© Grant Usher 2015

Grant Usher - LLM Dissertation

GL14-1662

TABLE OF CONTENTS

Executive Summary

1. Professional Practice Dissertation Elective Choice

2. Report Outline

3. Research Conclusion

Research

4. The Government’s Response to Battling Cybercrime

5. Practical Measures for Businesses to Prevent Cyber-Attacks

Critical Evaluation

6. Law Firms - Advising Their Commercial Clientele

7. Domestic and EU Legislation – Effective Protection?

Analysis

8. UK vs. USA – A Brief Comparison

9. Law Firms – Combatting the Threat

10. Protection from Cybercrime – The Future

Concluding Remarks

Bibliography

To What Extent Have the Government, Law Firms and Businesses

Successfully Combated the Threat of Cyber Attacks in the United Kingdom?

EXECUTIVE SUMMARY

My Professional Practice Dissertation (PPD) reports on the success, or lack of

success, the United Kingdom has achieved in the 21st Century battle against cyber-

attacks and analyses how businesses and law firms in the United Kingdom are

practically coping against the pressures cyber-attacks pose. During my PPD, I shall

use ‘cybercrime,’ ‘cyber-attack,’ and ‘cyber warfare’ and any plurals of the

aforementioned words interchangeably, unless I specify a definition of one or more

of the above words due to its particular context.

1. Professional Practice Dissertation Elective Choice

My PPD will be categorised under the elective heading ‘International Commercial

Law and Practice.’ I have chosen to categorise my PPD under this elective as my

dissertation is written from the angle of business, commerce, industry and the

commercial legal profession. Arguably, the title of my PPD could have led my

dissertation to be categorised under the ‘International Intellectual Property Practice’

or ‘Advanced Criminal Practice’ electives; however, I have not focused in any depth

on the practical effect a cyber-attack has on intellectual property rights, nor have I

addressed copyright issues or data protection matters as a primary concern. Further,

I have not studied in any significant detail the criminal impact of a cyber-attack.

2. Report Outline

My research addresses the current cyber threats facing businesses, how law firms

are currently advising their clients about these threats and whether the government

is practically assisting commerce in the quest for computer security. In my Critical

Evaluation, I focus on the practical implications cyber-attacks have - or can have -

upon a business, how law firms need to be adaptable in the advice they give to their

clients in order to cope with a threat which is constantly evolving and question

whether the current domestic and European laws are sufficiently robust to practically

protect commerce from such attacks. Prior to offering my concluding remarks, my

analysis offers a summary of the future state of play in the UK in the battle against

cybercrime; scrutinising the current legislation and enquiring how the role of a lawyer

can be enhanced when dealing with cyber security issues and how law firms

themselves need to be aware of the threat cybercrime poses to them, considering

they can possess particularly sensitive information about their clients and their

clients’ businesses. Further, I present a brief comparison of the legal frameworks

and practical repercussions of cyber-attacks on our nation and the United States of

America, so as to compare and contrast the approach to managing a global threat

against a nation which culturally, economically and politically is an ally of the United

Kingdom.

3. Research Conclusion

Via my research and the subsequent analysis of my research, my opinion has

swayed from its original standpoint that the United Kingdom (UK) maintains a strong

defence and counter-attack against those committing cyber-attacks to a realisation

that the UK government, law firms and businesses up and down the country remain

in the grip of a long-term struggle to cope with dangerous, unpredictable and

sophisticated attacks, whereby there appears to be no clear end in sight to defeating

attacks that could have a potentially crippling effect on the nation’s businesses and

economy.

A key reason behind my original acceptance that cyber security was sufficiently

preventing attacks on UK businesses and the government was the media coverage,

or, more pertinently, the absence of media coverage. Whilst one international cyber-

attack has featured predominantly in the media in recent months – the attack on

Sony allegedly carried out by North Korea1, following the production of the cinematic

1 Heavey S, ‘U.S. Stands by Assertion that North Korea behind Sony Attack: NSC Spokesman’ (20th December 2014) <http://www.reuters.com/article/2014/12/20/us-sony-cybersecurity-usa-idUSKBN0JY0L420141220> accessed 20th February 2015.

film, ‘The Interview’2 – it is rare that the media focuses on less ‘high-profile’ attacks.

It is this author’s conclusion that, somewhat paradoxically, the sheer volume of

cyber-attacks faced by the UK means that each attack is dubbed ‘not newsworthy.’3

Information Security expert Chris Wysopal corroborates this author’s viewpoint,

suggesting that ‘cyber-warfare’ is becoming ‘commonplace.’4

Furthermore, a secondary reason for this author’s original standpoint was that

businesses are unlikely to confess that their online security systems have been

penetrated due to the reputational damage this will cause. A public announcement of

this kind could have a catastrophic effect on a business, regardless of its size or

value. Shareholders would instantly greet such news with abundant anxiety about

their investment, as the company’s share price may decrease, as a result of

concerns from clients that their corporate data may not be safe with the hacked

company. Moreover, a company’s reputation would undoubtedly suffer as a result of

an attack. Trust, confidence and goodwill which may have been developed over

decades could instantly be endangered by such a proclamation. Customers simply

may no longer feel safe spending their money or investing in institutions where an

attack has happened (and could happen again), which could lead to the erosion of

the business’s customer base. Should a company choose to announce it has

been victim to a cyber-attack, it will be forced into ‘damage limitation mode’ and

will be keen to convince its customers, shareholders and the general public that the

situation is being managed and dealt with. For smaller businesses, a cyber-attack

may even stop the business from trading completely due to the above effects.

Conversely, it is the unembellished statistics which expose the accurate impact

cyber-attacks are having on UK commerce and industry. Remarkably, 96 per cent of

UK businesses fear their security functions are not strong enough, thus leaving them

2 The Official Website of ‘The Interview’ <http://www.theinterview-movie.com/> accessed 5th February 2015.

3 Rosenblatt S, ‘Four Security Trends Defined 2012, Will Impact 2013’ (21st December 2012) <http://www.cnet.com/uk/news/four-security-trends-defined-2012-will-impact-2013/> accessed 13th February 2015.

4 ibid.

ripe for attack.5 This revealing indicator helped alter my preliminary estimation during

the development of my research, as did the stark caution from Ernst & Young’s

Global Information Security Leader, Ken Allan, who powerfully pronounced that

‘cybercrime is the greatest threat for organisations’ survival today.’6 Further, global

computer security firm McAfee’s June 2014 report, ‘Estimating the Global Cost of

Cybercrime’7 calculated that cybercrime cost the UK economy $11.4bn in 2013,

which equated to 0.16% of our country’s Gross Domestic Product (GDP). It is only

when statistics such as these are revealed that the true threat of cyber-attacks on

UK business – including law firms – becomes clear. Cybercrime ‘has become a

growth industry; the returns are great, and the risks are low,’8 according to McAfee’s

Chief Technology Officer, Raj Samani.

