Cyber Insurance Perspectives
Part One: Types of legal liability for violation of data legislation
Information technologies have gained international significance and have become a key part in all spheres of activity for individuals, society and states alike. National economic development and formation of information-focused society hinges on their effective use. The Infosphere plays an important role in realizing strategic national priorities of the Russian Federation. Therefore, data must be protected from unlawful interference, collection, storage and processing.[1]
Due to the pre-eminence of transition to a global information-driven society, the issue of data security has come to the forefront. Many systems central to the administration of public services, economic decision-making and business processes are either already being implemented or soon will be implemented with the help of advanced information technologies. Currently, large amounts of data is being accumulated in various information systems, including data on national security and defense policy, financial, scientific and technical matters, as well as data related to the private lives of Russian Federation citizens.
The goals of national information policy are clearly outlined in the National Security Strategy of the Russian Federation, through the year 2020 (Approved by the Decree of the President of the Russian Federation, dated May 12, 2009, No. 537) and in the Information Security Doctrine of the Russian Federation (Approved by the Decree of the President of the Russian Federation, dated December 05, 2016, No. 646); along with The State Programme: Information Society, 2011-2020 (Approved by the Resolution of the Government of the Russian Federation, dated April 15, 2014, No. 313), as well as The Scientific and Technological Development Strategy of the Russian Federation (Approved by the Decree of the President of the Russian Federation, dated January 01, 2016, No. 642).
Codification into law is one of the fundamental building blocks in the development of an information society. This, in turn, makes the issues of legal violations and legal liability highly relevant to the information sphere.[2] From now on, the legal governance of relations in the information sphere has the objective of ensuring the effectiveness of these relations, and the observance of the legal rights of those entering in these relations.[3]
The Constitution of the Russian Federation defines three legal subjects: the individual, society and the State. As a result, crimes in the sphere of information are divided into three categories: crimes against individuals, society and the State.[4]
In a context of digitalization and globalization, the statement of an acclaimed lawyer Veniamin F. Yakovlev becomes all the more justified, namely that the law is constantly evolving and becoming more complex in the process. Legal frameworks surrounding liability are being strengthened, and new forms of legal liability are emerging. However, if liability issues are to be resolved to the satisfaction of both the legislator and the enforcer, it should be assumed that there exists a general concept of liability as a legal category.
Analyzing the viewpoints of well-known legal scholars (S.S. Alekseeva, S.N. Bratus, N.V. Vitruk, I.L. Bachilo, etc.) and reviewing the statements of Russian legislators, we come to the conclusion that legal liability in the information sphere can be understood as a direct response of the State to infringements on the law, according to their severity, hence its mandatory nature.
In other words, legal liability for information and data-related crimes means that the offender is subject to those measures stipulated in the legislation regulating the information sphere.
Crucial legal provisions in the information sphere are outlined in the Constitution of the Russian Federation. Federal Law dated July 27, 2006, No. 149-FZ On Information, Information Technology and Information Protection is the piece of legislation of primary importance, since in the 1st part of Article 10 of this law, the provisions for permitting the free flow of information within the territory of the Russian Federation are set out, they observe the requirements outlined in the legislation of the Russian Federation. This law also contains Article 17 called the Responsibility for Offences in the Sphere of Information, Informational Technologies and Protection of Information.
Violation of provisions of other laws regulating relations in the information sphere may also result in the incurrence of legal liability (for example, Federal Legislation on Banks and Banking Activities, on Communications, on Personal Data, on Access to Information, on Media).
It should be noted that legal liability for violations of the legislation on information relations has several specific characteristics, namely:
- crimes are always related to information
- crimes may be classified as informational offences not only if there is a direct relation to the information, but also in the cases where an intermediary is involved
Awareness and understanding of the liability rules surrounding legal relations, where one of the essential elements is information, is present in the legislation of the Russian Federation.
Today, crimes in the sphere of information technology are primarily those crimes committed by persons who also use various information technologies.[5]
Computer crimes relate to the observance of the established order of computer information flow. Computer crimes can also include more specific legal relations that are essential to the maintenance of public safety.[6]
The subject of cybercrime is computer information.
According to Article 2 of the Federal Law dated July 27, 2006, No. 149-FZ On Information, Information Technology and Information Protection, information is defined as various data (reports and details) regardless of its form. Computer information is clearly defined by the way in which it is presented. Paragraph 1 of the notes to Article 272 of the Criminal Code of the Russian Federation outlines that computer information is information (messages and data) transmitted by electrical signals, regardless of the storage location, processing and transmission means.[7]
The central principles of legal relations regulation in the field of information, information technology and information protection are the free search, receipt, transfer, production and distribution of information in various legally permissible ways. The legitimacy of the method depends on the observance of the legal rights of the information owner, regarding both access and usage of such information.[8]
Information can be divided by access category into public and restricted-access information (access to which is regulated by federal laws).
Computer crimes violate both the legal rights and interests of citizens. More broadly, computer crimes infringe on the Information Security of the Russian Federation. In accordance with the Information Security Doctrine of the Russian Federation, Information Security in the Russian Federation is defined as the protection of legal interests at the following levels: individual, society and State.[9]
Violations in the information sphere are differentiated by the degree of threat they pose and are in terms of the likelihood of socially-dangerous consequences that can stem from such violations. When examining the actions of perpetrators, it is important to distinguish between direct intent and actions that have inadvertently led to socially-dangerous outcomes. The intent and motives of the perpetrator determine their type of legal liability.
During the litigation process, the subject of the unlawful act, the evidence of the unlawful act, the intent of the actions and the possibility of identifying the perpetrator are determined.
