4. Cybersecurity and its legal regulation

4.3. Cybersecurity Legislation in Poland

In the Polish legal framework for computer crime, virtually all crimes included in Chapter XXXIII of the Penal Code can be committed with the use of a computer, in which case they become computer crimes. In some cases, the use of a computer is a circumstance that aggravates criminal liability, e.g. Art. 268 § 2 and 3 of the Penal Code, while in other situations a perpetrator who commits a crime with the use of a computer is treated in the same way as a perpetrator acting in a different way, e.g. Art. 265 and Art. 266 of the Penal Code. Currently, within this chapter of the Penal Code, the legislator has penalised such behaviours as:

- illegal access to information or an IT system and acts related to them (Article 267 of the Penal Code),

- acts consisting in destroying, damaging, removing, replacing essential information or similar activities (Article 268 of the Penal Code),

- actions consisting in destroying, damaging, deleting, changing or obstructing access to IT data, or significantly disrupting or preventing the automatic processing, collection or transfer of such data (Article 268a of the Penal Code),

- acts involving the so-called IT sabotage (Article 269 of the Penal Code), also known as IT diversion,

- acts consisting in a significant disruption of the operation of a computer system or teleinformation network (Article 269a of the Penal Code),

- acts consisting in the unlawful production (or similar activities) of computer devices or programs adapted to commit specific crimes, computer passwords, access codes or other data (Article 269b of the Penal Code).

In addition to the above-mentioned chapter, the legislator regulated separately the crime of computer fraud (Article 287 of the Penal Code), theft of a computer program (Article 278 § 2 of the Penal Code) and the handling of a computer program (Article 293 of the Penal Code). All offences included in Chapter XXXIII belong to the category of common offences, with the exception of Art. 269 of the Penal Code, Art. 269a of the Penal Code and Art. 269b of the Penal Code. They are of an application nature.

The solutions adopted in Chapter XXXIII of the Penal Code are a consequence of Poland's signing on 23 November 2001 of the Council of Europe Convention No. 185 on Cybercrime and Council Framework Decision 2005/222/JHA on attacks against information systems.

Article 267 of the Penal Code constitutes the criminal law protection of the privacy of Internet users. Art. 267 § 1 of the Penal Code penalises actions aimed at obtaining illegal access to information not intended for the perpetrator. From the point of view of the criminal-law assessment of the perpetrator's behaviour, it does not matter where the information is stored, whether on the hard drive or on an external server in the network. This means that this provision protects the broadly understood subjective right to dispose of information. The conduct of the perpetrator of the offence specified in Art. 267 § 1 of the Penal Code may consist in opening a closed letter, connecting to a telecommunications network or breaking or bypassing electronic, magnetic, IT or other special security measures. The content of the provision indicates that the legislator penalises the activities indicated in the dispositive part, regardless of whether the perpetrator has read the content of the information. This means that the features of a crime under Art. 267 of the Penal Code will also be fulfilled by a person who gains access to information not intended for him, even in a situation where he did not intend to read its content. The privacy of Internet users can also be violated by breaking or bypassing existing security measures and thus breaking into the victim's computer. The broad formulation in Art. 267 § 1 of the Penal Code of the types of security whose breaking or bypassing is punishable by law means that securing a file with a password will meet the conditions of secured information.

The perpetrator's actions aimed at gaining access to all or part of the IT system constitute an offence under Art. 267 § 2 of the Penal Code. Referring to the subject-matter of the act, attention is drawn to the term "telecommunications network" used by the legislator, which has not been defined in the Penal Code. Therefore, it seems necessary to refer to Art. 2 point 35 of the Act of 16 July 2004 Telecommunications Law, which defines the telecommunications network as transmission systems and switching or redirecting devices, as well as other resources, including inactive network elements that enable the transmission, reception or transmission of signals via wires, radio waves, optical or other means using electromagnetic energy, whatever their type. The analysis of the above definition shows that a telecommunications network can be both the existing cable infrastructure and a wireless network.

The concept of an IT system has likewise not been defined in the Penal Code. Its definition is provided in Art. 7 point 2a of the Act of August 29, 1997 on the Protection of Personal Data, which states that "an IT system is a set of devices, programs, information processing procedures and software tools used to process data cooperating with each other". This term also appears in Art. 1 lit. a of Council Framework Decision No. 2005/222/JHA of 24 February 2005, which specifies that an IT system is any device or group of connected or related devices, of which at least one carries out automatic processing of computer data in accordance with the software, as well as data stored, processed, retrieved or provided by them for the purposes of their operation, use, protection or maintenance. Another definition of an IT system is contained in the Council of Europe Convention No. 185 on Cybercrime. Pursuant to Art. 1 lit. a of the Convention, an information system is any device or group of interconnected or related devices, one or more of which, according to the program, performs automatic data processing. Because the concept of an IT system plays an important role in determining responsibility for cybercrime, the literature describes an IT system as a set of cooperating hardware and software elements that are used to enter, process and read information. The IT system therefore does not include data transmission facilities.

