On 21 July, the Office for National Statistics (‘ONS’) released its Crime Survey for England and Wales (‘CSEW’), which examines statistical trends in criminal activity over the year ending March 2016. Its final report offers a detailed picture of criminality in England and Wales.
While the overall trend is one of falling crime – crime having fallen 6% to its lowest level since 1981 – there was an increase in fraud, with a 5% rise. The survey also reports on the trend of fraud increasingly being committed by high-tech methods. The CSEW reports that just over half of the 3.8m incidents of fraud (51%, or 1.9 million) were ‘cyber related’. Closely related to such cyber fraud is the separate offence of ‘computer misuse’, of which there were 2.0 million offences. Those computer misuse offences are made up of either virus-related offences (68%, or 1.4 million) or the unauthorised accessing of personal information (32%, or 0.6 million).
Fighting cyber crime and bolstering cyber security have long been a top priority for government, with reports on the impact of cyber breaches on business frequently in the headlines. PwC’s Global Economic Crime Survey 2016 reported earlier this year that cyber crime holds the number 2 slot as the most reported economic crime, affecting 32% of organisations. The recent Cyber Crime assessment report from the National Crime Agency estimated that the cost of cyber crime to the UK economy is billions of pounds per annum – and growing.
A real and immediate threat to UK business
The Cyber Crime Assessment for 2016 (jointly produced by the National Crime Agency (NCA) and the Strategic Cyber Industry Group (SCIG)) sets out a picture of a real and immediate threat to UK businesses from cyber crime and emphasises the need for law enforcement and the private sector to work together. Not to put too fine a point on it, the report states that a cyber attack “that poses an existential threat to one or more major UK businesses is a realistic possibility.” The long-term impact of such a cyber attack could include “substantial loss of revenue and margin, of valuable data, and of other company assets. The impact of litigation costs (and, with the arrival of new regulations, potential fines), the loss of confidence from reputational damage and possible executive-level dismissals could also result in immediate and material loss of shareholder value.”
Cyber Security – holding companies to account
The recent Cyber Security Breaches survey (see our related blog) reported that the most common attacks detected involved viruses, spyware or malware. Moreover, both these reports stated that many companies are not adequately prepared for, or do not even understand, the risks they face, and many have not taken any recommended actions to identify and address vulnerabilities.
In a bid to tackle this, a recent Culture, Media and Sports Committee took what could be seen as a “stick” rather than “carrot” approach with their report into Cyber Security. Along with enhancing consumer rights and protection, the focus of the recommendations from MPs rests on a system of requirements and sanctions on company Directors and CEOs in the field of cyber security, including: having someone responsible for cyber security on a day-to-day basis who can be fully sanctioned if the company has not taken steps to protect itself from a cyber attack; linking a portion of CEO compensation to effective cyber security; and, on accountability, requiring that companies not only report their cyber security and data protection strategies to the Information Commissioner's Office (ICO) but also include this in their annual reports. Moreover, one of the proposals from the MPs was that the ICO should also have a robust system of escalating fines at its disposal to sanction those who fail to report, prepare for or learn from data breaches.
Harsh consequences for “data-abusers”
Looking at implications for individuals, a further recommendation from the Committee was to develop effective sanctions for those convicted of unlawfully obtaining and selling personal data with calls to “jail data abusers”. MPs called for the introduction of a new custodial sentence of up to two years in this area.
On 19 July, the EU Directive (2016/1148) concerning measures for a high common level of security of network and information systems across the Union – the “Cyber Security Directive” – was formally published. This sets a deadline of 9 May 2018 for implementation into national law. It is likely that the UK will still be a full member of the EU at that point and going through the negotiation process around conditions for withdrawal and future model of co-operation. Will provisions relating to cyber security and law enforcement be on the table? Interesting times for the new National Cyber Security Centre opening in London in October this year.
Article written with Christopher Sykes, Paralegal, Criminal Litigation.