Here's the (familiar) scenario for HR professionals or company directors - a disgruntled employee/director thinks they can do better elsewhere and may have promised their new employers that they will bring in tens of/hundreds of/thousands/millions of pounds' worth of business. The only snag - their contacts are your business's contacts, or your systems would be of immense value to your competitors. Nobody will notice the tiny little USB stick hidden in their sandwich box; everyone is out to lunch/gone home - 5 minutes and all that data is secured and off to your nearest and fiercest competitor.
You go to the Police. You are told this is a potential fraud and the beat bobbies don't deal with those anymore. You are told to call Action Fraud. You go online, fill in the bits of information you do have and wait for a couple of weeks before getting so fed up you call them up for a progress report to see which police officer has been allocated. You are told it's a commercial matter, that somebody has looked into it and the Police have decided there is insufficient evidence to investigate.
The problem here is that, all too often, insufficient evidence has been gathered in a police-friendly way. Action Fraud sift information and pass it through their systems to ascertain if there are common links with ongoing investigations, and if there are, then hey presto. If there are not, then commonly victims are informed that the Police do not have the resources to investigate.
Alternatively, we frequently see the Police label such offending as "civil" and refuse to investigate.
Sadly the above scenario is all too common. However, a number of criminal offences have been committed, not least fraud by abuse of position and possession of articles for use in fraud, but also offences under the Computer Misuse Act 1990.
There are several offences available under this legislation -
1. to knowingly cause a computer to perform any function with intent to secure unauthorised access to data or programs held in any computer - this offence is committed if:
1.1 a person causes the computer to perform any function with intent to secure access to any program or data held in any computer, or to enable such access to be secured
1.2 the access s/he intends to secure is unauthorised, and
1.3 s/he knows at the time when s/he causes the computer to perform the function that it is unauthorised
2. to commit the section 1 offence with intent to commit, or to facilitate the commission of, other serious offences
3. to do an unauthorised act in relation to a computer either intending to impair, prevent or hinder the operation of any computer, or being reckless as to whether the unauthorised act will do any of those things
4. to produce, adapt, supply or offer tools, any data (in electronic form) or program intending it for use in connection with the section 1 or section 3 offences above
5. to do an unauthorised act causing, or creating risk of, serious damage of a material kind
The intent need not be directed at any particular program or data, any kind of program or data, or any particular computer. Recklessness as to whether unauthorised access is to be secured is not sufficient criminal intent.
'Securing access' is broadly defined to include alteration, erasure, copying, movement, use or output of any program or data.
Offences committed under the Computer Misuse Act 1990 carry up to 2 years' imprisonment on indictment.
The risks to the business of such offending are self-evident. Even if the Police refuse to take a case on, the important thing to note is that businesses do have access to lawyers specialising in bringing private prosecutions, who in turn have relationships with private investigators who can assist the internal investigation and obtain the evidence required to lead to conviction.