Over the past year, there has been a significant increase in cyber-related attacks, with solicitors and their clients being specifically targeted.
In light of this, in this piece we explore the nature of these offences, the legal redress available to those who have been subjected to them and the recently published Law Society Guidelines for solicitors and their clients.
What is cybercrime?
The Law Society defines cybercrime as a criminal activity using computers and the internet. Cybercrime comprises:
- Traditional offences such as fraud, forgery and identity theft,
- Content related offences such as distribution of illicit material,
- Offences unique to information systems such as attacks against systems, spread of malware, hacking to steal personal data and attacks to cause financial or reputational damage.
In recent years, the Oireachtas has legislated to allow for the prosecution of cybercrime offences in Ireland. The Criminal Justice (Offences Relating to Information Systems) Act 2017 (“the 2017 Act”) introduced a consolidated approach to cybercrime in Ireland for the first time.
Phishing
Of late, phishing has been a persistent threat to law firms and their clients. Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, generally through email. The goal is to steal sensitive data like credit card and login information, install malware or induce parties to make bank transfers to third-party bank accounts. Phishing in itself does not constitute an offence in Ireland. However, the activity is caught under more general criminal legislation, depending on the circumstances. For example, Section 6 of the Criminal Law (Theft and Fraud Offences) Act of 2001 governs Deception Offences. Deception Offences are defined in the Act as “making gain or causing loss by deception”.
Hacking and Malware
Hacking and malware are two further terms synonymous with cybercrime. Hacking is housed in Section 2 of the 2017 Act, which defines the offence as “a person who, without lawful authority or reasonable excuse, intentionally accesses the information systems by infringing a security measure”. Commonly, once the assailant gains access to the system, they will use this access to install malware.
Malware, or malicious software, consists of programming designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorised access to system resources or other abusive behaviour. Cybercriminals typically use it to extract data that they can leverage over victims for financial gain. Infection of IT systems with malware is an offence under Section 4 of the 2017 Act.
The penalties under the 2017 Act range from a maximum imprisonment of one year and a maximum fine of €5,000 for summary charges (less serious offences), to a maximum of five years’ imprisonment and an unlimited fine for more serious offences.
Of course, legislation alone is not enough to stop cybercrime. Criminal sanctions can only ever be one weapon in the armoury of preventing and responding to cyber-attacks. The Law Society has recently published a set of preventative guidelines for firms and their clients which includes a series of standard precautions such as securing computers and ensuring software is up to date, ensuring there are backups of data, avoiding clicking through emails, ensuring employees are trained to a high level and having a risk management policy in place. It is also imperative that firms have sufficient professional indemnity insurance and cyber insurance cover for cybercrime.
For further information regarding cybercrime and claims in Ireland, please contact Lavelle Partners in confidence on (01) 644 5800 or by email to Ciarán Leavy at cleavy@lavellepartners.ie.