Cyber Security and the Law
There are several laws, or Acts of Parliament, in the UK relating to Cyber Security that are aimed at protecting against the growing threats to both privacy and security. These laws are briefly outlined below, together with links to further reading.
Computer Misuse Act 1990
The Computer Misuse Act introduced a number of offences relating to computer hacking. These offences include:
- Unauthorised access to computer material. This offence covers where a person causes a computer to perform a function with the intent to gain access to software or data that is being held.
- Unauthorised access with intent to commit or facilitate commission of further offences.
- Unauthorised modification of computer material. This offence includes the deletion or modification of files with the intent to cause damage to an individual or organisation.
- Unauthorised acts causing, or creating risk of, serious damage.
- Making, supplying or obtaining anything which can be used in computer misuse offences. This covers computer viruses, worms, trojans, malware and other malicious scripts.
This legislation has been amended by a number of other Acts of Parliament, links to which can be found below, including offences brought in by the Police and Justice Act 2006, relating to denial of access or denial of service to legitimate users.
- Computer Misuse Act 1990 on legislation.gov.uk.
- The UK Computer Misuse Act 1990: Your essential guide.
- Other related Acts of Parliament which have amended the Computer Misuse Act 1990:
Data Protection Act 1998
This Act enforces strict rules for the storage and processing of electronically stored data that can be used to uniquely identify a living person. Its purpose is to stop data being obtained or stored unnecessarily, to prevent the data from being exchanged without good reason and to ensure that it is being held under secure conditions. All organisations that store information on living human beings must comply with this Act.
Fraud Act 2006
The Fraud Act provides three definitions for fraud:
- False representation. This is defined in the Act as any representation as to fact or law that is expressed or implied, which is known to be untrue or misleading.
- Failing to disclose information. This covers where a person fails to disclose any information to a third party when they are under a legal duty to disclose such information.
- Abusing power. This includes where a person is in a position where they are expected to safeguard the financial interests of another person and abuses that position.
Although this Act covers all types of fraud, not just that which is carried out via electronic means, section 11 of the Act is specific to electronic fraud. It includes offences relating to the following:
- Obtaining electronic communications services, such as a telephone, ISP or a satellite television subscription via dishonest means.
- Cloning a mobile phone so that calls made on one handset are billed to another.
- Reprogramming a mobile phone to interfere with its operation or change its unique identifier information.
- Breaking encryption on communications services such as subscription television services or telephone conversations.
Regulation of Investigatory Powers Act 2000
This Act regulates the use of surveillance equipment by public bodies such as local authorities, the police and intelligence services. The Act was introduced to take account of technological change such as the growth of the Internet and strong encryption. It has had a number of additions over the years, in December 2003, April 2005, July 2006 and February 2010.
Under the Act, certain public bodies are allowed access to communications records, when necessary and proportionate to do so for a specific investigation. More intrusive techniques are subject to higher levels of authorisation.