1.1 Would any of the following activities constitute a criminal or administrative offence in your jurisdiction? If so, please provide details of the offence, the maximum penalties available, and any examples of prosecutions in your jurisdiction:
Hacking (i.e. unauthorised access)
Hacking is an offence under section 2 of the Criminal Justice (Offences Relating to Information Systems) Act 2017 (the "2017 Act"). A person who, without lawful authority or reasonable excuse, intentionally accesses an information system by infringing a security measure, commits an offence.
Denial-of-service attacks
Denial-of-service attacks are an offence under section 3 of the 2017 Act. A person who, without lawful authority, intentionally hinders or interrupts the functioning of an information system, whether by inputting data on the system; by transmitting, damaging, deleting, altering or suppressing, or causing the deterioration of, data on the system; or by rendering data on the system inaccessible, commits an offence.
Phishing
Phishing does not, per se, constitute a specific offence in Ireland. However, depending on the circumstances, the activity may be caught by other, more general criminal legislation (for instance, the provisions relating to identity theft or identity fraud discussed below).
Infection of IT systems with malware (including ransomware, spyware, worms, trojans and viruses)
Infection of IT systems with malware is an offence under section 4 of the 2017 Act. A person who, without lawful authority, intentionally deletes, damages, alters or suppresses, or renders inaccessible, or causes the deterioration of data on an information system commits an offence.
Distribution, sale or offering for sale of hardware, software or other tools used to commit cybercrime
Distribution, sale or offering for sale of hardware, software or other tools used to commit cybercrime also constitutes an offence under section 6 of the 2017 Act. The offence is committed where a person, without lawful authority, intentionally produces, sells, procures for use, imports, distributes or otherwise makes available certain hacking tools for the purpose of the commission of an offence under the 2017 Act.
Possession or use of hardware, software or other tools used to commit cybercrime
As above, possession or use of hardware, software or other tools used to commit cybercrime constitutes an offence under the 2017 Act (section 6).
Identity theft or identity fraud (e.g. in connection with access devices)
Although there is no precise, standalone offence of identity theft or identity fraud in this jurisdiction, it can nonetheless potentially be captured by the more general offence of "making a gain or causing a loss by deception" (section 6 of the Criminal Justice (Theft and Fraud Offences) Act 2001 (the "2001 Act")). This occurs where a person dishonestly, with the intention of making a gain for himself, herself or another, or of causing loss to another, by any deception induces another to do or refrain from doing an act. In addition, sections 25, 26 and 27 of the 2001 Act cover specific forgery offences.
Separately, under section 8 of the 2017 Act, identity theft or fraud is an aggravating factor at sentencing for the "denial-of-service attack" and "infection of IT systems" offences.
Electronic theft (e.g. breach of confidence by a current or former employee, or criminal copyright infringement)
Electronic theft is covered by the relatively broad offence of "unlawful use of a computer", provided for in section 9 of the 2001 Act. This occurs where a person dishonestly, whether within or outside the State, operates or causes to be operated a computer within the State with the intention of making a gain for himself, herself or another, or of causing loss to another.
Unsolicited penetration testing (i.e. the exploitation of an IT system without the permission of its owner to determine its vulnerabilities and weak points)
Unsolicited penetration testing is an offence under the 2017 Act (section 2) where it involves intentionally accessing an IT system by infringing a security measure without lawful authority (i.e. permission of the system owner/right holder or where otherwise permitted by law) or "reasonable excuse". This term is not defined under the 2017 Act, and its application will depend on future judicial interpretation.
Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data
Section 5 of the 2017 Act creates the offence of "intercepting the transmission of data without lawful authority". This occurs where a person, without lawful authority, intentionally intercepts any transmission (other than a public transmission) of data to, from or within an information system (including any electromagnetic emission from such an information system carrying such data).
Penalties for offences under the 2017 Act range from a maximum of one year's imprisonment and a maximum fine of €5,000 where charges are brought "summarily" (i.e. for less serious offences), to a maximum of five years' imprisonment (10 years in the case of denial-of-service attacks) and an unlimited fine for more serious offences. The above offences under the 2001 Act are tried only in the Circuit Court, with "making a gain or causing a loss by deception" carrying a maximum penalty of five years' imprisonment and an unlimited fine, and the forgery and "unlawful use of a computer" offences carrying a maximum of 10 years' imprisonment and an unlimited fine.
1.2 Do any of the above-mentioned offences have extraterritorial application?
All of the above offences under the 2017 Act have a degree of extraterritorial application, so offenders may be tried in Ireland provided they have not already been convicted or acquitted abroad in respect of the same act.
