| Preface | vii | |
| Table of Cases | xv | |
| Table of Statutes | xxi | |
| Table of Statutory Instruments | xxvii | |
| Table of European Materials | xxix | |
| Part 1 The Legal Framework | | |
| | 3 | (50) |
| | 3 | (1) |
| Offences under the Computer Misuse Act 1990 | 4 | (23) |
| Unauthorised access to a computer (s 1) | 6 | (3) |
| Unauthorised access with intent to commit further offences (s 2) | 9 | (1) |
| Unauthorised acts with intent to impair the operation of a computer (s 3) | 10 | (3) |
| Making, adapting, supplying or offering to supply an article (s 3A) | 13 | (2) |
| Unauthorised acts causing or creating the risk of serious damage (s 3ZA) | 15 | (2) |
| | 17 | (1) |
| | 17 | (4) |
| | 21 | (2) |
| | 23 | (1) |
| | 23 | (1) |
| Serious crime prevention orders | 24 | (1) |
| | 24 | (3) |
| | 24 | (2) |
| | 26 | (1) |
| | 27 | (4) |
| | 28 | (3) |
| False or offensive social media profiles | 31 | (1) |
| | 32 | (6) |
| | 32 | (2) |
| Failure to register as a data controller | 34 | (1) |
| Unlawfully obtaining or disclosing personal data | 35 | (1) |
| | 36 | (2) |
| | 38 | (6) |
| Dishonestly obtaining electronic communications services (ss 125-126) | 39 | (1) |
| Improper use of public electronic communications network (s 127) | 40 | (1) |
| | 41 | (2) |
| The Guidelines on Prosecuting Cases involving Communications sent via Social Media | 43 | (1) |
| | 44 | (9) |
| Malicious Communications Act 1988 | 45 | (3) |
| | 48 | (5) |
| Chapter 2 Civil Liability under the Data Protection Act 1998 | 53 | (16) |
| Liability for personal data | 53 | (1) |
| Data Protection Act 1998 - an overview | 53 | (1) |
| Definition of key terms (s 1) | 54 | (1) |
| The data protection principles (s 4) | 54 | (6) |
| The first principle - 'data must be processed fairly and lawfully' | 55 | (1) |
| The second principle - 'data must be obtained only for one or more specified purpose' | 56 | (1) |
| The third principle - 'personal data shall be adequate, relevant and not excessive' | 56 | (1) |
| The fourth principle - 'personal data shall be accurate and, where necessary, kept up to date' | 57 | (1) |
| The fifth principle - 'personal data shall not be kept for longer than is necessary' | 57 | (1) |
| The sixth principle - 'personal data shall be processed in accordance with the rights of data subjects under this Act' | 58 | (1) |
| The seventh principle - appropriate technical and organisational measures to secure personal data | 58 | (1) |
| The eighth principle - data not be transferred outside the EEA unless that country ensures an adequate level of protection for the processing of personal data | 59 | (1) |
| Application of the Act (s 5) | 60 | (1) |
| Right of access to personal data (s 7) | 61 | (2) |
| Enforced subject access request (s 56) | 63 | (1) |
| Right to prevent processing likely to cause damage or distress (s 10) | 64 | (2) |
| Rights in relation to automated decision making (s 12) | 66 | (1) |
| Compensation for breach (s 13) | 66 | (3) |
| Chapter 3 Civil Liability and Redress | 69 | (10) |
| | 69 | (1) |
| | 70 | (1) |
| | 71 | (1) |
| | 72 | (1) |
| | 73 | (1) |
| | 73 | (2) |
| 'Unlawful means conspiracy' | 74 | (1) |
| 'Lawful means conspiracy' | 74 | (1) |
| Liability to third parties | 75 | (1) |
| | 75 | (2) |
| | 77 | (2) |
| | 79 | (12) |
| | 79 | (1) |
| Misuse of private information | 80 | (3) |
| Misuse of private information in a cyber context | 82 | (1) |
| | 83 | (1) |
| | 83 | (2) |
| | 85 | (1) |
| Interception of telecommunications | 86 | (3) |
| Compulsion to provide private information | 88 | (1) |
| The Freedom of Information Act 2000 | 89 | (2) |
| Chapter 5 Employer Liability and Protection | 91 | (38) |
| | 91 | (1) |
| | 92 | (7) |
| Crowson Fabrics Ltd v Rider | 94 | (3) |
| Brandeaux Advisers (UK) Ltd v Chadwick | 97 | (1) |
| | 98 | (1) |
| Protecting confidential information | 99 | (2) |
| | 101 | (1) |
| The Trade Secrets Directive | 101 | (1) |
| | 102 | (10) |
| | 102 | (2) |
| Copyright, Designs and Patents Act 1988 | 104 | (2) |
| | 106 | (3) |
| Nova Productions Ltd v Mazooma Games Ltd | 109 | (1) |
| SAS Institute Inc v World Programming Ltd | 110 | (2) |
| | 112 | (7) |
| Copyright and Rights in Databases Regulations 1997, Part III | 114 | (1) |
| Databases to protect software | 115 | (1) |
| Cantor Gaming Ltd v GameAccount Global Ltd | 115 | (1) |
| | 116 | (1) |
| Flogas Britain Ltd v Calor Gas Ltd | 117 | (2) |
| | 119 | (5) |
| | 119 | (1) |
| | 120 | (1) |
| | 121 | (3) |
