Legislation
Legislation refers to the process of making or enacting laws. The government has the responsibility of making the laws and seeing they are upheld through various authorities. Our legal system and the laws it upholds serve as a framework for regulating various aspects of public and private life.
Computer use has brought new concerns and new crimes. With the rise of the internet, computers are increasingly being used for illegal activities. There are a number of laws that directly impact how we use our own personal computers as well as how organisations handle our data and their network infrastructure.
The main areas being considered here are:
- Data Protection: e.g. GDPR and similar regulations for the handling of personal data, which govern how companies collect and process user information.
- Data and Network Breaches: e.g. the Computer Misuse Act, covering unauthorised access to data and computer systems.
- Intellectual Property Issues: e.g. Copyright and digital piracy
- Artificial Intelligence (AI) and Autonomous Systems: The legal framework around emerging technologies like AI and autonomous systems is still evolving, with questions about liability and accountability.
The "big ones" are:
- Computer Misuse Act 1990
- UK-GDPR (UK General Data Protection Regulation)
- DPA (Data Protection Act 2018)
Note
The links above are for reference only; there is no need to dig into the detail of these laws, as the key points are covered here.
Computer Misuse Act 1990
The Computer Misuse Act 1990 is a legal framework in the United Kingdom designed to address and prevent unauthorized access to computer systems and data. The act identifies three primary offenses:
- unauthorized access to computer material,
- unauthorized access with intent to commit or facilitate the commission of further offenses, and
- unauthorized modification of computer material.
"Unauthorized" simply means that the person gaining access to the data, programs or other information is doing so without permission. This is unlikely to happen accidentally, so the notion of intent is important, especially the intent to use this data for other offences such as blackmail, industrial espionage or theft of funds.
Modifying computer material without permission is also a criminal offense. This includes altering, deleting, or adding data to a computer system without authorization. Triggering Denial of Service attacks and distributing viruses into a network also fall under this heading, and this latter category carries the most serious penalty.
Individuals found guilty of offenses under the Computer Misuse Act can face legal consequences, including fines and imprisonment. The severity of the penalties depends on the nature and impact of the offense. This can also apply if the offense is committed outside of the UK, by UK nationals.
There are exemptions such as network testing for security purposes but this only applies if being carried out with the express consent of the system owner.
Understanding the Computer Misuse Act is essential for individuals working in the field of cybersecurity. It highlights the legal and ethical considerations surrounding computer systems' security and data protection.
Some recent cases involving CMA-1990:
- Unauthorised searches on a police computer system (2024)
- Unauthorised searches on a police computer system (2023)
- Personal Data breached at the RAC (2020)
- Microsoft hacked (2017)
GDPR
GDPR (General Data Protection Regulation) is a comprehensive data protection regulation that aims to give individuals (you and me) increased privacy rights and control over their (our) personal data. It was introduced to address the challenges posed by evolving digital technologies and ensure the responsible handling of personal information.
GDPR applies to the processing of personal data within the European Union (EU) and the European Economic Area (EEA). It also affects organizations outside the EU/EEA if they process the personal data of EU/EEA residents.
Personal data includes any information related to an identified or identifiable person. This can include names, addresses, identification numbers, online identifiers, and other factors that contribute to an individual's identity. The test is whether the person can be identified from the data held.
The individual, that is the data subject (you and me) can exercise certain rights under the conditions of this legislation over their (our) personal data. This includes the right to access, correct, remove and restrict the processing of this information.
For the organisation holding our data it means they have to obtain explicit consent from the data subject for their data to be used.
There are six principles. Personal information must:
1. be used fairly and lawfully
2. be used only for the specific purposes for which it was collected
3. be adequate, relevant and not excessive
4. be accurate and kept up to date
5. not be kept for longer than is necessary and be deleted when it is no longer needed
6. be kept secure against unauthorised access
GDPR distinguishes between data controllers (entities determining the purpose and means of processing) and data processors (entities processing data on behalf of controllers). Both have specific responsibilities and obligations under the regulation.
GDPR mandates organizations to report data breaches to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Data subjects must also be informed if the breach poses a high risk to their rights and freedoms.
GDPR places restrictions on the transfer of personal data outside the EU/EEA to ensure that such transfers meet the necessary data protection standards.
Firms found to be in breach of GDPR face fines of up to 4% of their annual global turnover, so it is a big deal, as illustrated in the following examples of huge fines levied against companies under the GDPR legislation: