Ireland: Cybercrime In Ireland - Recent Legislative Developments

Last Updated: 30 January 2013

Article by Pearse Ryan, Andrew Harbison and Claire O'Brien

The Criminal Justice Act 2011 (the "2011 Act") came into effect on 9th August 2011 and was enacted with the aim of granting An Garda Síochána (the Irish national police service) more extensive powers to investigate "serious and complex offences"1 . The main areas which the 2011 Act deals with are the supply of information at investigation, detention, questioning and the summoning of witnesses. Much attention has focused on the 2011 Act as a tool in the fight against white collar crime, a topic of much interest since Ireland's economic crisis. In the press statement released by the Minister for Justice, Equality and Defence, Mr Alan Shatter, it was stated that the 2011 Act is "an important step in delivering on the Government's strong commitment to tackle white collar crime as set out in the Programme for Government".2

This article focuses on the 2011 Act as a tool in the fight against cybercrime, a specific sub-species of white collar crime. While cybercrime may not pose the same threat to national economic well-being as some of the criminal acts, the investigation and accordingly the prosecution of which the 2011 Act was intended to assist, with particular reference to the financial services sector, cybercrime is a material and ever increasing area of criminal activity. Also, it is an area in which the Gardaí were previously severely hampered in their ability to investigate, with a knock-on effect on prosecutions.

This article follows on from an earlier article entitled 'Computer Fraud in Ireland'.3

Purpose of 2011 Act

The problems which the 2011 Act attempts to tackle are problems which potentially both significant delay and potentially hamper the investigation and prosecution of white collar crime. Cybercrime in particular, is frequently orchestrated on a large if not massive scale and in an increasingly complex manner, as technology develops at a rapidly increasing pace.

The level of resources deployed by organisations to secure their IT systems has increased substantially in recent years. Correspondingly, the level of technical sophistication necessary to establish a breach in most organisations' IT networks, and particularly those in the financial services industry, has also had to increase. Organisations' cyber-defences now typically take a lot more effort and wherewithal to breach. Now, more than ever to become a success in cybercrime it is necessary to be intelligent, patient, innovative and well resourced, none of which are characteristics typicalof most criminals. Cybercrime, or at least those areas of it that are more than computerised petty theft, therefore falls increasingly within the domain of organised criminals.4

National authorities responsible for investigation of all forms of cybercrime are almost invariably at a technological disadvantage, as the criminals make the running. The 2011 Act attempts to go some way towards lessening delays which hamper the investigative process.

Scope of 2011 Act

Section 3(1) of the 2011 Act brings a number of relevant offences within its ambit, among them Section 9 of the Criminal Justice (Theft and Fraud Offences) Act 2001 (the "2001 Act") and Sections 2, 3 and 4 of the Criminal Damage Act 1991 (the "1991 Act"). These offences are summarised below, but are discussed in some detail in the previous article referenced above.

Additionally, Section 3(2) provides that the Minister may, by order, specify as a relevant offence, any arrestable offence relating to criminal acts involving the use of electronic communication networks and information systems or against such networks or systems or both, if the Minister is of the opinion that the nature of the offence is such that it would benefit from the powers conferred on the authorities in the 2011 Act, due to, for example, the complexity of transactions involved and the prolonged period of time usually required for investigation. It remains to be seen whether any such offences will be specified pursuant to Section 3(2).

Section 3(2) appears to be a recognition that the 1991 Act and 2001 Act were rendered effectively obsolete by technological innovations quickly after being passed. Nevertheless, it does not solve the problem that an offence has to be rendered arrestable before it can also be designated as reportable, a problem when Irish authorities have historically had difficulty keeping up with the apparently boundless imaginations of cyber criminals when applied to developing new varieties of IT fraud and cybercrime.

Sections 2 and 3 of the 1991 Act respectively create the offences of damage to, and threat of damage to, property, including damage with an intention to defraud. Section 4 of the 1991 Act created the offence of possessing anything with intent to damage property with a similar intention to defraud another. Section 9 of the 2001 Act relates to the dishonest operation of a computer whether within or outside the State with the intention of making a gain, or of causing loss to another.

