The Criminal Justice (Offences Relating to Information Systems) Act 2017 (the Act) came into force on 12 June 2017 yet David Young is the first person to be charged under the legislation. He is 28 years old and from Cork. He is charged of committing nine offences. It is important to remember that Mr Young has just been charged at this point so we will need to wait to see if he is prosecuted.
He was charged by the Garda National Cyber Crime Bureau of:
- hacking into a computer parking system in September 2018;
- interrupting the functioning of an information system at the Vodafone Data Centre between May 2018 and September 2018;
- operating a computer with the intention of making a gain for himself and others and causing a loss to others between May 2018 and September 2018; and
- making a demand by threatening to release information from 12,000 accounts of ParkMagic Mobile Solutions customers in September 2019.
With the ever-increasing numbers of cyber breaches and data breaches, it is to be hoped that we will see more charges brought by the Garda National Cyber Crime Bureau.
The Act was implemented to give effect to the EU Cybercrime Directive and help prosecute cybercrime by creating specific offences. It was designed to update Irish legislation with respect to such crimes. Previous legislation referred to ‘unlawful use of a computer’ which did not provide adequate address for cybercrime.
Sections 2 and 3 of the Act provide:
“2. A person who, without lawful authority or reasonable excuse, intentionally accesses an information system by infringing a security measure shall be guilty of an offence.
3. A person who, without lawful authority, intentionally hinders or interrupts the functioning of an information system by—
(a) inputting data on the system,
(b) transmitting, damaging, deleting, altering or suppressing, or causing the deterioration of, data on the system, or
(c) rendering data on the system inaccessible,
shall be guilty of an offence.”
What is not apparent from first view of the alleged actions of Mr Young are the ramifications of these breaches:
- It is not clear whether, in each situation, personal data was accessed or breached;
- If so, were data subjects affected?
- If they were, what was the risk to those data subjects?
- Were notifications required to the Data Protection Commission and / or data subjects?
- Were funds stolen and needed to be traced?
- Were funds stolen from third parties?
- What costs were incurred by the organisations impacted for legal, PR, IT forensics or otherwise?
- Did these organisations face claims for the cyber or data breaches?
- Did these organisations have a cause of action against any of its providers with respect to the breaches?
What is important to remember is that data and cyber breaches can result in a myriad of issues, all of which need to be considered immediately. It is critical that organisations have cyber breach, data breach and disaster recovery protocols and policies in place to follow in such situations.
Cyber and data breaches are consistently increasing. If an organisation suffers a cyber or data breach, it should notify its cyber insurers immediately if they have cyber insurance. If it does not, it should contact a solicitor with experience of dealing with cyber and data breaches.
The Cyber team at Leman Solicitors provide advice with respect to Cyber matters including pre-event management, incident response and post event matters. If you have any queries, please get in touch with Stephen O’Connor at 01 6393000.