Legal drivers in cyber security

What are the real drivers for Cyber Security? Certainly not the Data Protection legislation, which while theoretically being enforceable with a fine of up to 500 000 GBP is rarely enforced in this way. Most breaches of that legislation go unnoticed, let alone invoke a sanction. Most businesses will retort that they are concerned about their reputation, but does the truth match the perception?

Sep 04, 2017

Author(s): Dai Davis

Abstract

This article explores the dangers of a lack of security and what businesses can and do suffer as a result of it. Criminal sanctions in the form of the Computer Misuse Act 1990 are examined, as is the civil fining regime of the Data Protection legislation. There is also the possibility under the data protection legislation for an aggrieved individual to claim damages, but as we see this too is a theoretical rather than a practical remedy. We examine the purely economic risk of ‘loss of reputation’ as well as the special case of businesses falling under the remit of the Financial Conduct Authority. The article also examines the implications of a lack of security in the Internet of Things and whether there are legislative or other drivers to make the Internet of Things secure.

Introduction

The law discussed in this article is primarily that prevailing in England and Wales. However, some of the law referred to, for example the CE Marking legislation, applies throughout the European Union. It should be noted, however, that there are significant differences even between Scottish law and that prevailing in England and Wales.

Criminal Law

In the United Kingdom, there are two basic types of law: Criminal law and Civil law. Criminal law is what applies when an individual or corporate entity does something which is seriously wrong. The State may, through the forces of ‘law and order’, discover that wrong and decide to prosecute that person. Obvious examples, to mention but a few, include motoring offences, assault, manslaughter and murder. The purpose behind criminal law is the punishment of the crime and the rehabilitation of offenders. There is a range of punishments, including a monetary fine, a prison sentence, a suspended prison sentence and a community service order. Sometimes the court may award a modest sum of compensation to victims of violence, but that is a secondary consequence, as is the confiscation of the profits from illegal activities such as drug dealing and money laundering.

The most wide-ranging criminal law impacting upon ‘Cyber Security’ is the Computer Misuse Act 1990, which is discussed later in ‘Computer Misuse Act 1990’. In the United Kingdom it is not just the Police who are responsible for investigating crimes and bringing prosecutions. For example, mechanical technology equipment which is employed in the workplace and which is so unsafe as to breach criminal legislation concerned with mechanical safety [1] will generally be prosecuted by the Health & Safety at Work Executive. Local Trading Standards have the primary responsibility for enforcing some of the CE Marking safety legislation, such as regulating technology equipment which is unsafe from an electrical viewpoint [2] or because it interferes with other equipment from the perspective of electromagnetism [3].

Specialist agencies such as the Civil Aviation Authority, the Information Commissioner (see ‘How important is the legislation?’), the Financial Conduct Authority, HM Revenue & Customs, the Department of Work & Pensions and the Environment Agency may also prosecute within their specialist domains.

In England and Wales there is rarely (an example of an exception being prosecution for inciting racial hatred [4]) a monopoly given to the State to prosecute. It is normally possible for a private prosecution to be brought in lieu of the State, although in those circumstances the State still retains the power to take over the prosecution.

To the two basic types of law, criminal and civil, must now be added a third type, termed ‘quasi crime’. This is a civil penalty in the form of a fine which, if not paid, will invoke the criminal sanction of the court. A good example of this third category is a data protection fine, discussed in ‘How important is the legislation?’.

Civil Law

Civil law concerns itself with the righting of wrongs as between opposing parties, whether individuals or companies. Civil actions provide for the wronged entity to sue the other for compensation. A further remedy may be a court order (an injunction) preventing the continuation of the wrong: if the injunction is breached, the wrongdoer may be brought before the court and the miscreant punished for the criminal wrong of contempt of court. The ultimate sanction available to the court for any contempt of court is imprisonment.

Civil law can generally be divided into two categories: contract and tort. In the context of cyber security, a contract, for instance between a manufacturer and a component supplier, may provide for many things. The component supplier may make a number of technical promises about the quality of the component which it is supplying. Where the supplier breaks a promise, the manufacturer may sue for the damages incurred as a consequence of the supply of sub-standard components. That may include not just the cost of obtaining components of the correct quality, but also the costs associated with a product recall or even loss of profits. For these reasons, suppliers often seek to limit their liability flowing from a breach of contract (the extent to which this can be done is the subject of a textbook; in short, in many instances a limitation is valid only if it passes a test of ‘reasonableness’).