It is notable that Section 5 of the 1991 Act remains outside of the remit of the 2011 Act. Section 5 is a computer-specific offence and deals with persons who, without lawful excuse, operate a computer within the State with intent to access any data kept either within or outside the State, or outside the State with intent to access any data kept within the State, whether or not any data is actually accessed. Given the specific acknowledgements in the 2011 Act of the role played by technology in serious and complex offences, it is surprising that Section 5, with its obvious focus on hacking and data security has been excluded from its application. It is possible that the drafters of the 2011 Act doubted the ability of citizens to reliably and accurately identify the kind of offences covered under Section 5 of the 2001 Act, which would render any legal obligation to report such offences excessively onerous. Hacking offences can be difficult to identify where the perpetrators intention was to remain undetected, which is frequently the case and particularly with more sophisticated hacking. It might also be noted that resource allocation to the Gardai's Computer Crime Investigation Unit have failed to keep up with growth rates in IT usage over recent years. An obligation to report computer offences would thus not necessarily be reflected in an increase in investigative activity.

Key Provisions of 2011 Act

Under Section 15 of the 2011 Act a member of the Garda Síochána may apply to a judge of the District Court for an order to make available particular documents or described documents available or to give information for the purposes of the investigation of a relevant offence. In the case of documents being handed over under this section which are illegible or inaccessible, the court order may also stipulate that any relevant access or passwords be given. Failure to provide passwords can be punished by a fine or prison term of up to 12 months on summary conviction or 2 years on indictment.

Requiring passwords is a significant power, given that without the key the lock remains unopened. Investigation of cybercrime offences can clearly be substantially frustrated by the lack of access to encrypted documents, as demonstrated, for example, in recent Garda investigations at Anglo Irish Bank5. This section provides the Gardai with considerable additional leverage. The 2001 Act only allowed for penalty of IR£500 or 6 months for failure to disclose passwords and as far as we are aware these penalties were never imposed.

The Superior Courts in Ireland have on occasion in recent years issued Anton Pillar Orders and other civil warrants which required individuals to disclose passwords to representatives of Civil plaintiffs, under threat of being held in contempt and summarily jailed. In practice this has meant that private persons have potentially had more scope to force other parties to disclose their password than have the police. A fact of necessary concern to Gardai.

Section 16 deals with the assertion of privilege over documents which fall subject to an application under Section 15 and allows for the Garda Síochána to apply for a determination as to whether privilege can be claimed, which application may be made in camera. This provision will be of benefit in the context of the speed at which cybercrime offences can become opaque and tackles a significant area of delay in criminal prosecution.

Section 18 of the 2011 Act allows for certain reasonable presumptions to be made in the context of the Criminal Evidence Act 1992 in relation to the authorship or exchange of documents by virtue of the circumstances in which the document is found or purports to be exchanged. In IT forensics, it is typically relatively straightforward for expert investigators to establish that actions were carried out on a computer by persons using a particular user account or other privileges. It has historically been far more difficult to link specific individuals with user accounts – to place their hands on the keyboard. The new provision allows the Courts to assume that the individual in possession of a certain set of user credentials was the same person who carried out any acts on the computer using those credentials. It is up to the defence to demonstrate that others might have been able to use the same credentials to carry out a crime. These provisions will be of particular relevance to the use of electronic documents in the course of investigation and the use of evidence in criminal trials.

Under Section 19(1) of the 2011 Act it is an offence for a person to withhold information which they believe might be of material assistance in preventing the commission by another person of a relevant offence or securing the apprehension, prosecution or conviction of any person for a relevant offence and the person fails without reasonable excuse to disclose the information to the Gardaí. This offence attracts a penalty of a class A fine (maximum €5,000) and/or 12 months imprisonment on summary conviction and an unlimited fine and/or imprisonment not exceeding a period of five years on conviction on indictment. The Gardaí may arrest and detain, for up to 24 hours, an individual without a warrant if they are suspected of withholding information.6

It is our understanding that this obligation may apply retrospectively so that, in theory, matters that individuals and organisations might have thought long closed should be reported to the Gardai regardless. This is an area of concern amongst those likely obliged to report offences, although not an area that has attracted much public comment.

Section 19 is the provision of the 2011 Act which has attracted most attention within the public and private sectors. This provision represents a clarification in the law, creating for the first time a specific obligation to report relevant information to the authorities. While this provides obvious advantages for the Garda Síochána in investigation of serious crime, it has caused a degree of concern to public and private sector organisations, who may now be guilty of an offence if they fail to report information covered by the provision. This could potentially apply in circumstances of omission by default, where the organisation may not be actively aware that relevant information is in their possession. While it is assumed that the normal rules in relation to knowledge and possession of evidence, together with normal Gardai operational practice and procedure, will apply in the application of this Section, there is an element of doubt here which is a cause for concern amongst public and private sector organisations who may be have suffered cybercrime, together with third parties, such as IT security or forensics consultants brought in to investigate technical aspects of an incident, which may take some time to be identified as a crime. This Section was introduced to solve a perceived problem, but the tariffs applicable to the new offence in particular have caused disquiet amongst those under an obligation to report.

