Andy Hague

2020-01-13

A brief history of cyber regulations – and what it means for us now

When it comes to talking about regulation in technology, specifically business regulations, it’s usually only a matter of time before someone mentions the General Data Protection Regulation (GDPR), and understandably so. The concern that GDPR would cause huge disruption for businesses took hold almost as soon as the deadline for compliance was announced in 2017, and it continues to be a major point of unease today.

While GDPR is certainly the most high-profile regulation in recent memory, it is by no means the first. IT regulations have been in place, in the UK at least, since the latter half of the 20th century, coinciding with the rise of the internet and computers. GDPR may be one of the latest challenges, but businesses have continually had to adapt to the ever-changing digital landscape, especially when it comes to regulations.

Businesses and users alike have a responsibility to prepare for what is likely to come next, and cyber regulations are no different. But how can they do this? Looking to the past is often a prudent way to understand the future.

Humble Beginnings

The history of computer regulations begins as far back as 1988, with the Malicious Communications Act (MCA). This legislation made it illegal in England and Wales to “send or deliver letters or other articles for the purpose of causing stress or anxiety”. Email was not nearly as ubiquitous then as it is today, so the forward-thinking inclusion of “other articles” helped to ensure that newer forms of computer communication became just as viable as physical letters.

This regulation was relatively straightforward. It focused on individuals, and for businesses, there was little to fear in terms of punishments for non-compliance. There was also some ambiguity over what material could be classified as ‘offensive’.

The next major milestone in IT legislation came in the form of the Computer Misuse Act of 1990. The law was aimed at offering businesses protection in the wake of the growing threat of cybercrime, rather than making them responsible for security. Under this new law, it became illegal to access a computer without permission, and particularly to do so in order to reach data one was not authorised to see.

In 1990 just 2.6 million people, or 0.5% of the world’s population, were online. Now that figure is closer to 50%, with 3.4 billion people online as of 2016. Considering the proliferation of cyber threats that exist today, it is hard to comprehend how bad things could have been had this legislation not been put in place at such an early stage.

Brave New World

It was several years until the next major piece of IT legislation was introduced in the UK. By that point, just under 400 million people were using the internet globally, and it was becoming a major facilitator for businesses.

The 1998 Data Protection Act recognised that our online data had become a valuable commodity. While the law also applied to organised filing systems, its primary scope was to protect personal data stored on computers.

The act itself gave individuals the legal right to control information about themselves. As such, businesses had an obligation to comply with the eight ‘data protection principles’, to prevent people’s information being spread across the world and protect individuals from crime.

As online business continued to grow, the Communications Act of 2003 was introduced to give individuals even more control over their data. One of the biggest changes that businesses had to comply with was that marketing materials must now be an opt-in process (with the exception of “similar products and services”).

However, unlike later regulations, the organisation was not held responsible in the event of a data breach, loss, or destruction. It was only required to inform the relevant parties of any such occurrence.

A digital future

In 2010, it was apparent that the internet had become an economy itself. This meant it would need to be afforded new protections to ensure its safety.

The Digital Economy Act of 2010 did just that. It was implemented in order to defend against software piracy, as well as providing Ofcom with extra powers to combat other forms of piracy. With tech and domain names now properly protected by the law, organisations could make the most of an increasingly civilised internet.

This helped global ecommerce to rapidly accelerate. In 2012 global spending on ecommerce had reached one trillion, and by 2019 this had more than tripled to 3.5 trillion. The law protected businesses online and they were quick to reap the rewards.

However, not every new piece of legislation has been as warmly received.

GDPR and beyond

In 2011 the European Union began seriously considering what was called ‘A comprehensive approach to personal data protection in the EU’. By June of 2015, it had arrived at a consensus on the General Data Protection Regulation, or GDPR for short.

Under this legislation, companies are liable for any data of European Union citizens that is lost, damaged, or not properly protected.

However, the enormous scale of the legislation and the severity of its punishments instilled a huge amount of fear and confusion in businesses. Opinions differ wildly on the effectiveness of the legislation. Thanks to news coverage alone, it cannot be denied that the general public and the wider business environment are now aware of the seriousness of data protection. But despite enormous penalties, such as British Airways’ £189m fine, more than 30% of European businesses and 50% of UK businesses are not GDPR-compliant.

Understanding older regulations and legislation is imperative to gaining a clear understanding of those that might be put in place in future, such as the EU Cybersecurity Act. This act is not dissimilar to GDPR in that it is an EU-wide directive to protect users and businesses online, but it focuses much more strongly on the IoT, services, and processes. What’s more, anyone wishing to do business within the EU will benefit from EU certification under the act.

The law is often slow to keep up with new technologies. And as regulations grow more complex, many businesses are, in turn, slow to keep up with the new requirements, leading to growing regulatory resistance of the kind we have seen around GDPR. But the rules which have been put in place over the years have had a profound effect on shaping the virtual world we live and work in today, protecting businesses and consumers from crime online.

There will be many more regulations to come in future, particularly as emerging technologies such as AI and autonomous vehicles become more sophisticated. To avoid falling foul of the law, it is important for businesses to learn from the past and try to anticipate regulatory changes as much as possible by staying as cybersecure as possible. In short, businesses need to go beyond compliance.

To learn more about what compliance means for your organisation and how to take advantage of it, be sure to read our latest whitepaper ‘Beyond Compliance: Raising the bar on cybersecurity’.
