In May 2017, the then Tánaiste and Minister for Justice Frances Fitzgerald brought forward new legislation in the form of the Criminal Justice (Offences Relating to Information Systems) Act 2017. She described the act as “landmark legislation in this jurisdiction”, being “the first Irish statute specifically and solely dedicated to cybercrime”.
Chancing your arm
In tandem with advancements in, and an increased reliance on, technology, came recognition that specific laws were needed to address the rise of computer-related offences. As early as 1989, the Council of Europe sought to address the matter, and issued guidelines for member states listing a minimum of eight offences necessary for a uniform criminal policy concerning computer-related crime.
The 1991 Criminal Damage Act was the first piece of legislation in Ireland that addressed computer-related offences, in any form, by criminalising the offence of hacking. Section 5 of the act defined, for the first time in Irish law, the offence of “unauthorised accessing of data”, making it an offence for “a person who without lawful excuse operates a computer (a) within the State with intent to access any data kept either within or outside the State, or (b) outside the State with intent to access any data kept in the State”.
Property was defined as including data, and ‘data’ was defined as meaning information in a form that could be accessed by means of a computer and included a program.
It is clear from the wording that the offence is extremely wide in its application. Firstly, it is immaterial whether the offender succeeds in accessing data. Rather unusually for Ireland, this is an ‘attempt’ offence, which is complete whether or not the offender does in fact access any data.
When one considers the sparsity of prosecutions under section 5, an issue with the previous law on hacking becomes clear. Its status as a summary offence made it difficult to prosecute. The limited 12-month time frame within which the prosecution must be initiated was problematic.
The Garda Computer Crimes Investigation Unit, which deals with such investigations, often require months to properly establish and reconcile the internet protocol (IP) addresses in cases. Given the often complex and technical nature of such investigations, it is clear that this time frame was unsatisfactory in some cases.
Stop the lights
Prior to evaluating the new offence created by the 2017 act, let us first consider the directive to which it gives effect.
The objective of Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems is the approximation of the criminal law of the member states in the area of attacks against information systems, by the establishment of minimum rules regarding the definition of offences, relevant sanctions, and improved cooperation.
The directive recognises that information systems are a key element of political, social, and economic interaction and, to ensure the safety of the common market, such systems must be protected through an effective comprehensive framework of prevention measures accompanying criminal law responses to cybercrime.
The directive comprises five categories of offences. The first category, stipulated by article 3 of the directive, refers to illegal access to information systems, namely the offence of hacking.
The offence involves intentionally accessing, without right, the whole or any part of an information system by infringing a security measure. This article must be considered in conjunction with paragraph 11 of the directive, which provides that criminal penalties be applied by member states for cases “which are not minor”.
It provides clarity on when a case may be considered minor – for example, “where the damage caused by the offence and/or the risk to public or private interests, such as to the integrity of a computer system or to computer data, or to the integrity, rights or other interests of a person, is insignificant or is of such a nature that the imposition of a criminal penalty within the legal threshold or the imposition of criminal liability is not necessary”.
Further, the offender must infringe a security measure in the commission of the offence. The most commonly encountered security measures used to prevent or hinder illegal or unauthorised access to an information system are passwords, access codes, and encryption codes.
The Criminal Justice (Offences Relating to Information Systems) Act 2017 is a welcome move towards a more consolidated approach to cybercrime. Section 2 of the act has repealed the offence of hacking contained in section 5 of the 1991 act. It has also introduced a new definition of ‘information system’ and ‘data’, both of which replicate the definitions set out in the EU directive.
Section 2 provides that it shall be an offence for a person, without lawful authority or reasonable excuse, to intentionally access an information system by infringing a security measure.
Therefore, to establish an offence, the prosecution must prove that the accused accessed an information system, with intent, by circumventing a security measure, and that he did so without lawful authority or reasonable excuse. It is evident that the newly enacted offence corresponds closely with the provision contained in the directive.
Section 2 applies where the person carrying out the offence is in Ireland, and also where the data is located in the jurisdiction but the person committing the offence is located outside Ireland. Significantly, the 2017 act also increases the penalties that may be imposed for an offence under section 2.
Section 8 provides that, on summary conviction, the court may impose a fine of up to €5,000 or a term of imprisonment not exceeding 12 months, or both. The commission of the offence can also now be the subject of a prosecution on indictment.
Anyone buying or selling?
What is the effect of these changes in practical terms?
Let us consider the following scenario, where ‘P’, an employee of XYZ Ltd, is authorised to access certain information on the company’s server.
P uses his password and login details on the company computer to access information for which he is not authorised. He downloads it and provides this information to a third party, who uses it to steal clients from the business. Has P committed an offence?
Under the previous law in Ireland, it is arguable that P committed an offence. However, if we consider the elements of section 2 of the 2017 act, it would appear that he has not committed a crime.
Firstly, P has lawful authority to access the information system. Secondly, he has not infringed a security system to gain such access. The scope of the original hacking offence has, therefore, been considerably restricted.
When considering the actions of P, one must wonder whether it is indeed appropriate that such action would not be the subject of a criminal offence. The previous approach to unauthorised access was extremely broad. In the drafting of the new offence, the legislature has sought to limit the scope to cases involving the circumvention of code-based restrictions, such as a password gate, before criminal liability would be triggered. Clearly, this was the premise on which the provisions of the 2013 directive were framed
Indeed, the criminal justice system may not be the appropriate response to P in our above scenario. The scope of a criminal offence should not be so broad as to allow its intrusion into what amounts to a potential breach of employment law or data protection law. The availability of civil remedies to deal with P’s wrongdoing may offer the most suitable avenue for redress.
The requirement for an offender to infringe a security system before triggering criminal sanctions may allow for a fairer application of the offence. It may also serve to encourage individuals and businesses to protect their privacy in the way most likely to be technically effective, by creating effective firewalls and password schemes to protect unwanted access to data.
I’ll look into it
There is little doubt that, following decades of inactivity, it is a welcome step forward that Ireland has finally enacted a single unifying piece of legislation dedicated to dealing with cybercrime.
The 2017 act is a long overdue and necessary addition to the law’s capacity to tackle new waves of cybercrime.
The State is clearly cognisant of the need for legislation and action to address the problems of cybercrime and, together with the publication of the National Cyber Security Strategy and the establishment of the National Cyber Security Centre, Ireland is acknowledging that cybercrime investigation and prevention is a national priority.
Of course, legislation alone is not a panacea for cybercrime, nor indeed any form of criminality. Criminal sanctions can only ever be one weapon in the armoury of preventing and responding to hacking attacks.
Increased public awareness of the risks, provision of appropriate training, and employment of adequate security systems are essential protections for individuals and businesses.