Law firms are not immune from this threat. For an industry so reliant on trust and

relationships, arguably the legal profession faces the biggest threat of all. The

Secretary General of the Council of Bars and Law Societies of Europe, Jonathan

Goldsmith, describes cybersecurity as ‘one of the most significant – and challenging

– items on the agenda’9 for law firms and calls for firms to ‘think very seriously about

data protection’10 in light of the latest Edward Snowden revelations11 in an article

entitled ‘Cyber Security – An Urgent Priority.’12 Simply put, law firms must take stock

5 Sanghani R, ‘Cyber-attacks are the Greatest Threats UK Businesses Face’ (29th October 2013) <http://www.telegraph.co.uk/technology/internet-security/10409330/Cyber-attacks-are-the-greatest-threats-UK-businesses-face.html> accessed 12th February 2015.

6 Ernst & Young, Under Cyber Attack: EY’s Global Information Security Survey 2013, October 2013.

7 ibid.

8 Williams R, ‘Cyber Crime Costs Global Economy $445bn Annually’ (9th June 2014) <http://www.telegraph.co.uk/technology/internet-security/10886640/Cyber-crime-costs-global-economy-445-bn-annually.html> accessed 14th February 2015.

9 Goldsmith J, ‘Cybersecurity – An Urgent Priority’ (18th February 2014) <http://www.lawgazette.co.uk/law/cybersecurity-an-urgent-priority/5040006.article> accessed 4th February 2015.

10 ibid.

11 Kirschbaum E, ‘Snowden Says NSA Engages in Industrial Espionage’ (26th January 2014) <http://www.reuters.com/article/2014/01/26/us-security-snowden-germany-idUSBREA0P0DE20140126> accessed 2nd February 2015.

12 Goldsmith J, ‘Cybersecurity – An Urgent Priority’ (18th February 2014) <http://www.lawgazette.co.uk/law/cybersecurity-an-urgent-priority/5040006.article> accessed 4th February 2015.

of the advice they give to their clients and ensure their own computer systems are as

secure as possible too.

In summary, my research and analysis revealed the startling threat facing our

government, banks, law firms, Small and Medium Enterprises (SMEs) and industries

across the UK and the impact cyber-attacks can have on these institutions. My

research and analysis highlight that there is far more to be done to offer sufficient

protection to our institutions: European legislation is, finally, due to receive the

dramatic improvement it needs in order to preserve a united front in the global

battle against cybercrime; legal practitioners must be far more aware of the security

threats they and their clients face; and there is a profound need for lawyers to be able

to show a deep understanding of the key issues surrounding cyber security in 2015.

Further, businesses must take greater responsibility for ensuring their computer

systems are robust. They need to be prepared to invest time, money and resources

in order to protect themselves properly, regardless of their size. As pronounced by

Clough, ‘what could be said of the automobile in the 1920s is equally apposite of

digital technology today. It is trite, but nonetheless true, to say that we live in a digital

age.’13

RESEARCH

My research has revealed that the threat of a cyber-attack on any given business in

the 21st century cannot be underestimated. As I have already detailed, the statistics

show the sheer quantity of attacks taking place in the world. I have also learned that

13 Clough J, Principles of Cybercrime (2nd edn, Cambridge University Press, 2013).

businesses are being advised to use a range of different strategies to cope with the

current threat of attacks but that there is much more that can presently be done to

further strengthen a business’s cyber security defences.

4. The Government’s Response to Battling Cybercrime

Somewhat bizarrely, the UK government has proffered that businesses must ‘get

comfortable’14 with the uncertainty and practical threat of a cyber-attack. It is

submitted by this author that the government is therefore implying that dealing with

the threat posed by cyber-attacks in 2015 is, in fact, a rather reactionary measure.

Moreover, the government’s guidance offers little optimism that the fight towards

ending cybercrime is anywhere near an end point, instead suggesting the

somewhat pessimistic viewpoint that ‘cyber security incidents and mistakes will

happen, so plan for this.’15

Nonetheless, the UK government has been more pro-active in other areas. In

November 2011, the government published a cyber-security strategy,16 which was

reviewed in December 2012, whereby a number of initiatives designed to help

businesses were introduced. The strategy offered a more joined-up approach to

tackling the big issues in cyber security. For instance, in the strategy, the

government pledged to work with a number of authorities, including the Institute of

Chartered Secretaries and Administrators, the Audit Committee Institute and

Company Secretaries of the FTSE 100 to put cyber security at the forefront of each

organisation’s mind-set and establish cyber security as ‘a significant business risk

requiring the attention of company boards.’17 Further, the initiative promised the

14 Huseyin R, ‘Privacy and Data Protection’ [2015] PDP 15 3 (17).

15 National Technical Authority for Information Assurance, Risk Management of Cyber Security in Technology Projects, January 2015.

16 Cabinet Office, The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World, November 2011.

17 ibid.

launch of ‘Cyber Security Challenge UK,’18 which would run not-for-profit and form an

interactive way of learning about cyber security and offering job opportunities in that

area. Having visited the initiative’s YouTube channel19 and listened to the opinions of

those who have taken part in the series of online competitions run by the initiative, it

appears that the program has been successful thus far and is introducing the

younger generation to the importance of safety online and allowing talented young

people to test their computing skills in a safe environment. In summary, the

government’s 2012 strategy appears to have had some practical effect in raising

awareness of the key issues surrounding cyber security, yet it is therefore somewhat

strange to read of such negative guidance delivered to those affected most by cyber

threats – businesses – in January 2015.

5. Practical Measures for Businesses to Prevent Cyber-Attacks

Additionally, via my research, I have discovered the practical steps businesses can

currently take to prevent cyber-attacks and the typical advice being given to business

owners by lawyers to handle the challenges cyber-attacks pose. Moreover, I have

discovered that self-education is crucial for business owners, who need to be

focused at all times on the possibility their business may suffer a cyber-attack and,

should this occur, what should be done to mitigate the damage.

From the point of view of any business or organisation, listening to and implementing

the advice they receive from lawyers and reading the guidance from the Department

of Business, Innovation & Skills, amongst others, is going to be crucial in the fight

against cyber warfare, it is submitted. Shooter and Williams proffer helpful practical

advice to businesses, in their article, ‘Cyber-attacks: shoring up the defences.’20

Here, to prevent an attack, they argue that education is key. The authors suggest

18 The Official Website of ‘Cyber Security Challenge UK’ <http://cybersecuritychallenge.org.uk/> accessed 10th February 2015.

19 The Official YouTube Channel of ‘Cyber Security Challenge UK’ <https://www.youtube.com/user/CyberChallengeUK/videos> accessed 10th February 2015.

