The Love Bug virus, the Code Red worm, identity theft, denial of service attacks, hacking - cyber crime is increasingly impacting on our lives. Unfortunately, existing law is not always equipped to deal with the perpetrators of cyber crime.
In its Computer Misuse report, (1999) the Law Commission concluded that existing New Zealand law was inadequate to deal with cyber crime. In response, the Government introduced a Bill to amend the Crimes Act 1961 including the creation of a number of new computer crimes. The proposed new computer crimes are outlined below.
Accessing computer system for dishonest purpose The Bill creates a new offence of accessing a computer system for a dishonest purpose. Anyone who accesses a computer system and dishonestly, or by deception, either:
obtains some form of property or advantage; or causes loss to any person;can be sentenced to up to 7 years imprisonment.
Anyone who accesses a computer system with intent to either cause loss or obtain property is liable for up to 5 years imprisonment.
The new offence will catch a range of cyber crimes that have recently featured in the news, including stealing credit card information from Web sites, industrial espionage, the unauthorised transfer of funds from company bank accounts, and the destruction of data by hackers or disgruntled employees.
Damaging or interfering with computer system It will be an offence to intentionally or recklessly destroy, damage or alter any computer system where the person doing such acts knows (or ought to know) that danger to life is likely to result. Any person doing so can be sentenced to up 10 years imprisonment.
Denial of service attacks Anyone who intentionally or recklessly:
damages, deletes, adds to, modifies, or otherwise interferes with any data or software in a computer system; or causes any computer system to fail or deny service to any authorised users;could be liable for up to 7 years imprisonment.
This new offence will catch "denial of service attacks", defacing Web sites, and creating or releasing viruses or worms.
Software to commit crimeSelling "hacking" software will also be an offence. Anyone who makes, sells, distributes or possesses software that allows access to a computer system in order to commit a crime can be imprisoned for up to 2 years. Advertising software for a legitimate purpose, but hinting that it may be useful for hacking, would also fall within this offence.
In addition, anyone who has hacking software in their possession and intends to use it to commit a crime can be imprisoned for up to two years.
Accessing a computer system without authorisationAccessing a computer system without authorisation will become a new crime punishable by up to 2 years imprisonment. This new provision is intended to cover "hacking". This crime will not apply to anyone who is authorised to access a computer system for one purpose, but accesses that computer system for different (unauthorised) purpose.
For example, an employee who does not have authorisation to access his or her employer's computer system and does so may be caught by the new provision but, an employee who is authorised to access his or her employer's computer systems for one purpose, but takes advantage of that access for another purpose will not be caught by the new provision. It is therefore important for employers to ensure that they have in place clear computer access policies for all employees.
Hacking exceptions for the police, the SIS and the GCSBThe new anti-hacking provision contains exceptions for the SIS, the Government Communications Security Bureau (GCSB) and other law enforcement agencies (such as the police).
The police may access a computer system without authorisation if they do so under a search or interception warrant, or if they do so under legislation or common law.
The SIS may access a computer system without authorisation if they have a warrant to do so. Anyone who is requested to give assistance to the SIS will also fall within this exception. This exception has lead some commentators to raise concerns that the public could be required to hand over encryption keys to the SIS.
The GCSB collects intelligence about foreign people and organisations, and is exempt from the anti-hacking provision if it collects information within the scope of its authority. The definition of a foreign organisation is very broad and includes companies incorporated outside New Zealand and even New Zealand subsidiaries of foreign companies.
Status of the BillThe Bill is currently before Parliament awaiting its second reading, which is expected to occur before the end of the year.
Although these amendments are a step towards making cyberspace a safer place, the key issue for business and individuals is to defend their own computer systems from attack by ensuring effective security systems and policies are in place.
Key issues;
in 2000, a hacker broke into the Web site of online retailer CD Universe and stole the credit card details of 300,000 customers. When the hacker's demand for $100,000 was not met, the hacker published the credit card details on the Internet. Last year, the BBC ran a story about the hacking of the control systems for a Chinese military exercise using live ammunition. The exercise was aborted after these hacking attacks due to safety concerns. Hundreds of Web sites were hacked and defaced in a "cyberwar" between United States and Chinese citizens, sparked by the collision of a United States plane and a Chinese fighter jet in April 2001.This is a general summary only and should not be taken as a substitute for specific advice.
x-tech group Simpson Grierson
Web site:
Simpson Grierson Contacts
Michael Sage, Partner michael.sage@simpsongrierson.com
Earl Gray, Partner earl.gray@simpsongrierson.com
Karen Ngan karen.ngan@simpsongrierson.com
Sarah Plumley, Solicitor sarah.plumley@simpsongrierson.com