Late last year, a group of information security experts gathered with government officials to hack into the deep intestinal computers of London’s financial district. The purpose of the exercise, dubbed “Waking Shark II”, was to test whether the UK’s banks and stock exchanges – that is to say, the UK financial system – could withstand a major cyber-security attack.
While the exercise was just a simulation, real incidents do occur with astonishing frequency. In January this year, for example, Tony Colston-Hayter, who achieved notoriety in the late 1980s as the foppish progenitor of rave, admitted to conspiring to steal £1.3m by taking control of computer systems at a popular UK high-street bank through a surreptitiously placed desktop device.
The exploitation of weaknesses in an organisation’s IT systems can result not only in significant losses through data theft or reputational damage, but also in a real risk of civil action or regulatory enforcement and fines. Technical and organisational measures to prevent hacking are not only necessary to shore up defences against data breaches, but also a legal obligation under the seventh data protection principle of the Data Protection Act 1998.
In the event of a security breach, what legal action can be taken against digital aggressors? To answer this question, it is worth considering what “hacking” actually is. A working definition might be: deliberate unauthorised intrusion upon or interference with the operation of another’s computer systems, software or data.
As in the case highlighted above, in which Colston-Hayter admitted to having in his possession 400,000 documents – including personal mail and bank details – such intrusion or interference will involve some access by the perpetrator to confidential business information and the personal data of individuals. Civil actions may therefore be brought against a hacker on a number of grounds, the most common being misuse of confidential and/or private information, misuse of personal data and intellectual property infringement. Hackers may also be prosecuted for computer misuse and for the “data theft” offences in section 55 of the Data Protection Act 1998.
The advantages of criminal proceedings are, of course, rooted in the fact that the perpetrators of the attack will be punished, which theoretically serves as a deterrent against future attacks.
The disadvantages, however, are significant. The criminal law affords no direct remedy to the targets or victims of hacking. Unlike a civil claim, there is no compensation available, and criminal proceedings consume management time which could otherwise have been spent investigating the security breach and mitigating any losses sustained.
Criminal proceedings can also lead to adverse publicity, much of which, with proceedings sub judice, a company would be unable to rebut, and any publicity about the attack could encourage others to try their luck on what may be perceived to be a weak system.
Civil proceedings would allow an injunction to be obtained to prohibit further attacks. Injunctions are both prospective and preventative and, with a penal notice attached (meaning a breach amounts to contempt of court), help to focus the mind of the perpetrator with rather more acuity than some vague apprehension of being caught. Civil actions also provide financial redress for the victim of a cyber-attack, meaning that an organisation, which may have had to spend a significant sum to remedy a breach, could recoup some or all of its losses.
As with any legal action, the costs in time and resources can be prohibitive: there is no substitute for the implementation of a robust IT-security system, rigorous staff training and detailed policies and procedures. Cyber-attacks are, unfortunately, almost at the level of the inevitable and, with the attendant risks of reputational damage or regulatory action, prevention really is better than cure.