Cyber Crime Laws and Legal Framework. DATALAWS Information Technology Law Consultants. Presented by F. F Akinsuyi (MSc, LLM) MBCS


Post on 30-Mar-2015


Page 1: Cyber Crime Laws and Legal Framework

DATALAWS Information Technology Law Consultants

Presented by F. F Akinsuyi (MSc, LLM) MBCS

Page 2: Services

- Computer Crime
- Data Protection
- Electronic and Mobile Commerce Law
- Identity Theft
- Information Security Law and Compliance
- IT Contract Negotiations
- IT Governance incorporating SOX
- Risk Assessments
- Training and Awareness Programs
- Virtual In-House Technology Law Advisory Service

Page 3: Track Presenter

F. Franklin Akinsuyi

- 2 Masters Degrees IT and IT Law
- Over 15 Years Experience
- Internet Banking
- Data Protection
- IT Governance
- Information Security
- E-Government Risk Assessor
- Provided evidence to House of Lords Technical Committee

Page 4: Presentation Outline

- Identify latest trends in computer related crime
- Highlight EU/US legislative reaction to computer crime
- Overview of these legislations
- Review African cyber law landscape
- Propose a cybercrime legislative framework

Page 5: Traditional Computer Crime Activities

- Identity Theft: Fastest growing computer crime trend
- Hacking: Breaking into online and network environments
- Virus Attacks: Infecting computer systems so that they crash
- Phishing: Masquerading to gain passwords of internet banking
- Privacy Breach: Leaking and/or obtaining personal information
- Denial of Service Attacks: Making a system unavailable for use
- Unauthorised Database Access: Typically to gain access to personal information
- Key Stroke Logging: Attaching devices to computers to see what has been typed in to capture passwords, prominently used in financial organisations

Page 6: New Trend Attacking Critical Infrastructure

- New attack strategies with specific intent to bring down critical systems
- Stuxnet discovered in June 2010
- This was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes
- It is also the first known worm to target critical industrial infrastructure
- According to news reports the infestation by this worm might have damaged Iran's nuclear facilities
- Critical infrastructure attacks can come from botnets, making it difficult to identify true source
- In protecting critical infrastructure, we now need to condition our minds to attacks outside of traditional methods

Page 7: US/EU Legislation Examples

- Computer Misuse Act UK 1990
- CALEA US 1994
- Data Protection Directive EU 1995
- Identity Theft Act US 1998
- Digital Millennium Copyright Act US 1998
- Security Breach Legislation US 2002 (California first)
- Federal Information Security Management Act US 2002
- Privacy of Electronic Communications Directive EU 2002
- Sarbanes-Oxley US 2004
- Personal Data and Security Act US 2005
- European Cybercrime Convention (Treaty)

Page 8: Data Protection Directive

Personal data must be processed:

- Fairly and lawfully
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate
- Not kept longer than necessary
- Processed in accordance with the data subject's rights
- Securely
- Not transferred to countries without adequate protection.

Page 9: Personal Data and Security Act US

- Enacted after breaches at ChoicePoint and LexisNexis
- Requires the government to establish rules protecting privacy and security when it uses data broker information, to conduct audits of government contracts with data brokers and impose penalties on government contractors that fail to meet data privacy and security requirements
- Increasing criminal penalties for identity theft involving electronic personal data by:
- Increasing penalties for computer fraud when such fraud involves personal data,
- Makes it a crime to intentionally or wilfully conceal a security breach involving personal data;
- Gives individuals access to, and the opportunity to correct, any personal information held by data brokers;

Page 10: Computer Misuse Act

Three aspects to computer misuse:

- Unauthorised access
- Intent to commit a further offence
- Unauthorised Modification

Page 11: Information Security Laws

- Applicable to public, private and military sectors
- Information security must be mandatory and enforced
- Follow principles of ISO 27001.
- Security breach notifications
- Appropriate sanctions
- Constantly reviewed
- SOX has shown the way

Page 12: Federal Information Security Management Act of 2002

- Comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets;
- provide effective government-wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities;
- provide for development and maintenance of minimum controls required to protect federal information and information systems;

Page 13: Anti-Spam Laws

- Does not go as far as to ban all unsolicited junk mail.
- Demands that spammers use subject lines that identify what is inside their messages
- Bans junk mailers from harvesting e-mail addresses from websites.
- Spam e-mail must include a mechanism that lets people tell the sender that they do not want to receive any more messages.
- Opt-out scheme that means businesses are free to send mail until people say they do not want it.

Page 14: Data Retention Overview

- Geared toward the telecommunications industry, the law requires phone companies and Internet service providers (ISPs) to store information about all customers' phone calls and electronic communications for up to two years
- To ensure data is available for investigation, detection and prosecution of serious crime
- Applies to traffic and location data and related data necessary to identify the subscriber
- Does not apply to the content
- Recognised that it will generate significant costs for electronic communications providers

Page 15: Digital Millennium Copyright Act 1998

Overview

- Makes it a crime to circumvent anti-piracy measures built into commercial software.
- Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.
- Permits the cracking of copyright protection devices, to conduct encryption research, assess product interoperability, and test computer security systems
- Limits Internet service providers from copyright infringement liability for simply transmitting information over the Internet

Page 16: Computer Crime Convention

Sample provisions for computer related offences:

Title 1 – Offences against the confidentiality, integrity and availability of computer data and systems

- Article 2 – Illegal access
- Article 3 – Illegal interception
- Article 4 – Data interference
- Article 5 – System interference
- Article 6 – Misuse of devices

Page 17: Computer Crime Convention

Sample provisions for forensic investigations:

- Title 4 – Search and seizure of stored computer data
- Title 5 – Real-time collection of computer data
- Article 16 – Preservation of stored computer data
- Article 20 – Real-time collection of traffic data
- Article 21 – Interception of content data
- Articles 29-34 – Mutual Assistance

Page 18: African Country Cyber Laws

- Ghana: Electronic Transactions and National Information Technology Agency Act, in the process of developing Data Protection Laws
- Senegal: Legislation to govern the development of ICT covers cyber law, protection of data and electronic transactions
- South Africa: Electronic Transactions Act
- Tunisia: Electronic Exchanges and Electronic Commerce Act
- Nigeria is on the starting blocks “Bills are in the house”

Page 19: Computer Crime Legislative Framework

Diagram: Computer Crime Framework

- Information Security Law
- Lawful Interception
- Computer Misuse
- Electronic Commerce
- Data Retention
- Data Protection

Page 20: Benefits

- Imposes a positive image
- International acclaim for job well done
- Opens itself to possibility of offshore outsourcing
- Foreign investment
- Possibility of new types of business being established
- New job opportunities for graduates

Page 21: Way Forward Other Issues

- Inclusion of information technology law in legal curriculum
- Development of an advanced learning institution to develop and cross train lawyers and law enforcement agencies on information technology and its use in combating crime
- Development of an information technology abuse response team liaising with global response and incident handling teams

Page 22: Food for Thought?

Page 23: Use! Abuse!! Laws!!!

Use!

- Communications device
- Business tool
- Musical Instrument
- Gaming device
- Location device

Abuse!!

- Device to be hacked into
- Identity theft tool
- Terrorist equipment
- Network Sabotage

Laws!!!

- Data Protection
- Privacy of Communications
- Data Retention
- Information Security

Page 24: Contact Us

F. Franklin Akinsuyi
[email protected]
+44 208 854 1391
+44 208 854 9734
[email protected]
www.datalaws.com

COPYRIGHT 2010

Page 25: End Of Session