The Ransomware Attack Against the Irish Health Service Executive: What Role for the Law in the Face of Growing Cyber Insecurity?

Abstract

In May 2021, the Republic of Ireland underwent a cyber crisis within a health crisis. In the middle of the COVID-19 pandemic, Ireland’s Health Service Executive suffered a catastrophic cybersecurity attack reputed to have affected virtually the entirety of the Irish population. This article discusses the role of the law in two ways. First, the article examines the applicable regulatory framework, which broadly splits into preventative and mitigating measures, and the expectations it places on a range of legal actors: the executive, the Courts, the Data Protection Commission, the Garda Cybercrime Bureau, the National Cyber Security Centre and, in passing owing to limited powers under emergency legislation, the Oireachtas. Secondly, the analysis appraises such legal actors’ ability to meet the challenges put before them in light of their powers and their actual capabilities. The law is only one piece of the complex policy jigsaw puzzle in place to address cybersecurity challenges and respond to the crises that follow from a successful cybersecurity attack. The law is also an imperfect piece as such, in light of the many shortcomings of the applicable European Union, Irish and Common Law. This research reflects on the ability of various legal actors to prevent and successfully respond to attacks both based on such legal shortcomings as well as their concrete operational and jurisdictional setup. In so doing, this enquiry contributes to redressing the known research gap on cybersecurity and cybercrime in the Republic of Ireland and pointing to the continued scarcity of data that hampers legal and public policy analysis. The article ends by highlighting three pinch points for further investigation. The first is the role of the legal-institutional culture within national regulatory authorities and the desirability of implementing measures that may not be perceived as being ‘homegrown’. The second pinch point concerns the State’s attitude (and potential leniency) in scrutinising its own conduct. The third is the making available of adequate resources to enable legal actors to discharge their duties.