Police hamstrung by UK's outdated computer laws

Police investigations into thefts of company databases are being hampered by out-of-date computer crime laws, Scotland Yard's...

Police investigations into thefts of company databases are being hampered by out-of-date computer crime laws, Scotland Yard's computer crime unit said this week, in a move that will intensify calls for a review of the UK's Computer Misuse Act.

The disclosure follows reports from leading law firms that database theft has increased sharply during the economic slowdown, prompting businesses to resort to the civil courts to recover company secrets from former employees.

Detective sergeant Steve Santorelli, a senior investigator at the computer crime unit, said information theft has become a multimillion-pound industry, but out-of-date laws are making it impossible for the police to take action.

"We are talking about a huge amount of money being made by people stealing networked data. It is just an anachronism that stealing data is not illegal. The bottom line is that if someone phones up and says my database has been stolen, I can only refer them to a civil remedy."

Since February last year, business and IT industry leaders have backed Computer Weeky's campaign to re-examine the laws designed to protect companies against computer crime.

Santorelli said companies call his unit every week to report staff who have walked out with floppy discs containing confidential data. But short of arresting someone for stealing a 25p floppy disc, there is little the police can do.

Police have also had difficulty prosecuting those responsible for denial of service attacks because some forms of attack are not covered by the Computer Misuse Act 1990, said Santorelli.

In the past, the computer crime unit has been able to prosecute denial of service attackers by seizing computer equipment and using the evidence gathered to bring prosecutions for other types of computer crimes.

"This is not very satisfactory. There will come a time when someone will have so much encryption on their computer we will not be able to make a case to prosecute them for other offenses," said Santorelli.

Dan Morrison, partner at law firm Mishcon De Reya, said some firms have suffered heavy losses because of database theft and at least one company has been forced out of business after a rival firm used a stolen database to undercut its prices.

But he said it would be difficult to develop a criminal law that would adequately cover the theft of commercial data, which is difficult to define legally. Attempts by other parliaments in Europe had failed, he said.

  • Hackers and those spreading viruses could be sent to jail for five years under proposals for new laws on cybercrime approved by EU justice ministers last week. Ministers agreed to create a new criminal offence of "illegally accessing an information system". The proposals will be written into national laws after the European Parliament has given its opinion on the text.

Read more on IT risk management