
Companies should require customers and staff to promise
to abide by acceptable use of information systems and not to breach
the Computer Misuse Act (CMA).
This emerged from new guidelines from the
Crown Prosecution Service that anticipate anti-hacking
provisions coming into force in the
Police and Justice Act 2006.
The guidelines do not ban the legitimate use of hacking tools
and activities to emulate unauthorised access to computer systems
and data.
The CPS said there is a "legitimate industry that generates
'articles' to test and/or audit hardware and software. Some
articles will therefore have dual use, and prosecutors need to
ascertain that the suspect has a criminal intent."
It asks prosecutors to consider, before deciding to prosecute,
whether the victim had robust and up-to-date contracts, terms and
conditions or acceptable-use policies; whether staff, customers and
others were made aware of the CMA and what was lawful; and whether
they had to formally acknowledge their intention not to contravene
the CMA.
To secure a prosecution, the CPS said the offender had to know
that their access was unauthorised. "Mere recklessness is not
sufficient. This covers not only hackers, but also employees who
deliberately exceed their authority and access parts of a system
officially denied to them," it said.
Penalties for unlawful access to systems and data or for
distributed denial of service attacks include up to two years in
jail and/or a fine, but making and using hacking tools with
criminal intent attract 10 years and five years respectively.