BCL partners Julian Hayes and Michael Drury have written for the Third Edition of Global Investigations Review’s Guide to Cyber Investigations explaining the patchwork of statutes and common law that are in place to regulate cybersecurity in England and Wales.
*Here is a short extract from the guide. If you wish to read the full guide, please visit the GIR website.
England and Wales has no single corpus of cybersecurity law; instead, cybersecurity is regulated by a patchwork of statutes and the common law. These laws operate to criminalise both unauthorised interference with computers (Computer Misuse Act 1990 (CMA)) and the interception of communications (Investigatory Powers Act 2016 (IPA), Part 1 and Wireless Telegraphy Act 2006 (WTA)); to impose obligations to protect personal data through the application of appropriate technical and organisational security measures (United Kingdom General Data Protection Regulation (the UK GDPR), Data Protection Act 2018 (DPA) and Network and Information Systems Regulations 2018 (NISR)); and to authorise state agencies to interfere with personal property (Police Act 1997 (PA), Part III and Intelligence Services Act 1994 (ISA)).
Computer Misuse Act 1990
The CMA is the principal criminal law deterrent to computer interference. Its basic criminal offence is committed where:
(1) a person causes a computer to perform any function with the intent to secure access to any program or data held in any computer, or to enable any such access to be secured,
(2) the access the person intends to secure or to enable is unauthorised, and
(3) the person knows at the time of causing the computer to perform the function, that this is the case.[2]
Securing access to a computer (which is not defined in the CMA[3]) or a program encompasses many different actions, including using the computer or data, altering or erasing data, or copying or moving data.[4] Access is unauthorised if it is obtained by a person who is not entitled to control access to the program or data and is done without the consent of such a person.[5] There is no ‘public interest’ defence for unauthorised access.[6]
The CMA creates further offences where unauthorised access is sought with a view to committing other offences (e.g., theft or fraud)[7] or to impair the operation of a computer,[8] which would include implanting viruses or spyware and distributed denial-of-service (DDoS) attacks. The CMA also criminalises the obtaining, making, adapting, supplying or offering of articles for use in committing CMA offences.[9] The most serious offence under the CMA is committed if (1) a person carries out any unauthorised act in relation to a computer, (2) at the time of carrying out the act, the person knows that the act is unauthorised, (3) the act causes or creates a significant risk of serious damage of a material kind and (4) the person intends to cause serious damage of a material kind or is reckless as to whether damage is caused.[10] For the purposes of this offence, damage is of a ‘material kind’ if it constitutes damage to human welfare or the environment in any place, to the economy of any country, or to any country’s national security.[11]
Prosecutions for computer misuse offences are infrequent,[12] with Crown Prosecution Service guidance stating that when a CMA offence is committed to facilitate a more serious offence (such as fraud or blackmail), prosecutors should consider charging only the more serious offence.[13]
In February 2023, the Home Office launched a consultation on possible amendments to the CMA as part of its national cyber strategy.[14] Proposals include increased penalties for existing offences, a new offence of possessing illegally obtained data, the introduction of a statutory defence for those protecting the United Kingdom in cyberspace, who might otherwise technically commit an offence, and introducing new powers for law enforcement agencies to require the preservation of data and to seize domain names and internet protocol addresses used for criminal purposes.
Investigatory Powers Act 2016
The IPA was introduced in response to heightened scrutiny of the surveillance activities of UK public authorities, including the collection and use of communications and communications data. The IPA provides a comprehensive framework for public authorities to obtain communications and communications data, undertake electronic surveillance more generally (including through hacking) and access personal data held in large data sets. The powers provided by the IPA cover five primary areas of activity:
- interception warrants (specific and bulk);
- obtaining communications data (including bulk acquisition warrants);
- retention of communications data;
- equipment interference (including bulk equipment interference); and
- using bulk data sets.
