
The keep out of jail free card

24 Apr 2008, Jon Fell and John Skelton, Computing

http://www.computing.co.uk/ctg/analysis/1821001/the-jail-free-card

[Image: businessman putting a CD in an envelope. Caption: High-profile incidents of data loss have intensified the issue of data protection]

One area sure to create panic among IT directors is e-crime, especially given the recent spate of high-profile data loss incidents. Jon Fell and John Skelton investigate the details of e-crime law – and how IT directors can avoid liability.

What does the Computer Misuse Act 1990 (CMA) actually cover? Are denial of service (DOS) attacks unlawful?

The CMA consists of two key offences. First, unauthorised access to computer programs or data, otherwise known as hacking. This offence is coupled with a more serious version, which is if the hacking is carried out with intent to commit or facilitate further offences. The second offence is unauthorised modification of computer material.

The Police and Justice Act 2006 (PJA), though not yet in force, will introduce long-awaited amendments to the CMA. The PJA replaces the offence of unauthorised modification of computer material with an offence imposing criminal liability on a person who: knowingly commits an unauthorised act in relation to a computer; intends to perform such an act; or is reckless as to whether he or she might be performing such an act.

The offence is committed where the effect of the unauthorised act is: to impair the operation of any computer; to prevent or hinder access to any program or data held in any computer; or to impair the operation of any such program or the reliability of any such data.

The Police and Justice Act also brings in a new offence of obtaining, supplying or offering to supply an article with the intention – or in the belief that – it is likely to be used to commit or assist in the commission of an offence. An article includes any program or data held in electronic form.

The intention is to criminalise the widespread distribution of hacking tools.

But developers of legitimate testing and system management tools need to be wary of being caught by the wide ambit of the offence.

DOS attacks deliberately flood a web or email server with information until it crashes. Confusion had arisen over whether DOS attacks were covered by the unamended CMA in the case of David Lennon, who was originally cleared in 2005 of crashing the email server of his former employer by inundating it with emails.

The ruling was later overturned – and to avoid further confusion, the PJA more explicitly covers DOS attacks as “unauthorised acts with intent to impair the operation of a computer”.

With all of the hype about identity theft, what are the legal issues?

Identity theft is undoubtedly a growing problem and a hot media topic. We have all seen advertisements that offer protection against identity fraud, and assistance in putting everything back to normal after the event.

Apart from direct financial loss, the consequences of identity theft can be far-reaching. Witness the case of Simon Bunce, whose plight was recently reported by the BBC.

Bunce had his credit card details stolen online and then became caught up in Operation Ore and was wrongly accused of being a paedophile. Notwithstanding his innocence, it took Bunce some time to prove that it was impossible for him to have been the person using his card, during which time his reputation was tarnished and he lost his highly-paid job.

Identity theft in itself is not unlawful; it is what the thief does with the identity which leads to a crime being committed. This may seem an arbitrary distinction, as identity theft often leads to identity fraud. However, while e-crime is on the increase, as is people’s awareness of it, there is no consensus as to how it should be defined and what should constitute a crime.

In the absence of clearly defined criminal offences, there is often a misunderstanding as to whether a particular activity is unlawful and so whether it should be reported to the authorities. In any event it is difficult to track incidents of online crime.

In the past, companies have been reluctant to tell the police about e-crime for fear of adverse publicity. This reluctance is exacerbated by the absence of clear definitions of e-crime. If it is not clear if a crime has been committed, then what incentive is there to file a report? As with any form of crime, good intelligence is essential to prevention and detection.

Perhaps the most important question is: “who will pick up the costs of identity theft?” So far the banks have protected their customers against losses. This has been on the basis that the customers have a duty to take reasonable care of their personal and financial details.

However, the revised Banking Code, which came into effect at the beginning of April 2008 and is produced by the British Bankers’ Association, makes it clear that banks will not be responsible for losses on online bank accounts if consumers do not have up-to-date anti-virus, anti-spyware and firewall software installed on their machines.