As an example of the sort of contractual claim that can arise out of a cyber-security incident, consider the breach suffered by Target Corp., based in Minneapolis, just before Christmas 2013. Target is a discount retailer in the United States and one of the 50 largest companies in the United States. The breach is reported to have affected up to 110 million people. It included, in the case of 40 million customers, the customer names, credit and debit card numbers, expiration dates and the security code numbers (so-called CVV code numbers) of the cards. This is one of the world's largest cyber-security breaches to date in terms of the number of customer records lost, involving some 40 million credit and debit card accounts. It affected shoppers between 27th November and 15th December 2013. Affected banks have reportedly already paid out some $200 million to date, and are scrutinising their contracts with Target with a view to recouping their losses [5]. In fact, some estimates have put the potential damages far in excess of this amount. Some analysts have said that the minimum cost which a bank will incur in having to replace a customer's compromised card is $100. Added to that is a further $10 for the cost of Target's promise to ensure that those customers have free credit monitoring and identity theft protection for a year. That makes 40 000 000 × $110 = $4.4 billion as an estimate for Target's total loss. That, of course, is only the direct loss to the banks. In addition, customers may claim damages for their own direct losses; there are reports of at least 70 class action lawsuits already initiated against Target. The estimate also excludes the cost of loss of reputation.

A tort is the technical name for an actionable legal wrong. Torts include the laws of defamation, nuisance and, most importantly, negligence. Negligence can be briefly defined as failing to take reasonable care to avoid injuring those whom it may reasonably be foreseen would be injured by that failure. In the context of the cyber security example of a component supplier, suppose the end product is a ‘smart meter’ for a utility such as gas supply. A failure, such as a gas leak, could cause injury not just to the householder in whose home the smart meter is installed, but to anyone in the vicinity. A failure to take reasonable care in designing or manufacturing a component which led to a gas explosion would make the supplier of the component liable.

There is a complex relationship between the concept of ‘negligence’ and standards. Some standards are so old that if a supplier were to follow them, he would be negligent. While that is not true of a modern standard, the mere fact that a supplier fails to follow a standard does not necessarily make him negligent: there are often many ‘reasonable’ ways to make a product, and if the supplier follows any one of them he will not be negligent.

Where there is potential for a negligently designed product to cause personal injury, this will provide a powerful driver for manufacturers and suppliers to ensure adequate safety. A further impetus to make products that are safe is the even more stringent liability introduced by product safety legislation. Product liability legislation stems from a 1985 European Union Directive to harmonise the laws of the Member States. The essential principle of product liability is that where damage is caused by a defect in a product, the producer is liable to compensate the injured party.

It appears from the wide definition given to ‘product’ under the legislation that computer software falls within this definition, although this fact has not yet been judicially settled. In any event, that question is not really relevant, since the product in which the computer software resides, for instance a smart meter or other electronically programmed device, is clearly a product that is caught by the legislation. Under the Product Liability legislation, a defect will be present in a product if the product is not as safe ‘as persons generally are entitled to expect’. Conversely, if a product is as safe ‘as persons generally are entitled to expect’, it will not contain a defect. In this context, safety relates not only to whether the product will kill or injure people (or animals) but also encompasses any risk of damage to property. In practice, this standard is relatively high, since people expect a high level of safety. In any event, it is a far higher requirement than the obligation to take ‘reasonable’ care in the law of negligence.

Computer Misuse Act 1990

Overview of the Act

The Computer Misuse Act 1990 criminalised computer hacking and introduced the offences of unauthorised access, unauthorised access with intent to commit or facilitate commission of further offences and unauthorised modification of computer material. The first offence of unauthorised access is punishable by 12 months’ imprisonment and a fine of up to £5 000. The second offence of unauthorised access with intent to commit or facilitate commission of further offences is punishable with a maximum penalty of 5 years’ imprisonment and an unlimited fine. The third and most serious offence under the Computer Misuse Act is that of causing an unauthorised modification of the contents of any computer. It is punishable with up to 10 years’ imprisonment and an unlimited fine and applies to the simple modification of data or programs, the destruction of data or programs or the circulation of viruses.

Application of the Act

The Computer Misuse Act 1990 is one of the most badly drafted pieces of criminal legislation on the statute books. This is because it criminalises actions that ought never to have been criminalised. A simple cyber security example can be used to illustrate this. Take a pre-programmed smart card that is given to you by your hotel. When you arrive back at the hotel later that evening, perhaps a little ‘worse for wear’, you cannot remember precisely which is your hotel room. Should you swipe your card against the incorrect room, trying to gain access to what you believe is the correct room, you will have committed not only the first offence under the Act but also the more serious third offence. The hotel's access control computer will have recorded the attempt to enter the incorrect room (to be fair, this depends upon the configuration and sophistication of the hotel's access control system, but it is certainly true of more sophisticated systems). The fact that you did not intend to enter the incorrect room is not relevant; the only intention that the law needs is that you intended to swipe the door locking mechanism, not knowing whether it was your room or not.