A telecommunications operator,[15] whether based within or outside the United Kingdom, can be mandated to take steps to give effect to a relevant authorisation by way of a technical capability notice (TCN)[16] (except in the case of retention of communications data or bulk data sets). When issuing a TCN, the Secretary of State for the Home Department must be satisfied as to its necessity and proportionality,[17] and approval must be sought from an independent judicial commissioner.[18]
The IPA provides the framework for oversight, which includes establishing the Investigatory Powers Commissioner and the Investigatory Powers Tribunal.[19] It also aims to ensure compliance with the Human Rights Act 1998 and the European Convention on Human Rights.
The Annual Report of the Investigatory Powers Commissioner 2021 highlighted concern about the key statutory definitions of ‘telecommunications operator’ and ‘communications data’.[20]
In February 2023, the Home Office published a statutory report on the operation of the IPA, which signalled forthcoming updates to the key statutory definitions of ‘telecommunications operator’ and ‘communications data’ to keep pace with technological developments.[21]
Wireless Telegraphy Act 2006
Where ‘bugging’ would not already be caught by the prohibition on unlawful interception contained in the IPA, it may nevertheless be criminalised by the WTA if wireless telegraphy apparatus is used without lawful authority and with the intention of obtaining information about the sender, content or addressee of a message, or where information obtained in this way is disclosed.[22] The use of hidden recording devices for covert surveillance may be caught by these provisions.
*The guide was first published by Global Investigations Review on 09 June 2023. If you wish to read the full guide, please visit the Global Investigations Review website.
Footnotes
[2] Computer Misuse Act 1990 (CMA), Section 1, carrying a maximum sentence of two years’ imprisonment.
[3] In DPP v. McKeown; DPP v. Jones [1997] 2 Cr. App. R. 155 HL, Lord Hoffmann defined a ‘computer’ as ‘a device for storing, processing and retrieving information’. The Budapest Convention on Cybercrime defines a ‘computer system’ as ‘any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data’.
[4] CMA, Section 17(2).
[5] ibid., Section 17(5).
[6] R v. Coltman [2018] EWCA Crim 2059.
[7] CMA, Section 2, carrying a maximum sentence of five years’ imprisonment.
[8] ibid., Section 3, carrying a maximum sentence of 10 years’ imprisonment.
[9] ibid., Section 3A, carrying a maximum sentence of two years’ imprisonment.
[10] ibid., Section 3ZA, carrying a maximum sentence of life imprisonment.
[11] ibid., Section 3ZA(2)(d).
[12] In 2020, there were only 45 prosecutions under the CMA (https://hansard.parliament.uk/commons/2022-04-19/debates/AE9413F3-D4F2-44EC-890E-75B0250328C4/ComputerMisuseAct1990#:~:text=Coupled%20with%20that%2C%20there%20were,average%20fine%20just%20%C2%A31%2C203 (last accessed 29 March 2023)).
[13] CMA – see ‘Alternative Offences’ (https://www.cps.gov.uk/legal-guidance/computer-misuse-act (last accessed 4 April 2023)).
[14] https://www.gov.uk/government/consultations/review-of-the-computer-misuse-act-1990 (last accessed 29 March 2023).
[15] Defined in the Investigatory Powers Act 2016 (IPA) at Section 261(10).
[16] IPA, Section 253.
[17] ibid., Section 253(1).
[18] ibid., Section 254.
[19] See ibid., Part 8, Chapters 1 and 2.
[20] Investigatory Powers Commissioner’s Office, Annual Report of the Investigatory Powers Commissioner 2021 (published March 2023), paras. 2.9–2.16 (https://ipco-wpmedia-prod-s3.s3.eu-west-2.amazonaws.com/Annual-Report-2021.pdf (last accessed 6 April 2023)).
[21] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1134783/E02825581_Investigatory_Powers_Act_2016_ELAY.pdf (last accessed 29 March 2023).
[22] Wireless Telegraphy Act 2006, Section 48.