Laws and regulations governing cybersecurity
3. Legal basis of ISP (internet service provider) activity
3.4. Possibilities of legal liability of a user for actions in cyberspace
Many users of information and communication systems are unaware of their potential responsibility for the misuse of these technologies.[1] Information and communication systems are a thing, and the person who handles them is obliged to act in such a way that there is no unjustified damage to the freedom, life, health or property of another.[2]
If a tortfeasor causes damage to an injured party by intentionally violating good morals, he/she is obliged to compensate said party; however, if the tortfeasor was exercising his/her right, he/she is obliged to compensate the damage only if harming another was the main purpose.[3]
This wording of the Civil Code clearly implies both the obligation to properly manage information and communication systems and the obligation to prevent damage that could arise from the user's activities (i.e. the use of ICT in the Internet environment).
Many ordinary users underestimate the protection and security of the ICT resources at their disposal, either negligently or intentionally.
Determining the form of fault in actions of an end user is crucial for possible civil or criminal liability. This statement can be demonstrated in three illustrative real-world cases.
A personal computer user was using an illegal copy of the Windows 7 operating system and intentionally did not update the system. The user intentionally installed programs on the computer that allowed third parties to manipulate the computer without his further assistance.
The purpose of the activity of the user described above was to free himself from any criminal liability for an attack carried out by another person on such a prepared computer (e.g. the computer is intentionally part of a botnet network).
In practice, it is possible to encounter such attackers who base their defence on the fact that they were not the person who carried out a specific attack through a computer.
Avoiding blame by claiming that the person is not the direct attacker and that his actions did not cause a specific attack is not, in my opinion, legitimate, or at least such a claim cannot be accepted absolutely.
From the point of view of criminal law, at least the application of the institution of participation and the principle of accessory participation could be considered,[4] since the actions of a person who aided and abetted a criminal offence by another (in particular by providing the means, removing barriers, luring the aggrieved person to the crime scene, keeping watch while the act was committed, providing advice, encouraging the resolve or promising to participate in a criminal offence) can be subsumed under the provisions on an accessory.[5] In this case, providing the means would also mean making a computer system, or part of it, available for committing an intentional criminal offence.
If a higher degree of direct participation of the user in the infringement committed by another person were proved, it would be possible to consider such a user an accessory[6] to the criminal offence. The decisive factor would be the user's level of knowledge that the given computer was being used for an illegal act and the further understanding that this activity may violate or endanger the interests protected by criminal law.[7]
From the point of view of civil law, the actions of such a user could be subsumed under Section 2909 of the Civil Code, or Section 2915 of the Civil Code could be applied, which regulates the case where damage is caused by several persons. This provision stipulates that: “if several tortfeasors are obliged to provide compensation, they shall do so jointly and severally; if any of the tortfeasors has the duty under another statute to provide compensation only up to a certain limit, he/she is obliged jointly and severally with the other tortfeasors to that extent. This also applies where several persons have committed separate unlawful acts, each of whom may have caused a harmful consequence with a high degree of certainty, and if the person who caused the damage cannot be identified.” It is the second sentence of Section 2915 (1) that can, in my opinion, be applied very well to the case described above.
A personal computer user was using an illegal copy of the Windows 7 operating system and intentionally did not update the system. He had a number of games and other applications installed on his computer, in which copyright infringement was committed, in particular by circumventing or suppressing elements of their protection and by using keygens or cracks[8] that contained malware from other attackers. The user was not aware of the fact that his computer was being used by other users.
In practice, this is the most common case in which a computer is misused without the knowledge of its authorised user, even though such a user, through his/her own wrongdoing (especially copyright infringement) or simple ignorance of computer technology, caused his/her computer to be misused to attack third parties.
From the point of view of criminal law, it is not possible to use the institution of participation and the principle of accessory participation in this case because the actions of the person who enabled or facilitated the committing of a criminal offence by another person were not intentional and therefore did not aim to help the main offender.
