TRANSCRIPT
Cyber Crime Laws and Legal Framework
DATALAWS Information Technology Law Consultants
Presented by F. F. Akinsuyi (MSc, LLM) MBCS
Services
Computer Crime
Data Protection
Electronic and Mobile Commerce Law
Identity Theft
Information Security Law and Compliance
IT Contract Negotiations
IT Governance incorporating SOX
Risk Assessments
Training and Awareness Programs
Virtual In-House Technology Law Advisory Service
Track Presenter: F. Franklin Akinsuyi
Two Masters Degrees: IT and IT Law
Over 15 Years Experience
Internet Banking
Data Protection
IT Governance
Information Security
E-Government Risk Assessor
Provided evidence to the House of Lords Technical Committee
Presentation Outline
Identify latest trends in computer related crime
Highlight EU/US legislative reaction to computer crime
Overview of these legislations
Review African cyber law landscape
Propose a cybercrime legislative framework
Traditional Computer Crime Activities
Identity Theft: Fastest growing computer crime trend
Hacking: Breaking into online and network environments
Virus Attacks: Infecting computer systems so that they crash
Phishing: Masquerading as a trusted party to obtain internet banking passwords
Privacy Breach: Leaking and/or obtaining personal information
Denial of Service Attacks: Making a system unavailable for use
Unauthorised Database Access: Typically to gain access to personal information
Key Stroke Logging: Attaching devices (or installing software) on computers to record what has been typed in order to capture passwords; prominently seen in financial organisations
New Trend: Attacking Critical Infrastructure
New attack strategies with the specific intent of bringing down critical systems
Stuxnet, discovered in June 2010, was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes
It is also the first known worm to target critical industrial infrastructure
According to news reports, infection by this worm might have damaged Iran's nuclear facilities
Critical infrastructure attacks can be launched from botnets, making it difficult to identify the true source
In protecting critical infrastructure, we now need to condition our minds to attacks outside of traditional methods
US/EU Legislation Examples
Computer Misuse Act UK 1990
CALEA US 1994
Data Protection Directive EU 1995
Identity Theft Act US 1998
Digital Millennium Copyright Act US 1998
Security Breach Legislation US 2002 (California first)
Federal Information Security Management Act US 2002
Privacy of Electronic Communications Directive EU 2002
Sarbanes-Oxley US 2002
Personal Data Privacy and Security Act US 2005 (bill)
European Cybercrime Convention (Council of Europe Treaty, Budapest 2001)
Data Protection Directive
Personal data must be processed:
Fairly and lawfully
For limited purposes
Adequate, relevant and not excessive
Accurate
Not kept longer than necessary
In accordance with the data subject's rights
Securely
Not transferred to countries without adequate protection
Personal Data Privacy and Security Act US
Proposed in Congress after the breaches at ChoicePoint and LexisNexis (the bill was not enacted)
Requires the government to establish rules protecting privacy and security when it uses data broker information, to conduct audits of government contracts with data brokers, and to impose penalties on government contractors that fail to meet data privacy and security requirements
Increases criminal penalties for identity theft involving electronic personal data by:
Increasing penalties for computer fraud when such fraud involves personal data
Making it a crime to intentionally or wilfully conceal a security breach involving personal data
Gives individuals access to, and the opportunity to correct, any personal information held by data brokers
Computer Misuse Act
Three aspects to computer misuse:
Unauthorised access (section 1)
Unauthorised access with intent to commit a further offence (section 2)
Unauthorised modification (section 3)
Note: the Police and Justice Act 2006 replaced the section 3 offence with "unauthorised acts with intent to impair the operation of a computer", which covers denial of service attacks, and added section 3A, which criminalises making, supplying or obtaining articles for use in computer misuse offences
Information Security Laws
Applicable to public, private and military sectors
Information security must be mandatory and enforced
Follow the principles of ISO 27001
Security breach notifications
Appropriate sanctions
Constantly reviewed
SOX has shown the way
Federal Information Security Management Act of 2002
Comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets
Provides effective government-wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities
Provides for development and maintenance of minimum controls required to protect federal information and information systems
Anti-Spam Laws
Do not go as far as to ban all unsolicited junk mail
Demand that spammers use subject lines that identify what is inside their messages
Ban junk mailers from harvesting e-mail addresses from websites
Spam e-mail must include a mechanism that lets people tell the sender that they do not want to receive any more messages
Opt-out scheme: businesses are free to send mail until people say they do not want it
Note: this describes the US model (CAN-SPAM Act 2003); the EU Privacy of Electronic Communications Directive 2002 instead requires prior consent (opt-in) before unsolicited marketing e-mail is sent to individual subscribers
Data Retention Overview
Geared toward the telecommunications industry, the law (EU Data Retention Directive 2006/24/EC) requires phone companies and Internet service providers (ISPs) to store information about all customers' phone calls and electronic communications for up to two years
To ensure data is available for investigation, detection and prosecution of serious crime
Applies to traffic and location data and related data necessary to identify the subscriber
Does not apply to the content of communications
Recognised that it will generate significant costs for electronic communications providers
Digital Millennium Copyright Act 1998 Overview
Makes it a crime to circumvent anti-piracy measures built into commercial software
Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software
Permits the circumvention of copyright protection devices in limited cases: to conduct encryption research, assess product interoperability, and test computer security systems
Limits Internet service providers' copyright infringement liability for simply transmitting information over the Internet
Computer Crime Convention
Sample provisions for computer related offences:
Title 1 – Offences against the confidentiality, integrity and availability of computer data and systems
Article 2 – Illegal access
Article 3 – Illegal interception
Article 4 – Data interference
Article 5 – System interference
Article 6 – Misuse of devices
Computer Crime Convention
Sample provisions for forensic investigations:
Title 4 – Search and seizure of stored computer data
Title 5 – Real-time collection of computer data
Article 16 – Expedited preservation of stored computer data
Article 20 – Real-time collection of traffic data
Article 21 – Interception of content data
Articles 29-34 – Mutual assistance
African Country Cyber Laws
Ghana: Electronic Transactions Act and National Information Technology Agency Act; in the process of developing data protection laws
Senegal: Legislation to govern the development of ICT covers cyber law, protection of data and electronic transactions
South Africa: Electronic Communications and Transactions Act
Tunisia: Electronic Exchanges and Electronic Commerce Act
Nigeria is on the starting blocks: "Bills are in the house"
Computer Crime Legislative Framework
[Diagram: Computer Crime Framework, with the following components]
Information Security Law
Lawful Interception
Computer Misuse
Electronic Commerce
Data Retention
Data Protection
Benefits
Projects a positive image
International acclaim for a job well done
Opens the country to the possibility of offshore outsourcing
Foreign investment
Possibility of new types of business being established
New job opportunities for graduates
Way Forward: Other Issues
Inclusion of information technology law in the legal curriculum
Development of an advanced learning institution to develop and cross-train lawyers and law enforcement agencies on information technology and its use in combating crime
Development of an information technology abuse response team liaising with global response and incident handling teams
Food for Thought?
Use!
Communications device
Business tool
Musical instrument
Gaming device
Location device
Abuse!!
Device to be hacked into
Identity theft tool
Terrorist equipment
Network sabotage
Laws!!!
Data Protection
Privacy of Communications
Data Retention
Information Security
Contact Us
F. Franklin Akinsuyi
[email protected]
+44 208 854 1391
+44 208 854 9734
[email protected]
www.datalaws.com
COPYRIGHT 2010
End Of Session