A recent highly publicized electronic attack on Eircom, the former national telephone operator which was privatized just over one year ago, has focused attention on the growing problem of computer crime. In this case a 'hacker' obtained access to 30,000 internet accounts, and was reportedly able to read private e-mails, send false messages from customer accounts and alter web sites. While the incident grabbed media headlines for several days and was reported to be the first such major security breach in Ireland, these offences have in fact been on the increase throughout the world. This case seems just another instance of the growing menace of cyber-crime. The individual responsible for this particular incident, a 17-year-old from County Wicklow, has been arrested and the police are preparing a file for the Director of Public Prosecutions.

The heightened computerization of operations in industry and the increased utilization of open systems such as the Internet mean that the potential for hacking has greatly increased. Further, the possible damage that such attacks can cause - which is measured not only in terms of actual damage to web sites or corruption of records and databases, but also in negative publicity, adverse customer relations, and costs associated with redesigning systems and rectifying and re-verifying records - means that this issue is becoming a priority throughout the world. Ireland, which is seeking to position itself as a global telecommunications hub and which has seen massive recent investment in telecommunications infrastructure, is particularly keen to be seen to address this issue. The Irish legislature has taken the problem on board and legislation was specifically enacted some years ago expressly criminalizing hacking.

The Criminal Damage Act 1991 effectively rendered hacking illegal in Ireland by providing that anyone who operates a computer with intent to access data without lawful excuse commits an offence. The offence is committed under the act when an attempt is made, regardless of whether any data is actually accessed. Therefore, if a security system successfully repels an attempted break-in it will still be possible to prosecute the would-be hacker where sufficient evidence exists. Convicted offenders are liable to a fine or imprisonment, or both.

This specific legislation was enacted to ensure that a prosecution can be secured even where a hacker does not actually commit any damage, fraud or theft, but only accesses data. However, if such further offence is committed then more severe charges can be levelled. For example, if a hacker commits damage by altering a database or web site, he may be charged for this criminal damage under the 1991 act and will be liable for up to 10 years' imprisonment or a £10,000 fine if convicted on indictment. This hefty potential penalty applies even where damage is done not deliberately, but only recklessly. Prospective hackers should thus beware that where they break into a computer system, even for 'fun' or as a 'joke', they are committing a criminal offence with serious potential consequences. In addition to imposing penal sanctions on hackers or would-be hackers, the courts also have the power to make compensation orders under the terms of this act. Under Section 9 compensation orders can be made not just against the actual offender, but also against the parents or guardians of a child or young offender. If the case is held in the High Court then the amount of damages obtainable is unlimited.

Similarly, if other offences such as theft occur subsequent to hacking, for example where a hacker moves money into his account following a successful breach of a bank's systems, then charges could be brought for larceny.

Hackers typically attempt to extract money from corporations not through direct theft from accounts, but rather through threats that they will undermine computer systems or corrupt records unless the victim pays them off. The Irish legislation expressly provides that this is an offence under Section 3 of the act. This activity also carries up to a 10-year prison sentence.

Section 4 of the Criminal Damage Act makes it illegal to possess "any thing" with intent to damage property or to defraud others. Thus, mere possession of a computer program used for hacking or deception, such as a 'Trojan horse' program, could give rise to criminal liability if coupled with this intent, even if the program was never used in practice.

The existing Irish legislation also has an express extra-jurisdictional scope. It applies not only to hackers within the state seeking to access data held on computers within the state, but also where the data is held outside the state and the hacker is operating from inside the state, or where the data is located inside the state and the hacker is operating from abroad. This international aspect is essential to fight cyber-crime effectively, which typically operates across international terrestrial borders.

Hacking may also involve the breach of other statutory provisions. For example, under the terms of the Electronic Commerce Act 2000, which provides for the legal recognition of digital signatures, it is an offence to misuse, copy or alter the digital signature of a third party. Hacking into a third party's computer and utilizing a digital signature would constitute such an offence. Similarly, under the terms of the Data Protection Act 1988 anyone who obtains unauthorized access to personal data and discloses this data to a third party is guilty of an offence. Therefore, a hacker who seeks to sell, publish, or even merely tell others about data which he has obtained without authorization will be guilty of this offence.

Investigators are assisted in prosecuting hackers by the Criminal Evidence Act 1992, which provides for the admissibility of computer-generated records as evidence. This act holds that where information is compiled in the ordinary course of business and it can be shown that the system concerned was operating normally, then such information will be admissible in court as evidence. Hence, records from a computer system which detects and records hacking could be used as evidence in a subsequent trial.

In addition to statutory breaches, hackers may be exposed to civil liability to third parties under common law rights of action existing in tort and contract law. For example, where a hacker does damage to a program or database through deletion or alteration of its contents, an action may lie in tort for trespass to chattels by the affected party against the hacker. Services are normally provided only subject to terms and conditions, and such terms will typically include a term expressly prohibiting illegal or improper conduct. Therefore, for example, where use of a site providing online services is provided pursuant to an undertaking not to attempt to access unauthorized areas or data therein, an action would lie with the service provider for breach of contract if this condition was breached. Irish anti-hacking legislation is thus very broad in its ambit and its stiff penalties should act as a real deterrent.

However, a worrying aspect of hacking for firms is that in addition to any loss or damage that may be caused by the hacker or the adverse publicity generated by his actions, the victim may also be exposed to legal liability as a result of being hacked.

This liability may arise in a number of ways. For example, under the terms of the Irish Data Protection Act 1988 persons who collect, store or process personal data are obliged to ensure that appropriate security measures are taken against unauthorized access to the data. Where a hacker obtains access to such data due to insufficient safeguards, the data controller may be held to be in breach of these statutory obligations.

Similarly, under the common law data controllers will in certain circumstances be subject to a duty of confidentiality and consequently obliged to protect confidential data adequately. Companies in possession of commercially sensitive third-party information or data may thus find themselves the subject of lawsuits brought by the third parties for dereliction of this duty or negligence if their security systems are breached by hackers. Directors, who as fiduciaries owe an especially high duty of care to companies, are particularly vulnerable in this regard. Thus, in cases where a company with a poor or negligible security system suffers loss or damage due to hacking, the responsible directors may find themselves the target of a lawsuit for negligence or breach of duty of care. Similarly, managers or IT professionals working in companies may find that a security breach exposes them to allegations of negligence or dereliction of duty, and as such constitutes grounds for dismissal.

To protect themselves from such legal threats, companies, their officers, directors and concerned employees should ensure that they have put in place security procedures to safeguard their computer systems and data. Hackers seem to be continually one step ahead of security systems, and there is thus a need to strive constantly to upgrade and modify computer systems in order to cope with new threats. Many companies will not be able to protect themselves successfully from hackers or computer attacks on every occasion, but in order to protect themselves from charges of negligence and associated lawsuits, continual improvements and upgrading should be implemented. The positive aspect to this is that adherence to accepted industry norms or standards may serve to protect companies, if not from hackers, at least from the lawyers of aggrieved parties.

For further information on this topic please contact David Sanfey at A & L Goodbody by telephone (+353 1 649 2000) or by fax (+353 1 649 2649).
