
Closure threat to businesses who don't contain hacking

Under draft new laws backed by the European Parliament, businesses could be wound up if they engage in cyber attacks or fail to have sufficient controls in place to prevent staff engaging in computer hacking or other cyber crimes.

MEPs last week voted to support a new EU Directive on attacks against information systems. The new framework would require member states to “take the necessary measures” to ensure businesses can be held liable for offences such as the illegal accessing of information systems, illegal system or data interference or illegal interception.

Under the Directive, member states would be able to levy a number of sanctions on companies engaged in such cyber attacks. Member states would also be able to serve punishments on companies where failings in their “supervision or control” have allowed “a person under its authority” to commit any of the listed offences.

Sanctions could include “exclusion from entitlement to public benefits or aid; temporary or permanent disqualification from the practice of commercial activities; placing under judicial supervision; judicial winding-up; temporary or permanent closure of establishments which have been used for committing the offence”, according to the Directive. Sanctions imposed would have to be “effective, proportionate and dissuasive” in order to be justified.

The European Commission said that the new laws, which would update an existing framework in place since 2005, have been particularly designed to combat cyber crime such as “the illegal entering of or tampering with information systems” and “the massive spread of malicious software creating ‘botnets’ - networks of infected computers that can be remotely controlled to stage large-scale, coordinated attacks”.

Individual perpetrators of the crimes could face at least five years in prison in some cases where the crimes they have committed “cause serious damage” or “are committed against a critical infrastructure information system”.

EU member states will have two years from the date that the new Directive is published in the Official Journal of the EU to implement the new laws.

“This is an important step to boost Europe’s defences against cyber-attacks,” the EU’s Commissioner for Home Affairs, Cecilia Malmström, said in a statement. “Attacks against information systems pose a growing challenge to businesses, governments and citizens alike. Such attacks can cause serious damage and undermine users’ confidence in the safety and reliability of the Internet.”

“The perpetrators of increasingly sophisticated attacks and the producers of related and malicious software can now be prosecuted, and will face heavier criminal sanctions. Member States will also have to quickly respond to urgent requests for help in the case of cyber-attacks, hence improving European justice and police cooperation,” she said.

On Friday the UK’s Ministry of Defence announced that it had formed a new Defence Cyber Protection Partnership (DCPP) with a range of security industry organisations.

“By sharing experience of operating under the constant threat of sophisticated cyber attack, the DCPP will identify and implement actions that have a real impact on the cyber defences of its members and the UK defence sector as a whole,” an MoD statement said. “In particular they will highlight the need for protective measures which should increase the security of the wider defence supply chain and define an approach to implementing cyber security standards across its members and its supply chain partners.”

The MoD, intelligence agency GCHQ and the Centre for the Protection of National Infrastructure will work with BAE Systems, BT, Cassidian, CGI, Hewlett Packard, Lockheed Martin, Rolls-Royce, Selex ES and Thales UK under the new partnership.

Article from international law firm Pinsent Masons’ Out-Law legal news and guidance site.

This was posted in Bdaily's Members' News section by Pinsent Masons.