20 Shooter S & Williams R, ‘Cyber Security: Shoring Up The Defences’ (27th March 2013) <http://uk.practicallaw.com/3-525-0011> accessed 21st February 2015.

that ‘every company has a potential cyber weak spot in its employees.’21 Human

error inevitably costs businesses money and time; however, it is a problem which

cannot be eradicated entirely. Hence, with regards to cyber security, education is so

vitally important because the consequences of a cyber-attack affecting a business

can be severe. Examples of human error which can lead to a business’s systems

being susceptible to an attack are poor password selection, a lack of understanding

of information technology and oversight or carelessness when using the business’s

systems.

Shooter and Williams also suggest that businesses should turn to law firms to draft a

wide number of company policies for the benefit and education of its employees.

These include a user security management policy explaining how staff are required

to use the business’s computer systems securely and safely and a home and mobile

working policy – something becoming more and more common in the 21st century –

explaining the ‘serious potential risk’22 working at home poses, especially when

employees connect smartphones, iPads and laptop computers to the company’s

internal network. This policy should describe the measures necessary to keep their

data and the company’s network secure.

CRITICAL EVALUATION

In my Critical Evaluation, I will focus further on the effect cyber-attacks are having on

businesses and the Government and how law firms are advising their clients in order

to cope with an ever-evolving and progressively prominent and treacherous menace.

21 ibid.

22 ibid.

Further, I will evaluate whether current domestic and European laws go far enough

to practically protect businesses and the United Kingdom in a general sense from

harm from cyber-attacks and, if not, I will query what needs to change to protect

businesses and enable law firms to advise their clients in a more expedient and

preventative manner.

6. Law Firms - Advising Their Commercial Clientele

As alluded to in my Executive Summary, law firms are having to advise businesses of

the multi-faceted nature of cyber-attacks as well as the threats they cause to the

smooth running of a business, the far-reaching impact an attack has on all areas of a

business and the long-term and short-term significances an attack can have on a

business. In this section, I shall consider the practical advice being provided to

clients and deliberate whether lawyers truly understand and appreciate the current

situation facing their clients.

The threats faced by businesses, which lawyers are advising on, are three-fold:

financial, reputational and litigious. Law firms have had to be increasingly flexible

and versatile in their giving of advice in this area, due to the ever-changing

landscape of technology, the ever-increasing use of the internet and the ever-

improving intelligence and knowledge of those carrying out cyber-attacks, which are

becoming more and more sophisticated, so as to breach defences put in place to stop

the attacks in the first place.

Aside from the financial and reputational implications discussed in my Executive

Summary, businesses suffer a potentially substantial litigation risk as a consequence

of a cyber-attack. With 93% of large organisations (those employing more than 250

people) and 87% of smaller businesses having suffered one or more security

breaches between April 2012 and April 2013, according to the Department for

Business, Innovation & Skills,23 the risk of litigious proceedings being brought

23 Department of Business, Innovation & Skills, 2013 Information Security Breaches Survey, 2013.

against a business which has been breached is a widespread concern which must

be addressed by businesses and their legal advisors.

Lawyers are having to advise clients of two primary key litigation risks – breach of

contract and negligence. Breach of contract becomes a possibility not because of the

cyber-attack itself, but because the disruption to the business – discussed in further

depth above – can render the business unable to complete its contractual

obligations, due to the time, cost and manpower being spent on ‘plugging’ the attack

and ensuring the business is safe to resume trading after the cyber-attack. Bushell,

Crawford and Waldron summarise the advice law firms are having to provide to

clients to mitigate or prevent litigation claims against them following a breach of

contract. Ideally, a business will have a force majeure clause inserted into their

contracts which will contemplate a failure to perform the contract as a consequence

of a cyber-attack. In the absence of this, the authors suggest ‘even relatively minor

interruptions can result in liability for breach of contract.’24 Lawyers are also coping

with the threat of cyber-attacks on their clients by suggesting businesses be safe and

prudent and permit their chosen law firm to review their key agreements to ensure

that liability as a result of failing to deliver their contractual promise as a result of a

cyber-attack is addressed, so far as is possible.

7. Domestic and EU Legislation – Effective Protection?

24 Bushell S, Crawford G & Waldron T, ‘Cyber Security: Litigation Risk and Liability’ (29th May 2014) <http://uk.practicallaw.com/1-568-4185> accessed 25th February 2015.

Whilst the above are all measures businesses and law firms can take to protect

themselves from cybercrime, this author submits that taking these steps will only be

effective if there is potent domestic and European legislation in place.

The key domestic legislation aimed at combating cybercrime in the UK is the Computer

Misuse Act 1990.25 Introduced in order to ‘prevent the UK from trailing behind many

European Union Member States in relation to technological development,’26 the Act27

made it a criminal offence to gain unauthorised access to computer material.28

Despite the UK arguably being behind the technological curve, the nation was ‘the

first European country to enact a law to address computer crime specifically.’29 A

conviction under the Act30 could lead to a maximum penalty of six months’

imprisonment and a fine of £2000. The Act31 – in the view of this author – was long

overdue at a time when technology was beginning to dramatically develop. Previous

to the Act,32 sufficiently robust legislation to deal with cybercriminals simply did not

exist. One only needs to consider R v Gold & Schifreen,33 whereby two computer

hackers gained access to the personal messages of the Duke of Edinburgh via

breaching British Telecom’s ‘Prestel’ service. Charged under section 1 of the Forgery

and Counterfeiting Act 1981,34 the pair were fined just £1350 between them.

Thankfully, over time, UK domestic law has recognised the increasing threat

cybercrime poses and has developed more robust laws to tackle the issue. In

25 The Computer Misuse Act 1990.

26 A summary of the Computer Misuse Act 1990. <http://www.inbrief.co.uk/offences/hacking-of-computers.htm> accessed 17th February 2015.

27 The Computer Misuse Act 1990.

28 ibid.

29 Casey E, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (3rd edn, Elsevier Academic Press, 2004).

30 The Computer Misuse Act 1990.

31 ibid.

32 ibid.

33 R v Gold & Schifreen [1988] 1 AC 1063.

34 Forgery and Counterfeiting Act 1981.

keeping with recent technological developments – such as the growth of the use of

the internet, further advanced hacking knowledge and the introduction of mobile

devices – the Act35 was modified by the Police and Criminal Justice Act 2006.36 The

1990 Act37 was broadened by the amendments made in the 2006 Act38 to include

two new offences: committing an unauthorised act with intent to impair, or with

recklessness as to impairing, the operations of computers and making, supplying or

obtaining articles for use in computer misuse offences. As previously discussed, the

seriousness with which law firms, businesses and the UK government take

cybercrime has increased significantly over time. This is mirrored by the possible

penalties of a successful conviction under the 2006 Act.39 This is best demonstrated

by section 36 of the 2006 Act,40 - committing an unauthorised act with intent to

impair, or with recklessness as to impairing, the operations of computers - where a

successful conviction can result in a term not exceeding ten years’ imprisonment.41

Evidently, this points towards the legislature’s desire to deter cybercriminals as much

as possible and offers a far more severe punishment than has historically been the

case in the United Kingdom.

