Startling new research revealed that only 299 hackers have been prosecuted in the last four years under the Computer Misuse Act 1990.
In response, Pauline Neville-Jones, Shadow Security Minister, Conservative Party has suggested that the Government does not treat cybercrime as a serious offence.
But in light of the recent DTI Information Security Breaches Survey, that shows 96 percent of large companies suffered a security incident last year, the research highlights an even more alarming and important issue that all businesses must face up to: are they reporting security breaches as often as they should be?
Security and data breaches are inevitable even within the most guarded organisations. Yet reporting them can lead not only to media scrutiny and public stigmatisation, as in the largely publicised Monster.com breach which took place early this year, but also to more serious external investigations by regulators and the police. No company wants to risk its reputation, however with careful and strategic planning businesses have the opportunity to take control of the situation.
In addition, by reporting the crime, the organisation is one step closer to working with the authorities in setting better business practices for the industry as a whole.
Many business security data breaches come from within the organisation. Major staff reductions over the last six months, for example, could lead a disgruntled employee who has been made redundant or fired, and who still has sufficient access to his former employers’ network, to download and use customer and company data for malicious intent.
According to Ponemon Institute, six out of every ten employees stole company data when they left their job last year. With modern technology, portable storage devices such as a USB memory stick can hold large amounts of valuable and confidential information such as company secrets and contact lists in very discreet ways, which can then be used for financial gain.
These types of internal breach can have an explosive impact on the company concerned once any crime is reported – making the business feel more like a victim of crime. The subsequent investigation into how customer data was mishandled, lost or stolen by an employee or ex-employee may highlight a lack of security in the first instance - a recent survey of CIOs in 2009 revealed that 38 percent of companies did not have data encryption solutions and 13 percent said they did not know if encryption was even in use.
Most critically, these investigations can prove more punitive for the business concerned than the criminal. The risks involved in reporting a security breach have therefore deterred businesses from taking steps that will lead to a prosecution of the criminal. However, by implementing a rigorous and well conceived security policy and procedures, the repercussions of a security breach can be managed and the fallout from a potential crisis controlled.
Under the Data Protection Act 1998, all companies handling personal or confidential data, such as customer addresses, bank account numbers or internal account information, must ensure the security of electronic data. Failure to do so could lead to a data breach that results in a hefty fine or even a jail sentence for not only directors of the company but also its employees and may impact on customer loyalty, corporate reputation and competitive advantage.
It may be a surprise to many that a data protection issue can lead to criminal conviction, but in 2002 80 such convictions were made.
Offences range from failing to notifying the Commissioner of processing, selling of data, and breaching an enforcement notice. If a data breach has occurred, it is better to ensure steps are taken to place the criminal before the judgment of the court. Not only does this demonstrate a ‘zero tolerance’ towards cybercrime, but it could also act as a deterrent, thus reducing the possibility of a future security breach of this kind.
First and foremost, companies may not realise their current exposure as a result of deficiencies in their existing security policies. The first step for any business to take is to seek legal counsel from those who have expertise within the IT Security area to ensure that all areas of compliance are met by appropriate security solutions and policies.
Permissions can be written to allow certain users to ‘see and write’ certain files and others not to. USB ports can have limited access to reduce the amount of people transferring data using a USB memory stick or CD, while allowing those who need to transfer data on a daily basis, such as a remote worker, to remain productive.
When a data breach does occur, businesses will then be better protected against the potential backlash and prepared to respond in an informed way to any negative publicity or disinformation which may arise.
The protection of intellectual property and confidential information is critical in maintaining a successful business.
Millions of pounds are lost each year as a result of weak protection. By seeking legal advice on how to protect business IP and put in place strong security policies and procedures, businesses can be more confident of the benefits of timely and responsible reporting of criminal activity and have suitable evidence to enable a successful prosecution of the ‘real’ criminal.
A breakdown of the Data Protection Act and Computer Misuse Act
Data Protection Act
The Data Protection Act 1998 was introduced to give individuals the right to know what information is held about them and to ensure that personal information is handled properly.
The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with certain principles; known as the eight principles. The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
The Information Commissioner is the regulator of data protection issues and has certain legal powers to ensure that organisations comply with the legislation and even to prosecute those who commit criminal offences under the Act.
The Eight Principles
The Data Protection Acts states that personal data held by an organisation must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
The Computer Misuse Act
The Computer Misuse Act 1990 makes hacking and the introduction of viruses to computers criminal offences. Under the Act there are three specific offences and these are:
- Unauthorised access to computer material (that is, a program or data);
- Unauthorised access to a computer system with intent to commit or facilitate the commission of a serious crime; and
- Unauthorised modification of computer material.
Penalties and sanctions under the Data Protection Act 1998 and the Computer Misuse Act 1990
Data Protection Act 1998 (“DPA”)
A criminal conviction under the DPA will result in the perpetrator being fined and the amount of the fine may, in some circumstances, be unlimited. However, no custodial sentences will be given for criminal offences under the DPA.
Under the DPA, criminal liability does not lie solely with the data controller. Officers of companies may also be personally criminally liable if any offence was committed with the consent or connivance of or found to be attributable to any neglect on the part of any officer. In addition, if employees obtain or disclose personal information without the consent of the data controller, they too will be criminally liable.
Computer Misuse Act 1990 (as amended by the Police and Justice Act 2006) (“CMA”)
A criminal conviction under the CMA carries the following penalties:
Offence: Unauthorised access to computer material
Penalty:Up to two years’ imprisonment and/or a fine.
Offence:Unauthorised access with intent to commit or facilitate committing further offences
Penalty: Up to five years' imprisonment and/or a fine
Offence: Unauthorised modification to computer material
Penalty: Up to ten years' imprisonment and/or a fine.
Mike Warriner is technology specialist at technology and corporate law firm, White & Black Legal