BCL partners Michael Drury and Julian Hayes have written the chapter titled ‘Investigations In England & Wales: Practitioners’ Perspective’ for Global Investigations Review: The Guide to Cyber Investigations – Second Edition.
Here is a brief blurb on this publication:
“Data breaches and similar incidents pose a unique challenge – those targeted must both respond and investigate simultaneously. It is an art that is impossible without preparation. Businesses wishing to prepare will find this volume, The Guide to Cyber Investigations, invaluable. It identifies every issue to consider when creating a response template and implementing it, giving both the law and plenty of practical and tactical advice.
Written by leading contributors, all with broad experience of serious data incidents, it is an indispensable desktop guide and a worthy companion to GIR’s larger volume on cross-border investigations, The Practitioner’s Guide to Global Investigations.”
Below is a short extract from their chapter. The full chapter can be read as a pdf here.
“There is no dedicated, comprehensive cybersecurity law as such in England and Wales. Rather, there is a patchwork of statute-based laws, underpinned by the possibility of civil actions at common law. These laws criminalise unauthorised interference with computers (the Computer Misuse Act 1990 (CMA)); criminalise the interception of communications (Part 1 of the Investigatory Powers Act 2016 (IPA) and the Wireless Telegraphy Act 2006 (WTA)); impose obligations to protect personal data by the application of appropriate technical and organisational security measures (the United Kingdom General Data Protection Regulation (the UK GDPR), Data Protection Act 2018 (DPA), and Network and Information Systems Regulations 2018 (NISR)); and provide state agencies with the power lawfully to interfere with personal property (Part III of the Police Act 1997 (PA) and Intelligence Services Act 1994 (ISA)).
Computer Misuse Act 1990
The CMA, implementing the Budapest Convention on cybercrime, is the principal criminal law deterrent to computer interference. Its basic criminal offence is committed where (1) a person causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured; (2) the access the person intends to secure or to enable is unauthorised; and (3) the person knows at the time when he or she causes the computer to perform the function, that this is the case.
Securing access to a computer or a program encompasses many different actions. ‘Computer’ is not defined in the CMA. Access is unauthorised if it is obtained by a person who is not entitled to control access to the program or data and is done without the consent of such a person. The CMA creates further offences where unauthorised access is sought with a view to committing other offences (e.g., theft or fraud); or to impair the operation of a computer, which would include the implanting of viruses or spyware and distributed denial-of-service (DDoS) attacks. The CMA also criminalises the obtaining, making, adapting, supplying or offering of articles for use in committing CMA offences.
The most serious offence under the CMA is committed if a person (1) does any authorised act in relation to a computer; (2) at the time of doing the act the person knows that it is unauthorised; (3) the act causes or creates a significant risk of serious damage of a material kind; and (4) the person intends to cause serious damage of a material kind or is reckless as to whether such damage is caused. For the purposes of this offence, damage is of a ‘material kind’ if it is, for example, to the national security of any country.”