There is no dedicated comprehensive cybersecurity law as such in England and Wales. Rather, there are numerous statute-based laws, underpinned by the possibility of civil actions in common law. These:
- criminalise unauthorised interference with computers - including where there is an intention to commit other crimes by means of accessing computers, altering computer programs or producing ‘hacking tools’, or where the result is serious damage to the economy, environment, national security or human welfare, or where there is a significant risk of such damage (the Computer Misuse Act 1990 (CMA), as amended by the Serious Crime Act 2015 (SCA));
- criminalise the interception of communications - including communications sent or received by computers (the Investigatory Powers Act 2000 Part 1 (IPA));
- impose obligations to protect personal data (rather than data more generally) by the application of security measures. The three key pieces of legislation are the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA), and the Network and Information Systems Regulation 2018 (NISR), which implements the EU’s Network and Information Security Directive; and
- criminalise actions amounting to fraud (Fraud Act 2006 (FA)) and infringing intellectual property rights (Copyright, Designs and Patents Act 1988).
It is important to note that significant changes have been brought about by the implementation of the GDPR and the Network and Information Security Directive agreed by the EU institutions in December 2015 (see question 3 and ‘Update and trends’).
Aside from emphasising in policy the benefits of good cybersecurity, therefore, English law predominantly seeks to encourage cybersecurity by punishing breaches (notably in failures by data controllers and processors to keep personal data secure) rather than by reward.
Acts that would otherwise be considered breaches of law are made lawful where conducted by state agencies principally in the interests of national security, and for the prevention and detection of serious crime, in accordance with the authorisation regimes established under IPA (see question 9), the Police Act 1997 and the Intelligence Services Act 1994.
Parliament has not legislated to promote cybersecurity as such, and the offences described have been created in a rather piecemeal fashion. The UK government has approached the issue of cybersecurity by seeking to raise awareness and to enhance cybersecurity safeguards against (and to mitigate the risks and effects of) cyberattacks. In November 2016, the five-year National Cyber Security Strategy, containing three core pillars - to defend against and to deter cyberattacks, and to develop cyberdefence - was approved. The strategy is underpinned by £1.9 billion of transformational investment, more than double the budget of the first such strategy (2011-2016) (www.gov.uk/government/speeches/chancellor-speech-launching-the-national-cyber-security-strategy). The strategy is supported by the National Cyber Security Centre (NCSC), which, in its 2018 Annual Review, noted that from September 2017 to August 2018 it had handled 557 cyber incidents, removed 138,398 unique phishing sites and issued 134 pieces of cybersecurity guidance. When businesses, government bodies or academic organisations report a significant incident, the NCSC may bring together and deploy the full range of technical skills from across government and beyond. The NCSC also links up with law enforcement, helps mitigate the impact of incidents, seeks to repair the damage and assists in the identification and prosecution of those responsible.
Of fundamental importance, the GDPR applies to personal data processing carried out by organisations operating within the EU and to those operating outside the EU that offer goods or services to individuals in the EU. It does not apply to processing carried out for law enforcement purposes (eg, the police, criminal courts), for national security purposes or to processing by individuals for purely domestic or household activities. Article 5 of the GDPR stipulates that personal data must be processed in accordance with seven principles:
- it must be processed lawfully, fairly and transparently (lawfulness, fairness and transparency);
- it must not be processed in a manner incompatible with the specific, explicit and legitimate purposes for which it was originally collected (purpose limitation);
- it must be limited to what is necessary in relation to the purpose for which it was collected (data minimisation);
- it must be accurate and kept up to date (accuracy);
- it must not be kept for longer than is necessary (storage limitation);
- it must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality); and
- finally, data controllers must be able to demonstrate compliance with the principles relating to personal data processing (accountability).
A breach of the data processing principles - significantly in the context of security breaches - can lead to the imposition of substantial administrative fines imposed by the Information Commissioner’s Office (ICO). The ICO may also prosecute offenders in the criminal courts for offences under the DPA. Those suffering damage (including distress) from breaches of the data protection legislation may also seek compensation from the controller or processor concerned.
The DPA enacts the EU’s Law Enforcement Directive, which regulates the processing of data by various authorities such as the Serious Fraud Office, the Financial Conduct Authority (FCA) and the National Crime Agency (NCA). In addition, the DPA complements and amplifies the provisions of the GDPR.
NISR applies to operators of essential services (OES) (eg, water, transport and energy) and relevant digital service providers (RDSPs) (eg, online search engines available to the public, online markets and cloud computing services). NISR requires appropriate and proportionate technical and organisational measures to manage risk of disruption. Incidents that have a significant impact on the continuity of an essential service must be notified to the applicable competent authority. Where incidents are suspected of having a cybersecurity element, operators are also strongly encouraged to contact the NCSC.
In terms of the principal criminal law deterrent, the CMA, implementing the Budapest Convention on cybercrime, provides that a person is guilty of an offence where: (i) he or she causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured; (ii) the access he or she intends to secure, or to enable to be secured, is unauthorised; and (iii) he or she knows, at the time when he or she causes the computer to perform the function, that this is the case. Such offences are punishable by imprisonment, some carrying a maximum sentence of life imprisonment where the attack causes or creates a significant risk of serious damage to human welfare or national security.
Securing access to a computer or a program encompasses many different actions. ‘Computer’ is not defined in the CMA. Access is said to be unauthorised if done by a person other than one who has responsibility for the computer and is entitled to determine whether the act may be done, or is done without the consent of such a person.
The CMA creates further offences where unauthorised access is sought with a view to committing other offences (eg, theft or fraud), or to impair the operation of a computer, which would include the implanting of viruses or spyware and DDoS attacks. In such cases, the penalty can be up to 10 years’ imprisonment. The CMA also criminalises the obtaining, making, adapting, supplying or offering of articles to be used in committing the CMA offences.
Subject to particular statutory defences, the DPA criminalises certain behaviour in relation to personal data, including knowingly or recklessly obtaining or disclosing it without the consent of the controller (blagging). It is also an offence to retain personal data without the consent of the controller from whom it was obtained; to offer or sell ‘blagged’ personal data; to ‘re-identify’ personal data that has been de-identified (ie, processed in such a manner that, without more, it can no longer be attributed to a particular data subject) without the controller’s consent; or to process such re-identified data. Other criminal offences are dealt with under the relevant questions below.