Amazingly, despite cybercrime being a global problem, there are no pan-European

laws in place. This is a clear indicator that the European Union simply has not kept

up with the pace of the problem. It is submitted that the European Union is long

overdue in adopting a law applicable to all its Member States. Mercifully, progress is,

at last, being made. The European Commission has recognised the importance of

cyber security in the 21st century, commenting that ‘securing network and information

systems in the EU is essential to ensure prosperity and to keep the online economy

35 The Computer Misuse Act 1990.

36 Police and Criminal Justice Act 2006.

37 The Computer Misuse Act 1990.

38 Police and Criminal Justice Act 2006.

39 ibid.

40 ibid.

41 S 36 6 c, Police and Criminal Justice Act 2006.

running.’42 Nevertheless, only in February 2013 did the European Commission begin

to act in a legislative sense. In an effort to achieve ‘cyber resilience,’43 ‘enhance the

EU's international cyberspace policy to promote EU core values’44 and ‘foster the

industrial and technological resources required to benefit from the Digital Single

Market,’45 the Commission adopted a strategy entitled ‘Cybersecurity Strategy of the

European Union – An Open, Safe and Secure Cyberspace.’46 This outlined the

Commission’s goal to ‘make the EU’s online environment the safest in the world’47

but more importantly, it is an indicator that cyber security is growing in importance,

not only domestically, but on a European level too.

However, it is the Network and Information Security Directive,48 approved by the

European Parliament in March 2014, which will have the biggest impact in the

ongoing battle against cyber warfare, should it be adopted by the Council of

Ministers. Currently, at the time of writing, the Directive is before the Transport,

Telecommunications and Energy Council.49 The Directive50 has three key points

which are relevant to the UK. Firstly, each Member State is to adopt a national

strategy in tackling cyber security. This author commends the UK government for

achieving this aim already. Thanks to the adoption of CISP, the cyber essentials

scheme51 and recent government guidance, the UK has, in recent years at least,

42 Digital Agenda for Europe (European Commission), ‘Cybersecurity’ (2nd March 2015) <http://ec.europa.eu/digital-agenda/en/cybersecurity> accessed 2nd March 2015.

43 Editor Connect (European Commission), ‘Communication on a Cybersecurity Strategy of the European Union – An Open, Safe and Secure Cyberspace’ (7th February 2013) <http://ec.europa.eu/digital-agenda/en/news/communication-cybersecurity-strategy-european-union-–-open-safe-and-secure-cyberspace> accessed 5th February 2014.

44 ibid.

45 ibid.

46 ibid.

47 ibid.

48 Network and Information Security Directive 2014.

49 Practical Law EU, ‘Cyber Security: Legislation Tracker’ (27th November 2014) <http://uk.practicallaw.com/7-572-8308> accessed 26th February 2015.

50 Network and Information Security Directive 2014.

51 HM Government, Cyber Essentials Scheme, June 2014.

been successful in adopting an interconnected strategy to tackle cybercrime on a

domestic level. Secondly, the relevant authorities in each Member State will form a

coalition to co-ordinate against risks and incidents affecting computer

systems. Further, any relevant information discovered as a result will be shared

between the Member States, allowing a cohesive security plan to be drawn up to

tackle individual cyber threats on a European scale. Finally, the Directive will have a

direct impact on businesses. As William Long, Partner at Sidley Austin LLP,

comments, ‘the Directive will also require many businesses to apply procedures that

will demonstrate effective use of security policies and measures.’52 For the first time,

there will be an emphasis on businesses demonstrating that proficiency in

maintaining effective computer systems.

ANALYSIS

A layman may not stop to contemplate the sheer scale of cyber-attacks and data

breaches that occur on a daily basis. However, the statistics show the legal and

commercial problems faced – not only in the UK, as discussed above, but in the

United States of America too. Put simply, cyber security is a worldwide problem; it

52 Long W, ‘What to Expect from Europe’s NIS Directive’ (September 2014) <http://www.computerweekly.com/opinion/What-to-expect-from-European-NIS-Directive> accessed 1st March 2015.

can and will affect every civilised nation in the world. One only needs to study the

sheer volume of attacks taking place every day on computer systems around the

globe. Staggeringly, in eight years, between 2005 and 2013, there were 616 million

data rights breaches in the United States.53 This included data theft by authorised

employees, errors by data holders – in particular, relating to lost or stolen computers,

USB keys and portable hard drives – and deliberate attacks by hackers.

8. United Kingdom vs. United States of America – A Brief Comparison

I have chosen to briefly compare and contrast our nation against the United States of

America due to both countries being technologically advanced, with computers

commonplace in businesses and homes, as well as both nations being political,

cultural and economic allies, thereby equating to a very similar nation to our own, in

many respects. Both nations are taking the threat of cyber-attacks increasingly more

seriously. President Barack Obama in fact stated that the future of the American

economy rested on the nation being able to manage and eliminate cyber-attacks -

“It's been estimated that last year alone cyber criminals stole intellectual property

from businesses worldwide worth up to $1 trillion. In short, America's economic

prosperity in the 21st century will depend on cybersecurity.”54 In sync with President

Obama’s comments was the announcement from David Cameron prior to meeting

the President of the United States in January 2015 that ‘the UK is already leading the

way in cyber security and this government is committed to ensuring it continues to be

a leader in this multi-billion dollar industry’55 and that ‘We need to make sure the UK

remains one of the most cyber secure places in the world to do business.’56

However, this being said, one must consider the practical implications of the leaders’

comments and contemplate the real-world bearing of cyber-attacks in both nations.

53 Data Breach Statistics Website www.privacyrights.org/data-breach/new accessed 16th February 2015.

54 Halbert D, ‘The Politics of IP Maximalism’ [2011] WIPO Journal.

55 Department of Business, Innovation & Skills, Cyber Security Boost for UK Firms, January 2015.

56 ibid.


In terms of the proliferation of legal claims as a result of cyber-attacks, the two

nations suffer a potent divergence. The United States has seen several high-profile

claims reach court or see both parties reach out-of-court settlements. Arguably the

most notable example in this instance would be the cyber-attack on Heartland

Payment Systems, who suffered the largest ever attack where 130 million credit card

records were hacked into and stolen. Here, a claim for breach of contract was made

by a number of world-renowned credit card companies including American Express,

Visa and Mastercard in respect of losses incurred by the aforementioned card

providers due to the companies having to cancel and reissue compromised credit

cards and reimburse cardholders who had been affected due to fraudulent activities

from their credit cards. This matter was eventually settled out of court for a sum of

over $100 million. This illustrates the sheer scale of the effect a cyber-attack can have

on a business and how the effect of the attack affects not only the attack’s target, but

causes a ‘ripple’ and results in damage and loss to other businesses too.

What is important to note about the above example is that it is not the loss or theft of

personal information which is actionable in the courts, it is the practical effect this

causes the party which believes it has suffered loss. In the above instance, this was

the time and financial and practical inconvenience of replacing the compromised

credit cards. As such, claims brought before courts in the United States are not

necessarily successful simply because there has been a loss of personal data. There

must be a practical consequence resulting from the loss of that data. As a

consequence of this, the Heartland case above offers an extreme example of what

can occur following a security breach but does not paint a reality of the legal picture

in the United States, whereby claims are not routinely successful.

