Under the US Computer Fraud and Abuse Act (CFAA), what is the primary legal requirement before conducting a penetration test?