Maybe with the financial climate taking a turn for the worse, more emphasis will be placed on the need to take personal responsibility for online security. Only time will tell who ends up bearing the brunt of online crime.

Is putting a firewall in place sufficient with regards to security obligations under the Data Protection Act (DPA)?

Recently there have been several high-profile incidents where various public and private sector organisations have failed to take the appropriate steps to comply with the seventh principle to the Act, which states that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

In late 2007, the Information Commissioner’s Office came to the view that retailer Marks & Spencer’s processing of personal data contravened the seventh principle, when it allowed the details of 26,000 employees to be held on a laptop without the protection of encryption.

The assistant Information Commissioner stated: “It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption.”

We await the outcome for HSBC, which, in April of this year, admitted losing a computer disc with the details of 370,000 customers. Again, the information on the disc was unencrypted.

In his guidance on the DPA, the Information Commissioner states there can be no standard set of security measures that an organisation can implement to ensure compliance. The Commissioner instead notes that what is “appropriate” will depend on the circumstances, but of particular importance will be the nature of the information and the harm that might result if a breach of security were to occur.

The Commissioner sees this as a “risk-based approach to determining what measures are appropriate”. The Act also states that what is appropriate will depend on the state of the art in relation to available security measures and the cost of implementing such measures.

Although it is not guaranteed, certified compliance with ISO/IEC 27001 is generally taken to indicate an organisation’s compliance with the security requirements of the Act. Certain types of personal data require particular attention to security because the harm from disclosure would be greater than the harm from the disclosure of normal information. The types of information that require special attention to security are: human resources data; financial data; and sensitive personal data.

IT leaders should note that it is not just technical measures that must be considered – procedural measures also need to be implemented.

Personal data should not be left visible on an unattended computer screen.

Employees should activate a password-protected screen saver or close down the relevant file.

More importantly, consideration should be given as to whether it is ever justifiable to hold significant amounts of personal data on a laptop or other portable storage device.

Why do I need boardroom buy-in to my information security strategy?

There are a number of good reasons for making sure you get senior management buy-in to your information security strategy. More importantly, there are a number of good reasons why senior management should make it a priority to get involved.

As far as the board is concerned, stakeholders want to ensure that organisations are run in a competitive and risk-averse manner. Following recent high-profile financial scandals, investors are keen to see that an organisation has taken internal and external security measures.

Most business sectors are administered by a regulatory authority, a professional body or by means of voluntary codes of conduct. Increasingly, there is a focus by regulators and codes of conduct on the need to put in place appropriate information security measures.

It has been acknowledged for some time that a top-down management approach to risk is the correct strategy to adopt. To be fair, this is not a new concept and flows from the Turnbull Report of 1999, which recommended that all directors should analyse their current and foreseeable future risks and then prioritise so the key risks are identified.

The report recommended appropriate procedures should then be implemented to either eliminate or minimise the risk. It is for the board to ensure that such procedures are enforced. The approach necessitates top-level management buy-in to the whole process and is the approach adopted by virtually all information security standards.

We have already seen the DPA impose obligations on organisations in relation to security, and there are many other examples. But as far as directors are concerned, part 16 of the Companies Act 2006 – which came into force on 6 April 2008 – provides enhanced rights to auditors to obtain information.

In particular, there is a requirement on all companies to provide accurate information to their auditors, and failure to provide accurate information or to delay in doing so can lead to a criminal offence being committed.

The 2006 Act requires that a statement goes into the company’s accounts to reflect that each of the directors has disclosed all relevant information to its auditors. The key to the disclosure requirement is that the information provided must be accurate.

Any person who knowingly or recklessly makes a statement that is “misleading, false or deceptive in a material particular” commits an offence and runs the risk of going to jail. Without appropriate information security in place, it is difficult to ensure the integrity – and therefore the accuracy – of a company’s data. The threat of jail usually pushes information security way up the boardroom agenda.

Jon Fell is a partner and John Skelton is a senior associate at international law firm Pinsent Masons

Next week: part one of Computing’s definitive guide to outsourcing

© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093