In contrast, the United Kingdom has seen very few claims from customers who have

had data lost or stolen. The aforementioned authors surmise that this is due to the

practical difficulties of an individual to bring a claim against a company. Primarily,

cost is the chief factor, whereby a lengthy lawsuit is likely to be outside the financial

capabilities of the ordinary man. Furthermore, some may suggest that, due to the

nature of cyber-attacks, groups of individuals are likely to be targeted and suffer from

a cyber-attack and thus these individuals should bring a claim under a group

litigation order or via a representative claim – in a similar fashion to a ‘class action’; a

more common occurrence in the United States of America – however, due to the


uncertainty of whether an individual has suffered any loss or damage and how this is

to be quantified, it is far from commonplace for collective groups of individuals to

bring joint claims.

Nonetheless, similarly to the United States of America, it is likely to be large financial

institutions or credit card issuers which ‘represent a potentially more significant threat

to businesses operating in the UK,’57 the authors believe. Clearly, the

aforementioned institutions have the financial potency that individuals lack to bring

large-scale claims in the event of a security breach.

9. Law Firms – Combatting the Threat

I have also chosen to analyse how law firms have been affected by cyber-attacks

and the threats this poses to the legal profession and the business of running and

managing a law firm. Undoubtedly, law firms are not immune from the threat of a

cyber-attack. Law firms, like any business, face this threat. However, the distinction

between law firms and other businesses is that law firms hold large amounts of

sensitive data about their clients, which, particularly in large commercial law firms,

could be worth millions of pounds. Worryingly, it has been suggested that law firms

are falling behind the curve and are not implementing the necessary precautions to

ward off cyber-attacks. Seth Berman, executive managing director of Stroz

Friedberg, pointedly remarks that ‘the failure of UK law firms to tackle online security

is leaving clients increasingly vulnerable to attacks. As custodians of clients’

intellectual property and commercially sensitive information, law firms are particularly

attractive to hackers.’58 Further, the threat cyber-attacks pose has made some

impact on the legal profession. An unnamed Chief Executive Officer of a ‘large law

firm’ commented in the report59 that the issue of cyber terrorism and espionage has

really gone up the agenda of law firms. Large corporates now have a huge focus on

57 Bushell S, Crawford G & Waldron T, ‘Cyber Security: Litigation Risk and Liability’ (29th May 2014) <http://uk.practicallaw.com/1-568-4185> accessed 25th February 2015.

58 Legal Week, Locked Down? A Closer Look at the Rise of Cyber Crime and the Impact on Law Firms, May 2013.

59 ibid.


this area and we need to ensure their interests are protected.”60 Clearly, from this,

cyber security is on the legal profession’s radar; however, there is clearly much to be

done to truly combat the threat facing firms, and the actions law firms need to take to

practically cope with the threat cyber-attacks pose is what I discuss below.

A report by accountants PriceWaterhouseCoopers (PwC) summarises the abilities of

those behind cyber-attacks – Shane Sims, a director in the firm’s Forensic Services

group, warns that ‘it is imperative to understand the organisations involved in

cybercrime are well funded, extremely sophisticated and relentless… and they grow

more so every day.’61 Further, and perhaps most worryingly, ‘there is no way to

predict the likelihood that any given law firm will be attacked,’62 according to David

Gaulin, co-leader of PwC’s Law Firm Services. As such, law firms need to heed the

advice they provide to their clients and ensure their own computer systems are as

secure as possible.

PwC offers helpful advice to law firms in ensuring their systems remain secure.

Interestingly, and in keeping with a running theme of my research, PwC comment on

the frequency of cybercrime; ‘So prevalent is hacking that PwC’s advice to major

organisations (law firms included) is to assume that their systems have been

compromised and then proceed from that assumption in testing and improving their

defences.’63

In their report entitled ‘Safeguarding Your Firm from Cyber Attacks,’64 PwC offers a

six-point plan to address cyber security. The firm highlights a combination of the two

key elements this author has suggested are behind a successful cyber security

policy: technological improvements implemented by the firm and a reduction in

human error and development in education. With regards to the former element,

PwC insist law firms must ensure they update ‘spam’ or ‘junk mail’ filters on a regular

60 ibid.

61 PriceWaterhouseCoopers, Safeguarding Your Firm From Cyber Attacks, 2012.

62 ibid.

63 ibid.

64 ibid.


basis, install (and up-keep) anti-virus security software and implement an ‘analysis

program,’ which ‘detects unusual behaviours, activities, or programs in the

[computer] system.’65 Alongside the practical technological methods law firms are

recommended to introduce to cope with the threat of a cyber-attack, PwC’s report

highlights the importance of humans ensuring they keep their company’s computer

systems as safe as possible. PwC places equal emphasis on this, advising law firms

should educate their lawyers and support staff on the problems cyber-attacks pose

and how best to practically protect the firm against them. It is suggested law firms

should introduce and develop a ‘culture of awareness’66 of cyber security via regular

training sessions and highlighting best practices in this area. Further, law firms

should take the practical step of ensuring that from the top of the hierarchy to the

bottom, staff are made aware of the firm’s response should an attack on the firm

occur. A response should be developed and staff should be informed of what steps

to take immediately after an attack – including protecting the data as much as

possible – pinpointing who breached the computer systems and how it occurred and

how to minimise the damage caused by the cyber-attack insofar as possible. Finally,

PwC recommends that law firms can manage, on a practical basis, the possibility of

a cyber-attack by appointing a senior member of staff, ideally an equity partner or

equity partners, as chair of an internal ‘IT Committee’ which, in PwC’s view ‘provides

an open communications channel from the IT people to senior management and

ensures that data security has the attention of the highest levels of management.’67

It is not just PwC who advocate the importance of training and raising awareness

of cybercrime. The Law Society’s deputy vice-president Robert Bourns has been at

the forefront of a new initiative launched by the Law Society in order to achieve a

more digitally robust legal profession. The Law Society, in October 2014, announced

the creation of a free training course for professional lawyers, which will educate and

raise awareness of cybercrime. The course will ‘provide advice on how to safeguard

digital information, raise awareness of cyber issues amongst clients and gives

examples of how to deal with issues such as information breaches in the

65 ibid.

66 ibid.

67 ibid.


workplace.’68 This, it is submitted, is a positive step by the Law Society. It recognises

the practical reality a breach of cyber security poses to lawyers and their clients and

offers a cost-effective method of educating lawyers further of the risks posed.