It is worth noting that in Art. 267 § 2 of the Penal Code the legislator did not define the method of the perpetrator's action, but only its effect. This means that any behaviour consisting in unauthorised access to an IT system is penalised, regardless of whether there has been any breach of computer or system security.

In Art. 267 § 3 of the Penal Code the legislator sanctions another prohibited act, consisting in installing or using a listening device, visual device or other device or software in order to obtain information to which the perpetrator is not entitled. Obtaining the information is not a condition for liability under this provision; it is sufficient for the perpetrator to take specific actions. However, these actions must be taken for a specific purpose, i.e. to obtain information to which the perpetrator is not entitled.

In Art. 267 § 4 of the Penal Code the legislator penalises the disclosure to another person of information obtained in the manner specified in § 1-3.

Next, Art. 268 of the Penal Code sanctions the perpetrator's behaviour aimed at violating the integrity of IT data. According to the provisions of the act, this breach may take the form of destroying, damaging, deleting or changing the record of essential information.

In Art. 268 § 2 of the Penal Code the legislator covered the situation when the perpetrator's act concerns a record on an IT data carrier, e.g. a hard drive or a CD. It is noted that the subject of protection of Art. 268 of the Penal Code is the availability of information, and the purpose of the perpetrator's action is to prevent or significantly impede access to the relevant information by the authorised person. The necessity of the occurrence of an effect in the form of frustrating or significantly impeding access to information means that an offence consisting in destroying, damaging, deleting, replacing essential information or similar activities falls into the category of consequential offences. Such a qualification is consistent with the well-established view of the literature. The legislator in Art. 268 of the Penal Code uses the concept of "material information" without indicating the features that the information must have in order to be material within the meaning of this provision. Therefore, the assessment of the nature of the information in question must be made case by case, on the basis of both objective and subjective criteria.

The subject of protection of Art. 268a of the Penal Code, as opposed to Art. 268 of the Penal Code, has been broadly defined: it is the security and availability of IT data, which do not have to meet the significance characteristics. The signs of an offence under Art. 268a of the Penal Code are destroying, damaging, deleting, changing or obstructing access to IT data. The behaviour penalised in Art. 268a of the Penal Code may also consist in significantly disrupting or preventing the automatic processing, collection or transfer of IT data. The second set of prohibited behaviour must be of significance, which should be related to the degree of disruption or prevention of automatic processing, collection or transmission of IT data, and not to the extent of data modified by the perpetrator. We speak of the importance of actions taken by the perpetrator when these actions are characterised by a sufficiently high degree of intensity. The subject of protection of Art. 268a of the Penal Code is the security of information stored, transmitted and processed in systems based on IT data.

The term "IT data" has not been defined in the Polish legal system, although it plays an important role. Therefore, it is necessary to refer to international law, namely Art. 1 letter b of the Council of Europe Convention No. 185 on Cybercrime. According to the cited provision, this term means "any representation of facts, information or concepts in a form suitable for processing in a computer system, including an appropriate program causing the performance of a function by an IT system".

The definition of IT data is also included in Art. 1 letter b of the Council Framework Decision 2005/222/JHA of 24/02/2005 on attacks against information systems and means "any representation of facts, information or ideas in a form suitable for processing in an information system, including a program suitable to cause the performance of a function by the system".

The presented definitions indicate that IT data are all data that is an information carrier, as well as computer programs used both by individually defined persons and used in ICT networks by an undefined number of people.

In Art. 269 of the Penal Code the legislator penalised the behaviour of the so-called IT sabotage. The essence of this crime is the destruction, damage, deletion or alteration of IT data of particular importance for the country's defence, security in communication, the functioning of the government administration, other state body or state institution or local government, as well as disrupting or preventing the automatic processing, collection or transfer of such data.

In Art. 269 § 2 of the Penal Code the legislator indicated that the crime of sabotage may consist in destroying or replacing an IT data carrier or destroying or damaging a device used for automatic processing, collection or transmission of IT data. As follows from the content of the provision in question, the subject of protection are IT data of particular importance for the country's defence, security in communication, the functioning of the government administration, other state body or local government administration, and the system of automatic processing, collection or transfer of such information. IT sabotage is considered to be a qualified type in relation to the crimes under Art. 268 § 2 of the Penal Code, Art. 268a of the Penal Code and Art. 269a of the Penal Code. The qualifying feature here is the type of protected data, i.e. data of particular importance to the values listed in Art. 269 of the Penal Code. The legislator divided the penalised behaviour of the perpetrator into two groups. The first comprises activities aimed at destroying, damaging, deleting or changing computer data of particular importance for the values protected by the regulation. The subject of protection of this part of the provision is the integrity of data belonging to a specific category. The second group comprises activities consisting in disrupting or preventing the automatic processing, collection or transfer of IT data of particular importance for the country's defence, security in communication, the functioning of the government administration, other state body or state institution or local government. In this case, the subject of protection is the availability of data specified in the aforementioned provision.

