Computer misuse legislation is relevant in two ways: authorities and organizations can take action under it against cyber-criminals, and organizations have to ensure they comply with it themselves. Directors can be personally accountable for any compliance failures.
Computer crime legislation is relatively new. An OECD expert committee recommended, in 1983, that member countries ensure their penal legislation also applied to computer crime. The Council of Europe in 1989 adopted a recommendation from its own expert committee that identified the offences - which should be dealt with in computer-related legislation. Meanwhile, in 1990, the UK passed the Computer Crime Act and, in 2001, the Council of Europe adopted a Convention on Cybercrime that identified and defined internet crimes, jurisdictional rights and criminal liabilities. The Convention, which comes into force in 2005, identifies the following types of crime:
offences against the confidentiality, integrity and availability of computer data and systems (illegal access, illegal interception, data interference, system interference, misuse of devices);
computer-related offences (computer-related forgery, computer-related fraud)
content-related offences (offences related to child pornography)
offences related to infringements of copyright and related rights
All organizations need to be aware of the Convention’s provisions in article 12, paragraph 2: ‘ensure that a legal person can be held liable where the lack of supervision or control by a natural person…has made possible the commission of a criminal offence established in accordance with this Convention’. In other words, directors can be responsible for offences committed by their organization simply because they failed to adequately exercise their duty of care. The Organization of American States (OAS) and APEC have both committed themselves to applying the European Convention of Cybercrime. More than seventy countries have enacted, or are in the process of enacting, computer crime laws.
The UK’s Computer Misuse Act 1990 was designed to set up provisions for securing computer material against unauthorized access or modification. It created three offences: the first is to knowingly use a computer to obtain unauthorized access to any program or data held in the computer; the second is to use this unauthorized access to commit one or more offences; the third is to carry out an unauthorized modification of any computer material. The Act allows for penalties in the form of both fines and imprisonment.
The Act basically outlaws, within the UK, hacking and the introduction of computer viruses. It hasn’t been entirely successful in doing so. It initially had a significant impact on the computer policies of universities, often seen as the source of much of this sort of activity. It does have other implications for computer users in the UK. Anyone using someone else’s user name without proper authorization is potentially committing an offence. Anyone copying data, that is not specifically authorized to do so, is potentially committing an offence. It also has relevance for organizations whose employees may be using organizational facilities to hack other sites or otherwise commit offences identified under the Act – not least because the source of any attack could be traced back to an organizational IP address.
The UK’s All Party Internet Group (APIG) reviewed this Act in mid-2004, recognized that it had been ineffective, largely through inadequate enforcement resourcing. It recommended a limited number of changes to CMA and a number of other actions, by other bodies, to improve the legal environment for computer security.
As computer misuse legislation becomes more powerful, those organizations that have already taken effective action – through deployment of an ISO 27001 information security management system – will be in a position where they are likely to be in line with the requirements of what are likely to be ill-aligned international laws.