Short Lines is a regular, brief, to-the-point alert on legal issues of current interest in our .com world. It is available on our website at http://www.kemplittle.com. It is not legal advice or a substitute for it. You may copy any part of it so long as you acknowledge its source. The author asserts his/her moral rights. We welcome all feedback and comments. Please email your contact at the practice or info@kemplittle.com or call us on +44 (0)20 7600 8080.
This is the second of a 2-part Short Lines series on cyber-crimes. In Part 1, we examined the adequacy of current UK IT security laws and touched briefly on current legal developments on this front. In this part, we take a closer look at the proposed European Council Framework Decision on Attacks against Information Systems, other current trends and the data protection aspects of IT security.
The Computer Misuse Act 1990 (CMA) is widely regarded as an insufficient deterrent against unauthorised access to and modification of computer systems. For one, although the CMA's jurisdiction is multi-territorial, it could not be applied against the Filipino student who started the "I love you" virus because there was no extradition treaty between the Philippines and the UK. With this in mind, governments are increasingly conscious that only broad international harmonisation and co-operation will be effective in tackling future attacks on information systems. The European Commission's Proposed Framework Decision on Attacks against Information Systems is currently with the European Parliament for its consideration. The Framework Decision will require European Union Member States to criminalise:
This essentially covers the notion of hacking "without right" and is an analogue of Section 1 of the CMA.
The definition of an Information System is technology neutral and will cover networks, servers, the Internet, PCs, PDAs, mobile phones and any device which processes data pursuant to a program. However, an offence will only be committed under this Article if (a) the system concerned had some form of security measures in place or (b) there was an intent to cause damage or to derive an economic benefit from the illegal access. Strangely, this raises the bar above what the authorities must currently prove in order to secure a conviction under the CMA.
The disjunctive requirements reflect the fact that most victims of hacks do not have adequate security measures on their systems. The Commission is aware of this, noting that while it wants to encourage users to adopt effective security measures, it believes that at this stage the law must also protect users who do not have such protection in place. This may well change as governments seek to encourage the private sector to be more proactive in the prevention of IT security breaches.
This offence covers the intentional and serious hindering or interruption of an information system, or the alteration of the content of an information system, so as to cause damage to another person. Broadly speaking, it is analogous to the offence of "unauthorised modification" under the CMA. However, the reference to "hindering or interruption" of information systems would cover denial of service and other similar attacks, an area where the CMA's jurisdiction is, at best, tenuous.
The use of the word "serious" indicates that the prosecution would have to show that the damage caused by the illegal interference was more than merely minor. Again, this appears to raise the bar for proving the offence. However, the Framework Decision does not define "serious", and Member States would be free to determine the level of seriousness required to cross the threshold. There is a real possibility that the threshold may differ from Member State to Member State, thus defeating the purpose of harmonisation.
Notwithstanding the higher level of proof introduced by Article 4, the Framework Decision does improve on the CMA because the second limb of Article 4 addresses instances where the third party who suffers the damage is neither the owner nor the user of the information system concerned, e.g. a bank customer whose details are changed on the bank's main server. Here, the Framework Decision recognises that victims of cyber-crimes/IT attacks are not limited to the owners and primary users of the information systems concerned. All stakeholders must be adequately protected.
It will also be an offence to aid, abet, instigate, or attempt to commit, any of the acts prohibited under Articles 3 and 4 of the Framework Decision. This would be a sensible offence to add to the statute books - it would show a lack of foresight if only the persons tapping at the keyboard, or only successful hackers, could be prosecuted.
Whilst the Framework Decision shows some positive steps in international co-operation on tackling cyber crime, reliance solely on the criminal law is not sufficient to prevent breaches of IT security. It will be necessary for all owners of, and stakeholders in, any critical systems to address existing vulnerabilities and potential threats in a more considered manner and to co-operate with each other and governmental authorities. The US government is keenly aware of the necessity of active private sector participation if the fight against IT security breaches is to be won. In its Strategy for Securing Cyberspace document, it sets out a framework to co-ordinate co-operation within the private sector to implement appropriate security measures.
Within the EU, apart from the Framework Decision, there are already ad-hoc legal requirements to have adequate security measures in place: the Seventh Data Protection Principle under the Data Protection Directive (Directive 95/46/EC) requires all users of personal data to implement appropriate technical and organisational measures to prevent (i) unauthorised access and use, and (ii) accidental loss or destruction, of personal data stored in a system; and the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) requires providers of public telecommunication services to take appropriate technical and organisational measures to safeguard the security of the service. Various regulated financial institutions within the European Union are also required by their respective regulators to have proper IT security in place in order to qualify for their authorisations/licences. Here we take a closer look at the requirements under the Data Protection Act 1998.
As mentioned, the seventh data protection principle requires businesses to have in place adequate technical measures to prevent unauthorised access to the data contained in the system. If such unauthorised access leads to damage and distress suffered by an individual, that individual can claim compensation where the business concerned cannot prove that it took reasonable steps to comply with the seventh principle. It is not difficult to foresee the distress that might be caused if credit card numbers or financial details are disclosed as a result of inadequate IT security. The UK Information Commissioner's Office has also indicated that it will concentrate more of its resources on monitoring and prosecuting the more serious breaches of the data protection rules, and it considers breaches by parties who are in a position of trust (e.g. by a business in relation to a customer) to be serious. The Department of Trade and Industry is also considering whether to require all UK businesses to implement ISO 17799:2000. This ISO standard is an entry-level framework for information security and identifies certain good practice steps such as access control, personnel security, organisational security, and physical and environmental security.
To date, businesses have been predominantly focussed on the fair and lawful processing aspects of the data protection rules - e.g. whether the consent of the individual has been adequately obtained. The approach of the Information Commissioner and the DTI indicates that, slowly but surely, the regulator and the government are beginning to emphasise the IT security aspects as well. Whilst the punishment for breach of the data protection rules remains relatively weak, businesses are unlikely to welcome the adverse publicity it will attract in the event of a complaint or investigation. Ultimately, the need to maintain customer confidence may be the biggest driver in encouraging businesses to be more proactive in putting adequate IT security in place.
Calum Murray / Denis Low
Proposed Council Framework Decision on Attacks against Information Systems - http://www.europa.eu.int/eur-lex/en/com/pdf/2002/com2002_0173en01.pdf
US Government Strategy for Securing Cyberspace - http://www.whitehouse.gov/pcipb/
Directive 95/46/EC on the protection of personal data - http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31995L0046&model=guichett
Directive on privacy and electronic communications (Directive 2002/58/EC) - http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf
Kemp Little LLP Solicitors, Cheapside House, 138 Cheapside, London, EC2V 6BJ
Tel: +44 (0) 20 7600 8080 Fax: +44 (0) 20 7600 7878
© 2011 Kemp Little LLP