Although broader mechanisms such as the European arrest warrant may be of relevance to Irish prosecutors, none of the above-mentioned offences under the 2001 Act carries, in and of itself, extraterritorial application.
1.3 Are there any factors that might mitigate any penalty or otherwise constitute an exception to any of the above-mentioned offences (e.g. where the offence involves "ethical hacking", with no intent to cause damage or make a financial gain)?
Each of the above offences under the 2017 Act contains the ingredient that it was committed without "lawful authority" (i.e. permission of the system owner/right holder, or where otherwise permitted by law). Accordingly, a prosecution for any of these offences necessarily requires that such authority or lawful permission was absent.
In addition, the offence relating to "hacking" carries a further qualification, i.e., where the person or company had a "reasonable excuse". This term is not defined under the 2017 Act, and so its application will depend on future judicial interpretation.
If a company is charged with any of the above 2017 Act offences where the offence was committed by an employee for the benefit of that company, it will be a defence for that company that it took "all reasonable steps and exercised all due diligence" to avoid the offence taking place.
It can be expected that judges will continue to take established factors into account when considering the appropriate penalty on foot of a conviction of a cybersecurity-related crime (e.g. remorse, amends, cooperation with investigators, criminal history, and extent of damage).
2 Cybersecurity Laws
2.1 Applicable Law: Please cite any Applicable Laws in your jurisdiction applicable to cybersecurity, including laws applicable to the monitoring, detection, prevention, mitigation and management of Incidents. This may include, for example, data protection and e-privacy laws, intellectual property laws, confidentiality laws, information security laws, and import/export controls, among others.
Apart from the above-referenced statutes in respect of criminal activity, Applicable Laws include the following:
- Data Protection: The General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR") and the Data Protection Acts 1988 to 2018 ("DPA") govern the manner in which personal data is collected and processed in Ireland. Data controllers are required to take "appropriate security measures" against unauthorised access, alteration, disclosure or destruction of data, in particular where the processing involves transmission of data over a network, and comply with strict reporting obligations in relation to Incidents. The DPA also provides for offences related to disclosure and/or sale of personal data obtained without prior authority.
- e-Privacy: The e-Privacy Regulations 2011 (S.I. 336 of 2011), which implemented the e-Privacy Directive 2002/58/EC (as amended by Directives 2006/24/EC and 2009/136/EC) (the "e-Privacy Regulations"), regulate the manner in which providers of publicly available telecommunications networks or services handle personal data, and require providers to take appropriate technical and organisational measures to safeguard the security of their services and to report Incidents. The e-Privacy Regulations also prohibit interception or surveillance of communications, and of the related traffic data, over a publicly available electronic communications service without users' consent. It was intended that a revised EU e-Privacy Regulation be introduced in May 2018 to replace the existing e-Privacy Directive and e-Privacy Regulations, expanding the current regime to cover all businesses which provide online communication services. That new regulation is still in draft form.
- Payment Services: The Payment Services Directive II (Directive 2015/2366/EU or "PSD2") was transposed by the European Union (Payment Services) Regulations 2018 (S.I. 6 of 2018) (the "Payment Services Regulations"). It introduced regulatory technical standards (published by the European Banking Authority) to ensure "strong customer authentication", and payment service providers are required to inform the national competent authority of major operational or security Incidents. Providers must also notify customers of any Incident that impacts the financial interests of their payment service users.
- Network and Information Security: The Security of Network and Information Systems Directive 2016/1148/EU (the "NISD") was transposed into Irish law by S.I. 360/2018, the European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (the "NISD Regulations").
- Other: If there is a security breach which results in the dissemination of inaccurate information, persons about whom the inaccurate data relates may seek a remedy under the Defamation Act 2009 or at common law for breach of confidence or negligence.
See also sections 1 and 5.
2.2 Critical or essential infrastructure and services: Are there any cybersecurity requirements under Applicable Laws applicable to critical infrastructure, operators of essential services, or similar, in your jurisdiction?
The NISD Regulations apply, together with Commission Implementing Regulation (EU) 2018/151, which specifies further elements to be taken into account when identifying measures to ensure the security of network and information systems.
The National Cyber Security Strategy 2019–2024 provides a mandate for the National Cyber Security Centre ("NCSC") to engage in activities to protect critical information infrastructure.
Enforcement powers under the NISD Regulations also allow NCSC-authorised officers to conduct security assessments and audits, require the provision of information and issue binding instructions to remedy any deficiencies.