Journal

Where should the law’s nib land in drawing the divide between chasing hackers and enforcing businesses’ duties?

By on
4

It’s a balancing act

If the archetypal criminal was once the man in a black and white striped sweater donning a domino mask with a sack bearing the word ‘LOOT’ slung over his shoulder, then it is now fast becoming, in the words of the 45th US President, Donald Trump, “a guy sitting on their bed who weighs 400 pounds”.

That is, like a lot of things, large and organised crime has for a while been making the transition from real life to the Tron-world of the internet.

Cyber crime comes in many guises: international hacking to influence elections or steal state secrets, cyber bullying, or cyber attacks on businesses and important individuals to steal information or implement denial of service attacks.

When it comes to cyber attacks on businesses, profit margins can be severely dented and service ceased depending on the attack, and customers can be made vulnerable — their personal data potentially leaked to the furthest corners of the web.

This gives rise to a dual position so far as the motivations of the law are concerned in tackling such attacks. There is the criminal law aspect, which involves going after, adequately disciplining and removing hackers’ ability to hack, and the civil law aspect, which involves enforcing the duty on businesses to protect the interests of their customers.

Briefly, it is worth noting that cyber crime offers an apt example of the necessity for the law and its enforcement mechanisms to quicken in adapting to the hastily morphing society that they are there to regulate and mediate relations within.

The National Cyber Crime Unit leads the charge in apprehending cyber criminals and bolstering Britain’s infrastructural capabilities in preventing cyber crime; it works in conjunction with a number of other agencies, among which the Metropolitan Police Cyber Crime Unit. It is concerned with ensuring hackers are brought to justice.

The Information Commissioner’s Office (ICO) is charged with upholding data protection in the public interest and ensuring freedom of information. It therefore holds private and public entities to account and acts to enforce their duties to their customers.

The TalkTalk hack

In October 2015 a hacker accessed one of TalkTalk’s databases containing the names, addresses, dates of birth, telephone numbers, email addresses and financial information of 156,959 customers.

The case exemplifies the balancing exercise involved in making sure that, on the one hand, businesses satisfy their duty of care to their customers, and on the other that too much emphasis is not placed on this aim to the abandonment of that of pursuing and deterring hackers themselves.

The Information Commissioner in October 2016 issued TalkTalk with a monetary penalty to the tune of £400,000 pursuant to her powers under section 55A of the Data Protection Act 1998 (DPA).

To arrive at such a decision, the ICO first had recourse to part 1, schedule 1 of the DPA, specifically principle 7, that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

This principle, one of eight duties on ‘data controllers’, is laid down in adequately broad terms so as to retain relevance even as the technological mediums to which they apply develop and evolve beyond the feasible expectations of the legislation drafters. The wording gives the ICO wide leeway in interpretation and application.

The Information Commissioner made her decision on the basis of the civil standard of the balance of probabilities. In doing so she weighed up two factors: 1) the reasonable expectation that TalkTalk should have been aware of the technology that posed a threat to their system and thereafter have acted in an appropriate manner to protect against it, and 2) the seriousness of the contravention due to the number of data subjects, the nature of the personal data and the consequences of its theft.

For instance, the hacker used a bug that was first publicised in 2012 and for which a fix had soon been made available by the software vendor. The Information Commissioner deemed, therefore, that the technological capability to defend against it was sufficiently available and reasonably enough priced to oblige TalkTalk to implement it.

As well, as under section 55A(1) of the DPA, the Information Commissioner looked at whether the contravention was one that was likely to cause substantial damage or distress. With much of business, monetary transactions and communication transferring or having already transferred online, and computers ubiquitous, consumers have no choice but to trust ‘data controllers’ (defined under section 1(1) of the DPA as someone who determines the purpose and manner in which data is processed).

Their data, their lives, is held by people to whom they entrust it under the presumptions that they will take proper measures to ensure its safety. It is therefore reasonable to expect that the breach of a massive ‘data controller’s’ security will cause “substantial distress and damage”.

The power of data, and the responsibility

Data is a currency in its own right (Facebook, Google and Twitter’s business models function off third parties paying these intermediaries to connecting them to consumers for the collection of data), so its collection, safe-keeping and dissemination over the internet, which is necessarily entirely out of the hands of those whose data it is, needs to be adequately protected by the law.

One in five UK businesses was attacked by hackers in 2016 and a study by the National Crime Agency in early 2017 found that hackers are generally motivated by morals, not money — wanting to make a political point from hacking businesses’ databases.

Hackers are, to paraphrase Machiavelli in The Prince, the enemy who ignores their own harm to harm their target. The businesses are usually massive entities that make their money from the data they hold. It behooves the law therefore to place emphasis on enforcing the duty of businesses to protect their customers’ interests.

William Richardson is a former paralegal who is now studying the BPTC LLM at the University of Law. He completed his law with business degree at Brighton University and then a master of laws degree at UCL. This post was one of the standout entries we received for the BARBRI International Cyber Crime Blogging Prize.

Want to write for the Legal Cheek Journal?

Find out more

Please bear in mind that the authors of many Legal Cheek Journal pieces are at the beginning of their career. We'd be grateful if you could keep your comments constructive.

4 Comments

Patrick

“Please bear in mind that the authors of many Legal Cheek Journal pieces are at the beginning of their career. We’d be grateful if you could keep your comments constructive.”

OK. Then I am off to return some video tapes.

John

I don’t get it? Why are you returning video tapes?

Patrick

John, did you know that Whitney Houston’s debut LP, called simply Whitney Houston, had four no.1 singles on it?

Did you know that John?

Anonymous

Good article William.

Every business is the potential victim of a cyber attack. There is a lot you can do to minimise the chance of it happening, but the key word there is minimise. The ICO will be notified of a great deal more cyber incidents than the public ever find out about. In coming to a decision regarding enforcement, two considerations (amongst others) will be the strength of systems in place to prevent cyber attacks, and the manner in which the incident is handled.

I am also inclined to disagree with National Crime Agency conclusions that hackers are generally motivated by morals and not money. A lot of phishing emails and ransomware attacks are designed to target large numbers of businesses on a mass scale with the purpose to make money by extortion or committing fraud against large numbers of businesses or their customers. Targeted attacks for political purposes are not so common from my experience.

Join the conversation