1. Describe how legislation impacts on cyber security (AC 1.1)
UK laws have an overall positive impact on cyber security. Lawmakers strive to make cyberspace more secure.

There are seven noteworthy laws and regulations:

General Data Protection Regulation (GDPR)
This regulation is all about how organisations and businesses collect, use and store personal data (names, emails, addresses, IP addresses). GDPR forces organisations to take data protection seriously and to have strong security measures in place to prevent data breaches. One of the main rules is that organisations need to use "appropriate technical and organisational measures" to protect personal data. This involves things like encryption, firewalls, access controls and regular security updates. Organisations that store sensitive information, like health data, are expected to have even stronger protection in place. In the event of a data breach, organisations are required to notify the Information Commissioner's Office (ICO) within 72 hours. Non-compliance with the UK GDPR can lead to enormous fines. British Airways was fined £20M because their cyber security was inadequate, which made it very easy for hackers to leak the personal and financial details of more than 425,000 customers. Clearview AI got a £7.5M (approx.) fine for obtaining photos from the internet without the consent of the individuals.

Data Protection Act 2018 (DPA)
The DPA works alongside the UK GDPR. It adds extra rules on top of GDPR, covering areas like law enforcement, national security and the intelligence services. The DPA makes cyber security a legal responsibility; organisations can no longer ignore it. With the DPA, organisations are now required to maintain detailed records of data processing activities and to conduct Data Protection Impact Assessments (DPIAs) for high-risk processing. What makes the DPA different from GDPR is that GDPR is strict for everyone, whereas the DPA has a few exceptions: the police can process data without consent to help solve crimes, journalists can publish personal information if it is in the public interest, and the government can limit data rights for security reasons.

Directive on security of network and information systems (2016/1148) (NIS)
Unlike the two previous laws, NIS focuses on the security of systems. Critical sectors like power grids, hospitals, banks, water suppliers, big digital companies (cloud services and search engines) and transport networks have to take cyber security seriously because of NIS. Before NIS, an organisation could decide to hide a cyberattack and hope no one would notice. Now organisations must report major cyber incidents. Thanks to NIS, we now have the NCSC, which acts as the computer security incident response team (CSIRT) "to competent authorities".

Computer Misuse Act (1990)
This act helps protect computers and data from criminals by making hacking and misuse illegal. With this act in place, it is illegal to use someone's computer without permission: "A person is guilty of an offence if he causes a computer to perform any function with intent to secure access to any program or data held in any computer". It is illegal to change data without permission, and it is also illegal to own or share tools that can be used for hacking.

Communications Act 2003
This act mainly focuses on TV, radio and telecoms, but it impacts cyber security in a few ways too. It requires telecom companies (broadband/mobile providers) to keep their networks secure, meaning they need to ensure no script kiddie can just hack into their systems and wreak havoc. It also makes it illegal to send harmful or misleading electronic messages, like phishing or scam calls. Ofcom was created by this act and given powers to oversee digital services. This includes making sure internet providers help block harmful content, like illegal or malicious websites.

Telecommunications Security Act 2021
This act focuses even more on cyber security, making it a top priority. It gives clear, strict rules that companies must follow to defend against hackers and stop cyberattacks. This act also allows the UK government to ban companies like Huawei from supplying telecom equipment if they are considered a security risk. And lastly, thanks to this act, companies that don't follow the security rules can receive huge fines.