Information Security and Cybersecurity” serves as a roadmap for national defense. These acts collectively dictate the mandatory baseline defenses that both state and private infrastructure operators must deploy.


2. Sanctions applied for failure to comply with minimum information security requirements. (Medium)


Non-compliance with established security baselines primarily triggers administrative liability under the Code of Administrative Offenses of the Republic of Azerbaijan. State regulators can impose substantial financial penalties on both the responsible officials and the legal entity itself.

If this negligence directly leads to a massive data breach or operational failure that causes significant material damage, the situation crosses into the criminal domain. In such cases, executives can face criminal charges under relevant articles for professional negligence or violation of computer safety rules.


3. Methods for a country to study the experience of other countries in information warfare. (Easy)


A country can analyze foreign information warfare tactics by actively participating in international cybersecurity forums, joint military-cyber exercises, and bilateral intelligence-sharing networks. Additionally, establishing academic research units dedicated to reverse-engineering documented historical incidents (such as known attacks on regional power grids) provides invaluable tactical data.

Fostering deep partnerships with global tech vendors also allows a nation to receive real-time telemetry on evolving threats. This proactive observation helps defensive teams build preemptive countermeasures before similar tactics are deployed against their own borders.


4. Liability for disclosure of state secrets resulting from unauthorized access to information systems


This scenario creates a cumulative legal conflict where the perpetrator faces severe criminal prosecution on multiple fronts under the Criminal Code. The individual will be charged both for the illegal intrusion into a restricted computer system and for the unauthorized acquisition or disclosure of state secrets.

If the breach was engineered to hand over sensitive data to a foreign entity, the charges can be escalated to state treason, which carries the heaviest possible prison sentences. The law holds that bypassing a digital security boundary to access state secrets proves clear criminal intent, eliminating any defense of accidental discovery.


5. Criminal-law assessment of stealing users’ card information through a website. (Hard)


This act is a multi-layered offense that is treated with high severity under the Criminal Code. It is legally assessed as computer fraud because the perpetrator uses unauthorized modification of digital data to illicitly acquire financial assets.

Additionally, prosecutors will append charges related to illegal access to computer information and the unlawful interception of private data streams. Because this crime directly undermines public trust in the national digital economy, judicial outcomes typically involve strict, non-custodial or long-term custodial sentences depending on the scale of the financial damage.


6. System, types, and norms of information law. (Medium)


Information law functions as an uncodified, highly interdisciplinary branch of law that bridges public administration, civil liberties, and technical regulations. Its internal system comprises general constitutional principles, institutional norms (such as e-government and media regulations), and protective sub-norms governing data privacy and active cyber defense.

These norms are functionally divided into permissive (granting public data access), mandatory (requiring strict security audits), and prohibitive (banning cybercrime). As technology evolves, these legal norms must constantly adapt to cover emerging fields like artificial intelligence governance.


7. Ways in which hybrid warfare and disinformation violate people’s rights. (Medium)


Hybrid warfare and systemic disinformation campaigns directly infringe upon a citizen’s constitutional right to access reliable, unmanipulated information. By intentionally distorting public reality, these operations can destabilize societal peace, which indirectly threatens fundamental human rights to personal safety, liberty, and democratic choice.

Furthermore, when disinformation targets minority groups or specific public figures, it often translates into real-world hate speech and discrimination. This atmosphere compromises the state’s ability to protect its citizens’ personal dignity and freedom of expression without fear of engineered retaliation.


8. Use of social media in information warfare and preventive measures. (Easy)


Social media platforms serve as primary delivery vectors in modern conflicts due to their ability to rapidly spread propaganda, deepfakes, and algorithmic bias via coordinated bot networks. Effective preventive measures require a mixture of proactive, independent fact-checking networks, automated platform moderation, and national digital literacy programs.

On a legal level, states implement strict regulatory frameworks that hold platform providers accountable for refusing to take down malicious, state-sponsored content. Building national cyber-resilience teams to quickly debunk viral myths in real-time is also crucial to stabilizing public opinion.


9. Legal response measures taken during interference with an energy company considered critical information infrastructure. (Medium)


The immediate legal step requires the affected utility provider to trigger mandatory breach-notification protocols, alerting the national CERT and state security agencies within the legally mandated timeframe. This is followed by the immediate opening of a formal criminal investigation led by state prosecutors to determine if the act constitutes cyber-sabotage or terrorism.

Simultaneously, emergency decrees may be issued to temporarily decouple certain infrastructure elements from public networks to preserve operational stability. If the attack is traced back to a foreign country, the state may initiate international diplomatic protests or invoke mutual legal assistance treaties to track down the hackers.


10. Legal problems arising from employees sharing confidential company information on social media


This scenario triggers a complex mix of labor disputes, breaches of Non-Disclosure Agreements (NDAs), and severe commercial data leaks. The primary legal challenge for the enterprise lies in proving that the employee acted with clear intent or gross negligence, as well as accurately calculating the exact financial impact of the leaked data on market valuation.

If the shared data includes client personal records, the company faces immediate regulatory fines for failing to secure its internal databases. This underscores the necessity for companies to implement clear, binding social media policies within their standard employment contracts.


11. Legal admissibility of information obtained through covert video surveillance. (Medium)


In the vast majority of legal frameworks, digital evidence captured via hidden or covert cameras without prior judicial authorization or explicit consent is strictly inadmissible in court. Bypassing these procedural requirements violates constitutional rights to privacy and the inviolability of private property, rendering the evidence legally void.

Judges will invoke the “fruit of the poisonous tree” doctrine to completely throw out such recordings, regardless of how clearly they depict an illegal act. The only narrow exceptions typically involve highly specific state-sanctioned counter-intelligence or anti-terror operations.


12. Legal measures taken against a hacker attacking a foreign server from the territory of Azerbaijan


Because cybersecurity laws maintain strict territorial jurisdiction, local law enforcement agencies can arrest and prosecute anyone executing cybercrimes from within national borders, regardless of where the target server sits. The individual will be formally indicted under the Cybercrime chapter of the Criminal Code of Azerbaijan for unauthorized computer access and disruption.

If Azerbaijan shares a mutual legal assistance treaty (MLAT) or extradition agreement with the victim’s nation, local authorities will coordinate with foreign investigators to collect digital evidence. However, if extradition is barred by law, the hacker will be tried locally using the evidence provided by the foreign state.


13. Legal measures taken against an enterprise using illegal software. (Hard)


An enterprise utilizing pirated or unlicensed software faces significant multi-jurisdictional legal consequences, beginning with civil lawsuits from copyright holders seeking statutory damages and asset freezes. State regulatory bodies can also issue administrative fines and confiscate the hardware running the unauthorized code.

In cases of large-scale, commercial-grade software piracy, the corporate officers can face direct criminal liability for intellectual property theft. Beyond financial losses, a court-ordered compliance audit can severely disrupt or halt the company’s daily business operations.


14. Legal consequences of a company’s refusal to report a cybersecurity incident. (Easy)


Modern regulatory frameworks mandate that any major cybersecurity incident, especially those involving consumer data, must be reported to state authorities within a strict, narrow window. Refusing to report or intentionally concealing a breach results in severe administrative fines, potential operational suspension, and the loss of corporate licenses.

Furthermore, it exposes the enterprise to massive class-action civil lawsuits from affected clients who can easily argue that the delay worsened their financial exposure. This silence also destroys corporate reputation, as transparency is a key metric in modern market trust.


15. Balancing privacy and security while monitoring employees’ computer activities. (Hard)


To maintain a legally sound balance, an enterprise must completely eliminate any expectation of privacy on corporate devices through a clearly signed Acceptable Use Policy (AUP). The monitoring must be strictly proportional, meaning it should focus solely on protecting trade secrets and preventing network threats, rather than snooping on personal employee habits.

Capturing private credentials or personal banking information during routine corporate logging can expose the company to severe privacy violation lawsuits. Therefore, monitoring tools must be carefully configured to filter out non-work-related personal data.


16. Legal risks related to servers of a company receiving technological support from a foreign country


The primary legal risk involves data sovereignty and the potential for extra-territorial data access, where foreign governments could legally subpoena the company’s data under their local laws (such as the US CLOUD Act). There is also the constant threat of violating local data localization laws, which strictly require citizens’ personal information to be processed and stored within sovereign borders.

Additionally, if geopolitical tensions shift, international sanctions or sudden policy changes could abruptly cut off technical support, leaving the company’s infrastructure highly vulnerable. This makes deep supply-chain auditing and vendor verification absolute operational necessities.


17. Legality of using data obtained from a computer without permission as evidence. (Hard)


Data harvested via unauthorized access or hacking into a device is viewed by the courts as contaminated evidence and is generally barred from judicial proceedings. Accepting unlawfully acquired digital data violates the fundamental right to a fair trial and destroys procedural due process.

Even if the data contains undeniable proof of a separate crime, the court must reject it to maintain systemic integrity and deter illegal vigilantism. Parties attempting to use such data may themselves face immediate criminal countersuits for unauthorized computer intrusion.


18. Legal obligations of management in case of customer data leakage in a banking system. (Easy)


Bank management is legally obligated to execute an immediate containment plan to isolate the compromised systems and halt further data exposure. They must concurrently notify the Central Bank and national data protection regulators, providing a detailed breakdown of the compromised data fields and immediate remediation steps.

Management must also issue transparent public notices to all affected customers, advising them on how to secure their accounts against secondary fraud. Failure by management to act swiftly can result in immediate regulatory intervention, removal of executive licenses, and severe corporate fines.


19. Branches of law and legal relations, relationship between the state and law. (Easy)


The legal ecosystem is split into public law, which governs state operations and crime, and private law, which regulates interactions between independent individuals and businesses. Under the foundational principle of the rule of law, the state acts as both the supreme creator of legal norms and an entity fully constrained by those very same rules.

This dual nature ensures that state power cannot be wielded arbitrarily against its citizens, creating a predictable framework for public administration. Legal relations exist only when these state-enforced norms formally bind parties to specific mutual rights and duties.


20. Rules for evaluating digital evidence with an unknown source in court. (Easy)


Courts evaluate all incoming digital evidence based on three rigid pillars: authenticity, integrity, and verifiable reliability. If the ultimate source of a piece of digital evidence is completely anonymous or untraceable, the judge is highly likely to reject it due to a broken chain of custody.

Without verifiable source metadata or cryptographic hashes, there is no technical way to prove that the file was not altered, fabricated, or planted. Therefore, unknown source files are treated as mere hearsay rather than concrete forensic evidence.


21. Liability for a dismissed employee sending the customer database to a personal address. (Easy)


This action immediately exposes the former employee to triple-tiered liability across civil, administrative, and criminal sectors. The company can launch immediate civil litigation for breach of contract, intellectual property theft, and violation of signed NDAs to claw back damages.

Administratively, the individual faces penalties for the unlawful transfer and processing of personal data without proper authorization. On a criminal level, this behavior qualifies as corporate espionage and unauthorized data extraction, which can result in active prison sentences.


22. Measures taken when personal data is stolen through unauthorized access to a user’s computer


The immediate response requires the victim to lodge a formal complaint with specialized law enforcement cybercrime units to open a criminal investigation. Technical experts will work to preserve system logs, trace IP addresses, and identify the command-and-control servers utilized by the attacker.

Concurrently, the victim must notify their financial institutions and identity providers to preemptively freeze accounts and mitigate secondary identity theft. Legally, once the hacker is identified, the victim can launch civil claims within the criminal process to demand compensation for financial and moral damages.


23. Articles of the Criminal Code applied in cases of threats against critical infrastructure. (Easy)


In the context of Azerbaijani criminal law, digital threats or attacks targeting vital infrastructure trigger the heavy application of Chapter 30 of the Criminal Code, specifically Article 271 (Illegal access to a computer system) and Article 273 (Disruption of a computer system or network).

If the attack is deliberately designed to cause widespread societal panic, massive economic destabilization, or loss of human life, prosecutors will elevate the charges. In those extreme scenarios, the actions are reclassified under Article 214 (Terrorism) or Article 282 (Sabotage), both of which carry maximum prison sentences.


24. Form of presenting an insulting social media post as evidence in court. (Easy)


To successfully present a digital post in a legal dispute, it should ideally be formally preserved by a licensed notary public who generates an official verification protocol. This paper or digital report is accompanied by unedited, high-resolution screenshots that explicitly display the URL, account handles, and exact timestamps.

Additionally, preserving the raw metadata or electronic source code of the webpage provides an extra layer of protection against claims of fabrication. This comprehensive presentation ensures the opposition cannot simply delete the post and claim it never existed.


25. Proving disclosure of a trade secret by an employee through digital evidence. (Medium)


Proving corporate espionage requires a rigorous digital forensics audit of the employee’s assigned corporate hardware, cloud storage access patterns, and internal communication logs. Investigators look for clear digital footprints, such as mass data transfers to external USB devices (visible via registry hives) or outgoing emails containing sensitive attachments sent to personal accounts.

Correlating these data transfer timestamps directly with the employee’s working hours builds an airtight timeline for prosecutors. Discovering matching files on the employee’s personal devices or cloud accounts later seals the evidence chain.


26. Verification of evidence reliability in cases of alleged falsification of email correspondence. (Hard)


When a party claims an email chain has been manipulated, forensic examiners bypass the visual text and dig straight into the raw email header files. They analyze cryptographic authentication protocols like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC records to verify server legitimacy.

They will also cross-match the listed IP routing hops with the official connection logs of the sending and receiving Mail Transfer Agents (MTAs). Any structural conflict in timestamps, unique message IDs, or broken cryptographic signatures will immediately expose the falsification.
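The header checks described above, as an added example that is not part of the original study notes: it reads the authentication verdicts recorded by the receiving server, checks the order of the Received hops, and cross-matches each hop against an MTA log extract. The sample message, the forged variant, the log entries, the `SKEW` tolerance and the function names are all constructed for illustration.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

SKEW = timedelta(minutes=2)  # tolerated clock drift between servers (assumed)

# Constructed sample message; hosts, IDs and addresses are illustrative only.
GENUINE = """\
Authentication-Results: mail.example.org; spf=pass smtp.mailfrom=example.net;
 dkim=pass header.d=example.net; dmarc=pass header.from=example.net
Received: from mx.example.net (mx.example.net [192.0.2.10])
 by mail.example.org with ESMTPS id abc123; Mon, 03 Mar 2025 10:15:07 +0000
Received: from client.example.net (client.example.net [192.0.2.55])
 by mx.example.net with ESMTPSA id def456; Mon, 03 Mar 2025 10:15:05 +0000
From: Alice <alice@example.net>
Date: Mon, 03 Mar 2025 10:15:04 +0000
Message-ID: <20250303101504.1234@example.net>

Body text.
"""

# Constructed forgery: all visible times moved to 12:40, DKIM verdict is fail.
TAMPERED = GENUINE.replace(" 10:15:", " 12:40:").replace("dkim=pass", "dkim=fail")

# Constructed MTA connection-log extract: queue ID -> time the server logged.
MTA_LOG = {
    "abc123": parsedate_to_datetime("Mon, 03 Mar 2025 10:15:07 +0000"),
    "def456": parsedate_to_datetime("Mon, 03 Mar 2025 10:15:05 +0000"),
}


def hops(msg):
    """Return (queue_id, timestamp) per Received header, newest first."""
    out = []
    for header in msg.get_all("Received", []):
        route, _, stamp = header.rpartition(";")
        qid = re.search(r"\bid\s+(\S+)", route)
        out.append((qid and qid.group(1), parsedate_to_datetime(stamp.strip())))
    return out


def examine(raw, mta_log):
    """List inconsistencies between the headers, auth verdicts and MTA logs."""
    msg = message_from_string(raw)
    findings = []
    # Recorded verdicts only; re-verifying DKIM needs the signer's DNS key.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method, "missing") != "pass":
            findings.append(f"{method}: {verdicts.get(method, 'missing')}")
    chain = hops(msg)
    # Each server prepends its header, so times must not increase downwards.
    for (_, newer), (_, older) in zip(chain, chain[1:]):
        if newer + SKEW < older:
            findings.append("Received hops out of chronological order")
    for qid, stamp in chain:
        logged = mta_log.get(qid)
        if logged is None:
            findings.append(f"hop {qid}: no matching MTA log entry")
        elif abs(stamp - logged) > SKEW:
            findings.append(f"hop {qid}: header time differs from MTA log")
    return findings
```

The forged variant keeps its own headers mutually consistent, so it is the server-side log and the recorded DKIM verdict that expose it.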


27. Liability arising from a website collecting geolocation data without permission (Medium)


Secretly tracking consumer location data represents a massive violation of national data protection statutes and basic privacy rights. The website operator faces severe administrative fines from communications regulators, alongside mandatory structural orders to completely purge the illegally harvested datasets.

If the tracking is found to be deliberate and widespread for commercial monetization, it can trigger class-action civil lawsuits for damages from thousands of users simultaneously. Regulatory bodies also hold the legal power to completely block or blacklist the domain within the country until full compliance is proven.


28. Preparation steps and stages for a country’s cyber warfare readiness. (Medium)


National cyber warfare readiness is built in structured stages, starting with the drafting of a comprehensive, legally binding National Cybersecurity Strategy. This is followed by the creation of a centralized military Cyber Command and a network of highly responsive civilian and military CERTs/CSIRTs.

The next stage focuses on mandating strict zero-trust architectures across all critical infrastructure networks and running nationwide cyber-war simulation games to test response times. The final, continuous stage requires heavy public investment in local STEM education and tech research to maintain a sovereign pipeline of defensive cybersecurity talent.


29. Impact of infrastructure damage during cyber warfare on civilians and relevant international law


Cyberattacks directed at power stations, water treatment centers, or hospital networks can cause immediate, catastrophic damage to civilian populations, completely mimicking the effects of physical bombings. Under International Humanitarian Law (IHL), particularly the foundational principles codified in the Geneva Conventions, such actions are strictly illegal if they fail to respect the rules of distinction and proportionality.

Cyber operations must never target assets that are indispensable to the survival of the civilian population. Nation-states that deploy indiscriminate malware against civilian networks can be held legally liable for committing modern war crimes.


30. Main technologies included in a defense strategy against cyber warfare. (Medium)


An advanced national cyber defense strategy relies heavily on AI-powered threat detection systems and Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) platforms that analyze network traffic anomalies in real-time. This technical baseline is reinforced by widespread implementation of Zero-Trust Network Architectures, strict network segmentation, and hardware-enforced firewalls.

Continuous end-to-end data encryption protocols protect sensitive data streams even if a perimeter breach occurs. Finally, deploying completely air-gapped, decentralized immutable cloud backup systems ensures that critical services can be restored within minutes of a catastrophic attack.