2 Laws and computers
Now that you have a broader understanding of the kind of things that can go wrong, you’ll look at some of the most important laws in the UK that help to protect us against these cyber security threats. These are the Data Protection Act 2018, the Regulation of Investigatory Powers Act 2016, the Computer Misuse Act 1990 and the Fraud Act 2006.
First though, we’ll start with a brief introduction to the UK legal system. If you live outside the UK (or work with a multinational organisation) you’ll also get a chance to find out what legal frameworks exist in your own country. It is still useful to learn about the UK laws so that you can look for the equivalent in your country.
Criminal and civil law
Law in Britain can be broadly divided into two categories:
- Criminal law is concerned with punishing behaviour that is considered unacceptable (murder, serious injury, fraud and so on). The majority of criminal cases are brought by the State against individuals and companies and require a high standard of proof to secure a conviction (‘beyond reasonable doubt’). Criminal cases can punish guilty parties with either fines or imprisonment, depending on the nature and severity of the offence.
- Civil law is concerned with disputes and these are usually brought before the court by individuals. Civil cases concern (among other things) property law, contracts and noise. There is a lower standard of proof (‘on the balance of probabilities’) than with criminal law and punishments are usually financial in nature.
Bills, Acts and Laws
An Act of Parliament is a law that has been approved by the British Parliament (Britain has a second type of law that has not been passed through Parliament known as Common Law).
An Act starts as a draft called a Bill which is debated in the elected House of Commons. If it is approved, the Bill is passed to a specialist committee made up from Parliamentarians for revision. Their changes are discussed further in the House of Commons and possibly revised further.
After a formal vote, the Bill passes from the House of Commons to the House of Lords for further scrutiny and possible amendments. The Lords will vote on the Bill before returning it to the House of Commons which considers their amendments. If the two houses agree (and sometimes they do not), the Bill is given Royal Assent and becomes an Act.
Some Acts take immediate effect, but often there is a delay between enactment and implementation as there may need to be processes put in place in order to achieve compliance.
So a Bill does not become law until it becomes an Act.
Keeping up with threats
It is worth remembering that cyber security is a fast moving area and therefore, legislation is constantly being revised based on new threats and court cases. In particular, the outcomes of trials can result in changes to the interpretation of existing laws as well as prompting creation of new laws. Additionally, because cyber threats are global, they can be affected by legislation from other jurisdictions.
Case study: Gary McKinnon
In 2002, the British hacker Gary McKinnon was accused of ‘the biggest military computer hack of all time’ against US Department of Defence and NASA computer systems, resulting in a demand for his extradition to the United States.
McKinnon fought extradition for 10 years, including an appeal to the House of Lords and the European Court of Human Rights, until the British Government blocked extradition in late 2012. He was not prosecuted in the UK due to the logistics of moving evidence and witnesses from the United States, the passage of time and the difficulties of bringing a case in England and Wales.