Perhaps most significantly of all, the above reports and articles offer no distinction

between smaller ‘high street’ law firms, the mid-tier commercial firms and

international firms or ‘the Magic Circle.’ Strikingly, it is submitted, this is because the

threat is undiscriminating. Regardless of the size of the firm, a cyber-attack is a real

danger and firms of every size and stature need to implement measures to

safeguard themselves against this treacherous menace. In fact, there are

suggestions that small ‘high-street’ law firms could be faced with the biggest dangers

from cybercrime. The Cyber Security Information Sharing Partnership (CISP), set up

by the Cabinet Office, Government Communications Headquarters (GCHQ) and the

National Crime Agency, claims that smaller law firms may be viewed as an ‘easy

target’69 by hackers and committers of cybercrime, as they have fewer resources to

dedicate to ensuring their computer systems are secure than many larger law firms.

James Crawford, the head of situational awareness at CISP claims that ‘scammers

realise that larger companies have [dedicated] resources, so they are looking down

the supply chain to smaller firms.’70

One particular ‘weak spot’ is prominent in law firms involved in

mergers & acquisitions. Often, law firms use virtual data rooms, which are run by

third parties, such as Ansarada,71 to store documentation of the client involved in a

sale or purchase. Hackers target data rooms – a cloud-based storage facility – for

one key reason; all the documentation of their target, the client, will be in one

68 Cross M, ‘Cyber Training ‘Essential’ for Lawyers’ (7th October 2014) <http://www.lawgazette.co.uk/practice/cybersecurity-training-essential-for-lawyers/5043931.article> accessed 25th February 2015.

69 Hall K, ‘Cyber Threat Warning to Small Law Firms’ (17th March 2014) <http://www.lawgazette.co.uk/practice/cyber-threat-warning-to-small-law-firms/5040389.article> accessed 17th February 2015.

70 ibid.

71 The Official Website of data room provider ‘Ansarada’ <http://www.ansarada.com/> accessed 13th February 2015.


location and thus will be ripe for a hacker’s use. However, law firms are taking note

of this particular vulnerability. International law firm White & Case, a major player in

mergers & acquisitions work,72 are particularly cautious when using cloud storage.

As Tony Caldeiro, White & Case’s Chief Information Officer, explains, the firm

‘requires the use of encrypted connections and restricts the use by attorneys

[lawyers] of vulnerable file-hosting sites like ‘DropBox.’73 Firms are also beginning to

realise the benefits having a secure computer system can have in the legal

marketplace. Savvy partners are now marketing the safety of their internal computer

systems to potential clients. White & Case are an example of this, whereby they can

‘sell’ the firm to potential clients by showing off the fact that they are ‘one of a handful

of firms to receive an accreditation for information protection.’74 In the UK legal

marketplace – particularly the commercial mid-tier, where so many firms are vying

for clients in order to survive or grow as a firm – every advantage is crucial and, it is

submitted, the capability and security of law firms’ computer systems will be used

more and more in the near future as a pitching tool to potential clients.

10. Protection from Cybercrime – The Future

With cybercrime an ever-evolving beast, the government reacted in 2014 to attempt

to reform the current law and ensure that those who committed cybercrime were

sufficiently punished. In another demonstration that cybersecurity is ever-growing in

importance in the eyes of the UK government, in the Queen’s Speech in June 2014,

the introduction of a Serious Crime Bill75 was announced. The Bill76 proposes

tougher sentences still for those committing cyber offences, with a potential fourteen-

year prison sentence facing the perpetrator of such an attack. The government

72 Legal 500 Rankings of White & Case LLP <http://www.legal500.com/firms/51054-white-case-llp/9137-london> accessed 21st February 2015.

73 Riley M & Pearson S, ‘China-based Hackers Target Law Firms to get Secret Deal Data’ (31st January 2012) <http://www.bloomberg.com/news/articles/2012-01-31/china-based-hackers-target-law-firms> accessed 17th February 2015.

74 ibid.

75 Cabinet Office, Queen’s Speech 2014: What it Means for You, June 2014.

76 ibid.


justified their manoeuvre by insisting that tougher sentences will ‘ensure…attacks on

computer systems fully reflect the damage they [the cyber-attacks] cause.’77

Throughout the corporate world, there has been widespread praise for the practical

effect this Bill78, if made an Act, will have. The head of Ernst & Young’s cybercrime

investigations team, Simon Placks, confirms that this shows the government are

serious about tackling cybercrime in the United Kingdom and that the Bill79 will ‘play

an important role in helping to reduce the rates of cyber-attacks and deter criminal

activity in this space.’80 Additionally, he speculates that the business world will be in

support of the Bill;81 ‘any move towards tougher sentencing for cybercriminals is a

move in the right direction, and will be welcomed by business…’82 Further, Chief

Technology Officer, Greg Day, of FireEye, a leading cyber security company,

comments that ‘it is very encouraging that the government is taking cyber-attacks

more seriously; amending the Computer Misuse Act 199083 on computer systems

fully reflect the damage is a big step forward.’84

However, both Placks and Day offer words of caution about the practical implications

of the Bill.85 Day warns that it will be difficult for businesses to quantify the cost of the

damage they have suffered – ‘most companies are unable to qualify the extent of the

77 ibid.

78 ibid.

79 ibid.

80 Drinkwater D, ‘UK Law Could Propose Life Sentences for Cyber Crimes’ (5th June 2014) <http://www.scmagazineuk.com/uk-law-could-propose-life-sentences-for-cyber-crimes/article/351153/> accessed 1st March 2015.

81 Cabinet Office, Queen’s Speech 2014: What it Means for You, June 2014.

82 Drinkwater D, ‘UK Law Could Propose Life Sentences for Cyber Crimes’ (5th June 2014) <http://www.scmagazineuk.com/uk-law-could-propose-life-sentences-for-cyber-crimes/article/351153/> accessed 1st March 2015.

83 Computer Misuse Act 1990.

84 Drinkwater D, ‘UK Law Could Propose Life Sentences for Cyber Crimes’ (5th June 2014) <http://www.scmagazineuk.com/uk-law-could-propose-life-sentences-for-cyber-crimes/article/351153/> accessed 1st March 2015.

85 Cabinet Office, Queen’s Speech 2014: What it Means for You, June 2014.


attack or the commercial damage it [the attack] has on their business, meaning that it

[the Bill] will continue to be hard to implement…’86 Additionally, Placks remarks that

‘attribution continues to be one of the major difficulties when it comes to prosecuting

cyber-criminals.’87 Businesses and prosecutors have real difficulties in locating the

origins of a cyber-attack.

Further, with the Directive88 in the process of enactment, pan-European standards

on tackling cybercrime look set to emerge in the near future. The success of such a

Directive remains to be seen; however, it nonetheless represents a positive

intervention by the European Union and presents the European Union with the

opportunity to tackle cyber warfare in a consistent, joined-up and organised fashion,

something which prior to 2013 and the introduction of the European Commission’s

strategy,89 was totally lacking on a European level.

Whilst much is being studied and contemplated to prevent cyber-attacks more

effectively on a European and domestic legal level, as discussed above, one must

also consider the effect that a security breach has on a business’s customer base.

