A STUDY ABOUT AWARENESS OF CYBER LAW  IN UK

This article is written by Komal Prabhakar, an intern under Legal Vidhiya.

“In protecting the U.K. from cyber-attack, we are not starting from zero.”

                                                                                                                      –George Osborne’s

   (Announcement to Increase U.K. Cyber Security)

INTRODUCTION

The way we interact, work, and live has been completely transformed by the internet. The growth of the digital age has brought along new difficulties, such as online fraud and cybercrime. As a result, the UK government has put in place a number of cyber regulations to safeguard people and businesses from these dangers. These regulations have changed throughout time to reflect the shifting technological environment. The UK has been at the forefront of digital innovation, but with the rise of cybercrime, the country must also ensure that its legal system is equipped to deal with the challenges posed by the digital age. This study examines the level of cyber law awareness among UK citizens, businesses and organizations, and seeks to shed light on the gaps that exist in our understanding of this complex legal landscape. From data protection and online privacy to intellectual property and e-commerce regulations, this study delves deep into the legal intricacies of the digital world, and highlights the need for greater awareness and education to ensure a safe and secure online environment for all.

EARLY CYBER LAWS IN THE UK

1. COMPUTER MISUSE ACT 1990[1] – The earliest cyber laws in the UK can be traced back to the Computer Misuse Act 1990. This act was introduced to tackle the growing problem of computer-related crime by criminalizing unauthorized access to computer systems. The act made it illegal to gain access to a computer system without permission, to modify computer data without authorization, and to create or distribute computer viruses. The act also introduced penalties for those found guilty of these offenses, including fines and imprisonment.

• DATA PROTECTION ACT 1998[2] – Another important early piece of cyber legislation in the UK was the Data Protection Act 1998. This law was designed to control how companies and organisations utilise customers’ personal information. It required organizations to register with the Information Commissioner’s Office (ICO) and to comply with a set of data protection principles. The act also granted people the right to see their personal data and, if required, ask that it be updated or omitted. The misuse, falsification, unlawful use, or unlawful acquisition of personal data, as well as information modification to prevent disclosure to the data subject, are all cybercrimes covered by the DPA 2018. The Data Protection Act of 2018 (DPA 2018) guarantees that UK citizens have the freedom to know how their data is used by UK organisations and governmental agencies and to seek the deletion, updating, or reuse of their data, as well as to object to how it is handled.

• PECR (PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS)[3]– The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) regulate privacy rights for electronic communication networks and services in the UK in compliance with the Data Protection Act and the UK-GDPR. PECR makes it illegal to send automated and recorded marketing messages through phone, email, fax, or text without the subscriber’s authorization and plays a significant role in preserving the security of UK communication services, consumer privacy, and location data. Furthermore, it controls the use of tracking cookies.

Despite these early efforts, cybercrime continued to grow in the UK, and new laws were needed to address the changing nature of the threat.

CURRENT CYBER LAWS IN THE UK

1. AMENDED COMPUTER MISUSE ACT 1990– Today, the UK has a range of cyber laws in place to protect individuals and businesses from cybercrime. These include the Computer Misuse Act 1990, which has been amended several times to keep up with the changing nature of cybercrime. The act now covers a wide range of offenses, including hacking, denial of service attacks, and the creation and distribution of malware. Penalties for these offenses range from fines to imprisonment, depending on the severity of the offense.

• GDPR[4]– Another important piece of cyber legislation in the UK is the General Data Protection Regulation (GDPR), which came into effect in May 2018. The GDPR applies to all businesses and organizations that process personal data and requires them to comply with a set of data protection principles. The regulation also gives individuals greater control over their personal data, including the right to access it, to have it corrected, and to have it deleted. Failure to comply with the GDPR can result in significant fines, up to 4% of a company’s global turnover. The UK-GDPR acknowledges seven key principles for how businesses handle personal data:
• Legality, equity, and transparency
• purpose restriction
• Data compression
• The accuracy 
• Storage Restrictions
• Integrity and security (confidentiality)
• Accountability

• CYBER ESSENTIALS SCHEME– In addition to these laws, the UK government has also launched a number of initiatives to help businesses and individuals protect themselves from cybercrime. These include the Cyber Essentials scheme, which provides a set of basic security controls that businesses can implement to protect themselves from common cyber threats.

