UJUULC-30-2 Legal Analysis of Omegatron Case: Cybersecurity and Data Case Study

Introduction - Addressing Liabilities in Omegatron's Legal Challenges

Engagement in data protection has been considered one of the significant imperative concerns in today's era. This study reflects the concern in the case study associated with Mr. Denton, Omegatron, and Shilan. The concerned issues associated in this case related to computer misuse have been aligned with the General Data Protection (UK-GDPR) and Abusive Online Communications”. In this study, the Potential Liability and Compliance have been discussed and the Assessment with module learning outcomes has been emphasized regarding the legal issues and possible solutions for the rights of Mr. Denton, Omegatron, and Shilan. This study provides the legal solutions and administrative structures to be followed that need to be known.

Computer Misuse

Misusing a computer is an offensive crime recorded under the “Computer Misuse Act 1990” and Section 1 of this act provides possible guidance regarding the same. It portrays that conducting “unauthorized access to computer material” is a criminal offense. As Shilan accessed the “core server with the highest-level credentials” of Omegatron and also “installed malware to secure access to the company's fire safety system, heating systems, and client database” it has been considered to be offensive that comes under “Section 1 of the Computer Misuse Act 1990” which will provide the consequence of facing “criminal charges” to her. Apart from that, Mr. Denton is similarly liable for not providing enough resources to Shilan to “prevent unauthorized access” to Omegatron’s core system. It portrays that Mr. Denton was not concerned regarding his duty as a Managing Director of the company and the “safety and security of Omegatron's systems” has been deduced based on the same.

General Data Protection 

The major provision of the company is to maintain confidentiality regarding the personal data of the clients regarding their “names, addresses, ethnicity, and sexual orientation data” and if in case used then their consent must be taken. This process has been breached under UK-GDPR and it requires that Omegatron must “obtain valid consent” for accessing the personal data of their clients. Besides this, Omegatron's “affiliate company”, Echelon Data Processing processes data while accumulating the raw data directly from the record of Omegatron, and the data regarding the clients have not been disclosed during the same from Omegatron as it violates “violation of the transparency principle under the UK-GDPR”. The clients have not been made aware regarding their data is being used and processed for updating data based on ethnicity. Mr. Denton, being the Managing Director, is responsible for complying with “the UK-GDPR” and has failed to do the same which can make him face “reputational damage” and fines.

Abusive Online Communications 

The tweet sent by Shilan conveyed “You have been pwnd. Secure your systems and take this seriously otherwise you will be blown to hell and back!” this is an “abusive online communication” and is an offense recorded under the “Malicious Communications Act 1988”. This act portrays that it is illegal or against the ethics to provide any “indecent or grossly offensive, threatening or contains information that is false or believed to be false”. Based on this act, Shilan has violated the rules and has followed “Abusive Online Communication” which must be treated with further serious proceedings.

Potential Liability and Compliance 

The case shows that Mr. Denton, Omegatron, and Shilan are supposed to face issues regarding “Computer Misuse, General Data Protection, and Abusive Online Communications”. Omegatron did not follow “the UK-GDPR” act and has processed inaccurate information from clients without disclosing it to Echelon for its clients. Mr. Denton has breached legal concerns as he did not take enough steps as per his responsibility while providing enough resources for preventing “unauthorized access to Omegatron's system”. Shilan has also breached the “Computer Misuse Act 1990” and has violated the “Malicious Communications Act 1988” while tweeting abusive threats. Besides, she also exposed “company's financial records” to cyber criminals who have targeted some clients of Omegatron. All of these considerations are indicating legal actions against Mr. Denton, Omegatron, and Shilan.

Assessment with module learning outcomes 

Omegatron

Omegatron is an organization controlling data analytics while processing client data for marketing and sale-based companies and has breached its legal line while not asking for the consent of clients before passing the information. Besides this, it also collected and utilized “sensitive personal data, such as ethnicity and sexual orientation” with irrelevant purpose and failed to expose Omegatron’s affiliate company “Echelon Data Processing” to its clients.

Legal Issues

• “Data protection compliance”: Omegatron has violated the rules that come under “General Data Protection Regulation (GDPR)” and “Data Protection Act 2018” and failed to manage “adequate transparency”.

• Breaching of confidentiality: Omegatron did not maintain confidentiality while disclosing the personal data of its clients without making them aware or asking for their consent.

• “Intellectual property infringement”: Omegatron has infringed the “intellectual property rights” of its clients while utilizing personal information without “proper authorization or licensing”.