| Employer measures, systems and procedures | 124 | (5) |
| Cyber terms of use and the employee contract | 124 | (2) |
| | 126 | (1) |
| | 126 | (3) |
| Chapter 6 Commercial Espionage | 129 | (24) |
| | 129 | (2) |
| Intelligence Services Act 1994 | 130 | (1) |
| | 131 | (3) |
| | 132 | (1) |
| | 133 | (1) |
| | 134 | (10) |
| | 134 | (7) |
| | 136 | (1) |
| | 137 | (2) |
| | 139 | (2) |
| Copyright, Designs and Patents Act 1988 | 141 | (1) |
| | 142 | (2) |
| Difference between trade marks and patents | 143 | (1) |
| | 144 | (3) |
| | 144 | (3) |
| Passing off and cyber squatting | 147 | (3) |
| Passing off and trade marks | 149 | (1) |
| International/European approach | 150 | (3) |
| Chapter 7 Control Mechanisms for Embedded Devices | 153 | (32) |
| | 153 | (1) |
| | 154 | (5) |
| Awareness of threats to embedded systems | 154 | (3) |
| | 155 | (1) |
| | 156 | (1) |
| | 157 | (2) |
| | 159 | (1) |
| The legal and regulatory context | 160 | (11) |
| | 160 | (4) |
| | 163 | (1) |
| | 164 | (1) |
| | 165 | (1) |
| Conditional Access Directive | 165 | (1) |
| | 166 | (1) |
| Copyright, Designs and Patents Act 1988 | 166 | (4) |
| Circumvention of technical devices applied to computer programs (s 296) | 167 | (1) |
| Circumvention of technological measures (ss 296Z-296ZG) | 168 | (1) |
| Unauthorised decoders: s 297A | 169 | (1) |
| European Union Agency for Network and Information Security | 170 | (1) |
| Protection through litigation | 171 | (7) |
| | 172 | (1) |
| | 173 | (5) |
| | 178 | (1) |
| | 178 | (7) |
| British Phonographic Industry Ltd v Mechanical-Copyright Protection Society Ltd | 180 | (5) |
| Part 2 Responding to a Data Breach | | |
| Chapter 8 Responding to a Data Breach | 185 | (6) |
| | 185 | (1) |
| | 185 | (2) |
| | 187 | (1) |
| | 188 | (2) |
| | 190 | (1) |
| Chapter 9 Investigating Incidents and Powers of Investigators | 191 | (40) |
| | 191 | (1) |
| | 192 | (4) |
| The investigating authorities | 192 | (1) |
| | 193 | (3) |
| Data Retention and Investigatory Powers Act 2014 | 196 | (3) |
| Investigatory Powers Act 2016 | 199 | (11) |
| | 202 | (1) |
| | 203 | (1) |
| Regulation of Investigatory Powers Act 2000 (RIPA 2000) and interception of communications | 204 | (4) |
| The Investigatory Powers Tribunal | 208 | (2) |
| | 210 | (3) |
| The Intelligence Services Act 1994 | 213 | (2) |
| | 215 | (6) |
| | 216 | (1) |
| | 216 | (5) |
| | 221 | (1) |
| | 221 | (1) |
| | 222 | (9) |
| Legally privileged material | 222 | (1) |
| | 223 | (1) |
| Special procedure material | 223 | (8) |
| Part 3 Litigation, Evidence and Remedies | | |
| Chapter 10 Remedial Steps and Mitigating the Loss | 231 | (14) |
| | 231 | (1) |
| | 232 | (1) |
| Injunctions in cases of copyright infringement | 233 | (3) |
| Stop and desist notices: Data Protection Act 1998 | 236 | (1) |
| Where the s 10 notices do not apply | 236 | (1) |
| Who or what is a data controller? | 237 | (1) |
| What must the data controller do upon receipt of a s 10 notice? | 237 | (1) |
| What if damage has already been suffered? | 238 | (1) |
| | 238 | (1) |
| | 238 | (1) |
| | 239 | (1) |
| Data Protection Act 1998: the criminal offences | 240 | (1) |
| Unlawful obtaining etc of personal data (s 55(1)) | 240 | (1) |
| | 241 | (4) |
| Chapter 11 Litigating and Rules of Evidence | 245 | (14) |
| | 245 | (2) |
| Good Practice Guide for Computer Based Electronic Evidence | 246 | (1) |
| Practical issues facing law enforcement and other officials in evidence gathering in computer and electronic storage devices cases | 247 | (2) |
| Significant distinction between 'directed' and 'intrusive surveillance' | 249 | (2) |
| Jurisdictional issues and 'forum shopping' | 251 | (1) |
| | 251 | (2) |
| Wintersteiger AG v Products 4U Sondermaschinenbau GmbH | 252 | (1) |
| Evidence obtained abroad - general principles including letters of request | 253 | (2) |
| Obtaining evidence from abroad | 253 | (2) |
| Evidence obtained illegally - general principles | 255 | (4) |
| Part 4 The Future | | |
| Chapter 12 The Legal Environment post-Brexit | 259 | (14) |
| | 259 | (1) |
| | 259 | (1) |
| | 260 | (1) |
| | 260 | (1) |
| Different interconnectivity models | 261 | (1) |
| Where does that leave GDPR? | 262 | (7) |
| | 264 | (1) |
| How extensive are the new proposals? | 265 | (4) |
| What can be done now to ensure that the transition to compliance with the GDPR or UK equivalent is as smooth as possible? | 269 | (1) |
| Directive on Security of Network and Information Systems (NIS Directive) | 269 | (4) |
| Index | 273 | |