• NIS REGULATIONS, 2018[5]– The Network and Information Systems (NIS) Regulations of 2018, which were adapted from the EU Cybersecurity Directive before Brexit, are one of the most important pieces of cybersecurity legislation in the UK. The NIS Regulations’ main goal is to “detect and manage the threats to the security of network and information systems in an acceptable and proportional manner.” While cybersecurity is the main concern, it also covers non-cyber dangers like black outs, disruptive incidents, or network failures brought on by natural disasters.

• TELECOMMUNICATIONS (SECURITY) ACT 2021[6]– The Telecommunications (Security) Act is a stringent, comprehensive law that governs the network security against cyberattacks of all mobile carriers in the UK. It came into force in November 2021, with full implementation scheduled by March 2024. The National Cyber Security Centre assists Ofcom in developing and enforcing the new regulations, which follow the Communications Act of 2003. The motivations to safeguard the software, hardware, and data processed by networks and services are covered, as is how telecommunications carriers acquire infrastructure and services like 5G networks.

• UK eIDAS (ELECTRONIC IDENTIFICATION AND TRUST SERVICES FOR ELECTRONIC TRANSACTIONS REGULATIONS 2016)[7] – The Electronic Identification and Trust Services for Electronic Transactions Regulation, or eIDAS Regulation, governs UK services that authenticate electronic records and documents and verify the identities of UK residents as well as their businesses online. The eIDAS Regulation is a legal framework that specifies what service providers must do to become eligible to act as trusted service providers for electronic signatures, time stamps, digital documents, and certificate services. An organization’s reputation and its customer’s ability to trust it with the validity and verification of its electronic data are demonstrated by the presence of a trust service certificate.

RECENT CYBER LAWS IN THE UK

1. WannaCry ransomware attack[8]– Despite these measures, cybercrime continues to be a significant threat in the UK, and there have been a number of high-profile cyber law cases in recent years. One of the most notable was the WannaCry ransomware attack in May 2017, which affected thousands of businesses and organizations around the world, including the UK’s National Health Service (NHS). The attack was caused by a vulnerability in Microsoft Windows, which had been exploited by hackers to spread the malware. The attack highlighted the need for businesses and organizations to take cybersecurity seriously and to implement appropriate measures to protect themselves from cyber threats.

• Facebook–Cambridge Analytica data scandal[9]– Another recent case was the Facebook/Cambridge Analytica scandal, which saw the personal data of millions of Facebook users being harvested without their consent and used for political purposes. The scandal led to increased scrutiny of data protection practices and the role of social media companies in the political process.

• R v. Thompson– In R v. Thompson, the Kuwaiti appellant cheated a bank by ordering it to credit a number of English bank accounts. Although the access was permitted, it was nonetheless exploited in an illegal manner. Application of the Theft Act of 1968 was desired. Identification of the victim and jurisdiction (Kuwait or England) were the main issues. The court determined that identifying a human victim is a requirement before the Theft Act can be applied. However, in this instance, a computer system rather than a human mind was tricked. This demonstrated how inadequate the current judicial system was to handle situations where a computer was the actual victim of a crime rather than merely a facilitator.

• R v. Gold and Schifreen[10]-In R v. Gold and Schifreen, some people were able to access the files on the British Telecom Prestel Network by looking over the shoulder of the authorised person who had input the login and password. The Forgery and Counterfeiting Act of 1981 was used to bring charges against the defendants. The court determined that the use of recorded electronic material did not meet the criteria for a “false instrument,” and so the accused cannot be prosecuted under the aforementioned Act. As a result, the accused’s actions do not fall under the Forgery and Counterfeiting Act’s purview. The verdict, in this case, demonstrated that modern crimes (cybercrimes) cannot be punished in accordance with established criminal legislation.

