The proliferation of cyber-based attacks and cybercrime activities over the last few months has been undeniable. Phrases such as ‘Eternal Blue’ and ‘WannaCry’ may have meant little to the general public in the past, but attacks in May and June of this year have ensured that national and international awareness has reached an all-time high. With 20% of Irish businesses suffering ransomware attacks in 2016, the commencement of the Criminal Justice (Offences Relating to Information Systems) Act 2017 (the “2017 Act”) on 12 June last could not be timelier.
The 2017 Act, in implementing an EU Directive from 2013, repeals existing laws on cybercrime which were to be found under the Criminal Damage Act 1991 and supplements the offence of “unlawful use of a computer” under the Criminal Justice (Theft and Fraud Offences) Act 2001 (the “former legislation”) - neither of which were specifically drafted or designed to address online crime. The main re-formulated provisions are as follows:
- it shall be an offence for a person, without lawful authority or reasonable excuse, to intentionally access an information system by infringing a security measure (s. 2: unauthorised access); and
- it shall be an offence for a person to intentionally delete, damage, alter or suppress, render inaccessible, or cause the deterioration of, data on an information system (s.4: damage to digital property).
Note that s. 4 would not extend to the copying of materials in the absence of an element of destruction; such actions instead fall within the remit of s. 2.
Both of the above replace and re-word existing offences under the former legislation mentioned above. The update to the offence of unauthorised access under s. 5 of the Criminal Damage Act 1991, by removing the need to “operate a computer… without lawful excuse”, is particularly welcome.
The 2017 Act also creates new offences for the following digital acts:
- without lawful authority, intentionally hindering or interrupting the functioning of an information system by inputting data on the system, transmitting, damaging, deleting, altering or suppressing, or causing the deterioration of, data on the system, or rendering data on the system inaccessible (s. 3: interference);
- intercepting any transmission (other than a public transmission) of data to, from or within an information system (s. 5: interception); and
- intentionally producing, selling, procuring for use, importing, distributing, or otherwise making available, for the purpose of the commission of any of the above offences any computer programme that is primarily designed or adapted for use in connection with the commission of such an offence, any device, computer password, unencryption key or code, or access code, or similar data, by which an information system is capable of being accessed (s. 6: making tools available).
Note that the above provisions have “extra-territorial effect”, meaning that they can be applied not only to a person carrying out such activities within Ireland, but also to a person located outside Ireland who is accessing data/damaging digital property within Ireland. Also, the 2017 Act significantly increases the penalties which may be imposed: an offence under any of ss. 2-7 carries, on summary conviction, a €5,000 fine or imprisonment for a term not exceeding 12 months, or both, and offences under ss. 2-6 can also be the subject of conviction on indictment. Furthermore, in imposing a sentence in respect of ss. 3 or 4 the Court may regard as an aggravating factor the fact that the offence was committed by misusing the personal data of another person, with the aim of gaining trust of a third party, thereby causing prejudice to that other person.
It is also important to highlight the interaction between the 2017 Act and the existing Criminal Justice Act 2011 (the “2011 Act”) which was enacted to give An Garda Síochána more extensive powers to investigate serious and complex ‘white collar-type’ offences in an effective manner. These powers include the ability to apply to court for orders requiring the disclosure of documents or information (including passwords and access) for investigation purposes, allowing for presumptions to be made regarding authorship/exchange of documents (i.e. linking physical persons to virtual accounts), and making it an offence to withhold information which the Gardaí believe might be of material assistance in preventing the commission of an offence. Powers under the 2011 Act may only be used in relation to offences which are specifically designated to benefit as such (“relevant offences”).
As white-collar crime often includes an online element, and with the increased sophistication of cybercriminals, the 2011 Act could be an important tool in fighting cybercrime. However, the effectiveness of the 2011 Act remains questionable: in the absence of further resources being allocated to the Gardaí the ability of the force to actually exercise their powers thereunder is limited. Nonetheless, it should be noted that the offences under the 2017 Act outlined above are deemed to be “relevant offences” under 2011 Act, which will give the 2017 Act, at least on paper, more vigour. Importantly, investigations under s. 2 of the 2017 Act regarding unlawful accessing of information systems are included within the scope of these greater powers – this was not the case with regard to the equivalent provision under the former legislation making that provision, effectively, toothless.
The fact that Ireland, finally, has dedicated laws relating to cybercrime must be regarded as a major step forward. The legislation specifically addresses the ransomware-style attacks described above, amounting to a welcome and necessary addition to the law’s capacity to tackle a new wave of cybercrime. Furthermore, the extension of the powers of investigation given to Gardaí under the 2011 Act to the investigation of offences under the 2017 Act, including s. 2 relating to the accessing of information systems without lawful authority remediates the previously incongruous position with regard to its old incarnation. Along with the publication, last year, of a National Cyber Security Strategy and the establishment of the National Cyber Security Centre, it is clear that the State is placing a greater and much-needed emphasis on national cyber security matters from a policy and strategy perspective. Combining this with greater financial investment in both public and private digital security infrastructure would demonstrate that cybercrime investigation and prevention is truly a national priority.
Nonetheless, laws and legal systems are likely to find themselves perennially on the back foot when it comes to virtual criminality. Reliance on criminal sanctions can only ever be one string in the bow of organisations in prevention and response - awareness, staff training and constant vigilance, implementation of adequate security systems as well as an effective and properly communicated attack response plan are must-haves for any modern-day business. And, as helpful as criminal legislation can be, most businesses are unlikely to want to find themselves involved in criminal proceedings, with the attaching negative publicity and damage to reputation and public confidence.
In summary, Irish businesses should welcome this positive step towards tackling internet-based offences, but should also use it as an encouragement to re-evaluate their own existing systems and prioritise the development of a cyber-security strategy.