Possible Solutions

• Improving “data protection compliance”: The provision of data distress has been portrayed in “2021’s Lloyd v. Google [2021] UKSC 50 (Lloyd v. Google)” and provides the solution of improving the security system while updating the cloud system and hiring liable and authentic software engineers. This must be followed by Omegatron to maintain privacy notice and if failed then must sanction “data protection laws”.

• Enhancing “transparency and accountability”: Transparency must be maintained while prevailing the leakage of information of private concerns of clients and regular testing must be followed for managing the security of information while reporting “relevant authorities and affected parties”.

• Addressing “legal disputes and liability”: Omegatron must claim “injunctive relief” while settling negotiations and considering the interest of clients and all associated parties. 

Mr. Denton

Mr. Denton is the Managing Director of the organization Omegatron possesses aggressive nature and a “short-sighted obsession with immediate profits”. He has reduced the budget for securing cybersecurity although Shilan informed him about the vulnerability of their data from cyberattacks.

Legal Issues

• Breach of “duty of care”: Mr. Denton has not provided sufficient resources to Shilan for managing cybersecurity and neglected the risks while focusing on revenue.

• Breach of “employment contract”: Mr. Denton has breached the “employment contract” of Shilan while “dismissing her without following proper procedures” and by conducting discriminating actions against her.

• Criminal liability: If cybercrime happens Mr. Denton is supposed to be liable for not securing and maintaining entire responsibility as the MD of the company and may be proven as an extorter or fraud.

Possible Solutions

• Improvement of “cybersecurity measures and risk management”: Attention must be provided to “adequate resources” and Mr. Denton must ensure the hiring of experts of “cybersecurity professionals and invest in modern and effective security systems and procedures”.

• Addressing “employment disputes and termination”: Mr. Denton must follow “fair and lawful procedures” before terminating an employee.

Shilan

Shilan is the “senior cybersecurity officer” of Omegatron and has asked for resources for security purposes of data protection. She developed “a sophisticated malware to gain access to Omegatron's systems” and later “incapacitated the entire system for two days”. After being terminated she accessed the financial records of the company and exposes these on the “dark web”.

Legal Issues

• Criminal liability: The “National Crime Agency” has reported multiple cases of breaching “The Computer Misuse Act 1990” and as Shilan has conducted the same she might face fines and relevant consequences.

• Breach of “employment contract”: Shilan accessed and manipulated the system of the company without authenticating which resulted in damage regarding exposing the confidential information of clients.

• Civil liability: Shilan has possessed “injunctive relief for breaching her duties of confidentiality, trust, and loyalty”.

Possible Solutions

• Seek “legal advice and representation”: Shilan must seek legal advice and consult for reducing the risks of cybercrime conducted by her. She must surrender to the police and honestly disclose her actions to cooperate with them in investigating for “compelled to self-incriminate”.

• Negotiating a “settlement or plea bargain”: As per the case of “The Protection from Harassment Act 1997 (PHA 1997)” section 2 suggests that harassment causes distress and needs to be negotiated for reducing the crime effect. Shilan must seek for minimizing her penalty while seeking advice and bargaining “legal and reputational consequences”.

• Mitigate “damages and protect clients”: The consequences faced by Omegatron has to be supported by Shilan while compensating with legal actions and following ethical possession. She must be aware so that no further legal issues do not reduce her reputation.

 Conclusion 

The advice provided throughout this study accommodated in the possible solution section is required to be availed and known to the organization to reduce the risk factors. The concern of "UK-GDPR", "The Computer Misuse Act 1990", and the "Malicious Communications Act 1988" have been analyzed in this study. The enclosing factor of data processing of Echelon has been focused on preventing unauthorized access and following "adequate security measures". Mr. Denton, Omegatron, and Shilan must possess legal advice and follow their responsibilities further. Mr. Denton must consider police involvement for securing further risk and provide the resources that are required to manage the security of Omegatron. The damage resulted in Shilan must be covered with "internal policies and procedures" by police and its cybercrime force. Omegatron's compliance must be sought with aligning the recommendations of case laws and raised legal advice provided by advisory and consultants.

References

AKDEMİR, Naci, Bülent SUNGUR, and Bürke BAŞARANEL. "Examining the Challenges of Policing Economic Cybercrime in the UK." Güvenlik Bilimleri Dergisi International Security Congress Special Issue (2020): 113-134. Available at: https://dergipark.org.tr/en/download/article-file/986496 (Accessed on: 06.04.23)

Buil-Gil, David, et al. "Cybercrime and shifts in opportunities during COVID-19: a preliminary analysis in the UK." European Societies 23.sup1 (2021): S47-S59. Available at: https://asiermoneva.com/publications/2020-08-11-cybercrime-and-shifts-in-opportunities/builgil_2020_cybercrime_and_shifts_in_opportunities.pdf (Accessed on: 06.04.23)