FUTURE CYBER LAWS IN THE UK

Looking to the future, cyber laws in the UK are likely to continue to evolve to keep up with the changing nature of cybercrime. One area of focus is likely to be the Internet of Things (IoT), which is expected to see a significant growth in the coming years. The IoT refers to the network of devices, vehicles, and appliances that are connected to the internet, and which can be controlled remotely. As the number of IoT devices grows, so too does the potential for cyber-attacks.

To address these threats, the UK government has launched a number of initiatives, including the Secure by Design code of practice, which aims to improve the security of IoT devices. The government has also established a new National Cyber Security Centre, which is responsible for providing advice and guidance on cybersecurity issues.

CHALLENGES FACED BY UK

1. GLOBAL NATURE OF CYBERCRIME – Despite these initiatives, there are still significant challenges facing cyber laws in the UK. One of the biggest challenges is the global nature of cybercrime, which means that criminals can operate from anywhere in the world. This makes it difficult for law enforcement agencies to track down and prosecute cyber criminals.

• RAPID SHIFT IN TECHNOLOGY – Another challenge is the rapid pace of technological change, which means that cyber threats are constantly evolving. This makes it difficult for cyber laws to keep up, and means that new laws and regulations are needed to address emerging threats.

• ETHICAL HACKING-The regulation of ethical hacking, which is legally prohibited under the act since it classifies all non-consensual system access as a criminal offence, regardless of cybersecurity benefits, is the most frequent issue raised by the legal provisions of the Computer Misuse Act 1990[11]. Although it has since been revised, the Computer Misuse Act of 1990 is more than 30 years old, and UK organisations and corporations argue that it unintentionally hinders the work of ethical hackers. Operating within the parameters of the regulation presents challenges for penetration testers, cyber threat analysts, and cybersecurity researchers. Updated provisions of the law that more clearly distinguish between ethical and harmful hacking may be beneficial. Although this act does not provide much room for cybersecurity professionals to engage in ethical hacking, no instances of UK cybersecurity teams being fined for ethical hacking have been documented to date.

• NO CERT OR CSIRT – Although there is no national CERT (computer emergency response team) or CSIRT (computer security incident response team) in the UK, the NCSC plays a vital role in educating UK businesses and organisations about reporting cyber events and offering technical support and recommendations but still it is not able to reach people at large.

IMPACT OF BREXIT ON CYBER LAWS IN THE UK

The UK’s decision to leave the European Union is likely to have an impact on cyber laws in the UK. The GDPR will still apply to UK businesses that process the personal data of EU citizens, but the UK will no longer be able to influence the development of EU cyber laws. The UK may also need to negotiate new agreements with other countries to ensure that it can continue to collaborate on cybersecurity issues.

IMPORTANCE OF CYBER AWARENESS

One of the key challenges of cyber law is the lack of awareness and understanding among the general public. Many people are not aware of their rights and responsibilities in the digital world, and as a result, they may inadvertently put themselves at risk. For example, they may share sensitive information online without realizing the potential consequences. This is why cyber law awareness is so important. By educating people about the risks and regulations of the digital world, we can help to create a safer and more secure online environment for everyone.

CYBER LAW AWARENESS IN UNITED KINGDOM:

1. MORE AWARENESS, LESS RESPONSIBILITY – According to Ipsos Mori’s 2017 Cyber Security Tracker, a growing awareness of cybercrime has not been matched by a corresponding rise in the notion that protecting one’s online identity is a personal obligation or a rise in protective behaviour.

• LACK OF CONCERN – The attitude that “it is someone else’s responsibility to protect my online security” shows lack of care. According to BritainThinks’ 2017 Qualitative Tracking Research, 72% of customers agree that businesses should give them the resources they need to safeguard their online reputation, privacy, and security. According to research based on focus groups with decision-makers and SME employees, employees firmly think that someone else in their organization—not themselves—is in charge of cyber security.