It should be noted that Section 19 has essentially reinstated the offence of Misprision, which had been removed from Irish law by the Criminal Law Act 19977 , for all but terrorist offences8. Misprision was formerly a common law misdemeanour committed by a person who knew that a felony had been committed but did not give information which could lead to the felon's request9. Minister Shatter stated at the Second Stage reading of the 2011 Act, in relation to Section 19, that "this particular offence is of major importance, as its creation in the Bill will ensure that those who become aware of persons engaging in white collar crime are under an obligation to bring what they know to the attention of the Garda Síochána"10.

One provision the 2011 Act does not include is any allowance to provide additional resources to the Gardai to investigate the offences which it is intended be reported to them under its provisions. Nor has the Government allocated any additional resources to the Garda Bureau of Fraud Investigation or to the Garda Computer Crime Unit in response to this new legislation. As a consequence it appears the main effect of the Act may be to deluge the law enforcement authorities with reports of possible offences without providing them any means to investigate them. It is therefore very much an open question whether in this regard the 2011 Act is anything more than a 'paper tiger'.

2011 Act Overview and Summary

The 2011 Act introduces a wide arsenal of powers aimed at aiding the investigation of serious offences which in the context of cybercrime are generally long overdue and are to be welcomed. The quite serious tariffs applicable under Section19 have been less welcomed by those likely to suffer cybercrime as well as the IT forensics sector, who may be ones who discover the crime.

The 2011 Act introduces a wide arsenal of powers aimed at aiding the investigation of serious offences which in the context of cybercrime are generally long overdue and are to be welcomed. The quite serious tariffs applicable under Section19 have been less welcomed by those likely to suffer cybercrime as well as the IT forensics sector, who may be ones who discover the crime.

While the 2011 Act incorporates approximately 130 offences into its remit, one significant omission is reference to Section 5 of the 1991 Act, which relates to unauthorised use of a computer with intent to access data, which was intended to deal with hacking. The reason for this omission is assumed to be attributed to the same logic which associates the offence under the 1991 Act with damage to property and applies comparatively small tariffs. Under the 1991 Act a general offence relating to damage to property is stated, with property defined to include data. This is thus a fairly basic cybercrime related offence. Notwithstanding, the relative merits of Section 5 of the 1991 Act, by omitting reference to it the 2011 Act has disregarded one of the main types of cybercrime offence, namely hacking (albeit a particular type of hacking) that the new broad powers of investigation would seem to have been intended to tackle.

Significant steps have been taken by the 2011 Act to make inroads on issues which hamper the effective investigation of complex and technical crimes. This is welcome. However, overall the law applicable to substantive cybercrime offences, as set out in the 1991 Act and 2001 Act, requires significant revision, to update what are by now elderly offences. Without a more focused and sophisticated legislative framework cybercrime will remain an area where the law lags behind the crime.

Pearse and Andrew wish to express their thanks to Claire for her valuable contribution to this article.

Footnotes

1 Criminal Justice Bill 2011 Second Stage Speech (Dáil) on Wednesday, 18 May 2011Minister for Justice, Equality and Defence, Mr Alan Shatter, T.D.

2 Press release of the Minister for Justice, Equality and Defence, Mr Alan Shatter T.D http://www.justice.ie/en/JELR/Pages/CrimJustBill2011_PR

3 Article published by the Society for Computers & Law, available at: http://www.scl.org/site.aspx?i=ed16653 . Also available at http://www.arthurcox.com/who-we-are/our-people/pearse-ryan.html

4 For example, 21/12/12 story entitled 'Facebook helps FBI take down $850m cyber-gang', available at: http://www.finextra.com/News/FullStory.aspx?newsitemid=24372

5 See: http://www.independent.ie/national-news/anglo-chiefs-facing-quiz-on-missing-passwords-2413749.html

6 For a general discussion of S19 see: http://www.arthurcox.com/uploadedFiles/Publications/Publication_List/Arthur%20Cox%20-%20The%20Criminal%20Justice%20Act%202011,%20September%202011.pdf

7 In this Act, Section 3 abolishes the distinction between felony and misdemeanour, thereby abolishing the felony of misprision.

8 Section 9 of the Offences Against the State Act, 1998 creates an offence similar to misprision. In this section it is an offence to withhold information which a person knows or believes might be of material assistance in preventing the commission of a serious offence or securing the apprehension prosecution or conviction of any other person for a serious offence.

9 See for example Sykes v. DPP [1961] 3 All ER.

10 http://debates.oireachtas.ie/dail/2011/05/18/00025.asp

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions