Michael Drury and Julian Hayes write for The GIR Guide to Cyber Investigations

BCL partners Michael Drury and Julian Hayes have written the chapter titled ‘Investigations In England & Wales: Practitioners’ Perspective’ for Global Investigations Review: The Guide to Cyber Investigations – Second Edition.

Here is a brief blurb on this publication:

“Data breaches and similar incidents pose a unique challenge – those targeted must both respond and investigate simultaneously. It is an art that is impossible without preparation. Businesses wishing to prepare will find this volume, The Guide to Cyber Investigations, invaluable. It identifies every issue to consider when creating a response template and implementing it, giving both the law and plenty of practical and tactical advice.

Written by leading contributors, all with broad experience of serious data incidents, it is an indispensable desktop guide and a worthy companion to GIR’s larger volume on cross-border investigations, The Practitioner’s Guide to Global Investigations.”

Below is a short extract from their chapter. The full chapter can be read as a pdf here.

“There is no dedicated, comprehensive cybersecurity law as such in England and Wales. Rather, there is a patchwork of statute-based laws, underpinned by the possibility of civil actions at common law. These laws criminalise unauthorised interference with computers (the Computer Misuse Act 1990 (CMA)); criminalise the interception of communications (Part 1 of the Investigatory Powers Act 2016 (IPA) and the Wireless Telegraphy Act 2006 (WTA)); impose obligations to protect personal data by the application of appropriate technical and organisational security measures (the United Kingdom General Data Protection Regulation (the UK GDPR), Data Protection Act 2018 (DPA), and Network and Information Systems Regulations 2018 (NISR)); and provide state agencies with the power lawfully to interfere with personal property (Part III of the Police Act 1997 (PA) and Intelligence Services Act 1994 (ISA)).

Computer Misuse Act 1990

The CMA, implementing the Budapest Convention on cybercrime, is the principal criminal law deterrent to computer interference. Its basic criminal offence is committed where (1) a person causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured; (2) the access the person intends to secure or to enable is unauthorised; and (3) the person knows at the time when he or she causes the computer to perform the function, that this is the case.

Securing access to a computer or a program encompasses many different actions. ‘Computer’ is not defined in the CMA. Access is unauthorised if it is obtained by a person who is not entitled to control access to the program or data and is done without the consent of such a person. The CMA creates further offences where unauthorised access is sought with a view to committing other offences (e.g., theft or fraud); or to impair the operation of a computer, which would include the implanting of viruses or spyware and distributed denial-of-service (DDoS) attacks. The CMA also criminalises the obtaining, making, adapting, supplying or offering of articles for use in committing CMA offences.

The most serious offence under the CMA is committed if a person (1) does any authorised act in relation to a computer; (2) at the time of doing the act the person knows that it is unauthorised; (3) the act causes or creates a significant risk of serious damage of a material kind; and (4) the person intends to cause serious damage of a material kind or is reckless as to whether such damage is caused. For the purposes of this offence, damage is of a ‘material kind’ if it is, for example, to the national security of any country.”

Michael Drury’s expertise in data collection and surveillance matters by state entities is unparalleled in the United Kingdom. He was director of legal affairs at GCHQ, the largest of the UK’s security and intelligence agencies, for 14 years, was a founder member of the Serious Fraud Office, and for the last 10 years has been a partner in BCL providing advice on national security and criminal investigations to both corporate and individual clients. His breadth of experience, both in developing legislation (particularly the Regulatory Investigatory Powers Act as the forerunner to the current Investigatory Powers Act 2016) and in practical casework, gives him unique insights into how the law has developed and the practical consequences that follow. He has already provided advice on the US-UK Bilateral Data Sharing Agreement due to commence this autumn and brings his breadth of knowledge to bear on what is a new departure in a field that is inherently controversial.

Julian Hayes advises companies and individuals in the rapidly developing field of data protection, especially in the context of data breaches and law enforcement investigations, where necessary litigating to ensure that the actions of state authorities are properly constrained. A partner at BCL for four years, he has vast experience of all types of criminal inquiries, including the unlawful obtaining of data and computer misuse offences. He is a well-known and highly regarded commentator on cybersecurity and privacy issues. He advises telecommunications operators on their obligations under UK investigatory powers legislation and provides practical guidance on how to handle demands placed upon them, including in establishing systems that work to ensure legal compliance and protection for the operator. He has advised in relation to the US-UK Bilateral Data Sharing Agreement and forthcoming UK online harms legislation.