New tools in the fight against cybercrime
The Finnish Criminal Code has been recently amended to combat cybercrime more effectively. The Criminal Code now takes a tougher stance against cybercrime by amending certain provisions, introducing completely new provisions and more severe penalties.
The amendments entered into force 4 September 2015. From now on, cybercrime offences, such as illegal data interference and identity theft, can be found under their own titles in the Criminal Code.
During the past years, the number of cyber-attacks against information systems has significantly increased worldwide. In response to the evolving forms of criminal activity, the European Parliament has adopted a directive on attacks against information systems (2013/40/EY), which has now been implemented in Finland.
Cybercrime means offenses that are committed online by using electronic communications networks and information systems. The basic types of cybercrime affecting businesses include extortion (for example, via ransomware – that is to say, malicious software that restricts access to a system and demands that the user pay a ransom to remove the restriction), misrepresentation, such as bank mandate fraud, violation of intellectual property rights, illegal access and system interference.
The providers of software and computer services, financial services, pharmaceutical and biotech companies and electronic and electrical equipment providers are at particular risk.
What's new in the Criminal Code?
The provision regarding illegal data interference has been clarified. Under the provision, it is prohibited to delete, damage, alter or suppress computer data on an information system or render such data inaccessible.
In addition, the aggravated illegal data interference outlaws the use of botnets. Botnets are groups of computers infected with malicious software and controlled by the attacker without the owners' knowledge. This amendment to the Criminal Code is welcome, as the cyber-attackers are increasingly using virtually hijacked computers to conduct attacks.
A company can be a victim of such attacks in situations where attackers insert a malicious code into software or disrupt service or access to a website. Such attacks are likely to cause severe damage to companies, as they can lead to loss of revenue and affect customer confidence and a company's reputation.
Moreover, a brand new cybercrime offence, identity theft, is introduced. Identity theft means misuse of another person's – including both individuals and companies – identification data to deceive a third party.
Under the Finnish provision, the misuse must cause financial damage or other disadvantage to the person whose identification data has been used illegally. Identity theft complements and will be applied together with fraud and defamation.
An offence against a company could be classified as an identity theft (alongside with fraud) in cases where a company receives a fake invoice seeking payment redirection. Typically, the sender of such invoice pretends to be a legitimate vendor requesting a wire transfer to a new or different bank account. The scam is usually not detected until the company is alerted by complaints from the legitimate vendor that payments are outstanding and due.
A company can also be the victim of an identity theft in a situation where the offender has created a fake profile of the company on social media and promised unfounded discounts for consumers. In that case, the company could face costs related to the investigation of the incident and possible harm to its reputation.
Practical implications for companies
The possible deterrent effect of the amended Criminal Code is good news for all companies even though the new provisions, as such, do not make ICT systems less vulnerable.
The pan-European approach facilitates the co-operation between the authorities in different jurisdictions. In terms of increased co-operation between the authorities, all EU Member States must be able to respond quickly to urgent information requests from each other. Member States also need to collect statistics on cyber-attacks and report on cybercrime offences to the European Commission. The cyber-attack directive and the amended Criminal Code aim to reduce the damage and facilitate catching perpetrators of cybercrime offences and bringing them in front of the court.
The best way to prevent and mitigate damages resulting from cybercrimes is, of course, to be aware of the risks connected to cyber operating environment and to actively maintain a high level of data protection. In addition, cyber-insurance that protects your company from internet-based risks is also worth considering.