Legal Advice for Macrobox Computing - Assignment Example

Task one Information Technology (IT) is essential to global development and its use is deeply ingrained into our systems that its full potential mustbe tapped solely for legitimate purposes. The advent of information technology has facilitated interconnection between public and private institutions making information available at real time and transactions to be concluded and transmitted within seconds (Francalanci, 2010). However, the expediency and convenience offered by IT is similarly subject to abuse if adventurous individuals or entities and malicious intentions are to prosper thus appropriate measures should be undertaken to protect information procured and data harvested against insidious attacks or malevolent acts which could create havoc to the institutions which may lead to financial disaster by interfering with the use or transmission of data and more importantly, introducing or targeting computer servers where data or information are stored (Kapaella, 2003). In instances when attack is attempted or launched against a computer system which caused the breakdown or slowdown of its services, who shall be held liable? It is the task of this paper to examine culpability, if any, of the perpetrators, including the service provider which is parallel to the problem presented by Macrobox, a software supplier, where one of its clients is Staffordshire Pets Inc. (SP) which is engaged in animal testing. In summary, Macrobox alleged that it not only suffered actual damages but also damages on its customer good will due to several DNS attacks launched by activist groups to compel them to cease and desist from providing software services. According to Macrobox, the actual perpetrators cannot be determined although a blogger has been traced to have provided the online guide to successfully hack the Macrobox server not to mention that it has likewise recorded several attempts to invade its system. Under the foregoing circumstances, the blogger by providing online guidance to direct the computer attack or server intrusion and all those persons who may have conspired and confederated with the blogger may be held liable under the Computer Misuse Act 1990 (CMA) as amended by the Police and Justice Act 2006 (PJA) and Serious Crime Act 2007 (SCA) where the following acts were defined as unlawful or criminal acts—unauthorized access to computer material; unauthorized access with intent to commit a further offence; and unauthorized modification of computer material. Section 1 of the CMA provides that in cases of unauthorized access to computer material a person may be found guilty when (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure; and (c) he knows at the time when he causes the computer to perform the function that that is the case. This provision was modified by Section 35 sub-section (2) of the PJA where the phrases were inserted in sub-section (1) in paragraph a to read “…or to enable any such access to be secured” while in paragraph (b) “…or to enable to be secured” however this amendatory provision was again superseded by Section 61 of the SCA by omitting altogether subsection (2). While Section 2 finds a person guilty under unauthorized access with intent to commit or facilitate commission of further offences if it is committed with intent (a) to commit an offence to which this section applies; or (b) to facilitate the commission of such an offence (whether by himself or by any other person); and the offence he intends to commit or facilitate is to be committed on the same occasion as the unauthorized access offence or on any future occasion and it is further stated that guilt may still be adjudged even though the facts are such that the commission of the further offence is impossible. While Section 3 formerly referred to as unauthorized modification of computer material was substituted as unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc. under the PJA. Pursuant to this Section it shall be deemed unlawful if any person knowingly performs an unauthorized act in relation to a computer which shall impair its operation; to prevent or hinder access to any program or data held in any computer; to impair the operation of any such program or the reliability of any such data; or to enable any of the foregoing acts to be done. Section 37 of PJA inserts Section 3A to CMA which essentially provides that a person is equally liable by making, supplying or obtaining articles for use in computer misuse offences when such person makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of unlawful acts earlier specified. So also, a person shall be held liable if any article is obtained with a view to its being supplied for use to commit, or to assist in the commission of the aforementioned unlawful acts. The European Union (EU) Convention on Cybercrime (CoC) buttresses the need for its Member States and other signatory countries to craft legislative measures to prosecute and punish offenders who intentionally access a computer system without right, whether wholly or partially, which is committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system. The illegal acts shall include intentional interception without right through technical means of non-public transmissions of computer data to and from or within a computer system, including electromagnetic emissions; intentional and unauthorized infliction of damage, deletion, deterioration, alteration or suppression of computer data; and intentionally and seriously hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data. There are three areas of concern that will prevent the prosecution of a cybercrime in this case. First is the identification of the perpetuator/s, no sufficient data or any form of identification can be done to positively identify the actual perpetuators of the break-in or hacking of the computer system of Macrobox. Second, is the very nature of the crime itself it is at the moment not clear if the downtime was the consequence of the hacking or if it was attributable to Macrobox lack of protection. Third is the deficiency of Macrobox to diligently protect itself and the information that is left to its care (Barnes, 2001). It should be noted that the mere presence or declaration in a blog cite of an intent to do harm does not necessarily imply the commission thereof if in case the harm did come to pass. Task Two Following the discussion from the previous chapter, this chapter shall discuss the series of evidence discovered by the local press and other violation that Macrobox itself violated in the course of doing its business. Macrobox could be culpable or be held liable for “breach of confidence” by its employees who were exposed when some of its computers were found in a huge bin. The Local Social Services on behalf of the abused children can also hold Macrobox liable for “breach of confidence” when their personal details were exposed during the same time the Macrobox computers were found by journalists. Macrobox’ failure to protect information that has been entrusted by its employees and customers is a violation of the provisions of the Data Protection Act of 1998. Evidence