Background

Jersey's financial regulator is looking to place greater emphasis on cyber risk management in its Code of Practice to make sure companies have policies in place to identify threats, protect assets, and act quickly in case of an incident.

The Draft Cybercrime (Jersey) Law 201- (the “Law”) has been lodged by the Minister for Home Affairs for debate on Tuesday 15th January 2019. The Law, if adopted, would bring Jersey up-to-date in its treatment of crime involving computers and data storage. The Law is a series of amendments to other legislation that is intended to provide authorities with sufficient powers to deal with increasingly sophisticated online criminal activity, and will make Jersey compliant with the international treaties in this area.

When the Law is adopted, Jersey would be in a position to have the Council of Europe Convention on Cybercrime (the Budapest Convention) extended to it. The Convention is concerned with crimes committed over the Internet, particularly infringements of copyright, computer-related fraud, child pornography, hate crimes, and violations of network security.

Principles

The Law will allow access to information held on computer systems on the same terms that access to physical information is currently available. This is due to the fast pace of the developments in the use of technology and storing data electronically.

Law Enforcement

The Law will provide for additional powers where computer systems are used to commit offences or hide evidence of offences. This will also improve Jersey’s ability to provide assistance to other jurisdictions.

The Law will also bring certain offences regarding computer misuse into line with equivalent offences in the United Kingdom and to give greater powers to law enforcement authorities to access devices which are password protected or locked. This will improve Jersey’s domestic response to criminal activity, as well as satisfy certain parts of the Convention.

The Amendments

The amendments to current legislation made by this Law would be as follows:

• Computer Misuse (Jersey) Law 1995 - this amendment would update the definitions and penalties for unauthorised access to computer material (hacking), unauthorised modification of computer material (e.g. damaging a computer to hinder access to incriminating data) and also make it an offence to supply or obtain any software or hardware for the purposes of committing a crime online;

• Criminal Justice (International Co-operation) (Jersey) Law 2001 - this amendment would allow for a preservation order to be granted in the event that the Island was working with another jurisdiction to investigate a crime. This is in order to prevent a suspected party of deleting or destroying data when under investigation. It would also make it an offence to delete or destroy any data that was the subject of a preservation order;

• Police Procedures and Criminal Evidence (Jersey) Law 2003 - this amendment would allow police officers, subject to an application and permission from the Bailiff, to gain access to any material stored on a computer or on a "cloud based" storage programme; and

• Regulation of Investigatory Powers (Jersey) Law 2005 - this amendment would make it an offence for a service provider (i.e. telecoms provider) to tip off a service user about any request from a public authority to investigate any information they may hold. It would also enable law enforcement to require a person to grant them access to a device which is otherwise locked (i.e. mobile phone, tablet etc.), subject to permission from the Bailiff. Such notice could only be given on the grounds of national security, for the prevention and detection of crime, in the economic interests of Jersey, or to perform a statutory power or duty.