The reality is that the Computer Misuse Act 1990 covers almost any misdemeanour imaginable which can be classified as a cyber-security ‘breach’. Consider any of the following, all of which will involve a breach of the Act, either directly or indirectly:

  • The creation or dissemination of a computer virus. This includes malicious software of all types, including that which wrongly and unknowingly collects data about an individual before transmitting it back to a hacker, who can perhaps then use that data as part of an identity theft felony. However, for these purposes, a ‘virus’ can be thought of as any code which does something unusual that the installer does not permit or expect. The computer misuse legislation would also catch a piece of software that is impossible for most people to remove because of the manner in which it installs itself.
  • Any ‘app’ that does more than it appears to do, or more than it obtains permissions for. For example, the ‘Jackeey Wallpaper’ app which targeted Android devices, collected a user's phone number, subscriber identification, and even voicemail phone number and sent that data to an unknown destination in China.
  • The next ‘big thing’ in the Internet is undoubtedly the ‘Internet of Things’ or the ‘Internet of Everything’ as it is sometimes termed. This is a reference to the ability for simple objects to be connected to the Internet. However, without adequate security, those objects can be hacked into and the computer data and software within them modified. As an example, consider the hacking of a baby monitor that is not properly secure, such as the ‘Foscam’ baby camera [6]. This is a good example of what can happen when a remote controlled ‘internet of things’ device is not sufficiently secure. See the discussion ‘The Internet of Things’.

Prosecutions?

The mere collection of data on one's own computer system, however, is not an offence under the Computer Misuse Act. To be an offence under the Computer Misuse Act, the offender must be using another computer system which he does not control. At the time of writing, the trial of Andy Coulson and Rebekah Brooks for allegedly hacking the telephone of the murdered schoolgirl Milly Dowler is continuing. However, they have not been charged under the Computer Misuse Act 1990. Rather, they are charged under Section 1 of the Regulation of Investigatory Powers Act 2000 with ‘conspiring to intercept communications in the course of their transmission without lawful authority’. In an initial decision before the trial itself, the Court of Appeal [7] held that, given the wide definition of this phrase in the Act, ‘transmission’ in this context includes ‘storage’.

The Computer Misuse Act has extraterritorial effect. The English courts may apply the Act to hackers who are based overseas but whose actions are directed at and affect computers located in the UK. However, in practice, the police do not prosecute under the Act. It simply falls into the ‘too difficult’ or ‘too expensive’ category. Consider that you are a Chief Constable with limited resources: how much money would you spend on ‘computer crime’ rather than on ensuring that the ‘streets are safe’? So, while millions of computers in England are attacked in breach of the Act each day, few attackers are ever prosecuted. Even where a prosecution could take place under the Act, it seems that, in the United Kingdom, we cannot find the money to do so even in very high profile cases: consider the story of Gary McKinnon [8]. After a long battle to avoid extradition to the United States after allegedly hacking into various military systems in the United States, his extradition was eventually refused in 2012 by the Home Secretary, Theresa May. This was after a long and ultimately successful campaign by his supporters, many of whom complained that, if he had committed an offence in the United States, he had also committed an offence in England and should therefore be prosecuted here.

In practice, the best policy is ‘prevention’ rather than ‘cure’. Therefore, it is essential that users of all information technology equipment ensure that proper firewalls are put in place. While that is possible with ‘large’ devices like servers and laptops, it becomes increasingly difficult the smaller the device. There are some partial solutions for mobile telephones, but ‘Bring Your Own Device’ policies are fraught with danger because security is an afterthought: by definition ‘Bring Your Own Device’ starts from the premise that a user wants to use an item that is a ‘fashion’ item. In the case of the Internet of things, the user is left entirely in the hands of the manufacturer. If even military systems such as drones are insecure [9], what hope is there for commercial systems?

Many crimes are committed which fall within the wide scope of the Computer Misuse Act, yet in practice that criminal legislation provides no real protection for businesses, let alone individuals.

Impact of data protection legislation

Data protection in context

Most people associate data protection with the Data Protection Acts, most recently the Data Protection Act 1998, which is the national instantiation of European legislation. However, it should be appreciated that the Act is merely one means, albeit an important means, by which an individual or company can seek to protect data. Other methods, which are sometimes relevant, include Intellectual Property rights such as the law of confidence (which seeks to protect confidential commercial information), patent rights (which may prevent the use of certain information without the permission of the patent owner) and database rights. Under this Database Rights Legislation [10], the creator of a database has the right to prevent the extraction or re-utilisation of the whole or a substantial part of the contents of the database. The legislation applies to databases created on or after 1 January 1998.

Where does the data protection legislation come from?

In the United Kingdom, the first data protection legislation, the Data Protection Act 1984, stems not from membership of the European Union, but from the United Kingdom's membership of the European Court of Human Rights. The more recent Data Protection Act 1998 stems from a European Community Directive of 1995 [11]. The purpose of the Data Protection Directive is to provide a ‘common market’ throughout the European Union for data protection. By abiding by the legislation, the ‘benefit’ is that no member State can prevent data flowing freely within the European Community on the grounds that another European country does not have as strong protection of data as it does. In practice, large differences do exist between the various member States. For example, in Scandinavia criminal prosecutions for breach of the Data Protection legislation are far more common than in the United Kingdom, where they are a rarity.

Furthermore, there have been a series of cases culminating in the Court of Appeal decision in the case of Durant v Financial Services Authority [12] which have somewhat limited the legislation by narrowing the concept of what may be regarded as ‘personal data’ in some circumstances in the United Kingdom. However, that case does not have any application outside the United Kingdom. At the time of writing, the European Union is attempting to harmonise the legislation across Europe, to a greater degree, by enacting a Data Protection Regulation. Unlike a Directive, which requires country-specific instantiation, a Regulation has direct effect across the whole of Europe.

How important is the legislation?

Most breaches of the Data Protection Act go unnoticed. When they are noticed, there is often a public outcry, but little else changes. In particular, there is little practical means of obtaining financial redress against a person who breaches the Data Protection legislation. This is because the primary means of enforcement of the legislation is a civil court case. However, the costs of bringing such a case in the United Kingdom vastly exceed the amount of damages which would be obtained as a result of court enforcement. Take, for example, the case of HFC Bank (then a subsidiary of HSBC Bank), which in September 2004 e-mailed 2600 people. However, instead of blind copying the recipients, it accidentally carbon copied all the recipients, so all 2600 could see one another's e-mail addresses.

The matter was further compounded because some customers had their automatic ‘out of office’ responses on, which responded to all 2600, giving them further personal details. HFC Bank immediately apologised and credited the affected customers' accounts with £50 compensation. There was still an outcry by disgruntled customers. In fact, £50 compensation was reasonable for the wrongful publication of the e-mail addresses. Certainly, there are no reported cases of any customers suing HFC Bank for greater damages.

To the general statement that the existing legislation is largely toothless, there are four main exceptions. It is these exceptions which can be considered to be the real drivers behind compliance with the Data Protection legislation.

  • The Financial Conduct Authority (the ‘FCA’): Where a company is regulated by the FCA, the FCA has power to apply an unlimited fine for breaches of the Data Protection legislation. The predecessor to the FCA, the Financial Services Authority, had even let it be known that, in appropriate cases, it would consider imposing criminal sanctions against individuals within organisations where they were shown to be in breach. Although the Financial Services Authority had a history of enforcing the Data Protection legislation (e.g. in February 2007, Nationwide Building Society was fined £980 000 for issues arising out of a stolen laptop; in January 2008, Norwich Union was fined £1.26 million for administrative failures leading to a data breach), its successor, the FCA, has yet to show much appetite to do so, having concentrated more on the direct regulation and policing of the financial markets.
  • Existing criminal offences: The primary criminal offence under the Data Protection legislation applies where an organisation fails to register under the Data Protection Act. Although, in theory, a mistaken registration can also lead to criminal proceedings, the registrar has never been known to prosecute anybody who simply makes a mistake in registration. Indeed, if he did so, he would probably end up prosecuting potentially every company in the land: registration is almost impossible to effect with complete accuracy in most organisations, where many individuals may be involved in the collection, use and dissemination of personal data. Even where registration is initially relatively accurate, most organisations hardly ever regularly review whether new uses of that data are covered by their data protection registrations, or amend those registrations. There is a further offence under the legislation for wrongfully trading in data (Section 55 of the Data Protection Act). This offence is used from time to time against, for example, miscreants in the Driver and Vehicle Licensing Agency or Police authorities who purport to sell details of drivers and motor vehicles by wrongly accessing the DVLA database.
  • New legislation: The Criminal Justice and Immigration Act 2008 contained a new section 77 which permits the Secretary of State to increase, by way of a statutory instrument, the general offence of wrongfully trading in data (Section 55 of the Data Protection Act 1998). Section 77 provides for a maximum penalty of two years plus an unlimited fine, as opposed to the current maximum of an unlimited fine but not imprisonment. However, this power has not been exercised by the government.
  • The power of the Information Commissioner: The Information Commissioner is responsible for the enforcement of the data protection legislation. As has already been noted, the Data Protection Act 1998 does in fact provide for some criminal enforcement. The Information Commissioner has from time to time prosecuted those who fail completely to register, such as second-hand car dealers, financial advisers and even plumbers [13]. However, the Information Commissioner has a very limited budget and is unable to enforce the legislation comprehensively through prosecutions.

Rather the Information Commissioner must cajole people into complying with the legislation through the issue of good practice guides. One recent improvement from the Information Commissioner's perspective is that the Information Commissioner has had the power, since 6th April 2010, to levy civil fines (while the distinction is mostly academic, it is unclear whether this fine is of a criminal or a civil nature) of up to £500 000. Some 6 months later the Commissioner flexed his muscles, fining Hertfordshire County Council £100 000 for sending details of child abuse cases to the wrong recipients. At the same time, he also fined the employment firm A4e £64 000, for losing an unencrypted laptop, containing details of some 24 000 individuals. To date, the Information Commissioner has fined some 100 organisations, the majority of those being public bodies such as Local Authorities and NHS Trusts. One reason for this is that public bodies feel obliged to report security breaches. However, there is no duty to do so. What the Information Commissioner does not know about, he cannot punish.

These offences can be committed as easily in cyberspace as in the physical world. Where an app aimed at the English market collects personal data about English citizens, the data controller should register under the Data Protection Act 1998. If he fails to do so, the probability of the data controller actually being prosecuted is minimal where most of its assets are overseas. This is because it will be regarded as a ‘difficult’ case by the Information Commissioner and he will seek an easier target. The difference is simply that the Information Commissioner has insufficient resources to police cyberspace to any meaningful degree. The exceptions are those situations where there is political or public pressure which forces him to do so. An example is the data security breach by Sony. In April 2011, owing to ineffective security measures in its PlayStation Network Platform, Sony allowed hackers to obtain access to the personal information of millions of customers, including their names, addresses, dates of birth, account passwords and, potentially, payment card details. Some reports suggested as many as 77 million PlayStation users worldwide were affected. In January 2011, the Information Commissioner imposed a £250 000 fine. Although Sony initially said that it would appeal the £250 000 fine, it has since stated that it would not, since to do so would be to reveal sensitive details about its network security!

Despite the fine imposed on Sony, relatively few fines have been issued against purely commercial organisations. A freedom of information request showed that of 29 fines issued from 2011 to 2013, only five were against commercial organisations. Why? The reason is that the Information Commissioner, in common with most underfunded, overworked public enforcement bodies, concentrates on easy targets. In this context, public authorities and NHS Trusts are easy targets since they are unlikely to mount a robust defence. Also, the type of data that the ICO has been concerned with in these organisations – data about vulnerable children, medical records and criminal convictions – is the sort of data which is clearly sensitive and ought to be securely protected.

When it comes to private companies with real clout, the United Kingdom Information Commissioner has been much more cautious. So, to use another cyber security example, despite the wrongful acquisition of Wi-Fi data by Google when sending cars out to roam the British streets to collect data for Google maps, the United Kingdom Information Commissioner has not taken any robust action. In comparison, other countries, such as France, Switzerland and Germany have all taken significant enforcement action.

Brief overview of the legislation

The most important principle of the legislation is that one must register with the United Kingdom Information Commissioner: what personal data is collected and from where; how that personal data is processed and to whom that personal data is disclosed. Registration requires completion of a multiple choice application form. It is then necessary to abide not only by the registration details that one has filed but also by the eight Data Protection Act principles. In summary, these principles are as follows:

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained for a specified and lawful purpose.
  3. Personal data shall be adequate, relevant and not excessive for the purpose for which it is processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data shall be kept for no longer than is necessary for the required purpose.
  6. Personal data shall be processed in accordance with the legislation.
  7. Appropriate technical and organisational measures shall be taken against unauthorised processing and against accidental loss or destruction of the personal data.
  8. Personal data shall not be transferred outside the European Economic Area unless the recipient country has an adequate level of data protection legislation.

A full discussion of these principles is outside the scope of this paper. However, the most important from a cyber-security perspective, is the seventh principle. The full principle is that the data controller (i.e. the company processing the personal data) must take ‘appropriate technical and organisational measures … against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data’. The principle is to be interpreted having regard to:

  • the state of technological development;
  • the cost of implementing any measures;
  • the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
  • the nature of the data to be protected.

The overriding principle is that the security measures adopted must be ‘appropriate’.

In the context of cyber security, some obvious conclusions can be drawn:

  • The security of a system should be regularly reviewed. LinkedIn is one example of a well-known company caught out by having out-of-date security [14];
  • More security should be offered where the loss of data might cause greater damage, for example as with credit card or identity data; and
  • More security should be offered where the data is more sensitive, for example, in respect of health data.

Rights of a data subject

Individual’s entitlement to information

An individual is entitled to be informed by a data controller whether that data controller is processing personal data about that individual. Where the data controller is processing personal data about an individual, that individual (the data subject) is entitled to be given:

  • a description of the personal data of which that individual is the data subject;
  • a description of the purposes for which the personal data is being or is to be processed;
  • a description of the recipients or classes of recipients to whom the personal data may be disclosed;
  • a copy of the personal data of which that individual is the data subject; and
  • any information available to the data controller as to the source of that data.

Procedure to be followed where a data subject requires information

The data subject must request the information in writing and must pay the fee requested by the data controller (the fee is subject to a statutory maximum – which is currently £10). The data controller is entitled to demand reasonable evidence of the identity of the data subject. A data controller should consider this entitlement seriously, since the data controller would be in breach of the Act if he releases information about a data subject to the wrong individual.

Where a data controller has complied with one request for information from a data subject, he is not required to comply with a second request from the same data subject until a reasonable time after the first request.

There are some exceptions to the right to obtain data, in the fields of health, education and research.

Data subject's right to prevent processing generally

A data subject can require the data controller to stop processing data about himself. To do so, the data subject must send a written notice to the data controller giving reasons as to why the processing of the data is causing or would cause him or her ‘unwarranted’ substantial damage or substantial distress. Within 21 days the data controller must state in writing that he will comply with the data subject's notice or else state why he regards the data subject's notice as unjustified and the extent (if any) to which he intends to comply with it. If the data subject and the controller continue to disagree, either party can ask the Court to decide who is right and whether the data controller must stop processing that data. This is subject to exceptions such as where the data subject has already consented to the processing or where the processing of the data is necessary for the performance of or as a preliminary to a contract with the data subject.

A data subject has further rights to require that a data controller stops processing his Personal Data for the purpose of direct marketing and related to automated decision-taking.

Data subject's rights as legal driver

Do the rights of a data subject matter in the context of cyber security? The answer is a resounding ‘no’. The reality is that an individual has no real financial interest in claiming an abuse of his data. The reason is that the damages the individual would receive are greatly outweighed by the costs of bringing such an action. Even where an individual has suffered real financial hardship, perhaps through identity theft, the individual will invariably be well advised not to claim damages. In the case of identity theft or abuse of stolen credit card details, the greatest challenge faced by an individual is being able to show that a given data breach led to the individual's loss. Usually that will be insurmountable. How can an individual show that a given breach, no matter how well publicised, caused the loss suffered by that individual?

Consider again the example of the cyber-security breach suffered by Target Corp. mentioned in ‘Computer misuse’. The contract claims mentioned in that section do not take into account the effects of the loss of names, phone numbers, email addresses and mailing addresses of as many as 70 million customers in the same successful attack. It is unlikely that any of those customers would sue for damages if the incident had happened in the United Kingdom, as for example with the Sony breach mentioned in ‘Data subject's right to prevent processing generally’. In the United States, class actions are much more common, as indeed is the case with Target. However, in such cases in the United States, the plaintiffs can almost never have an award of costs made against them, even if they lose the case. In the United States therefore, even without legislation equivalent to the United Kingdom Data Protection legislation, it would appear that redress is likely, but that is not the case in the United Kingdom, where litigation costs are high compared to the damages likely to be awarded. Therefore, civil claims arising out of data breaches could be regarded as a driver for cyber security in the United States, but less so in the United Kingdom, and for similar reasons in Europe generally.

Privacy law

In 2000, the Human Rights Act 1998 came into force and incorporated the European Convention on Human Rights into English law. Article 8.1 requires the judiciary to have regard to the right to respect for an individual's private and family life, home and correspondence when making judgments. There have been some recent cases which tend towards increasing the respect for an individual's private life. However, it has yet to emerge as a driver for cyber security.

Loss of reputation

For many commercial entities, of greater importance than a fine is the possibility of a loss of reputation. Indeed, that is the primary driver for most businesses to comply with the data protection legislation and, more generally, to take cyber security seriously. A simple web search for the words ‘cyber-security breach’ immediately brings up household names, including ‘E-bay, Facebook, Linked In, Twitter, Adobe, AOL, Monster.com and even the security firm RSA’.

Where the cyber-security breach is caused by a third party, such as an outsourcing service provider or a cloud service provider, a good publicist may well be able to deflect some of that bad publicity. Press releases often blame others in the supply chain when ‘things go wrong’, and a publicist faced with a client company which has suffered a cyber-security ‘loss’ behaves no differently.

What is perhaps more interesting is whether, in reality, companies suffer any real loss of reputation. While there is no doubt that companies fear a loss of reputation following a security breach, the reality is that this may not actually occur.

Take for example the incident involving Target described in ‘Civil law’. There have been many reports of the potential loss of profit which Target may suffer as a result of the security breach. For example, many banks are reportedly suing Target as a result of the breach. The claims from the banks are not for loss of profit, but rather for direct losses, such as those associated with having to warn customers about credit and debit cards whose details have been stolen and issuing replacement cards. However, it is less clear whether Target is actually losing customers. There was an initial dip in Target's turnover of about 3%. However, looking at Target's continuing turnover figures, there is little evidence to show that the company is suffering from any continuing actual loss of reputation [15].

Internet of Things

The Internet of Things, or as it is sometimes called, the Internet of Everything, is still in its infancy. The Internet of Things allows objects to be connected. The key to the Internet of Things is the coming together of three technologies: low power usage; unique internet addressability, which has arrived in the form of Internet Protocol version 6 (IPv6), the latest means of uniquely identifying computers connected to the Internet; and a means of near field communication such as radio-frequency identification (RFID) or devices using the Bluetooth or ZigBee protocols. RFID is a means of communicating between a wireless tag and a base station using an electromagnetic field; RFID tags are often used in shops to prevent theft of goods that have not been sold. ZigBee is a standard for transmitting information over short distances using miniature, low power digital radios, based on the IEEE 802.15 standard.

Classic examples include airport baggage having electronic tags attached to ensure that bags are placed on the correct planes, the Google car and Samsung's smart fridge that will warn you when you are running out of milk. That there is real money in the Internet of Things cannot be denied. For example, Google Inc. bought the company Nest Labs Inc. for $3.2 billion in February 2014. Nest collects data about the actual power usage in a home and about weather forecasts in order to reduce power usage. However, these examples involve ‘large’ ‘things’. The true potential of the Internet of Things will only be reached when smaller everyday objects such as clothing (e.g. Nike+ and Samsung Gear bracelets to track your exercise routine) and even crockery are ‘connected’.

Organisations have different predictions for the precise growth of the Internet of Things. However, they all agree that the growth will be enormous. Consultancy company Gartner has reported that by 2020 there will be some 26 billion Internet of Things devices [16], while ABI research predicts 30 billion devices [17]. Not all these devices will be as secure as they should be. Even today there have been stories regarding the insecurity of Internet of Things devices. For example, at the beginning of 2014 an internet-connected fridge was discovered to have been hacked with malware and used to send out spam e-mails [18].

In the future, cyber-security breaches will occur in ‘Internet of Things’ devices, which may have a more direct effect on people's lives. In a world in which many objects are connected, there are many more diverse applications. At the moment, there are already devices such as the Philips Motiva, which monitors certain physical parameters in patients with chronic conditions and transmits the associated data to their healthcare providers. This is clearly a safety-related device. Although there is nothing to suggest that these devices have not been designed with security in mind, more worrying is the fact that in the latest versions of these systems the data can be collected and disseminated via Android ‘smart phones’. Such devices are for the most part wholly insecure. At the moment some 62% of all mobile devices being sold are Android devices. According to a survey by TrendMicro, less than 6½% of those devices have the most current version of the operating system available. The majority of users fail to update the operating system. Even that assumes that the device manufacturer updates the operating system and makes it available to the user. In July 2013 HTC reached an agreement in a civil case brought by the United States Federal Trade Commission for failing to do just that.

Why would anyone want to hack into such a system to damage health data collected in such a way? There have always been people who would: consider the rare but not unknown cases of nurses who have murdered patients, all of whom seem to have been dubbed ‘Angels of Death’ in the press [19]. Certainly, former United States Vice President Dick Cheney had the remote wireless feature of his heart pacemaker disabled to protect against a remote assassination attempt [20].

In 2013 and 2014, a baby monitor manufactured by Foscam had inadequate security. As a result, a hacker was easily able to break into the device, download photographs and was eventually found out when he shouted ‘Wake up baby’ at the sleeping child [21].

At the moment, the consequences of most cyber-security breaches are an invasion of an individual's virtual security. In the future, a breach of the security of an Internet of Things device will often, unfortunately, lead to an invasion of an individual's physical security. Once this occurs, it will become a powerful driver for real cyber security and individuals will demand much more robust protection.

References

  1. ‘The Supply of Machinery (Safety) Regulations 2008 (2008 No. 1597)’, http://www.legislation.gov.uk/uksi/2008/1597/made, accessed June 2014.
  2. ‘Directive 2004/108/EC of the European Parliament and of the Council of 15 December 2004 on the approximation of the laws of the Member States relating to electromagnetic compatibility’, http://www.eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32004L0108, accessed June 2014.
  3. ‘The Electromagnetic Compatibility Regulations 2006 (2006 No. 3418)’, http://www.legislation.gov.uk/uksi/2006/3418/regulation/4/made, accessed June 2014.
  4. ‘An example of an exception being prosecution for inciting racial hatred under Part 3 of The Public Order Act 1986’, http://www.cps.gov.uk/legal/p_to_r/racist_and_religious_crime/#a06, accessed June 2014.
  5. ‘Banks suing Target over data breach’, http://www.hexiscyber.com/news/hot-topics/banks-suing-target-over-data-breach, accessed June 2014.
  6. ‘Security Flaw Makes Baby Monitors Appear Possessed’, http://www.geekosystem.com/hacked-baby-monitors/, accessed June 2014.
  7. ‘Coulson & Anor v R [2013] EWCA Crim 1026 (28 June 2013)’, http://www.pitiableness3.rssing.com/browser.php?indx=3369136&item=8082, accessed June 2014.
  8. ‘Gary McKinnon’, http://www.en.wikipedia.org/wiki/Gary_McKinnon, accessed June 2014.
  9. ‘Pentagon Looks to Fix ‘Pervasive Vulnerability’ in Drones’, http://www.wired.com/2012/12/darpa-drones/, accessed June 2014.
  10. In the United Kingdom, the Copyright and Rights in Databases Regulations 1997 (S.I. 1997 No. 3032) which implement Council Directive 96/9/EC of the European Union on the Legal Protection of Databases. http://www.daidavis.com/intellectual-property/database-protection-rights/, accessed June 2014.
  11. ‘Data Protection Directive, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data OJ L 281, 23/11/1995 P.0031-0050’, http://www.eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:31995L0046, accessed June 2014.
  12. ‘2003, EWCA Civ 1746’, http://www.bailii.org/ew/cases/EWCA/Civ/2003/1746.html, accessed June 2014.
  13. ‘Enforcement’, http://www.ico.org.uk/enforcement/prosecutions, accessed June 2014.
  14. ‘Lax Security at LinkedIn Is Laid Bare’, http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html?pagewanted=all&_r=0, accessed June 2014.
  15. ‘Target Corporation’, http://www.en.wikipedia.org/wiki/Target_Corporation#2013_Security_Breach, accessed June 2014.
  16. ‘Gartner Says the Internet of Things Installed Base Will Grow to 26 Billion Units By 2020’, http://www.gartner.com/newsroom/id/2636073, accessed June 2014.
  17. ‘More Than 30 Billion Devices Will Wirelessly Connect to the Internet of Everything in 2020’, https://www.abiresearch.com/press/more-than-30-billion-devices-will-wirelessly-conne, accessed June 2014.
  18. ‘Fridge sends spam emails as attack hits smart gadgets’, http://www.bbc.co.uk/news/technology-25780908, accessed June 2014.
  19. ‘10 Serial-Killing Nurses’, http://www.listverse.com/2013/09/16/10-serial-killing-nurses/, accessed June 2014.
  20. ‘Wireless feature disabled on pacemaker to stop hackers from assassinating Cheney’, http://www.networkworld.com/article/2225609/microsoft-subnet/wireless-feature-disabled-on-pacemaker-to-stop-hackers-from-assassinating-cheney.html, accessed June 2014.
  21. ‘Man Hacks Monitor, Screams at Baby Girl’, http://www.nbcnews.com/tech/security/man-hacks-monitor-screams-baby-girl-n91546, accessed June 2014.
Dai Davis

Principal, Percy Crow Davis & Co.