The Macrobox Computer System and Servers - Essay Example

?TASK ONE: In advising MacroBox regarding their legal position regarding the DNS attacks and attempted intrusions it is necessary to consider the provisions of the Computer Misuse Act 1990 and the Police and Justice Act 2006. The main legislative provisions dealing with computer misuse is the Computer Misuse Act 1990 (“the Act”), which was drafted without foresight of the practical implications of Internet growth. In its previous form, the Act covered two types of computer related offences; firstly the unauthorised access to computer material and unauthorised modification of computer material. However, the increasing difficulty of prosecuting under the Act and its failures to address the continuous developments in technology led to criticisms of its ability to address the increasing reality of cyber criminal activity (Lloyd, 2004). An attempt to address these problems in the Act was implemented in controversial amendments, which came into force in October 2008 through the Police and Criminal Justice Act 2006 . With regard to the unauthorised access and attempted intrusions this could constitute an offence under the Act of the conduct satisfies the requirements as follows: 1) Unauthorised access to computer material (Section 1 of the Act); 2) Access to computer material without authorisation with intent to commit or assist the commission of offences (Section 2 of the Act); and 3) Modification of computer data without authorisation (Section 3 of the Act). With regard to the current factual scenario, it is evident that there have been attempts to hack the Macrobox system without success so far. Accordingly, whilst there has clearly been an intention to commit the office, there does not appear to have been actual access to the computer system or computer material. However, the Police and Criminal Justice Act 2006 significantly widened the definition of misuse and Section 36(2) of the 2006 Act widens the ambit of Section 3 of the Act by providing that “unauthorised acts” within the Section 3 definition include intention to do the following: “a) Impair the operation of any computer; b) To prevent or hinder access to any program or data held in a computer; or c) To impair the operation of any such program or the reliability of any such data; or d) To enable any of the things mentioned in paragraphs (a) to (c) above to be done” (Section 36(2) Police and Criminal Justice Act 2006). Accordingly, if we apply this to the current scenario, whilst the access to Macrobox’s computer and servers were not successful, the attempt to hack will constitute a criminal offence under Section 3 of the Act. With regard to potential penalties, the Police and Criminal Justice Act 2006 provides for criminal liability on the following basis to be included in the Act for the Section 3 offence: 1. On summary conviction a prison sentence of up to 12 months and a fine not exceeding the statutory minimum; or 2. On conviction on indictment, imprisonment for a term not exceeding ten years or a fine or both (Section 36(6) of the Police and Criminal Justice Act 2006). Additionally, as the forum users have been trying to encourage others to hack Macrobox, this also potentially falls within incitement offences, which have now been removed from the Act and inserted into the inchoate offences section of the Serious Crime Act 2007. Furthermore, it is important to highlight that the encouragement on online forums to hack Macrobox’s computer systems could also constitute a potential offence under the Terrorism Act 2000. Section 2(e) of the Terrorism Act provides that an act of terrorism includes any act which is “designed seriously to interfere with or seriously disrupt an electronic system” if the act is undertaken with the objective of furthering a political, religious or ideological cause. In the current scenario, it is evident that the attempts to hack and interfere with Macrobox’s computer systems and servers were as a result of the disclosure on public forums that Macrobox is a major software supplier for Staffordshire Pets, who are involved with animal testing. With regard to the denial of server attacks, under the Act, the term “misuse” has been extended to criminalize computer security research and defence software tools, making it illegal to download, write, amend or modify anything which could be used to commit a computer hacking or denial of service attack. However, as highlighted above, Section 36 of the Police and Justice Act 2006 specifically extends the Act’s provisions regarding unauthorised modification of computer material and as a result provides that denial of server attacks constitute a criminal offence. Furthermore, the 2006 Act highlights that it is not necessary to demonstrate that the criminal intention was directed to a specific program or computer. Accordingly, the denial of server attack will constitute a criminal offence and be subject to the same penalties as provided for in Section 36(6) of the Police and Criminal Justice Act 2006. Accordingly, if we apply this to the current scenario it is evident that the denial of server attacks will constitute a criminal offence under the Act and the Police and Criminal Justice Act 2006. In summary, the attempts to hack into the Macrobox computer system and servers will constitute a criminal offence under Section 3 of the Act. Furthermore, as the criminal conduct has been incited on forums in support of being against animal testing, it is also possible that the hacking attempts will constitute an act of terrorism under the Terrorism Act 2000. Similarly, the denial of server attacks will also constitute a criminal offence under the Act and potentially fall within the Terrorism Act provisions. TASK 2: DATA PROTECTION ISSUES The factual scenario indicates that potential