Cybercrime is quickly becoming one of the most dangerous types of crime, not just in the UK but globally. A research report published by the Home Office in October 2013 concluded, based on statistics from global anti-virus providers, that attacks by cyber criminals number in the billions each year, with the figures rising year on year. In the post-Snowden era, concern over hacking and the resulting compromise of personal data is at an all-time high. Just recently the controversial adultery website Ashley Madison was subject to a security attack of unprecedented scale, with the hackers threatening to publish the personal information of the site's 37 million users.
The issue of data security is clearly at the forefront of legal discussions of hacking. But how does the law provide for the protection of personal data in the UK? It is only in the last 25 years, with the rapid growth of computer usage and huge advances in technology, that legislation designed to counteract cybercrime has been passed by the UK government.
The Computer Misuse Act 1990
The Computer Misuse Act 1990 was the first key piece of legislation designed to deter hackers, and was passed partly in reaction to a high-profile intrusion into British Telecom's Prestel viewdata service in the mid-1980s. At trial, the two men responsible, Schifreen and Gold, were convicted and fined £750 and £600 respectively. At that time, however, there was no specific criminal offence of gaining unauthorised access to a computer, so the pair had been charged under the Forgery and Counterfeiting Act 1981, which their counsel argued had been misapplied to their conduct. On appeal to the Criminal Division of the Court of Appeal, the convictions were quashed by the Lord Chief Justice, and the acquittal was upheld by the House of Lords in R v Gold & Schifreen (1988). The case exposed the gap in the law that the 1990 Act was written to close.
The Computer Misuse Act aimed to provide a clear law for the purpose of "securing computer material against unauthorised access or modification; and for connected purposes". Three criminal offences were introduced (Secs. 1-3): "unauthorised access to computer material", "unauthorised access with intent to commit or facilitate commission of further offences" and "unauthorised modification of computer material". As originally enacted, the section 1 offence was triable only in the Magistrates' Court and carried up to six months' imprisonment and/or a fine, whereas the section 2 and section 3 offences carried up to five years' imprisonment and/or a fine on indictment.
Amendments made by the Police and Justice Act 2006 (in force from 2008) raised the maximum sentence for "unauthorised access to computer material" to 2 years' imprisonment on indictment (Sec. 35 of the 2006 Act). Significantly, the amendments also reshaped the offences: the old section 3 offence was replaced with "unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.", punishable by up to 10 years in prison or a fine or both (Sec. 36), and a new section 3A offence of "making, supplying or obtaining articles for use in computer misuse offences", punishable by up to 2 years in prison or a fine or both, was added (Sec. 37). The section 3A offence is the one of most concern to security practitioners, since it covers tools as well as acts; the prosecution must still prove intent or belief that the tool will be used to commit an offence.
Over the course of the past 25 years, the Computer Misuse Act has been used to secure convictions in roughly 80 major cases of cybercrime and hacking. A recent high-profile case brought to a close in July 2015 saw a Morrisons supermarket employee convicted of fraud, unauthorised access to computer material with intent to commit an offence, and unlawfully disclosing personal data, after leaking the personal details of nearly 100,000 supermarket staff and then creating a fake email account in a colleague's name in order to cover his tracks. The defendant published information about staff salaries, bank details and National Insurance numbers on data sharing websites, and also sent it to several newspapers. The prosecution established that the defendant had acted with intent, his motive being a personal grievance after he was accused of dealing in legal highs at work.
The seriousness of the defendant's conduct centred on the risk of identity theft faced by the staff whose personal details were leaked online. In addition, the data breach cost Morrisons more than £2 million to rectify. Although the defendant denied the charges against him, he was found guilty and was sentenced to eight years' imprisonment. This is one of the longest, if not the longest, terms of imprisonment imposed in a case brought under the Computer Misuse Act, although it should be noted that the sentence reflected the fraud and data protection charges as well as the computer misuse charge.
The legal repercussions for breaches of the Computer Misuse Act have varied greatly between cases, in line with the relative severity of the offence and the potential harm caused to others. For example, in April this year, a student at the University of Birmingham was sentenced to only four months in prison after pleading guilty to six charges under the Computer Misuse Act for stealing university staff passwords, which he then used to access the examination system and improve his own grades. Teenagers charged under the Act have received sentences as light as 100 hours or so of community service.
The Data Protection Act 1998
The Data Protection Act 1998 (in force from March 2000) is viewed as the main piece of legislation governing the protection of personal data in the UK. Enacted to implement the EU Data Protection Directive, the Act gives effect to a person's right to privacy in relation to the processing of personal data. Any data controller, that is, any person or organisation that determines how and why personal data is processed, is legally obliged to comply with the eight data protection principles set out in the Act. These principles govern, for example, the purposes for which data can be processed, the amount of data that can be held for a given purpose, and the security measures that must be in place to protect it.
Nonetheless, the Data Protection Act is known to be complex, and there are several notable exemptions from its principles, including processing for the purposes of national security, and for the prevention or detection of crime and the assessment or collection of tax. The crime and taxation exemption is partial rather than blanket: it applies only to the extent that complying with the relevant principles would prejudice those purposes, so data accessed by the authorities in order to apprehend criminals and terrorists is exempt for that purpose only. Data processed by an individual solely for personal, family or household purposes is also exempt.
Under section 55 of the Act, knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller is a criminal offence, which catches hackers, impersonators who "blag" data out of an organisation, and anyone else acting without authorisation. Significantly, the Act does not only target deliberate intrusions. The seventh data protection principle requires data controllers to take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of, or damage to, personal data. Failure to do so is not in itself a criminal offence, but the Information Commissioner's Office (ICO) can issue an enforcement notice requiring the controller to put matters right (and failing to comply with that notice is an offence), and since April 2010 it has also been able to impose monetary penalties of up to £500,000 for serious contraventions. For businesses, it is this civil enforcement regime that matters most.
In the past few years there have been several high-profile instances of big companies breaching the Data Protection Act by failing to put in place measures designed to safeguard personal data against cyber threats. For example, in May 2007, a laptop holding the personal details of 26,000 Marks & Spencer employees was stolen, and the data on it had not been encrypted. The ICO issued Marks & Spencer with an enforcement notice requiring that all portable devices holding personal data be encrypted, but took no further action: this was the company's first breach, and in any case the ICO had no power to impose financial penalties until April 2010.
The Marks & Spencer breach may also be considered relatively minor when compared with the breach by Sony Computer Entertainment Europe Limited (Sony) in April 2011. Sony's failure to keep its software up to date allowed hackers to infiltrate Sony's PlayStation Network platform and gain access to millions of UK users' personal information, including names, dates of birth, addresses and credit card details. The ICO found that the attack could have been prevented if the software had been up to date, treated the matter as a serious breach of the seventh data protection principle, and in 2013 fined Sony £250,000.
The issue of data protection clearly concerns more than just the right to privacy. Unauthorised access to personal data is frequently the first step in a number of other crimes.
With access to key personal information, including names, addresses, credit card numbers and medical details, hackers are positioned to attempt fraud and identity theft, which can cause significant legal problems both for the victims and for the businesses whose security systems failed to prevent the attack. In a similar vein, businesses and professionals are at risk of intellectual property theft. Hackers may be able to gain access to information about a company's key projects, software or technology, which can then be sold on for profit.
Hacking may now also amount to an act of terrorism, or "cyberterrorism", under the Terrorism Act 2000. The Act's definition of terrorism expressly includes action designed seriously to interfere with or seriously to disrupt an electronic system. Although most hacking has nothing to do with terrorism, a hacker will fall within the definition if such action is designed to influence the government or to intimidate the public (or a section of the public) and is carried out for the purpose of advancing a political, religious, racial or ideological cause; both elements must be present.
With such numerous and far-reaching legal implications, hacking is an issue that everyone who uses technology to store important information, from individuals and families to businesses of all sizes, must be aware of.
About Stokoe Partnership
Stokoe is a leading criminal litigation practice that specialises in defending very serious crime.
Ernest has several years' post-qualification experience in representing clients in serious and minor criminal cases. He is a qualified Duty Solicitor and has substantial experience in advising and assisting suspects at the police station and in defending in the Magistrates' and Youth Courts.