
Information Technology Law – UJUULC-30-2

Facts
Mr Denton is the Managing Director of Omegatron Industries which is a data analytics
company. The company collects and processes clients' data and sells them to various
marketing companies. Mr Denton has some arrogance issues and is always searching for
short-term profit. Another company named Echelon processes all the data provided by Omegatron
and acts in accordance with the instructions provided by Omegatron. The data collected by
Omegatron includes names, addresses, sexual orientation and ethnicity. The collected data
has discrepancies in the database. The company always collects data from its clients and
has never informed them about Echelon, which processes the data for it. Shilan works as a senior
cybersecurity officer at Omegatron. She informed Denton about the vulnerability the
company and its clients are facing. Though she was a senior cybersecurity officer in the
company, she was abused by Mr Denton, who told her to work only on basic admin-related
tasks and to keep her nose out of security issues in future. Despite a
profitable year for the company, Mr Denton had cut the security budget. After this incident,
Shilan developed sophisticated malware to access Omegatron's internal system. She accessed
the data of the company and installed malware to access the database in future. On a later
date, Shilan activated the pre-installed malware on Omegatron's core server and got access to
the company's data which includes the heating system, fire safety system and database of the
client. She also left a notice saying, "You have been pwnd. Secure your systems and take this
seriously otherwise you will be blown to hell and back!" After this, Shilan blocked the
system of Omegatron for 2 days. 3 days after this, Mr Denton told Shilan to come to his
office. There he dismissed her, threatening police involvement in the case. She
downloaded the financial records and some files of clients and forwarded those to different
groups of cybercriminals who are active on the dark web. The cybercriminals had also
threatened some of the clients. Mr Denton was aware of all these incidents and directed all
the employees of Omegatron to erase all the emails and information related to this incident.
He thought that it would not come to light if they all concealed the incident.
Issues
Whether Mr Denton, Omegatron and Shilan face potential liability and compliance issues
with respect to Computer Misuse, General Data Protection concerns under the
UK-GDPR, and Abusive online communications?

Rule
• Computer Misuse

The Computer Misuse Act 1990 deals with the issue of computer misuse. According to
Section 1 of the act, if any person knowingly secures access to any computer in an
unauthorised manner, he/she commits an offence which can attract 12 months of
imprisonment.

The case of R v Bow Street Mags [2002] 2 AC 216, stated that Mens Rea is important to
establish the crime.

According to Section 2 of the act, if any person is guilty of an offence he/she commits further
offences.

Section 3 of the act states that if any person does any unauthorised act with the computer then
he/she is liable for unauthorised impairment. This section also talks about recklessness.

Section 3A also holds liable any person who supplies any material to a third person with
the intention to commit a crime in future.

In the case of R v Brown (Charles) [2014] EWCA 695, the court held Charles Brown liable
and convicted him of possession of an article intended for use in fraud.

Section 3ZA of this Act holds liable a person who does any unauthorised act in relation to a
computer and the act may cause serious damage or have serious risks associated with it. The
damage may be of a material kind which includes damage to human welfare.

According to Section 17 of the Act, if anyone without any prior permission accesses any data or
information then he/she commits an offence.

• General Data Protection Concerns Under the UK-GDPR


Principle b of clause 1 of Article 5 of UK-GDPR discusses the legitimate and explicit use of
collected data. The collection of data must be adequate, relevant and limited in relation to the
necessity of the purpose of the data.

Principle d of clause 1 of article 5 of UK-GDPR states that the data must be accurate and up
to date.

Principle f talks about appropriate security for personal data and keeping the confidentiality
of the data.

Clause 2 of Article 5 of the UK-GDPR holds the controller liable for any non-compliance
with Clause 1 of the same article.

The UK-GDPR also discusses the non-consensual processing of data. If there is no consent
then, the controller must act judiciously if any action is required. They must be in accordance
with the interest of the general public.

• Abusive Online Communications

Clause 1 of section 4 of The Public Order Act 1986 holds any person guilty of an offence if
he/she threatens or abuses others with insulting words or with insulting behaviour.

Section 4A of the Public Order Act 1986 states that any person is liable if he/she causes
personal harassment or distress or alarm to others by using threatening, abusive or insulting
words or behaviour.

Application
• Offences Committed under Computer Misuse

So, if we apply Section 1 of The Computer Misuse Act 1990, Shilan has committed an
offence under this section as she accessed the security system of the company without any
prior permission.

If we apply the case of R v Bow Street Mags [2002] 2 AC 216, she had the Mens Rea as she
threatened the customers and delivered the data to other suspicious people. This constitutes
her Mens Rea to commit the crime.

Shilan has committed the crime under section 2 of The Computer Misuse Act 1990, as she
further circulated sensitive data to a group of criminals. This constitutes her further act of
crime.

She has committed an offence under section 3 of The Computer Misuse Act 1990, as she
used the computer system of the company without authorisation after installing a malicious virus
into the system.

Shilan has committed an offence under Section 3A of The Computer Misuse Act 1990, as she
further distributed the materials or data of clients to cybercriminals and those criminals
threatened some of the clients with their personal data.

If we apply the case of R v Brown (Charles) [2014] EWCA 695, Shilan is liable as she kept
access to the system with the intention of committing further crimes.

Shilan has committed offences under section 3ZA of The Computer Misuse Act 1990, as her
unauthorised act caused serious damage and risk for the clients.

She committed an offence under section 17 of The Computer Misuse Act 1990 as she had no
prior permission to use the computer system of the company and use the personal data of
clients.

• Offences Committed under General Data Protection Concerns Under the UK-GDPR

Omegatron has committed an offence under Principle b of Clause 1 of Article 5 of UK-GDPR,
as their process of collecting data and processing was not legitimate and the collected
data were not relevant in many parts.

Omegatron has committed an offence under Principle d of clause 1 of article 5 of UK-GDPR,
as the collected data were not accurate in nature.

Omegatron has committed an offence under Principle f of clause 1 of article 5 of UK-GDPR,
as they failed to provide proper security for the data of the public and failed to keep it
confidential.

• Offences Committed Under Abusive Online Communications


Mr Denton is liable under clause 1 of section 4 of The Public Order Act 1986, as he
threatened and abused Shilan with insulting words and behaviour.

Mr Denton has committed an offence under Section 4A of the Public Order Act 1986, as he
harassed Shilan personally with abusive language and insulting behaviour.

Conclusion
In conclusion, we can say that everyone has committed offences on their part and there
were issues related to serious privacy concerns. The Company has committed many serious
crimes from time to time. And even after knowing the fact that data were leaked to the cyber
criminals, the Managing Director took no steps to address the problem. This is a grave
offence committed against a large number of people.
