New Legislation to Tackle Cybercrime

The growing awareness in recent years of the dangers posed by cybercrime and high-profile incidents such as the WannaCry ransomware attack have brought the issue of cyber attacks into sharp focus.

The Irish Government’s National Cyber Security Strategy 2015-2017 promised new legislation on cybercrime to implement European Union Directive 2013/40. It is therefore timely that new legislation in this area, the Criminal Justice (Offences Relating to Information Systems) Act 2017, was recently passed by the Irish Parliament.

Overview of the Criminal Justice (Offences Relating to Information Systems) Act 2017

The Act took effect from 12 June 2017 and modernises Irish law on cybercrime by partially implementing the Cybercrime Directive. In particular, the Act creates a number of specific criminal offences for cybercrime-related activities, such as hacking. The offences carry penalties of up to 5 years' imprisonment, with a stricter penalty of up to 10 years' imprisonment for the main offence of interfering with an information system without lawful authority.

The Act repeals and replaces offences relating to hacking and criminal damage to data, which were previously contained in the Criminal Damage Act 1991, and creates a number of new offences, aimed at tackling the use of ransomware and other cyber security threats.

The offences under the Act are:

  • accessing an information system without lawful authority (Section 2);
  • interfering with an information system so as to hinder or interrupt its functioning (Section 3);
  • interfering with data without lawful authority (Section 4);
  • intercepting the transmission of data without lawful authority (Section 5); and
  • use of a computer programme, password code or data for the purpose of the commission of any of the above offences (Section 6).

The Act strengthens investigatory powers for Gardaí by authorising District Court judges to issue search warrants where the Gardaí have reasonable grounds to suspect there may be evidence relating to the commission of an offence under the Act. Further, the new cybercrime offences are ‘reportable’ offences under Schedule 1 of the Criminal Justice Act 2011. This means that failing to report to the Gardaí information which a person knows or believes might be of material assistance in preventing or investigating a cybercrime is, in itself, a criminal offence.

Comment

Cybercrime is a crime without any frontiers and is one of the greatest emerging security and financial threats to all businesses. A robust system for protecting companies’ data is vital and the Act is a welcome step in the right direction, but there is still more to be done. Not all features of the Cybercrime Directive are contained in the Act; for example, provisions for the urgent exchange of information between Member States were excluded. Not all developments in this area will be legislative, and the National Cyber Security Strategy discusses other important steps towards reducing cybercrime, such as the introduction of a memorandum of understanding between the Department of Justice and Equality and the specialist National Cyber Security Centre. This is an evolving area and future developments will be watched closely by all companies operating in and through Ireland.

By Carina Lawlor, Claire McLoughlin & Karen Reynolds of Matheson.