While there have been offences of some relevance to computer related crime on the Irish statute book for lots of years, these offences were created by legislation focussed on other areas of criminality (such as theft or criminal damage and fraud). As a result, they have not been well suited to prosecuting cybercrime activities, they dont appear to be sufficiently flexible to move with on-going developments in this area. It addresses these weaknesses in domestic law by creating dedicated and more technologically focussed cybercrime offences in Ireland. From an international perspective, the Act will also have the effect of finally aligning Ireland with international and EU-level commitments in this area.
The Act provides for the creation of five new, dedicated cybercrime offences:
- Accessing an information system without lawful authority;
- Interfering with an information system without lawful authority so as to intentionally hinder or interrupt its functioning;
- Interfering with data without lawful authority;
- Intercepting the transmission of data without lawful authority; and
- Use of a computer, password, code or data for the purpose of the commission of any of the above offences.
An “information system” is defined in the Act as “(a) a device or group of interconnected or related devices, one or more than one of which performs automatic processing of data pursuant to a programme, and (b) data stored, processed, retrieved or transmitted by such device or group of devices for the purposes of the operation, protection or maintenance of the device or group of devices, as the case may be.”
The Act also enables members of An Garda Síochána to obtain District Court warrants granting them technologically-specific powers and wide ranging (e.g. in respect of entry, search and seizure) when investigating the commission of any of the new cybercrime offences. It is hoped that these powers will enhance the deterrent effect of the new offences and help to address some of the many obstacles faced in preventing, detecting and apprehending cybercrime offenders.
As recent developments have shown, cybercrime is an increasingly pressing concern for businesses, both in Ireland and internationally. The creation of the specific cybercrime offences in Irish law is a worthwhile and necessary step from a domestic perspective in the context of the fight against cybercrime. By transposing the requirements of the EU Cybercrime Directive, the Act also addresses the cross-border impact of cybercrime by contributing to a harmonious approach to the issue across the EU.
While the introduction of the Act is welcome, it remains to be seen how effective its provisions will be in preventing cybercrime or catching cyber-criminals. From the perspective of an organisation seeking to deal with the risk of cyber-attacks, the implementation of effective and appropriately monitored cyber security policies, procedures and measures will continue to be more important in safeguarding against cyber-attacks than reliance on the deterrent effects of criminal law.
The Act will also have no impact on the obligations of organisations who are the victims of cybercrime. For example, notwithstanding the provisions of the Act, an organisation which suffers a data security incident as a result of cybercrime may, depending on the nature of the organisation, be subject to a number of separate incident notification obligations, including under financial services regulation, payment services rules, data protection legislation, and/or network and information security regulations. The Act will enter into force upon the making of a commencement order by the Minister for Justice. At the time of writing, no indication has been given by the Department of Justice as to when this commencement order is expected to be made.