Collier, Ben, et al. "Influence, infrastructure, and recentering cybercrime policing: evaluating emerging approaches to online law enforcement through a market for cybercrime services." Policing and Society 32.1 (2022): 103-124. Available at: https://www.tandfonline.com/doi/pdf/10.1080/10439463.2021.1883608?needAccess=true&role=button (Accessed on: 06.04.23)

Curtis, Joanna, and Gavin Oxburgh. "Understanding cybercrime in ‘real world’policing and law enforcement." The Police Journal (2022): 0032258X221107584. Available at: https://journals.sagepub.com/doi/pdf/10.1177/0032258X221107584 (Accessed on: 06.04.23)

Davies, Gemma. "Shining a light on policing of the dark web: an analysis of UK investigatory powers." The Journal of Criminal Law 84.5 (2020): 407-426. Available at: https://journals.sagepub.com/doi/pdf/10.1177/0022018320952557 (Accessed on: 06.04.23)

Ico.org.uk, 2023, Guide to the UK General Data Protection Regulation (UK GDPR). Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ (Accessed on: 06.04.23)

Kemp, Steven, et al. "Empty streets, busy internet: A time-series analysis of cybercrime and fraud trends during COVID-19." Journal of Contemporary Criminal Justice 37.4 (2021): 480-501. Available at: https://journals.sagepub.com/doi/pdf/10.1177/10439862211027986 (Accessed on: 06.04.23)

legislation.gov.uk, 2023, Computer Misuse Act 1990, Available at: https://www.legislation.gov.uk/ukpga/1990/18/contents (Accessed on: 06.04.23)

legislation.gov.uk, 2023, Data Protection Act 2018. Available at: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted (Accessed on: 06.04.23)

legislation.gov.uk, 2023, Malicious Communications Act 1988. Available at: https://www.legislation.gov.uk/ukpga/1988/27/contents (Accessed on: 06.04.23)

legislation.gov.uk, 2023, Protection from Harassment Act 1997. Available at: https://www.legislation.gov.uk/ukpga/1997/40#:~:text=(1)A%20person%20whose%20course,on%20each%20of%20those%20occasions (Accessed on: 06.04.23)

McKoy, Coleman. "Law Enforcement Officers’ Reaction on Traditional Crimes to Fight Cybercrime Locally." ABC Journal of Advanced Research 10.2 (2021): 159-174. Available at: https://scholar.archive.org/work/isevr7vrtzgavkk6nnbe4mfs5u/access/wayback/https://i-proclaim.my/journals/index.php/abcjar/article/download/601/558 (Accessed on: 06.04.23)

Mulheron, Rachael. "Further Impetus for a Statutory Class Action, Post-Lloyd v Google." Civil Justice Quarterly (2022). Available at: https://qmro.qmul.ac.uk/xmlui/bitstream/handle/123456789/77185/Mulheron%20Further%20Impetus%20for%20a%20Statutory%20Class%20Action%2C%20Post-Lloyd%20v%20Google%202022%20Accepted.docx?sequence=2&isAllowed=y (Accessed on: 06.04.23)

Mutendi, Ruvarashe Lisa. What are the legal responses to domestic violence in the UK. Diss. Master’s thesis, Near East University Institute of Graduate Studies, 2021. Available at: http://docs.neu.edu.tr/library/9178716549.pdf (Accessed on: 06.04.23)

Nouh, Mariam, et al. "Cybercrime investigators are users too! Understanding the socio-technical challenges faced by law enforcement." arXiv preprint arXiv:1902.06961 (2019). Available at: https://arxiv.org/pdf/1902.06961 (Accessed on: 06.04.23)

Ralarala, Sinesipho. The impact of cybercrime on e-commerce and regulation in Kenya, South Africa and the United Kingdom. Diss. Strathmore University, 2020. Available at: https://su-plus.strathmore.edu/server/api/core/bitstreams/d2089a73-0980-4b48-8f81-36a592e399d8/content (Accessed on: 06.04.23)

Ukscblog.com, 2022, Case Comment: Lloyd v Google LLC [2021] UKSC 50, Available at: http://ukscblog.com/case-comment-lloyd-v-google-llc-2021-uksc-50/#:~:text=On%2010%20November%202021%2C%20the,representative%20action%20brought%20against%20Google. (Accessed on: 06.04.23)

Wheelans, Angus. "Cybercrime: International Implications on New Zealand Strategy." (2022). Available at: https://ir.canterbury.ac.nz/bitstream/handle/10092/105282/Cybercrime%20-%20International%20Implications%20on%20New%20Zealand%20Strategy.pdf?sequence=1 (Accessed on: 06.04.23)