In Art. 269 § 2 of the Penal Code the legislator, protecting the goods specified in § 1, sanctioned the actions of the perpetrator consisting in destroying or replacing an IT data carrier or destroying or damaging devices used for automatic processing, collection or transmission of IT data. These activities may consist in the physical destruction, damage or replacement of e.g. hard drives, as well as hindering or preventing their processing by e.g. damaging network devices. Due to the material nature of the crime of IT sabotage, attributing an act under Art. 269 of the Penal Code to the perpetrator requires a specific effect in the form of destruction of or damage to the specified computer data, or the disruption or prevention of their automatic processing or transmission.

Another provision regulating the criminal liability of cybercrime is Art. 269a of the Polish Penal Code. The essence of this provision is the protection of the operational security of a computer system or ICT network. The concept of a computer system is identified in the literature with the concept of an information system. Criminal liability under this provision will be imposed on a person who, without the right, significantly interferes with the operation of a computer system or teleinformation network by transmission, destruction, removal, damage, obstruction of access or change of IT data. The methods of action penalised by the act have been enumerated in the provision and, as a rule, should not raise any interpretation doubts. The exception is the term "transmission", which has not been defined by the legislator. In the literature, this term means the transfer of information from one place in a computer system to another, e.g. from operating memory to disk, from disk to printer, from one computer in a network to another network computer. The sanctioned transmission of IT data at a distance is to take place in an encoded form, not on external media such as a CD.

Article 269b of the Penal Code sanctions the production, acquisition, sale or making available to other persons of computer devices or programs adapted to commit the enumerated crimes. It is noteworthy that the features of this crime include a number of preparatory activities that may be related to the commission of crimes indicated in the dispositive part of the provision. Criminalisation covers activities consisting in the creation and adaptation of devices or programs for committing crimes under Art. 165 § 1 point 4, Art. 267 § 3, Art. 268a § 1 or § 2 in connection with § 1, Art. 269 § 2 or Art. 269a, their sharing and obtaining, as well as breaking computer passwords, access codes or other data enabling access to information stored in a computer system or ICT network. The subject of protection is the security of information processed electronically in all aspects, i.e. confidentiality, integrity and availability of IT data and systems. Although the legislator uses the plural for sanctioned activities, a single behaviour, for example the sale of only one program, will be punishable by law. Such a view is established both in the doctrine and in jurisprudence.

In Art. 287 of the Penal Code the legislator regulated the crime of computer fraud. This offence is included in Chapter XXXV, "Offences against Property". The subject of protection of this article are IT data together with the information contained therein. These data can be stored both in the computer memory and on a CD or server. The penalised behaviour of the perpetrator consists in influencing without authorisation the automatic processing, collection or transmission of information or the change, deletion or introduction of a new record on IT data. The described behaviour of the perpetrator must be aimed at gaining financial gain or causing harm to another person. The literature indicates that the perpetrator's action aimed at influencing the automatic processing, collection or transmission of information takes the form of unlawful interference by an external entity in the course of automatic processes, with the result that, after the perpetrator's influence ends, the course of the process, in particular processing, collection or transmission, will be different than if the perpetrator's act had not been performed. Computer fraud is a criminal offence. This means that the offence under Art. 287 § 1 of the Penal Code is committed at the time of introducing changes or other interference with the device or system for collecting, processing or transmitting information by means of computer technology, as described in this provision. The necessity of the damage is not one of its hallmarks.

In Art. 287 § 2 of the Penal Code the legislator defined the privileged type due to a minor case. The offence under Art. 287 of the Penal Code, as a rule, has a public prosecution character. However, where it was committed to the detriment of the closest person, the mode of prosecution changes, in accordance with the provisions of § 3, to prosecution on application.

The above analysis of the provisions regulating criminal liability in respect of cybercrimes indicates that the fundamental object of protection for the criminalisation of computer crimes is the traditional freedom and privacy of individuals, although viewed from a computer perspective. However, the data collected in the systems are also protected, as well as the systems themselves and their integrity, the violation of which may often have very serious social consequences. At the same time, it should be mentioned that the criminal law regulation of cybercrime will encounter two fundamental problems. The first is related to the principle of jurisdiction. Computer crime committed on the Internet is very often of a cross-border, and sometimes even territorial, nature in the sense that it is often committed in isolation from the territory of a given jurisdiction. The second problem is the very rapid development of new forms of cybercrime, which lawmakers usually do not keep up with.

Nevertheless, taking into account the presented criminal law aspects, the seriousness of the threat posed by cybercrime and the need for an appropriate response to it, in particular through regulations in the field of criminal law, cannot raise any doubts.