Unlike previous hacks such as the Mossack Fonseca release of confidential information, these are financially motivated and carried out through the use of Ransomware. This is why it has never been more important for businesses to have a full understanding of the requirements imposed on them by law to prevent financial and reputational loss to their business. Not only will a business suffer, but individuals in that company, such as directors, may have criminal proceedings brought against them and could be subject to fines. This article provides a quick overview of the cybersecurity legislation in place on the Isle of Man.
Types of threats
Historically, the most common form of hacking is Phishing, where a hacker targets an individual and, through the use of either spam emails or fake websites, attempts to trick them into providing personal details such as bank details or personal passwords. In the past few months, the threat of hacking has been growing at an alarming rate and hackers are deploying various new methods. They are deliberately targeting businesses that may have overlooked their cybersecurity due to a lack of threat in the past.
As mentioned, Ransomware has now been drawn into the public eye through many public attacks and through the South Korean web provider Nayana paying out about $1 million in Bitcoins to the hackers. This may only further encourage others to pursue this potentially lucrative method. Ransomware is software that is maliciously deployed onto a computer and blocks access to data until a ransom is paid. In more elaborate attacks, this can be combined with other hacking tools that are advertised as a way to prevent or remove the Ransomware in question, but which are in turn malware that causes further harm once downloaded.
Outline of the legal framework
In the Isle of Man at present there is no comprehensive piece of cybersecurity legislation; instead, a number of different statutes govern cybersecurity.
Data Protection Act 2002 (the DPA)
The DPA regulates the storage of information and, under its Seventh Principle, imposes obligations on a company to protect the personal data it collects by means of security measures. A breach of the obligation to keep data secure gives rise to potential criminal sanctions and/or financial penalties enforced by the Isle of Man Information Commissioner (the Commissioner).
Computer Security Act 1992 (the CSA)
The CSA criminalises interference with computers without authority, including where the intention is to commit other crimes by means of accessing computers, altering computer programs or producing ‘hacking tools’. Offences under the CSA are not limited to offenders who are present in the Isle of Man.
View the PDF version below to find out more about who is responsible for cybersecurity in the Isle of Man, and what future developments in this area may mean.