Preventing the hacking of data is a logistical problem rather than a legal one, argue Magnus Boyd and Natalie Sherborn.
The last month has seen reports of data breaches at Vodafone, Marks & Spencer and TalkTalk.
The information obtained by the TalkTalk hackers was a jigsaw of sensitive and personal data, including the names of account holders, addresses, dates of birth, telephone numbers and email addresses, as well as some bank account details. This valuable data could expose the victims to fraud and identity theft, and TalkTalk to claims of up to £20m, to say nothing of the damage to the company’s reputation. It raises the question of whether the legal architecture built to deal with data theft is adequate.
The principal legal deterrents to hacking are the offences created under the Computer Misuse Act 1990. It is an offence for a person to access computer material without authorisation, regardless of whether there is an intention to use the information obtained. The aggravated offence requires the accessing of material with intent to commit or facilitate the commission of further offences, such as stealing from the bank accounts of hacked victims or selling their personal data.
Both offences are punishable by imprisonment and a fine, determined largely by the scale of the hack and the sensitivity of the information stolen. If prosecuted for the aggravated offence, a hacker could potentially be liable for the intended further offence, covering a host of other criminal acts including fraud, forgery, counterfeiting, theft and criminal damage. These offences can attract separate substantial sentences of imprisonment.
It is worth noting that the Theft Act 1968 has no application to the theft of personal data in hacking cases – the definition of ‘property’ does not extend to information. It is perhaps unsurprising when one considers that the act came into force when Steve Jobs and Bill Gates were both aged 13.
A potential weakness of the Computer Misuse Act arises when dealing with insider hacking. In those circumstances, the onus is on the employer to have clearly defined limits on the employee’s authority to access a program or data; otherwise the act offers little protection against hacking by an employee. If the TalkTalk hackers had been employees with permission to access the personal data, but unlawfully copied that data, it is arguable whether an offence would have been committed if no ‘unauthorised access’ had taken place.
Section 55 of the Data Protection Act 1998 provides an alternative offence of unlawfully obtaining the personal data of a data subject, where a person knowingly or recklessly obtains, discloses, sells or offers for sale, personal data. The information obtained in the course of the TalkTalk hack was clearly personal data, but with the offence carrying a maximum sentence of a fine under the DPA, as a standalone offence it is unlikely to deter would-be hackers.
Where hackers steal databases, as alleged in the TalkTalk hack, this could breach the Copyright, Designs and Patents Act 1998 by infringing the copyright of the creator of the database, which is, for the purposes of the act, a literary work. TalkTalk could sue the hackers for damages and an account of profits. If, as reported, the hackers have been offering the database for sale on the ‘dark web’ they may also be criminally liable pursuant to section 107, having made for sale an article that infringes the copyright of another. This carries a maximum sentence of three months’ imprisonment and a fine.
The commentary surrounding the TalkTalk hack suggests there is a void in the law when it comes to dealing with cybercrime. In fact, the law has evolved to offer victims of hacking legal redress and there is the legal architecture in place to prosecute offenders. With hackers able to obscure their identities behind proxy servers, virtual private networks and encrypted data, it is the logistical architecture to catch them that poses the bigger problem.
Metropolitan Police Commissioner Sir Bernard Hogan-Howe recently announced the creation of a task force of 300 police officers specifically to deal with cybercrime. This number will increase to 500 officers within a year. By his own admission, the police are ‘merely skimming the surface’ of cybercrime; it is a logistical problem, not a legal one.
Magnus Boyd is a partner and Natalie Sherborn is a senior associate at Schillings.