Legal Aspects of Computer System Security “Security - Protecting Our Resources”

Presentation Contents

• Introduction

• Current Legislation

– Overview

– Data Protection Act 1998

– Criminal Damage Act 1991

– Criminal Evidence Act 1992

• Sources, References and Disclaimer

Introduction

• IT rapidly integrating into society

• International context - US and EU influences

• IT law encroaches on “traditional” turf

• Lack of clear definition - good or bad?

• Specific and Regular crime

Current Legislation - Overview

• Data Protection Act 1998

– control personal information

– regulate data processing

• Criminal Damage Act 1991

– actual or threatened damage to property

– unauthorised access to computers

– possession with intent to damage property

• Criminal Evidence Act 1992

– regulate admissibility of computerised records into evidence

Data Protection Act 1998

• Background and Origin

• Definitions and Provisions

• Data Protection Crimes

• The Data Protection Commissioner

DPA - Origins

• “designed to provide adequate safeguards to individuals against any abuse of their privacy arising from the automatic processing of personal data concerning them”

• Based on principles of Strasbourg Convention

DPA - Definitions

• Personal Data: data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller.

• Data subject: person who is the subject of personal data.

• Data Controller: person who controls contents and use of personal data.

• Data Processing: automatic logical operations on data including extraction of constituent data.

• Data: information in a form which can be processed.

DPA - Provisions

• Computerised files only

• Personal Data only

• Exceptions

– security of the State

– must be available by law/court order

– kept by individual for family affairs/recreational purposes

– required urgently to prevent injury or serious loss/damage

– held or processed outside the State

DPA - Provisions II: Requirements of a Data Controller

• Information obtained and processed fairly/lawfully

• Information is accurate and current

• Kept for only 1 or more specified purposes

• Not used or disclosed except for specified purpose

• Relevant and limited to purpose

• Not kept longer than required

• Security against unauthorised access

DPA - Provisions III: Rights of a Data Subject

• Establish the existence of data

• Access to data

• Correct and/or erase data

DPA - Crimes

• Data processor knowingly disclosing personal information without consent of data controller.

• Any person disclosing personal data to a third party without consent of the data controller.

• “a data subject whose data has been attacked or copied by a hacker [may] take a civil action against the data controller. There is clearly a premium, therefore, on each data controller taking all reasonable care in relation to personal data (s)he holds.”

Data Protection Commissioner

• Enforcement Notice

• Information Notice

• Prohibition Notice

• Prosecution

• Prepare Codes of Practice

• Produce Annual Report

• International Assistance

• Maintain Data Protection Register

Criminal Damage Act 1991

• General Points

• Offences under the Act

• Interesting Provisions

• Proof and Defences

CDA - General Points

• Defining criminal activity is difficult

• Evidence is hard to produce

• Legal counsel is invaluable

• Legal notion of “property” extended to include data

• No definition of “computer”

• Computer areas are untested

• Damage of data: add to, alter, corrupt, erase or move or any act that contributes to the above.

CDA - Offences: Damage to Property

• “a person who without lawful excuse damages any property…shall be guilty of an offence”

• Accidental/coincidental damage

• Recklessness

• Damage must be intentional

• Specifically outlaws

– damage to property which endangers life

– damage to property with intent to defraud

• Data damaged within the State by persons outside

CDA - Offences II: Threatening to Damage Property

• “a person who without lawful excuse make to another a threat intending that that other would fear it would be committed”

• Inability to carry out threat is not a defence

CDA - Offences III: Possession of Anything with Intent to Damage Property

• “a person who has anything in his custody or under his control intending without lawful excuse to use it…to damage property”

• Intentionally broad

• Intent to damage

CDA - Offences III: Unauthorised Access to Data

• Computer specific

• “any person who without lawful excuse operates a computer…with intent to access data…whether or not he accesses any data…shall be guilty of an offence”

• Is all activity criminal?

CDA - Interesting Provisions

• Wide-ranging powers of arrest

• Signs of lack of Garda know-how

• Compensation Order

Criminal Evidence Act 1992

• Hearsay or Real Evidence

• Record generated in the normal course of business, without intervention of humans provided machine is reliable.

• Assumed to be working correctly - Good or bad?

Sources and Reference

• “Information Technology Law in Ireland”, Denis Kelleher & Karen Murray. Butterworth Ireland, 1997. http://www.ncirl.ie/itlaw/

• Government Publications Sales Office

• The Irish Times, http://www.ireland.com/

• The Journal of Information, Law and Technology (JILT), http://elj.warwick.ac.uk/jilt/

• CERT, http://www.cert.org/

Inevitable Disclaimer

I am not a lawyer!

Although I believe this to be accurate don’t base a life or death decision on it!

This does not necessarily represent UCD’s views.