Lost or stolen data can have a major ‘knock on effect’ for a customer, as

demonstrated by the Heartland matter in the United States, discussed above.

It is possible that those who fall victim to cyber-attacks may face an easier route to obtaining

compensation payments for the loss of their data than is currently available. At the

time of writing, the Consumer Rights Bill90 is in the process of being passed through

Parliament and made into law. Currently, the Bill91 has been accepted by the House

of Commons and the House of Lords and is in the final stage before royal assent is

86 ibid.

87 ibid.

88 Network and Information Security Directive 2014.

89 Editor Connect (European Commission), ‘Communication on a Cybersecurity Strategy of the European Union – An Open, Safe and Secure Cyberspace’ (7th February 2013) <http://ec.europa.eu/digital-agenda/en/news/communication-cybersecurity-strategy-european-union-–-open-safe-and-secure-cyberspace> accessed 5th February 2014.

90 Consumer Rights Bill (HC Bill 161).

91 ibid.


granted, whereby currently both Houses are considering amendments to the final

Bill92. Should this Bill93 be granted, the planned availability of enhanced consumer

measures may dramatically improve. Although not impacting directly the practical

steps a customer could take should their data suffer a security breach, Schedule 5 of

the Bill94 offers the opportunity for ‘enforcers’ of the consumer legislation to

investigate and, if necessary, bring claims on behalf of the customers affected by the

breach or breaches. Examples of ‘enforcers’ include the Competition and Markets

Authority, English district councils and the British Hallmarking Council.95 It would be

for these organisations to eventually bring a claim, following any investigation. This

author’s initial reaction to this Bill96 is a positive one which offers a step in the right

direction as those who have actually fallen victim at the hands of the hackers will be

more likely to receive compensation payments because a firmer structure is in place

to manage litigation proceedings from security breaches whereby the individual who

has suffered is not alone in their quest to bring a successful claim against the

company which has suffered the attack and lost their data.

Moreover, in keeping with the above, Bushell, Crawford and Waldron submit that the

number of claims brought as a direct result of cyber-attacks and cyber security

issues is likely to increase in the future, even though the number of claims ‘remain

a nascent area in the UK at present.’97 As a result of a predicted rise of claims being

brought against those who have suffered a cyber-attack, lawyers are going to have

to adapt to the zeitgeist and mould their advice to their clients, who, in circumstances

such as those projected by the aforementioned authors, are going to be increasingly

cautious in their handling of business transactions and drafting of contracts.

92 ibid.

93 ibid.

94 ibid.

95 ibid.

96 ibid.

97 Bushell S, Crawford G & Waldron T, ‘Cyber Security: Litigation Risk and Liability’ (29th May 2014) <http://uk.practicallaw.com/1-568-4185> accessed 25th February 2015.


Finally, lawyers are going to have to provide sharper commercial and practical

advice on this topic in the future. As well as ensuring their clients’ contracts ensure

their liability is at a minimum as a result of a cyber-attack, lawyers and their firms are

going to have to be innovative and provide an educational service to their clients too.

As the UK government has already indicated in its guidance98 to businesses in 2015

and Ernst & Young have highlighted in their report,99 education is key for businesses

to successfully manage the threat of cyber-attacks in the 21st century. Law firms are

going to have to reach out to their clients through new methods and on a regular

basis to ensure their clients remain fully educated about such an important aspect to

their business and one which is so susceptible to frequent change. It is submitted

that law firms should provide frequent updates to their clients via mediums such as

webinars, online newsletters and six-monthly briefings. Whilst forming part of the

‘added-value’ service for a client, a law firm which successfully grasped the

realisation of the importance of cyber security would benefit too, as client

relationships would strengthen due to the helpfulness of the information given to the

client and the frequency with which the client would be in contact, either directly or

indirectly, with the law firm. In turn, potentially, clients may choose this law firm to

carry out work on further matters on their behalf.

CONCLUDING REMARKS

My research and report into the extent to which law firms, businesses and the

government have combatted cybercrime successfully thus far has revealed four key

points.

Firstly, that a greater level of education is required on the part of law firms and

businesses in order to tackle the threat of cyber-attacks more effectively. It is

submitted that this, mirrored by further investment in computer resources and

structures, will have the most potent effect in combating cybercrime. Secondly,

lawyers need to consistently be up-to-date with technological developments and be

98 National Technical Authority for Information Assurance, Risk Management of Cyber Security in Technology Projects, January 2015.

99 Ernst & Young, Under Cyber Attack: EY’s Global Information Security Survey 2013, October 2013.


aware of new and future potential threats to their clients’ businesses. In sync with

this, lawyers therefore need to gain an even deeper understanding of their clients’

businesses in order to provide the most appropriate commercial and legal advice to

the particular client in question. Thirdly, law firms themselves need to accept that

they are not immune from cybercrime and must ensure their computer systems are

robust enough to protect the data of the firm and of their clients. Whilst some

progress has been made on this front, particularly from the world’s largest law firms,

such as White & Case, it would be erroneous to suggest their internal practices, as

discussed above, were the norm for all law firms. Whilst it is accepted that not all

firms can spend the financial resources on cyber security that an international law

firm does, there are measures even ‘high street’ firms can take, such as signing up

to the new free training course for lawyers offered by the Law Society.

Finally, despite the three points above, arguably the most pertinent discovery from

the PPD is that the UK government must ensure it constantly remains able to combat

the threat of cyber-attacks on businesses and industry across the country. It has

made positive steps – such as forming CISP – and is well supported by the Law

Society’s efforts to educate the legal profession further on cybercrime; however, it is

submitted that we, as a nation, are now at a critical juncture in the battle against

cyber warfare. With the volume and sophistication of attacks on the rise, the

government must act on its proposal to introduce the Serious Crime Bill and ensure

the perpetrators of cybercrime face tough sentences. In summary, the prosperity of

business and commerce in the UK is reliant on safe computer systems, particularly

in an increasingly globalised world. Without the legal protection, education and

defences put in place, our economy will suffer greatly. The sooner businesses and

law firms accept, manage and fight the present digital threats, the sooner real

progress can be made by the legislature and commerce to eliminate cyber-attacks

once and for all.

Date: 2nd March 2015.

Word Count: 7496.


Bibliography

Table of Cases

DPP v Bignall [1998] 1 Cr App R8.

R v Bow Street Magistrates ex parte Government of the United States

of America; In re Allison [1999] UKHL 31.

R v Gold & Schifreen [1988] 1 AC 1063.

Table of Legislation


Computer Misuse Act 1990.

Consumer Rights Bill (HC Bill 161).

Forgery and Counterfeiting Act 1981.

Network and Information Security Directive 2014.

Police and Criminal Justice Act 2006.

Secondary Sources

Books

Brenner S W., Cybercrime and the law: challenges, issues and

outcomes (1st edn, Northeastern University Press, 2012).

