Getting ready for the EU Cybercrime Directive

Back in July, the EU formally adopted a directive on attacks against information systems (otherwise known as the “Cybercrime Directive”).

The new Directive aims to tackle the increasingly sophisticated and large-scale forms of attacks on information systems (including increased use of botnets) and is intended to enlarge the scope of criminal offences, increase the level of sanctions and provide a reinforced framework for cooperation between relevant EU agencies, such as Eurojust, Europol, the European Cybercrime Centre, and the European Network and Information Security Agency.

The UK – and other EU countries (except for Denmark, which has decided to opt out of the Directive) – has two years to enact the new Directive into national law.

Criminal offences

The Directive establishes the following criminal offences, where committed intentionally and without authorisation or otherwise permitted by law:

• Illegal access to information systems: accessing the whole or part of any information system by infringing a security measure.
• Illegal system interference: seriously hindering or interrupting the function of an information system inputting computer data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible.
• Illegal data interference: deleting, damaging, altering or suppressing computer data on an information system, or rendering such data inaccessible.
• Illegal interception: intercepting, by technical means, non-public transmissions of computer data to or from an information system.

It will also be an offence intentionally to produce or sell (i) a computer program designed or adapted primarily for the purpose of committing an offence or (ii) a computer password, access code, or similar data by which the whole or any part of an information system is capable of being accessed.

In addition to these offences, it will also be an offence to incite, or aid and abet, another person to commit any of the offences.

Penalties

The Directive implements a scale of criminal penalties from two years in prison to at least five years in cases where the offence is committed within the framework of a criminal organisation, causes serious damage, or is committed against critical infrastructure. Also, where an offence is committed using an innocent party’s personal data this may be regarded as aggravating circumstances.

Organisations as well as individuals may be liable for the criminal offences if: (a) an offence is committed for the organisation’s benefit by any person having a leading position within the organisation; and/or (ii) the lack of supervision or control of a person allows the commission, by a person under the organisation’s authority, of any offence for the benefit of that organisation.

The Directive requires that sanctions for organisations should include fines and may include other sanctions, such as: (i) temporary or permanent disqualification from the practice of commercial activities; (ii) judicial winding-up; and (iii) temporary or permanent closure of establishments which have been used for committing the offence.

Although the cybercrime directive is welcome, only time will tell whether it’s of any use in helping to address the huge increase and variety of cybercrime.  There are some obvious drawbacks, such as that the need to prove intent on the part of a perpetrator, and that offences only apply in “cases that are not minor” – and it’s not clear how this will apply, for example, to non-malicious cases where legal interests are not harmed such as the activities of so-called ethical hackers.

And, of course, the Directive doesn’t solve the more practical problems of preventing and tracking down the perpetrators of cybercrime, which will remain a huge challenge both for affected organisations and the law enforcement authorities.