Against Macrobox The following are indicative of Macrobox culpability (1) Collating huge range of information related to its staff members that are not essential to its business or central to the employees’ performance of their duties in Macrobox. (2) The discovery of readily readable data is an indication of the failure of Macrobox to implement rudimentary protection such as encryption or passwords to information entrusted to it. (3) The discovery of the two old computers with all the information contained therein is an indication of the lack of security processes or procedures that would properly dispose or destroy information entrusted to it. (4) The number of times its system was hacked is indicative of its lack of security processes to protect information entrusted to it. Central to this is also Macrobox lack of priority to provide protection to information entrusted to it. This was apparent when they opted to spend a lot of money in order to restore their services that would further expose the information entrusted to it instead of protecting the interest of its clients and employees. (5) Failure to act on the intruder alarms or being passive to the alarms that was being sent by its system that detects intrusion. It should be noted that Macrobox does not have any certification as an implementer of any information security framework therefore it is clear that it does not have anything in place at all to protect the data or information in its possession and control (Bing, 2008). Violation of Macrobox The following are the violations of Macrobox: (1) Failure to protect potentially damaging information entrusted by its employees. (2) Failure to protect the damaging information entrusted by the Local Social Services. (3) Failure by Macrobox to diligently protect by providing even rudimentary protection or security procedure to protect private information entrusted to it by its employees and clients. Breach of Confidence For “Breach of Confidence” to settle the following factors should exist; the information being illegally obtained or exposed should be of extreme importance that it has the potential to cause injury or harm if not violate the rights of the owner. The entity that gathered the information was duty bound to provide adequate protection to the information and can only release information if it is in accordance to a set of processes. There was a disclosure to people who are not supposed to have the information in the first place (Health and Safety Executive, 2009). Data Protection Act of 1998 Seventh Principle of the Data Protection Act mandates that diligent implementation of both technical and procedural protection should be undertaken by parties entrusted to keep such information. Protection that would include appropriate measures against loss, destruction or damage should be included (Data Protection Act, 1998). The enormous cost associated in implementing the maximum protection that can be given to information against events that could or may not happen should be balanced with the cost of what is being protected. Risk Assessment is a process that can be utilized to provide this balance to ensure that the right protection is given to the right threat (Liberty, 2009). CONCLUSION It is ironic that in this situation the entity that is most likely to be prosecuted is Macrobox for “Breach of Confidence”. The breach is heavily anchored on Macrobox’s failure to diligently protect itself through its network and its system that ultimately led to the hacking of its own system. The failure of Macrobox, was highlighted with the evidence of its transgressions by the media no less. It was discovered that Macrobox does not have a process at all that will diligently protect the information it was entrusted with. However, Macrobox could argue that it has installed a device that is capable of giving reports of intrusion and to its mind, it can constitute as an attempt to diligently protect itself. A counter argument however is—a device without a process to support it is not a diligent compliance to the requirements (Kapaella, 2003) of the Data Protection Act of 1998 that calls for “both technical and Procedural measures”. It should be noted that COBIT, ITIL and ISO17799 are frameworks that will provide an entity like Macrobox processes that would enable it to protect itself from hackers, malicious software and other similar threats. It can even provide companies like Macrobox with processes that can be adapted to its operation or type of business. However, Macrobox is not following any kind of framework, in order to comply with the requirements of the law, and it is in this context that it can be held culpable for breach of confidence (Davidson, Business Continuity and Data Planning Redundancy). Bibliography Baker, W., Goudie, M., Hutton, A., Hylender, D., Niemantsverdriet, J., Novak, C., et al. (2010). 2010 Data Breach Investigations Report. Retrieved December 29, 2010, from Verizonbusiness.com: http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf Barnes, J. (2001). A guide to Business Continuity Planning. West Sussex: John Wiley & Sons Ltd. Bing, G. (2008). Due Diligence Techniques and Analysis: Critical question for Business Decision. London: British Library. Data Protection Act. (1998). Data Protection Act 1998. United Kingdom Parliament. legislation.gov.uk. Davidson, E. (n.d.). Business Continuity and Data Planning Redundancy. Davidson, E. (2010). Business Continuity and Data Planning Redundancy. Retrieved December 29, 2010, from ehow.com: http://www.ehow.com/way_5379303_business-continuity-data-planning-redundancy.html European Council. 2001. Convention on Cybercrime. [online] Avalaible from http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm [Accessed 30 March 2011] Francalanci. (2010). Measuring the Impact of Investment in Information Technologies on Business Performance. Retrieved July 26, 2010, from Industrial and Electrical Engineering: http://ieeexplore.ieee.org.ezproxy.liv.ac.uk/stamp/stamp.jsp?tp=&arnumber=323458 Health and Safety Executive. (2009, July 7). Breach of Confidence. Retrieved March 17, 2011, from Health and Safety Executive: http://www.hse.gov.uk/enforce/enforcementguide/court/reporting-breach.htm Kapaella, V. (2003, April). A Framework for Incident and Problem Management. Retrieved December 29, 2010, from http://www.kwesthuba.co.za/downloads/02_ins_incident_management_0403.pdf Liberty. (2009, June 15). Overview of the Data Protection Principles. Retrieved March 18, 2011, from Yourrights.org.uk: http://www.yourrights.org.uk/yourrights/privacy/data-protection/overview-of-data-protection-principles.shtml Myhrverg, E. V. (2009). A Practical Field Guide for ISO 9001:2008. Milwaukee: American Society for Quality . United Kingdom. Computer Misuse Act 1990. 1990 c.18. [online] Available from http://www.legislation.gov.uk.ukpga/1990/18/contents [Accessed 30 March 2011] United Kingdom. Police and Justice Act 2006. 2006 c.48. [online] Available from http://www.legislation.gov.uk.ukpga/2006/48 [Accessed 30 March 2011] United Kingdom. Serious Crime Act 2007. 2007 c.27. [online] Available from http://www.legislation.gov.uk/ukpga/2007/27/contents [Accessed 30 March 2011] Read More