liability of Macrobox for being in breach of Data Protection legislation for failure to protect against disclosure of its staff’s personal information along with client information. Firstly, the disclosure of this information raises issues of breach of confidence (Bainbridge, 2007). However, Bainbridge comments that the law of breach of confidence has developed on an ad hoc basis and remains narrow in application (2007). For example, the traditional premise for the law of confidence has assumed a relationship of confidentiality, which fails to cover instances of disclosure of information outside of such a relationship where disclosure may nevertheless be detrimental (Bainbridge, 2007). In the current scenario, the contractual relationship with customers and clients would imply a duty of confidence regarding information in order to bring a claim for breach of confidence (Bainbridge, 2007). Similarly, the employee relationship implies a mutual duty of trust and confidence and therefore the disclosure of personal employee information would also appear to point to a breach of confidence. Furthermore, the duty of confidence arises in equity on grounds of the equitable maxim “he who has received information in confidence should not take unfair advantage of it” (Bainbridge, 2007). Alternatively, the strongest basis for legal recourse against Macrobox for disclosure and the passing on of the employee and client information is the Data Protection Act 1998, which imposes obligations on all businesses handling customer information (Marcella & Stuck, 2007). In particular, the Data Protection Act 1998 requires protection of personal information and provides that anybody processing personal information (which includes customer information) must ensure the following: 1) Fair and lawful processing of data; 2) That processing of personal information is undertaken for limited purposes; 3) The processing is not excessive; 4) The information is kept up to date 5) The information is not kept for longer than necessary 6) The information is processed in line with the data subject’s rights 7) The information is secure 8) The information is not transferred abroad without reciprocal protection (Data Protection Act 1998). Additionally, as information was taken from employees and customers, it was not only Macrobox’s duty to register under the Data Protection Act 1998; but all staff, customers and indeed any “data subjects” have the legal right under the Data Protection Act 1998 to know what information is being held and whether or not the information has been passed to third parties (Carey, 2009). Therefore, if the information has been passed on, not kept secure and therefore unlawfully passed on to third parties as a result; then this could be in breach of the Data Protection Act 1998 for unlawful processing of personal information. In the current scenario, Macrobox would appear to have been in breach of the express obligation to ensure the information is held securely and therefore they are exposed to potential liability to its staff and any other data subjects for unlawful processing of data due to it being passed on to third parties beyond the limited purpose exception (Carey, 2009). As a result, any data subject whom Macrobox held information on could initiate proceedings under the Data Protection Act 1998 for compensation if they could establish “damage or distress”. Whilst this is very extreme and the customer bears the burden of proof, the factual circumstances of the current scenario clearly indicate a risk of a claim under the Data Protection Act 1998 (Carey, 2009). In summary, it is evident that as a data processor Macrobox had an express duty to register the information held and to ensure it was securely stored to prevent against unlawful processing. The fact that the information was not securely held and has now been passed on to third parties clearly constitutes a breach of the Data Protection Act 1998 in addition to potential claims for breach of confidence. As such, Macrobox is exposed to liability to data subjects for compensation for breaches of the Data Protection Act 1998. Additionally, the circumstances suggest that the failure to protect the data could constitute negligence and as such, the Information Commissioner could also impose a fine on Macrobox of up to a maximum of ?500,000 for the personal data security breaches (ICO, 2010). In order for the data breaches by Macrobox to attract a fine, the Information Commissioner would have to establish that the breach was serious, likely to cause distress and that Macrobox was negligent or failed to take reasonable steps to protect the information. As highlighted above, the nature of the data disclosed to the public is clearly sensitive and has potential to cause distress and damage. As such, the data breach by Macrobox will most likely satisfy the serious requirement. Additionally, the failures to ensure adequate protections were in place would also point to negligence and failure to take reasonable steps. On this basis, in addition to potential compensation claims by data subjects, Macrobox will most likely be subject to a fine by the Information Commissioner, the amount of which will be subject to the Commissioner’s discretion. Bibliography Bainbridge, D. (2007) Intellectual Property. London: Pearson Longman. Lloyd, I. (2004). Information Technology Law. Oxford: Oxford University Press. Marcella, A. Stuck C. (2007). Privacy Handbook: guidelines, exposures, policy implementation and international issues. London: Wiley Press Legislation Computer Misuse Act 1990 Data Protection Act 1998 Terrorism Act 2000 Serious Crime Act 2007 Police and Criminal Justice Act 2006 All Legislation Available at www.opsi.gov.uk accessed March 2011. Websites Information Commissioner at www.ico.gov.uk accessed March 2011. Read More