New Cybercrime Law: Criminal and Compliance Aspects
One of the main innovations of the New Law is the modernization of the criminal offenses to adjust them to the new ways (modus operandi) of committing cybercrimes, and to the developments in technology, considering the rise of new risks and attacks on relevant legal assets that were not contemplated in the former legislation.
Hence, it is possible to appreciate the regulation of criminal offenses to expressly punish the illegal access to an information system without requiring a specific purpose (Section 2); the attack on the integrity of a computer system or to affect its normal operation, as well as the integrity of its data (Section 1 and 4); the illegal interception of information (Section 3). Additionally, it is expressly regulated the computer-related fraud (Section 7) and the computer-related forgery aimed to generate supposedly authentic documents (Section 5), which previously had to be partially punished under the general offenses of fraud of the Chilean Criminal Code.
Among some of these innovative criminal offenses, the New Law sanctions (Section 6) to whoever sells, transfers, or stores -in any way- computer data, knowing or being aware of its illicit origin, i.e., obtained from any of the crimes described in the New Law. In addition, the figure for abuse of devices is included (Section 8).
Please bear in mind that all the cybercrimes established in the New Law will be added to the list of predicate offenses to commit money laundering according to the Anti-Money Laundering Law (Law No. 19.913).
Furthermore, the New Law expressly regulates the so-called "ethical hacking", which exempts from criminal liability those who, within the framework of vulnerability investigations or to improve computer security, access a computer system with the express authorization of its owner (Section. 16).
In addition, the figure of “effective cooperation” is included as a mitigating factor of criminal liability, i.e., which allows the judge to reduce the penalty imposed -up to one degree of the sanction regulated in the law- to those who provide information helpful to solve the case, identify those responsible or avoid or prevent the perpetration of any of these crimes. On the other hand, special investigative measures are also included, such as the use of undercover agents (Section 12).
The New Law also establishes some obligations to the communications service providers when the Public Prosecutor's Office request their information. Now, these companies have the specific obligation to preserve the information during a specific period and duties of confidentiality. Breaching confidentiality may be punishable by the offense contemplated in Section 36 B of Law No. 18,168, General Telecommunications Law, which only applies to natural persons.
Please consider that the cybercrimes described above may generate criminal liability to legal entities, as they are included in the list of crimes of Law No. 20,393 (“Corporate Criminal Liability Law”). Thus, companies and legal entities must identify their activities or procedures in which, whether habitual or sporadic, the risk of committing cybercrimes is generated or increased, and implement specific protocols, policies, and procedures, to prevent the commission of such crimes. For these purposes, they will have to carry out a risk survey, covering these new risk scenarios, and update their respective risk matrices and controls of their Crime Prevention Models.
Finally, please note that the New Law establishes a deferred enforcement. Regarding the new rules of the Procedure Criminal Code, the New Law states that it will come in force six months after the publication in the Official Gazette of a regulation that must be issued by the Ministry of Transportation and Telecommunications, also signed by the Minister of the Interior and Public Security. Regarding the new money laundering´s regulation and new crimes that are incorporated to the catalog of the Corporate Criminal Liability Law, the New Law states that it will become effective six months after the publication of the present law in the Official Gazette. Regarding the new cybercrime’s offenses, the New Law will enter into force once the promulgating decree is published in the Official Gazette.
Link to article