Data theft in an SME: criminal law aspects

Data theft is an alarming, albeit abstract, threat for most companies: the stolen item is intangible, and there is no weapon of crime.

Data theft can cause considerable damage to a company, combined with a loss of reputation. Management is often unaware that inadequate security measures can also lead to personal liability.

Internal employees as data thieves
Cases of data theft are widely discussed in the media. In particular, reports on the theft of entire customer bases at banks come to mind. Most of the time, these are constellations in which an employee copies information about bank customers in order to sell it later via intermediaries. Recipients are private individuals, companies or foreign (tax) authorities. It also happens that a company that has been robbed is blackmailed into buying back stolen data, and a copied data record later comes into circulation despite the buy-back. In the case of industrial companies, it is also possible for rival companies to profit from secret research results in this way. In the banking environment, the Bradley Birkenfeld case is particularly prominent. As a former UBS employee, he handed over client data to US tax authorities and received a reward of more than USD 100 million from them [1].

 

Apart from this modus operandi, there are also other known ways of illegally obtaining data. One can think of the classic intrusion into a company's computer system from outside (so-called hacking). These cyberattacks have recently led to more and more media reports. Here, the damage potential of the attacks is particularly noteworthy:

  1. Hacker attack on the U.S. Office of Personnel Management (obtaining 19.7 million personnel files containing sensitive personal data) [2]
  2. Hacking of 150 million Adobe accounts (obtaining more than 38 million user data records) [3]

 

Finally, data theft is to be distinguished from the misuse of acquired data, in which data is used by the end recipient in an unfair manner for his own benefit. Data theft is a preliminary stage of criminal activity. Data corruption by means of virus programs, which are transmitted via e-mail attachments or file downloads, is also very widespread.

Computer crimes
There is no unanimous view among experts as to whether and to what extent companies are affected by computer crime, in particular by internal unauthorised data acquisition. In the canton of Zurich, police crime statistics indicate a decreasing trend [4]. On the other hand, investigative firms emphasize the increasing risk of data theft for SMEs [5].

 

In the author's experience, no decrease in computer-related offences can be noted. By no means all cases of data theft are reported to the police, not least to avoid publicity as a result of a criminal investigation. Here, the law enforcement authorities are faced with a considerable number of unreported cases, which is not included in their statistics. In addition, computer offences cannot always be assigned to the same offence under the Criminal Code (SCC), which can lead to a distortion of the statistics. It should also be taken into account that a large number of offences never become known to the SMEs concerned, or only after many years.

Uncontrollable risk
Data is not a classic object of crime. In homicide there is the murder weapon, in car theft there is the vehicle. Data, on the other hand, can be reproduced at will and quickly. It can be exchanged worldwide within fractions of a second. Perpetrators use proxy servers that are distributed all over the world. The final storage can be purely virtual in the cloud, or the loot can be divided into small data units and stored at any location. Particularly serious is the fact that even recovered data sets offer no guarantee that criminals are not in possession of multiple copies.

 

Against this background, the question of whether and how many computer crimes are counted by the authorities becomes relative. The fact is that an affected SME is exposed to an uncontrollable risk of losing the know-how stored in data records forever, with a corresponding risk to reputation and marketability. Particularly in international cases, law enforcement authorities come up against factual and legal limits and are no longer able to secure the crime object 'data'.

Criminal classification of the tortious conduct
In the event of data theft, an affected company may initiate civil and criminal proceedings. Questions of supervisory law may also arise if an SME is subject to a supervisory authority (e.g. the Financial Market Authority). Under civil law, a data thief can be sued for damages, and in the case of an employee, with the full range of instruments of employment law. Of course, this remains a small consolation when a company is threatened with millions in damages.

Criminal liability (of the governing bodies of a robbed company)?
For the law enforcement authorities, the question inevitably arises as to whether the managing bodies organised their SMEs in such a way as to minimise the risk of offences. Was data freely available to any employee? Were data traffic controls in place? Is sensitive data encrypted, how is a backup stored? If such questions cannot be answered satisfactorily, the managing director can be accused of not having fulfilled his responsibility and thus having enabled a computer crime. This has serious consequences.

 

Under civil law, this can lead to claims for damages against a CEO. In terms of criminal law, severe (custodial) sentences may be in prospect under the heading of unfaithful management (Art. 158 StGB).

Opportunities and risks of a criminal complaint
Before any criminal charges are filed, it must be carefully examined what risks are thereby created. It must be borne in mind that the criminal prosecution authorities investigate a criminal offence according to their own planning. Criminal proceedings may proceed relatively quietly, or they may attract media attention and cause protracted and costly litigation. On the other hand, the illegal use of data records can cause uncontrollable damage to SMEs. Often, SMEs have no choice but to take all measures to combat the damage because of liability or supervisory regulations.

 

This means that the risk of an escalating criminal investigation must be minimized. There are ways to cooperate with authorities. There is room for negotiation in the fact that in the case of petition offences, following a civil settlement with an opposing party, further criminal proceedings can be dispensed with (withdrawal of the criminal petition or declaration of disinterest). As a preparation for criminal proceedings and for the purpose of rough control of an investigation, a criminal complaint should be prepared by an expert. This should be focused, whereby a balance must be struck between brevity and substantiation of the allegations. It is not advisable to file a criminal complaint orally; experience shows that it is difficult to get the core message across in this way. The risk should not be forgotten that a criminal investigation can also cause a considerable administrative burden for the company itself (witness interviews, production of company documents, etc.).

The future of data theft
The theft of master data will remain a significant risk for an SME. For reasons of cost and efficiency, work is increasingly being done paperlessly, with all internal and external business transactions documented on servers.

 

Companies are more sensitive to risks when dealing with data sets. Nevertheless, criminals are also highly professional in their field, and the secret wealth of knowledge held by SMEs provides an incentive for criminal activity. It can thus be assumed that computer crimes to illegally obtain information about customers and operational know-how of SMEs will continue to increase.
