wendy-randall
Legal Aspects of Computer System Security
“Security - Protecting Our Resources”
Presentation Contents
• Introduction
• Current Legislation
– Overview
– Data Protection Act 1998
– Criminal Damage Act 1991
– Criminal Evidence Act 1992
• Sources, References and Disclaimer
Introduction
• IT rapidly integrating into society
• International context - US and EU influences
• IT law invades on “traditional” turf
• Lack of clear definition - good or bad?
• Specific and Regular crime
Current Legislation - Overview
• Data Protection Act 1998
– control personal information
– regulate data processing
• Criminal Damage Act 1991
– actual or threatened damage to property
– unauthorised access to computers
– possession with intent to damage property
• Criminal Evidence Act 1992
– regulate admissibility of computerised records into evidence
Data Protection Act 1998
• Background and Origin
• Definitions and Provisions
• Data Protection Crimes
• The Data Protection Commissioner
DPA - Origins
• “designed to provide adequate safeguards to individuals against any abuse of their privacy arising from the automatic processing of personal data concerning them”
• Based on principles of Strasbourg Convention
DPA - Definitions
• Personal Data: data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller.
• Data Subject: person who is the subject of personal data.
• Data Controller: person who controls contents and use of personal data.
• Data Processing: automatic logical operations on data including extraction of constituent data.
• Data: information in a form which can be processed.
DPA - Provisions
• Computerised files only
• Personal Data only
• Exceptions
– security of the State
– must be available by law/court order
– kept by individual for family affairs/recreational purposes
– required urgently to prevent injury or serious loss/damage
– held or processed outside the State
DPA - Provisions II
Requirements of a Data Controller
• Information obtained and processed fairly/lawfully
• Information is accurate and current
• Kept for only 1 or more specified purposes
• Not used or disclosed except for specified purpose
• Relevant and limited to purpose
• Not kept longer than required
• Security against unauthorised access
DPA - Provisions III
Rights of a Data Subject
• Establish the existence of data
• Access to data
• Correct and/or erase data
DPA - Crimes
• Data processor knowingly disclosing personal information without consent of data controller.
• Any person disclosing personal data to a third party without consent of the data controller.
• “a data subject whose data has been attacked or copied by a hacker [may] take a civil action against the data controller. There is clearly a premium, therefore, on each data controller taking all reasonable care in relation to personal data (s)he holds.”
Data Protection Commissioner
• Enforcement Notice
• Information Notice
• Prohibition Notice
• Prosecution
• Prepare Codes of Practice
• Produce Annual Report
• International Assistance
• Maintain Data Protection Register
Criminal Damage Act 1991
• General Points
• Offences under the Act
• Interesting Provisions
• Proof and Defences
CDA - General Points
• Defining criminal activity is difficult
• Evidence is hard to produce
• Legal counsel is invaluable
• Legal notion of “property” extended to include data
• No definition of “computer”
• Computer areas are untested
• Damage of data: add to, alter, corrupt, erase or move or any act that contributes to the above.
CDA - Offences
Damage to Property
• “a person who without lawful excuse damages any property…shall be guilty of an offence”
• Accidental/coincidental damage
• Recklessness
• Damage must be intentional
• Specifically outlaws
– damage to property which endangers life
– damage to property with intent to defraud
• Data damaged within the State by persons outside
CDA - Offences II
Threatening to Damage Property
• “a person who without lawful excuse makes to another a threat intending that that other would fear it would be committed”
• Inability to carry out threat is not a defence
CDA - Offences III
Possession of Anything with Intent to Damage Property
• “a person who has anything in his custody or under his control intending without lawful excuse to use it…to damage property”
• Intentionally broad
• Intent to damage
CDA - Offences III
Unauthorised Access to Data
• Computer specific
• “any person who without lawful excuse operates a computer…with intent to access data…whether or not he accesses any data…shall be guilty of an offence”
• Is all activity criminal?
CDA - Interesting Provisions
• Wide-ranging powers of arrest
• Signs of lack of Garda know-how
• Compensation Order
Criminal Evidence Act 1992
• Hearsay or Real Evidence
• Record generated in the normal course of business, without intervention of humans provided machine is reliable.
• Assumed to be working correctly - Good or bad?
Sources and Reference
• “Information Technology Law in Ireland”, Denis Kelleher & Karen Murray. Butterworth Ireland, 1997. http://www.ncirl.ie/itlaw/
• Government Publications Sales Office
• The Irish Times http://www.ireland.com/
• The Journal of Information, Law and Technology (JILT) http://elj.warwick.ac.uk/jilt/
• CERT http://www.cert.org/
Inevitable Disclaimer
I am not a lawyer!
Although I believe this to be accurate, don’t base a life or death decision on it!
This does not necessarily represent UCD’s views.