Current information legislation consists of many federal laws but most of them establish disciplinary, civil, administrative or criminal liability. The exception is two federal laws. Article 24 of the Federal Law on Personal Data, prior to the amendments dated July 27, 2011, established that the perpetrators bear civil, criminal, administrative, disciplinary and other liability set out in the legislation of the Russian Federation. However, following amendments by Federal Law dated July 25, 2011, No. 261-FZ, the current wording of Article 24 of the Federal Law on Personal Data states that liability is provided for by the legislation of the Russian Federation. Thus, today the legislation excludes the application of other liability types, in line with the usual legislative practice. As for the second federal law, the Federal Law on Information, Information Technology and Information Protection, Article 17 establishes disciplinary, civil, administrative and criminal liability for crimes in the field of information, information technology and information protection.[10]
Thus, the most common type of legal liability relating to information crimes is that of the sector profile. Each type of legal liability has specific sanctions and application procedures.
Disciplinary/official liability results from disciplinary violations. Distinctively, it involves the perpetrator of a crime and the body that applies a disciplinary measure.
Administrative liability is defined as administrative measures (coercion, fines and administrative detention) applied by the executive authorities to the perpetrator.[11] The largest number of issues (over 40) covering information access and the means of communication is contained in Chapter 13 of the Administrative Offences Code of the Russian Federation, namely
Administrative Offences in the Field of Communications and Information.
However, other chapters of the Administrative Offences Code of the Russian Federation also contain provisions which stipulate legal liability for violations in the information sphere. They include On the Denial of Information (Article 5.39), On the Concealment or Misrepresentation of Environmental Information (Article 8.5), On the Use of Official Information in the Securities Market (Article 12.21), On the Disclosure of Security Measures (Article 17.13), etc.
Civil liability relates to violations of property and personal non-property rights of individuals and organizations. Its purpose is to restore the property rights of citizens that have been infringed upon, by means of compensation for damages, in the forms provided for by civil law.
The most severe measure of State coercion is criminal liability. It can be both public and personal. Its public nature is differentiated by the fact that the State is the subject that charges with criminal liability. As for the personal nature of the offence, the perpetrator is criminally liable. Such criminal activity is usually the means of committing various economic, public security, public policy and other crimes. Such actions may not only cause significant material damage to all participants of economic relations, but also make confidential information available to the public.
As a result, in 1996, Chapter 28 was introduced into the Russian Federation Criminal Code – Crimes in the sphere of computer information, which includes all relevant provisions under Articles 272-274 of the Criminal Code of the Russian Federation.[12]
It should be noted that the protection of restricted-access information is carried out in accordance with article 28 of the Criminal Code. This article provides that such information includes legally-protected computer information (Articles 272 and 274 of the Criminal Code), the access to which is restricted, as well as other information accessible to the public (article 273 of the Criminal Code).[13] Under Article 9 of the Federal Law dated July 27, 2006, No. 149-FZ On Information, Information Technology and Information Protection, legally protected information includes information representing state, commercial, official, professional and other legally-protected secrets, and confidential information on personal data of individuals
These types of crimes and liability are typical of the law in the field of information confidentiality.
Nowadays, there is no proper understanding of enforceable legal liability in the legislation related to the information sphere. This is primarily due to the lack of a clear definition of information, which, in turn, makes it difficult to define information crimes.
As a reminder, the terms of the contract between the parties are an important factor in determining the scope of liability. Such a contract will determine the scope of liability of the network security provider, in particular for violations of information legislation. The terms and conditions of the contract can help you avoid the risk of being held liable for the corresponding violations.
[1] Belevskaya Y.A., Fisun A.P., Minayev V.A., and others Legal support of information security of informatization objects and regulation of constitutional rights of individuals in the information sphere: Monograph/Edited by PhD in Technical Sciences, A.P. Fisun, Candidate of Legal Sciences Yu.A. Belevskaya. Orel: GOU VPO Orel State University Publ. 2008. 362 p
[2] Polyakova T.A., Streltsova A.A. Organizatsionnoe i pravovoe obespechenie informatsionnoy besopasnosti[Organizational and legal support of information security]. Moscow, 2016, 325 p
[3] Bachilo I.L. Informatsionnoe pravo [Information law], Moscow, 2016, 419 p
[4] Tishchenko E.N., Sharypova T.N. Formalization of selection of various options of information protection system against unauthorized access in the electronic document management environment. Reporter of Rostov State University of Economics. 2010. No.3(32). 226-233 pp
[5] Landik S.A., Sharypova T.N. Computer crimes and electronic data protection measures. In the collected volume: science today: challenges and solutions, materials of the international scientific-practical conference: in 2 parts. 2018. 68-70 pp
[6] Landik S.A., Sharypova T.N. Computer crimes and electronic data protection measures. In the collected volume: science today: challenges and solutions, materials of the international scientific-practical conference: in 2 parts. 2018. 68-70 pp
[7] Criminal Code of the Russian Federation
[8] Parfelenko A.A., Sharypova T.N. Internet piracy. In the collected volume: science today: challenges and solutions, materials of the international scientific-practical conference: in 2 parts. 2018. 48-50 pp
[9] Parfelenko A.A., Sharypova T.N. Internet piracy. In the collected volume: science today: challenges and solutions, materials of the international scientific-practical conference: in 2 parts. 2018. 48-50 pp
[10] Yurchenko Y.I., Sharypova T.N. Types of legal information // Innovative approaches in modern science: art. based on the materials of the XIV International Scientific and Practical Conference Innovative Approach in Modern Science. – No.2(14).- М., Internauka Publ., 2018.- 206-209 p.
[11] Semkin S.N., Semkin A.N. Osnovy pravovogo obespecheniya zashchity informatsiyi [Basics of legal support for information protection]. Textbook for higher education institutions. M., 2008. 238 p
[12] Criminal Code of the Russian Federation.
[13] Criminal Code of the Russian Federation.