Casey E, Digital Evidence and Computer Crime: Forensic Science,

Computers and the Internet (3rd edn, Elsevier Academic Press, 2004).

Clough J, Principles of Cybercrime (2nd edn, Cambridge University

Press, 2013).


Embley J, Bamford K & Hancock N, Commercial and Intellectual

Property Law and Practice (1st edn, College of Law Publishing, 2014).

Fafinski S, Computer Misuse: Response, Regulation and the Law (1st

edn, Willan Publishing, 2009).

Grabosky P N. & Smith R G., Crime in the Digital Age: Controlling

Telecommunications and Cyberspace (1st edn, Transaction Publishers,

1998).

Thomas D & Loader B D., Cybercrime: Law Enforcement, Security and

Surveillance in the Information Age (2nd edn, Routledge Publishing,

2003).

Journals

Halbert D, ‘The Politics of IP Maximalism’ [2011] WIPO Journal.

Huseyin R, ‘Privacy and Data Protection’ [2015] PDP 15 3 (17).

Articles

Bushell S, Crawford G & Waldron T, ‘Cyber Security: Litigation Risk

and Liability’ (29th May 2014) < http://uk.practicallaw.com/1-568-4185>

accessed 25th February 2015.


Cross M, ‘Cyber Training ‘Essential’ for Lawyers’ (7th October 2014)

<http://www.lawgazette.co.uk/practice/cybersecurity-training-essential-

for-lawyers/5043931.article> accessed 25th February 2015.

Digital Agenda for Europe (European Commission), ‘Cybersecurity’

(2nd March 2015) <http://ec.europa.eu/digital-agenda/en/cybersecurity>

accessed 2nd March 2015.

Drinkwater D, ‘UK Law Could Propose Life Sentences for Cyber

Crimes’ (5th June 2014) <http://www.scmagazineuk.com/uk-law-could-

propose-life-sentences-for-cyber-crimes/article/351153/> accessed 1st

March 2015.

Editor Connect (European Commission), ‘Communication on a

Cybersecurity Strategy of the European Union – An Open, Safe and

Secure Cyberspace’ (7th February 2013) <http://ec.europa.eu/digital-

agenda/en/news/communication-cybersecurity-strategy-european-

union-–-open-safe-and-secure-cyberspace> accessed 5th February

2014.

Goldsmith J, ‘Cybersecurity – An Urgent Priority’ (18th February 2014)

< http://www.lawgazette.co.uk/law/cybersecurity-an-urgent-

priority/5040006.article> accessed 4th February 2015.

Hall K, ‘Cyber Threat Warning to Small Law Firms’ (17th March 2014)

<http://www.lawgazette.co.uk/practice/cyber-threat-warning-to-small-

law-firms/5040389.article> accessed 17th February 2015.

Heavey S, ‘U.S. Stands by Assertion that North Korea behind Sony

Attack: NSC Spokesman’ (20th December 2014)

<http://www.reuters.com/article/2014/12/20/us-sony-cybersecurity-usa-

idUSKBN0JY0L420141220> accessed 20th February 2015.


Kirschbaum E, ‘Snowden Says NSA Engages in Industrial Espionage’

(26th January 2014) <http://www.reuters.com/article/2014/01/26/us-

security-snowden-germany-idUSBREA0P0DE20140126> accessed

2nd February 2015.

Long W, ‘What to Expect from Europe’s NIS Directive’ (September

2014) <http://www.computerweekly.com/opinion/What-to-expect-from-

European-NIS-Directive> accessed 1st March 2015.

Pinsent Masons, ‘UK Law Makes Hacking an Act of Terrorism’ (21st

February 2001) <http://www.out-law.com/en/articles/2001/february/uk-

law-makes-hacking-an-act-of-terrorism/> accessed 20th February

2015.

Practical Law EU, ‘Cyber Security: Legislation Tracker’ (27th November

2014) <http://uk.practicallaw.com/7-572-8308> accessed 26th February

2015.

Riley M & Pearson S, ‘China-based Hackers Target Law Firms to get

Secret Deal Data’ (31st January 2012)

<http://www.bloomberg.com/news/articles/2012-01-31/china-based-

hackers-target-law-firms> accessed 17th February 2015.

Rosenblatt S, ‘Four Security Trends Defined 2012, Will Impact 2013’

(21st December 2012) <http://www.cnet.com/uk/news/four-security-

trends-defined-2012-will-impact-2013/> accessed 13th February 2015.

Sanghani R, ‘Cyber-attacks are the Greatest Threats UK Businesses

Face’ (29th October 2013)

<http://www.telegraph.co.uk/technology/internet-


security/10409330/Cyber-attacks-are-the-greatest-threats-UK-

businesses-face.html> accessed 12th February 2015.

Shooter S & Williams R, ‘Cyber Security: Shoring Up The Defences’

(27th March 2013) < http://uk.practicallaw.com/3-525-0011> accessed

21st February 2015.

Williams R, ‘Cyber Crime Costs Global Economy $445bn Annually’ (9th June 2014) <http://www.telegraph.co.uk/technology/internet-security/10886640/Cyber-crime-costs-global-economy-445-bn-annually.html> accessed 14th February 2015.

Reports

Cabinet Office, The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World, November 2011.

Cabinet Office, Queen’s Speech 2014: What it Means for You, June 2014.

Department of Business, Innovation & Skills, 2013 Information Security Breaches Survey, 2013.

Department of Business, Innovation & Skills, Cyber Security Boost for UK Firms, January 2015.

Ernst & Young, Under Cyber Attack: EY’s Global Information Security Survey 2013, October 2013.

HM Government, Cyber Essentials Scheme, June 2014.

Legal Week, Locked Down? A Closer Look at the Rise of Cyber Crime and the Impact on Law Firms, May 2013.

McAfee, Net Losses: Estimating the Global Cost of Cybercrime, June 2014.

National Technical Authority for Information Assurance, Risk Management of Cyber Security in Technology Projects, January 2015.

PriceWaterhouseCoopers, Safeguarding Your Firm From Cyber Attacks, 2012.

Miscellaneous Sources

The Official Website of ‘The Interview’ <http://www.theinterview-movie.com/> accessed 5th February 2015.

The Official Website of ‘Cyber Security Challenge UK’ <http://cybersecuritychallenge.org.uk/> accessed 10th February 2015.

The Official YouTube Channel of ‘Cyber Security Challenge UK’ <https://www.youtube.com/user/CyberChallengeUK/videos> accessed 10th February 2015.

The Official Website of data room provider ‘Ansarada’ <http://www.ansarada.com/> accessed 13th February 2015.

A summary of the Computer Misuse Act 1990 <http://www.inbrief.co.uk/offences/hacking-of-computers.htm> accessed 17th February 2015.

Legal 500 Rankings of White & Case LLP <http://www.legal500.com/firms/51054-white-case-llp/9137-london> accessed 21st February 2015.

Data Breach Statistics Website <www.privacyrights.org/data-breach/new> accessed 16th February 2015.
