You've been hacked - what are the legal issues?

We don’t want to be over-legalistic or moralistic. But paying a hacker and covering over the problem could turn out to be more damaging to you and your customers than dealing properly with the issue.

You've been hacked - what are the legal issues?

Eden Legal really does not like hackers. We have had some interesting times on Twitter, usually starting with one of us stating “There is no such thing as white hat”.

We don’t want to be over-legalistic or moralistic. We know, you run a business and if someone did get hold of a database and threaten to publish it online, it might be easier to “thank them” and pay them off, avoiding bad publicity and knowing that you already have enough on your plate in terms of auditing and rebuilding your systems. Problem solved.

Not really.

What are the issues here?

1. Hacking is a crime

Under the UK Computer Misuse Act 1990, the following are offences:

  • Unauthorised access to computer material (which includes attempts to gain access and need not be directed at any particular data or computer) (section 1);
  • Unauthorised access with intent to commit or facilitate commission of other offences (section 2); and
  • Unauthorised acts with intent to impair operation of a computer (section 3).

These are serious offences that may carry sentences of fines and/or imprisonment.

2. Blackmail is also a crime

In the UK, the offence of blackmail is set out in the Theft Act 1968. Under the Act, blackmail consists of making an unwarranted demand with menaces with a view to making a gain or causing a loss. The sentence for blackmail can be up to 14 years imprisonment.

3. Data protection

If you are a public communications provider (telecommunications, ISP etc.) then exposure of personal data by an attack may also be a “personal data breach” (i.e., a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”) which must be notified to the information commissioner, or other relevant data protection authority, and possibly also to users.

Even if you are not obliged to, in case of a major security breach that effects a large number of customers then notifying the data protection authority and enabling users to take steps to limit any consequences for them may be best practice.

In the US during January 2015 new legislation was announced which may also lead to an obligation to notify users of a security breach affecting their data.

4. Does this pass audit?

Are you expecting a VAT invoice? How do you account for the payment?

5. Is this money laundering?

Any payments to the hacker are likely to be “Proceeds of Crime”. Under the UK Proceeds of Crime Act 2002, it is an offence to enter into or become concerned in an arrangement which one knows or suspects facilitates the acquisition, retention, use or control of criminal property… It may be going too far to say that by paying a hacker you should be regarded as being concerned in a money laundering arrangement. After all you are the victim. On the other hand, if your business is the “regulated sector” (which includes banking, investment services, accountancy, tax advisers, estate agents, legal services, cash businesses, casinos etc.) you could be obliged to report the matter to the relevant authorities. Similar offences exist in the area of terrorist financing.

This is why paying off a hacker is a problem. Not only does it embolden them but it also involves you in supporting crime.

Eden Legal tries to be pragmatic and business-like. Eden Legal is not asking you to be like Guzmán el Bueno. In cases like this there is always a price to pay. However, while paying the hacker and covering over the problem may initially seem less painful, it could turn out actually to be more damaging to you and your customers than dealing properly with the issue.


READ THIS NEXT: Someone has complained over libellous statements posted on my website – can I just take them down?