Out-Law Guide | 30 Mar 2005 | 3:01 pm | 13 min. read
Any business is at risk from online crime. A business can also be held criminally responsible for the actions of its employees – so it's worth knowing the risks, even if you are neither a hacker nor a thief.
Hacking is the popular term for what is properly called 'cracking'. This guide uses 'hacking' as a synonym for 'cracking', though strictly speaking a cracker is someone who breaks into another person's computer system, while a hacker is simply a skilled computer programmer.
Under the Computer Misuse Act 1990, the following are offences:
The maximum penalty for the section 1 offence (unauthorised access to computer material) is two years' imprisonment and a fine. For a section 2 offence, the maximum penalty is 5 years' imprisonment and a fine. For a section 3 offence, the maximum penalty is 10 years' imprisonment and a fine.
These offences are potentially wide in scope: even guessing the password to access someone else's webmail account could be prosecuted as an offence of unauthorised access to computer material.
Depending on the circumstances, an employer could be held criminally responsible where, say, a member of its IT team hacks into a third party's system. This is due to the legal concept of vicarious liability. An employer is vicariously liable for the wrongful or negligent acts of his or her employee committed within the general scope of his or her employment. Employers should not tolerate any unauthorised access by staff to third party systems.
When a company commissions penetration testing, a contract should be signed before testing begins, so that the testing company's actions are authorised and therefore fall outside the Computer Misuse Act offences. The testing firm's techniques may include social engineering, where staff are tricked into disclosing credentials or other details that give access to a system. A written contract minimises the risks for both parties. It should define the scope of the engagement (which systems, addresses and time windows are in scope, and which techniques are permitted) and put in place a process that helps to distinguish the penetration tester from a criminal, for example a named contact who can confirm that the activity is authorised, so that a member of staff does not alert the police to the testing because of a misunderstanding. It should also deal with liability: what happens if the tester takes down a critical part of the organisation's website and the organisation suffers loss?
The maximum penalties were lighter when the 1990 Act was passed (up to six months' imprisonment and a fine for a section 1 offence; up to 5 years and a fine for either a section 2 or 3 offence). The Act was amended by The Police and Justice Act 2006, which increased the penalties. These amendments took effect in Scotland in October 2007 and in England and Wales in October 2008.
The Police and Justice Act 2006 also banned denial of service attacks and the supply of hacking tools. These issues are addressed below.
Viruses, worms and Trojan horses are known collectively as 'malware' or malicious software. Malware can cause harm by corrupting data or slowing the performance of a computer or a network.
A computer virus is a program that infects a computer without the knowledge or permission of its owner and then copies itself into other files or programs. A virus spreads only when a user moves the infected file, albeit unwittingly, for example by emailing it to another machine.
A worm is like a virus, with the difference that it does not need to attach itself to an existing program. It can spread among many computers by itself – i.e. with no need for any action on the part of the infected computer's owner.
A Trojan horse is a program that appears harmless but has a hidden agenda – e.g. a program appears to be just a game, but also monitors all keystrokes on the infected computer and forwards the information to a criminal who can then work out that user's passwords.
Developing a virus or other malware and/or disseminating it is an offence under the Computer Misuse Act.
Depending on the circumstances, there could be a section 1, section 2 or section 3 offence (each of which is described above). The Police and Justice Act 2006 replaced the original section 3 offence (unauthorised modification of computer material) with a wider offence of doing any unauthorised act with intent to impair, or being reckless as to impairing, the operation of any computer or program, or the reliability of or access to any data; the impairment need only be temporary. The maximum penalty is 10 years' imprisonment and a fine.
The Computer Misuse Act has also been changed to make it an offence to make, adapt, supply or offer to supply any article which is "likely to be used to commit, or to assist in the commission of, [a hacking or unauthorised modification] offence". It is also an offence to supply an article "believing that it is likely" to be used to commit such an offence.
The meaning of 'article' includes any program or data. The provisions would cover the supply of toolkits designed for launching Denial of Service attacks (see below) or viruses. Anyone convicted of breaking this section of the Act could be jailed for up to two years.
This part of the law has been controversial because security researchers have said that it could impede their work, restricting their ability to share information about security vulnerabilities (on the basis that if criminals use that information to attack a system, the researcher could be held responsible). Many security tools are 'dual use': a port scanner or password-auditing tool is equally useful to an administrator and to an intruder. The Crown Prosecution Service has issued guidance on the offence which directs prosecutors to consider, among other things, whether the article was developed primarily for committing offences, whether it is available on a wide-scale commercial basis through legitimate channels and whether it is widely used for legitimate purposes.
It is possible that malware could also give rise to civil liability, i.e. a lawsuit rather than a prosecution. If your company unwittingly introduced a virus to another company's network, that company could sue, alleging that your company was negligent in failing to detect and block the dissemination of viruses. Evidence might be that the anti-virus software in use at the company spreading the virus was not up to date. There is an obvious defence of contributory negligence, though: if the other company had up-to-date anti-virus protection in place, the virus should have been blocked. Perhaps for that reason, we are not aware of any such lawsuit having been filed.
Many organisations have been the victims of Denial of Service (DoS) attacks. These are deliberate attacks designed to disable a website or network. A company's email server can be brought to a standstill by a barrage of email messages, and its web servers by a flood of requests, so that the website becomes unavailable to legitimate users.
Such attacks are illegal. Denial of service was expressly criminalised in Scotland in 2007 and in England and Wales in 2008, when section 3 of the Computer Misuse Act was amended by the Police and Justice Act 2006.
Before the amendment there was doubt about whether DoS attacks were caught by the Act. The 1990 law criminalised unauthorised access to, or modification of, programs and data; but there was an argument that in a DoS attack there is no such access to the victim's system. Unauthorised access or modification clearly did occur in so-called Distributed Denial of Service (DDoS) attacks, in which many computers are compromised and used to launch an attack on a single target; but in a 'simple' DoS attack launched from the attacker's own machine, there might be no such access.
There was a school of thought that, in England and Wales, a DoS attack could be prosecuted under the Criminal Damage Act. In Scotland, a DoS attack could be prosecuted as common law 'malicious mischief'.
The illegality of DoS attacks under the 1990 legislation as originally enacted was confirmed by the Divisional Court (Queen's Bench Division) in DPP v Lennon in 2006. David Lennon had used a mail-bombing program to send about five million email messages to his former employer, causing its server to crash. The court held that sending the emails was an unauthorised modification of the employer's computers: the implied consent that any mail server gives to receiving email does not extend to a flood sent for the purpose of overwhelming it. See: Denial of Service attacker sentenced to curfew, OUT-LAW News, 24/08/2006.
The amendments to the Computer Misuse Act put the illegality of DoS and DDoS attacks beyond doubt.
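As an added illustration of what the 'flood of requests' described above looks like from the defender's side (example code written for this guide's technical readers, not part of the original article), the following Python detector reads web-server access log lines in Common Log Format, counts requests per client address inside a sliding time window and reports any source that reaches a threshold. The log lines, addresses, window and threshold are all constructed for the example; a real deployment would tune the window and threshold to its own traffic.

```python
"""Rate-based flood detection over web-server access log lines.

Added example for the Out-Law guide, not the guide's own code.  Parses
Apache/nginx Common Log Format lines, keeps a sliding window of request
timestamps per client IP and flags clients that reach a threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.
# 203.0.113.5 - - [24/Aug/2006:10:00:01 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return m.group("ip"), ts, m.group("req")


def detect_floods(lines, window_seconds=10, threshold=50):
    """Flag client IPs whose request count inside any sliding window of
    window_seconds reaches threshold.  Returns {ip: peak_count} for the
    flagged sources only.  Lines are taken in file order; if a log can be
    interleaved out of time order, sort it by timestamp first."""
    windows = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage rather than let one bad line stop detection
        ip, ts, _ = parsed
        q = windows[ip]
        q.append(ts)
        # evict timestamps that have fallen out of the window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def make_sample_log():
    """Constructed sample: one flooding client, one normal client, one
    garbage line.  Addresses are from the documentation ranges."""
    base = datetime(2006, 8, 24, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):  # flood: 60 requests within six seconds
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f'203.0.113.5 - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512')
    for i in range(5):   # ordinary browsing: five requests over a minute
        t = base + timedelta(seconds=12 * i)
        lines.append(f'198.51.100.7 - - [{t.strftime(TS_FMT)}] "GET /about HTTP/1.1" 200 2048')
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(make_sample_log()).items():
        print(f"possible flood from {ip}: {peak} requests in a 10 s window")
```

A per-source threshold catches the single-origin flood of the Lennon kind; a distributed attack spreads its requests across many addresses so that no one source trips the threshold, which is why the same counting is usually also applied to the aggregate request rate and to request patterns (identical URLs, identical user agents) rather than to addresses alone.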
If a Wi-Fi network is hacked, there will be an offence under the Computer Misuse Act. But using an open wireless network without permission can also be an offence, under the Communications Act 2003.
Section 125 of the Communications Act describes an offence of dishonestly obtaining communications services. It states: "A person who (a) dishonestly obtains an electronic communications service, and (b) does so with intent to avoid payment of a charge applicable to the provision of that service, is guilty of an offence."
See: Man arrested for Wi-Fi leeching, OUT-LAW News, 23/08/2007
According to a study commissioned by the Business Software Alliance (BSA) in 2008, 27% of software installed on personal computers in the UK is unlicensed.
The unlicensed use of software is copyright infringement. It is generally dealt with as a civil matter, resulting in an award of damages. However, in some circumstances, software piracy will be prosecuted in a criminal court where the maximum penalty is an unlimited fine and up to 10 years' imprisonment.
Lawyers acting for the BSA and another trade body, the Federation Against Software Theft (FAST), frequently send warning letters to organisations in the UK that are alleged to be using unlicensed software. These letters typically demand an audit of the software in use in the target company. They will seek the total number of computers and servers in the organisation; an inventory of all software (including fonts) installed in the organisation; and the number of licences held, with evidence such as receipts.
Faced with an allegation that unlicensed software is being used, an organisation might be asked to settle the complaint by paying for the missing licences. If the matter is taken to court and infringement is established, the sum of damages payable is likely to match the sum that should have been paid for the missing licences.
Damages tend to be compensatory in the UK, not punitive. However, a court can award "additional damages" under section 97(2) of the Copyright, Designs and Patents Act 1988. These will be determined with regard to the "flagrancy" of the infringement and "any benefit accruing to the defendant by reason of the infringement".
The BSA and FAST typically learn of infringements from employees at infringing organisations. The BSA offers a reward of up to £10,000 for every report to the BSA that leads to a court judgment or settlement.
If your organisation receives such a letter, we recommend that you seek legal advice.
Bear in mind that, even if it is individual employees obtaining and using software without a licence, your business and/or its directors and other officers can be held liable.
Large organisations typically put technical controls in place to prevent staff installing software themselves. Whatever controls exist, an employee handbook can be used to explain to each employee, among other matters, that:
If covering such matters in a handbook or by any other means, make sure they are read and understood by each employee.
Under the Fraud Act 2006 there is a general offence of fraud which can be committed by false representation, by failing to disclose information or by abuse of position. The offence carries a maximum sentence of 10 years' imprisonment. The legislation does not apply in Scotland, where there is a common law crime of fraud, committed when someone achieves a practical result by a false pretence.
Phishing attacks could be prosecuted as fraud. These attacks usually involve sending thousands of emails that purport to come from a bank or another trusted brand in the hope that passwords or account details can be lured from recipients.
The Fraud Act also provides that it is an offence for a person to be in possession of articles for use in fraud (including software). The maximum penalty is five years' imprisonment and/or a fine. It is also an offence under the Fraud Act to make or supply articles for use in fraud, which is punishable by up to 10 years' imprisonment and/or a fine.
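To make the phishing pattern described above concrete, the following Python check (an added example for this guide's technical readers, not part of the original article) tests a raw email message for three indicators such attacks typically show: a display name that claims a trusted brand while the sending domain is not the brand's, a Reply-To header that diverts replies elsewhere, and link text that shows one host while the href points to another. The brand allow-list, domain names and both sample messages are constructed for the example.

```python
"""Heuristic phishing indicators for a raw RFC 822 message.

Added example for the Out-Law guide, not the guide's own code.  Uses only
the standard library.  KNOWN_BRANDS and the sample messages are made up.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> domains the brand really sends from.
KNOWN_BRANDS = {
    "examplebank": {"examplebank.example"},
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url_or_host):
    """Crude host extraction that ignores a leading 'www.'.  Production code
    would compare against the public suffix list instead."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlparse(url_or_host).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def html_body(msg):
    """Decoded text/html part, or '' if the message has none."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators; empty means nothing found."""
    msg = message_from_string(raw_message)
    indicators = []
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower()

    # 1. Display name claims a known brand but the address is not the brand's.
    compact_name = display_name.lower().replace(" ", "")
    for brand, domains in KNOWN_BRANDS.items():
        if brand in compact_name and from_domain not in domains:
            indicators.append(f"display name claims {brand} but sender domain is {from_domain}")

    # 2. Reply-To diverts replies to a different domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        indicators.append("Reply-To domain differs from From domain")

    # 3. Anchor text shows one host while the href goes to another.
    parser = LinkExtractor()
    parser.feed(html_body(msg))
    for href, text in parser.links:
        if "." in text and registrable_host(text) != registrable_host(href):
            indicators.append(f"link text {text!r} actually points to {registrable_host(href)}")
    return indicators


# Constructed sample messages (documentation-style domain names).
SAMPLE_PHISH = """\
From: Example Bank Security <alerts@mail-examplebank.example>
Reply-To: recover@attacker.example
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body><p>Your account will be suspended. Log in at
<a href="http://examplebank.example.attacker.example/login">examplebank.example</a>
to verify your details.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: Example Bank <alerts@examplebank.example>
To: customer@example.org
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>View it at <a href="https://www.examplebank.example/statements">www.examplebank.example</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or "no indicators")
```

These checks are deliberately header- and content-based so they run on a stored message offline; in a live mail pipeline they would sit alongside SPF, DKIM and DMARC verification of the sending domain, which the example does not attempt.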
The Obscene Publications Acts of 1959 and 1964 make it an offence to publish any content whose effect will tend "to deprave and corrupt persons who are likely … to read, see or hear the matter contained or embodied in it".
According to the Internet Watch Foundation (an organisation that operates a hotline for reporting illegal images), this "could include images of extreme sexual activity such as bestiality, necrophilia, rape or torture".
Possession of 'extreme pornographic images' was criminalised in England and Wales by the Criminal Justice and Immigration Act 2008. An extreme image is one which is "grossly offensive, disgusting or otherwise of an obscene character" and which portrays any of the following in an explicit and realistic way:
"(a) an act which threatens a person’s life,
(b) an act which results, or is likely to result, in serious injury to a person’s anus, breasts or genitals,
(c) an act which involves sexual interference with a human corpse, or
(d) a person performing an act of intercourse or oral sex with an animal (whether dead or alive),
and a reasonable person looking at the image would think that any such person or animal was real."
A similar offence has been proposed for the law of Scotland.
It is an offence to take, permit to be taken, make, possess, show, distribute or advertise indecent images of children in the UK under the Protection of Children Act 1978.
The definition of children includes those under the age of 18 and those giving the impression that they are under 18. Prior to 1st May 2004, the relevant age was 16.
Indecent photographs include 'pseudo-photographs' and tracings of photographs. They also include data that can be converted into an indecent photograph.
The maximum penalty for possession of an indecent photograph of a child is five years' imprisonment. The maximum penalty for making such a photograph is 10 years' imprisonment.
The IWF provides a more detailed summary of the relevant laws. It uses the term 'child abuse images', not child pornography, to reflect the gravity of the images involved.
Downloading lawful pornography or illegal content may make an employee liable for summary dismissal. However, this will depend on whether dismissal is an appropriate sanction in the particular circumstances, so it should not be considered a general rule. No dismissal should take place until a full and proper investigation is carried out and fair disciplinary procedures followed.
Any employer should have a suitable internet and e-mail policy (read our article, Internet and email policies). The policy should specifically prohibit downloading pornography and unlawful content and make it clear to employees that this behaviour will not be tolerated and is likely to lead to instant dismissal. Having such a policy not only clarifies the rules for the employee but might also help the employer if there is a question of vicarious liability.
Threatening, abusive or insulting words or behaviour can be an offence under the Public Order Act 1986 where these acts are intended or likely to stir up racial hatred. Racial hatred is defined (at section 17) as meaning "hatred against a group of persons in Great Britain defined by reference to colour, race, nationality (including citizenship) or ethnic or national origins".
The Act was amended by the Racial and Religious Hatred Act 2006 to criminalise hatred against a person on the grounds of their religion. Hatred on the grounds of sexual orientation is addressed by the Criminal Justice and Immigration Act 2008 but is not in force at the time of writing.
According to the UK's Terrorism Act of 2000, it is an offence to provide or receive instructions in the making or use of firearms, explosives, or chemical, biological or nuclear weapons. Bomb-making instructions landed a US webmaster in prison in 2003 under US laws.
In a well publicised case, German prosecutors brought charges against the local manager of CompuServe in connection with child pornography on the internet.
Under the E-commerce Directive and the UK's equivalent E-commerce Regulations (see our article, The UK's E-commerce Regulations), generally speaking, ISPs will have no liability for data content when they only provide access or transmission services. Even if they take a more active role and host a website, they will not be liable for the content of that website, provided that:
Under Part III of the Regulation of Investigatory Powers Act 2000, a person who holds a key capable of decrypting protected information can be served with a notice (a 'section 49 notice') by the police, the intelligence services or customs requiring the key, or the material in intelligible form, to be handed over. Failing to comply with such a notice is a criminal offence under section 53 of the Act, punishable by imprisonment.
Section 55 of the Data Protection Act 1998 created a criminal offence of knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, e.g. by breaking into a company's computer system to retrieve information. In addition, there are responsibilities on website operators to protect the security of their systems.
Data controllers are required by the Data Protection Act to take "appropriate technical and organisational measures" against unauthorised or unlawful processing. What is an appropriate level of security will vary according to the type of information stored. For example, medical and financial details would demand greater security than details of interests and hobbies. The business operating the website is also obliged to ensure the reliability of any employees with access to personal data.
Failure to comply with the Act can lead to the serving of an enforcement notice; failure to comply with the notice is a criminal offence. It is also possible that the directors and other officers of the company will be guilty of the offence. In addition, the individual whose data is compromised can sue the business for compensation and, depending on the circumstances, distress. For further information on this Act, you should see our legal information about Data protection.
Occasionally, the UK courts have encountered difficulties in applying domestic law to offences where part of the activity occurs overseas. The Computer Misuse Act deals with this expressly: the offences can be prosecuted here provided that, at the time of the offence, there was a "significant link with domestic jurisdiction", for example that the accused was in the UK when the act was done or that the computer attacked was in the UK.