• VICTIMLESS CRIME – People frequently believe that being a victim of cybercrime will solely result in financial loss, which is consistent with the idea that cybercrime is just another type of financial fraud. However, in contrast to other types of fraud, there is a common perception that banks will compensate victims without question. Because of this, victims frequently don’t think of themselves in this way, and for many, cybercrime is seen as having no victims.

• NOT SEEN AS REAL CRIME – According to BritainThinks’ Cyber Behaviours and Financial Fraud Messaging Research from 2017, underreporting of cybercrime may occur because people don’t view it as a “real crime” and believe there is no value in informing authorities about events. Qualitative research has also revealed that it is difficult for consumers and SMEs to comprehend the advantages of reporting cybercrime to law enforcement or other pertinent parties. Business owners in particular worry that reporting may harm their reputation and connections with clients and customers.

• GENERAL FINDINGS – In October 2019, Statista published the results of a poll on the awareness of cybercrime dangers in the United Kingdom (UK). During the survey period, it was discovered that 47% of participants said they felt largely knowledgeable about the dangers of cybercrime. 9 percent of respondents felt completely uninformed on the subject during the evaluation period, while 23% felt really poorly informed.

• RAISING AWARENESS – About 10% of Slovenian primary schools will receive blended learning instruction via the UK government LMS programme eCampus in order to guarantee the adoption of efficient and contemporary teaching techniques. We conducted a preliminary study to determine the level of knowledge that each set of learners already has before developing appropriate e-content that was tailored to their needs. We also conducted a great deal of theoretical study in the area.

COMPARISON WITH OTHER COUNTRIES

The UK is not alone in its efforts to tackle cybercrime, and there are a number of other countries that have implemented strong cyber laws. The United States has a range of federal and state cyber laws, including the Computer Fraud and Abuse Act and the Cybersecurity Information Sharing Act. The European Union has also introduced a range of cyber laws, including the GDPR and the Network and Information Systems Directive.

However, there are also many countries that have weaker cyber laws, or no cyber laws at all. This creates a global patchwork of cybersecurity standards, which can make it difficult for businesses to operate across borders.

CONCLUSION

The evolution of cyber laws in the UK has been driven by the need to protect individuals and businesses from cybercrime. While early laws focused on criminalizing unauthorized access to computer systems, today’s laws cover a wide range of offenses, including hacking, malware, and data protection. Looking to the future, cyber laws are likely to continue to evolve to keep up with the changing nature of cybercrime, with a particular focus on the Internet of Things. However, there are still significant challenges facing cyber laws, including the global nature of cybercrime and the rapid pace of technological change. Despite these challenges, the UK remains committed to tackling cybercrime and keeping its citizens safe online.

---

[1]S. 4|Computer Misuse Act 1990 (United Kingdom)

[2] S. 5|Data Protection Act 1998 (United Kingdom)

[3] S.4| The Privacy and Electronic Communications (EC Directive) Regulations 2003 (United Kingdom)

[4] C.2| General Data Protection Regulation (GDPR) (United Kingdom)

[5] S.2| The Network and Information Systems Regulations 2018 (United Kingdom)

[6] S.10| Telecommunications (Security) Act 2021 (United Kingdom)

[7] S.3 | The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (United Kingdom)

[8] Linda Rosencrance, WannaCry ransomware, https://www.techtarget.com/searchsecurity/definition/WannaCry-ransomware , last seen on 18/04/2023

[9] Case study: Facebook–Cambridge Analytica data breach scandal, Fotis Law Firm, available at https://fotislaw.com/lawtify/case-study-on-facebooks-data-breach/ , last seen on 17/04/2023

[10] R v Gold and Schifreen 2 WLR 984 (1988, House of Lords)

[11] Ibid, at 1