Information Technology, Security and the Law

Cyber Crime Laws and Legal Framework
DATALAWS, Information Technology Law Consultants
Presented by F. F. Akinsuyi (MSc, LLM) MBCS

Services

Computer Crime
Data Protection
Electronic and Mobile Commerce Law
Identity Theft
Information Security Law and Compliance
IT Contract Negotiations
IT Governance incorporating SOX
Risk Assessments
Training and Awareness Programs
Virtual In-House Technology Law Advisory Service
Track Presenter

F. Franklin Akinsuyi
Two Master's degrees (IT and IT Law)
Over 15 years' experience
Internet Banking
Data Protection
IT Governance
Information Security
E-Government Risk Assessor
Provided evidence to the House of Lords Technical Committee
Presentation Outline

Identify the latest trends in computer-related crime
Highlight the EU/US legislative reaction to computer crime
Overview of this legislation
Review the African cyber law landscape
Propose a cybercrime legislative framework
Traditional Computer Crime Activities

Identity Theft: fastest growing computer crime trend
Hacking: breaking into online and network environments
Virus Attacks: infecting computer systems so that they crash
Phishing: masquerading as a trusted party to obtain internet banking passwords
Privacy Breach: leaking and/or obtaining personal information
Denial of Service Attacks: making a system unavailable for use
Unauthorised Database Access: typically to gain access to personal information
Keystroke Logging: attaching devices to computers to record what has been typed and so capture passwords; prominently used in the financial sector
New Trend: Attacking Critical Infrastructure

New attack strategies with the specific intent of bringing down critical systems
Stuxnet was discovered in June 2010
It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes
It is also the first known worm to target critical industrial infrastructure
According to news reports, infection by this worm may have damaged Iran's nuclear facilities
Critical infrastructure attacks can come from botnets, making it difficult to identify the true source
In protecting critical infrastructure, we now need to condition our minds to attacks outside of traditional methods
US/EU Legislation Examples

Computer Misuse Act, UK 1990
CALEA (Communications Assistance for Law Enforcement Act), US 1994
Data Protection Directive, EU 1995
Identity Theft and Assumption Deterrence Act, US 1998
Digital Millennium Copyright Act, US 1998
Security Breach Notification Legislation, US 2002 (California first)
Federal Information Security Management Act, US 2002
Privacy and Electronic Communications Directive, EU 2002
Sarbanes-Oxley Act, US 2002
Personal Data Privacy and Security Act, US 2005 (bill)
Council of Europe Convention on Cybercrime (Budapest Convention, 2001)
Data Protection Directive

Personal data must be:

Processed fairly and lawfully
Processed for limited purposes
Adequate, relevant and not excessive
Accurate
Not kept longer than necessary
Processed in accordance with the data subject's rights
Kept secure
Not transferred to countries without adequate protection
Personal Data Privacy and Security Act US

Introduced in the US Senate following the breaches at ChoicePoint and LexisNexis
Requires the government to establish rules protecting privacy and security when it uses data broker information, to conduct audits of government contracts with data brokers, and to impose penalties on government contractors that fail to meet data privacy and security requirements
Increases criminal penalties for identity theft involving electronic personal data by increasing the penalties for computer fraud when such fraud involves personal data
Makes it a crime to intentionally or wilfully conceal a security breach involving personal data
Gives individuals access to, and the opportunity to correct, any personal information held by data brokers
Computer Misuse Act

Three offences under the Act:
Unauthorised access
Unauthorised access with intent to commit a further offence
Unauthorised modification
Information Security Laws

Applicable to the public, private and military sectors
Information security must be mandatory and enforced
Follow the principles of ISO 27001
Security breach notifications
Appropriate sanctions
Constantly reviewed
SOX has shown the way
Federal Information Security Management Act of 2002

Provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets
Provides effective government-wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities
Provides for the development and maintenance of minimum controls required to protect federal information and information systems
Anti-Spam Laws

Do not go as far as banning all unsolicited junk mail
Demand that spammers use subject lines that identify what is inside their messages
Ban junk mailers from harvesting e-mail addresses from websites
Require spam e-mail to include a mechanism that lets people tell the sender that they do not want to receive any more messages
Opt-out scheme, meaning businesses are free to send mail until people say they do not want it
Data Retention Overview

Geared toward the telecommunications industry, the law requires phone companies and Internet service providers (ISPs) to store information about all customers' phone calls and electronic communications for up to two years
To ensure data is available for the investigation, detection and prosecution of serious crime
Applies to traffic and location data and related data necessary to identify the subscriber
Does not apply to the content of communications
Recognised that it will generate significant costs for electronic communications providers
Digital Millennium Copyright Act 1998 Overview

Makes it a crime to circumvent anti-piracy measures built into commercial software
Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software
Permits the cracking of copyright protection devices to conduct encryption research, assess product interoperability, and test computer security systems
Limits Internet service providers' liability for copyright infringement when they simply transmit information over the Internet
Computer Crime Convention

Sample provisions for computer-related offences:
Title 1 – Offences against the confidentiality, integrity and availability of computer data and systems
Article 2 – Illegal access
Article 3 – Illegal interception
Article 4 – Data interference
Article 5 – System interference
Article 6 – Misuse of devices

Computer Crime Convention

Sample provisions for forensic investigations:
Title 4 – Search and seizure of stored computer data
Title 5 – Real-time collection of computer data
Article 16 – Expedited preservation of stored computer data
Article 20 – Real-time collection of traffic data
Article 21 – Interception of content data
Articles 29–34 – Mutual assistance
African Country Cyber Laws

Ghana: Electronic Transactions Act and National Information Technology Agency Act; in the process of developing data protection laws
Senegal: legislation to govern the development of ICT covers cyber law, protection of data and electronic transactions
South Africa: Electronic Communications and Transactions Act
Tunisia: Electronic Exchanges and Electronic Commerce Act
Nigeria is on the starting blocks: “Bills are in the House”
Computer Crime Legislative Framework

Components of the Computer Crime Framework:
Information Security Law
Data Protection
Electronic Commerce
Data Retention
Computer Misuse
Lawful Interception
Benefits

Projects a positive image
International acclaim for a job well done
Opens the country to the possibility of offshore outsourcing
Foreign investment
Possibility of new types of business being established
New job opportunities for graduates
Way Forward: Other Issues

Inclusion of information technology law in the legal curriculum
Development of an advanced learning institution to develop and cross-train lawyers and law enforcement agencies on information technology and its use in combating crime
Development of an information technology abuse response team liaising with global response and incident handling teams
Food for Thought?

Use! Abuse!! Laws!!!

Use:
Communications device
Business tool
Musical instrument
Gaming device
Location device

Abuse:
Device to be hacked into
Identity theft tool
Terrorist equipment
Network sabotage

Laws:
Data Protection
Privacy of Communications
Data Retention
Information Security
Contact Us

F. Franklin Akinsuyi
+44 208 854 1391
+ 44 208 854 9734
www.datalaws.com
COPYRIGHT 2010
End Of Session