From the point of view of culpability, it would be possible to apply the provisions on unwitting negligence to the user of such an infected computer, as the offender did not know that his/her conduct may cause such a violation or endangerment, although he/she could and should have known it, considering the circumstances and his/her personal situation.[9]
Because Section 230 of the Criminal Code (Unauthorised Access to Computer Systems and Information Media) contains no negligent form of the offence, it will not be possible to apply criminal law institutes in this particular case.
From the point of view of civil law, the conduct of such a user could then be subsumed under Section 2912 (1) of the Civil Code: “If a tortfeasor acts in a manner different from what can be reasonably expected in private dealings from a person of average qualities, he/she is presumed to be acting negligently.” In this connection, it should be recalled that the person who caused the damage (tortfeasor) is obliged to compensate the damage, regardless of his fault in cases provided by law.[10]
A user adequately “looks after” his/her computer (has legal software, updates it, etc.) and reasonably secures it (uses antivirus, antispam and anti-malware protection and checks), yet this computer has been attacked from the outside (e.g. connected to a botnet) and subsequently used to attack another.
I consider that, from the point of view of fault, it would not be possible in this case to subject the user of such an infected computer even to the provisions on unwitting negligence. Given the proactive conduct of such a user, the application of Section 232 of the Criminal Code (Damage to Computer Systems and Information Media Records and Interference with Computer Equipment out of Negligence) is also out of the question, as that provision requires gross negligence.[11]
From the point of view of civil law, the conduct of such a user could not, in my opinion, be subsumed under the previously mentioned Section 2912 (1) of the Civil Code, for in this case the user acted as could justifiably be required of him/her. However, this needs to be understood more broadly: if a user learns that his/her ICT resources are being misused to attack another, he/she is obliged to notify the person who may be harmed as a result without undue delay[12] and to warn that person of the possible consequences. If he/she fulfils the notification obligation, the injured party is not entitled to compensation for the damage that he/she could have prevented after the notification.[13]
In a specific case, everything will always depend on all the circumstances of the case, and only the court is entitled to impose the obligation to pay damages.
On the other hand, if a user does not “look after” his/her computer (i.e. does not secure it, does not perform maintenance, etc.) and it is subsequently misused, it is realistic that the court in damages proceedings would impose on such a user an obligation, in part or in full, to compensate the injured party for the damage caused to him/her by the user’s computer (e.g. the use of the computing power of a data centre).
[1] For this part of the text, theses were used that were partially published in the article: KOLOUCH, Jan and Andrea KROPÁČOVÁ. Liability for Own Device and Data and Applications Stored therein. In: Advances in Information Science and Applications Volume I: Proceedings of the 18th International Conference on Computers (part of CSCC ’14). [B.m.], c2014, pp. 321–324. Recent Advances in Computer Engineering Series, 22. ISBN 978-1-61804-236-1 ISSN 1790-5109.
[2] Section 2900 of the Civil Code
[3] Section 2909 et seq. of the Civil Code
[4] This is the principle of dependence of the criminal liability and criminality of the participant (see Section 24 of the Criminal Code) on the criminal liability and criminality of the main offender (see Section 22 of the Criminal Code), provided that the main offender has at least attempted to commit a criminal offence in which the participant took part.
[5] Under the condition of an agreement between the participant and the main offender. See Section 24 (1) (c) of the Criminal Code.
[6] See Section 23 of the Criminal Code
[7] See Section 15 (1) (b) of the Criminal Code
[8] These are interventions in programs by other persons for the purpose of modification aimed at easier launching (keygens), paralysing the program protections that prevent its copying or launching under predetermined conditions (cracks) and further reworking of these programs for subsequent use or distribution to other persons.
[9] See Section 16 (1) (b) of the Criminal Code
[10] See Section 2895 of the Civil Code
[11] See Section 16 (2) of the Criminal Code: “A criminal offence is committed out of gross negligence if an offender’s approach to the requirements for due diligence shows evident irresponsibility of the offender regarding the interests protected by the Criminal Code.”
[12] The question is whether it is possible to realistically identify such a person at a given moment (moment of attack).
[13] See Section 2092 of the Civil Code