On 24 May 2017, legislation specifically dedicated to the issues of hacking and cybercrime was enacted for the first time in Ireland. Once this legislation is brought into force, five new cybercrime offences will become part of Irish law.
The enactment of the Criminal Justice (Offences Relating to Information Systems) Act 2017 (the “Act”) may seem timely and appropriate given the large scale hacking and cybercrime activities that have afflicted the globe in recent weeks and months. However, in reality, this Act has been on the legislative agenda in Ireland for a long time. The Act finally gives effect to a number of commitments to which Ireland is subject at EU and international level (such as under the Council of Europe Convention on Cybercrime1 and the EU Cybercrime Directive2), which require Ireland to create specific crimes in domestic law in respect of hacking and other harmful cyber activities.
While there have been offences of some relevance to computer-related crime on the Irish statute book for many years, these offences were created by legislation focussed on other areas of criminality (such as criminal damage or theft and fraud). As a result, they have not been well suited to prosecuting cybercrime activities, nor do they appear to be sufficiently flexible to move with on-going developments in this area. The Act addresses these weaknesses in domestic law by creating dedicated and more technologically focussed cybercrime offences in Ireland. From an international perspective, the Act will also have the effect of finally aligning Ireland with international and EU-level commitments in this area.
The Act provides for the creation of five new, dedicated cybercrime offences:
- Accessing an information system without lawful authority;
- Interfering with an information system without lawful authority so as to intentionally hinder or interrupt its functioning;
- Interfering with data without lawful authority;
- Intercepting the transmission of data without lawful authority; and
- Use of a computer, password, code or data for the purpose of the commission of any of the above offences.
An “information system” is defined in the Act as “(a) a device or group of interconnected or related devices, one or more than one of which performs automatic processing of data pursuant to a programme, and (b) data stored, processed, retrieved or transmitted by such device or group of devices for the purposes of the operation, protection or maintenance of the device or group of devices, as the case may be.”
The Act also enables members of An Garda Síochána to obtain District Court warrants granting them wide ranging and technologically-specific powers (e.g. in respect of entry, search and seizure) when investigating the commission of any of the new cybercrime offences. It is hoped that these powers will enhance the deterrent effect of the new offences and help to address some of the many obstacles faced in preventing, detecting and apprehending cybercrime offenders.
As recent developments have shown, cybercrime is an increasingly pressing concern for businesses, both in Ireland and internationally. The creation of the specific cybercrime offences in Irish law is a worthwhile and necessary step from a domestic perspective in the context of the fight against cybercrime. By transposing the requirements of the EU Cybercrime Directive, the Act also addresses the cross-border impact of cybercrime by contributing to a harmonious approach to the issue across the EU.
However, while the introduction of the Act is welcome, it remains to be seen how effective its provisions will be in preventing cybercrime or catching cyber-criminals. From the perspective of an organisation seeking to deal with the risk of cyber-attacks, the implementation of effective and appropriately monitored cyber security policies, procedures and measures will continue to be more important in safeguarding against cyber-attacks than reliance on the deterrent effects of criminal law.
The Act will also have no impact on the obligations of organisations who are the victims of cybercrime. For example, notwithstanding the provisions of the Act, an organisation which suffers a data security incident as a result of cybercrime may, depending on the nature of the organisation, be subject to a number of separate incident notification obligations, including under financial services regulation, payment services rules, data protection legislation, and/or network and information security regulations. The Act will enter into force upon the making of a commencement order by the Minister for Justice. At the time of writing, no indication has been given by the Department of Justice as to when this commencement order is expected to be made.
Also contributed by Ruairi Madigan.