Amidst the unprecedented ransomware breach on the NHS a little while ago, with hackers threatening to delete files unless a ransom was paid, now more than ever is the time to brush up on the laws behind cyber-attacks.

The most known piece of legislation is the Computer Misuse Act 1990, however there are a whole host of laws that form protection against cybercrime and help you to protect against cyber-attacks.

Communications Act 2003

The Communications Act 2003 covers various different communications in the media. The main protections that the act affords is:

  1. Piggybacking;
  2. Threatening behaviour online; and
  3. Offensive and indecent images.

Piggybacking is a term used to describe the process of using someone else’s internet connection without their permission or any intention to pay for access. For example, using a neighbour’s WiFi connection is a prime example of piggybacking. However, using a free WiFi access point in local coffee shops is not piggybacking as the company have given express permission to the consumer to use their WiFi connection.

The Communications Act 2003 also protects against receiving threats online – social media is a dangerous tool and can be used to bully and threaten people. Often people post comments online which deliberately cause distress – this is “trolling”. Some parts of the Communications Act 2003 protect against trolling but the law is to be revised to extensively cover this form of behaviour.

Sending offensive or indecent images of others is an offence covered by the Communications Act 2003. In today’s society, everyone is a cameraman – everyone has easy access to a smart phone with a camera! This means that offensive or indecent images can be captured and disseminated more easily than before – deliberately sharing such images on social media can be an offence.

The Privacy and Electronic Communications Regulation

These regulations give people specific privacy rights in relation to electronic communications – It recognises that widespread public access to digital mobile networks and the internet opens up new possibilities for businesses and users, but also new risks to their privacy.

Organisations that wish to send electronic marketing messages by phone, fax, email or text need to adhere to these regulations.

The regulations aim to keep customer privacy at the forefront and deal with location data, itemised billing, line identifications and directory listings. The regulations even cover cookies and unwanted marketing calls!

Do the Privacy and Electronic Communications Regulation apply to me?

Some of the rules only apply to organisations that provide a public electronic communications network or service. But even if you aren’t a network or service provider they will apply if you:

  1. market by phone, email, text or fax;
  2. use cookies or a similar technology on your website; or
  3. compile a telephone directory (or a similar public directory).

Remember that these regulations are in conjunction with the Data Protection Act 2018 – watch out for more information in this as it is being rewritten. See some useful ICO information here.

Computer Misuse Act 1990

The Computer Misuse Act 1990 is the most common piece of legislation when you think about cyber-attacks and covers:

  1. accessing computer material without permission (for example looking at someone else’s files);
  2. accessing computer material without permission with intent to commit further criminal offences, (for example hacking into a bank’s computer and wanting to increase the amount in your account);
  3. altering computer data without permission (for example writing a virus to destroy someone else’s data).

Official Secrets Act 1989

The Official Secrets Act 1989 encapsulates the unauthorised disclosure of information by Government employees. This means an employee that works with the Government cannot disclose information “in the public interest” and this includes:

  • Security and intelligence;
  • Defence;
  • International Relations;
  • Information which might lead to the commission of crime; and
  • Foreign confidences.

General Data Protection Regulations (“GDPR”)

The GDPR was designed to ensure that all data privacy laws are updated across all EU member states and ensures that the privacy of EU citizens is put first. The UK has stated that it will be implementing the GDPR and that means all UK businesses will need to abide by the same regulations.

The GDPR now considers that any data that can be used to identify an individual as personal data. Will include, things such as genetic, mental, cultural, economic or social information. Moreover, companies will need to show that they can prove valid consent for using personal information.

Cyber Essentials

Cyber Essentials is a UK government scheme which aims to set a standard of IT security for all UK businesses. It aims to help organisations to implement basic levels of protection against cyber-attacks, demonstrating to their customers and suppliers that they take cyber security seriously.

Cyber Essentials include five key areas which businesses should protect themselves including:

  • Boundary firewalls and internet gateways;
  • Secure configuration;
  • Access control;
  • Malware protection; and
  • Patch management.

Information Assurance for Small and Medium Enterprises (IASME) standard and ISO 27001

IASME is designed to ensure businesses are securing their data as much as possible. The goal of the IASME standard is to provide a cyber-security standard for SMEs and is based on ISO 27001 (which is currently the industry standard for management of information and covers all aspects of business and how you interact with security). The IASME standard is tailored for specifically for SMEs.

The NCSC has published fantastic resources to guide small businesses which can be accessed and downloaded for free here.

Let us know if we can help you!

Author: Yvonne Morris



twitter: @CloudLegals


CloudLegal is a tech-enabled legal support consultancy which promises practical commercial and jargon-free advice. We support all company matters, commercial contracts/ Ts & Cs (including software and IT), employment & HR as well as data protection matters. We have various services including: