Recourse against computer system intrusion

24 February 2005

Franklin Brousse

The opening up of companies’ information systems, which has resulted from the development of new uses, the expansion of intra- and inter-company mobile services and the arrival of wireless technologies, makes such systems more vulnerable and increases the risk of intrusions.

Separate from the increased risk of internal threats to a company is the problem of managing the risks of external intrusions carried out both by hackers and, increasingly, by competitors.

The implementation of specific tools, such as security software, and, more generally, IT security policies are important safeguards against these types of risks. However, such precautions are unable to completely exclude such risks and rarely provide a plan of how to react in the event of an external intrusion.

Therefore, the effectiveness of a company’s response to an external intrusion, including the identification of the person responsible for an intrusion and criminal or civil action, depends on the company’s ability to react swiftly and efficiently when faced with an intrusion.

Create a file of evidence of the intrusion

In the event of an intrusion it is important for a company to set up a file which records the different evidence and signs of the intrusion before any recourse or action is taken. All too often, remedial action is unsuccessful due to a lack of sufficient evidence identifying the person responsible and accurately describing the nature of their schemes.

If the intrusion concerns a part of the information system that is closed and secured or is a website, such intrusion can be recorded by making a statement or complaint at any of the specialised sections of the competent Criminal Investigation Department: the BEFTI (Brigade d'Enquêtes sur les Fraudes aux Technologies de l'Information), which has jurisdiction in Paris, the OCLCTIC (Office Central de Lutte contre la Criminalité liée aux Technologies de l'Information et de la Communication) or the BCRCI (Brigade Centrale de Répression de la Criminalité Informatique) on a national level.

These departments are competent to lead investigations with respect to specific offences related to crimes linked to IT and communications, as well as offences which have been facilitated by or are linked to the use of such technology.

These departments also possess the necessary means to enable them to identify and find the persons responsible.

However, such intervention rests solely on the finding of offences involving “attacks on automated data processing systems”, set out in Articles 323-1 to 323-7 of the French Criminal Code, recently amended by the entry into force of the Law on Confidence in the Digital Economy of 22 June 2004.

In other words, if the available evidence is insufficient to decide upon the material or fraudulent nature of the intrusion, these departments may decide not to intervene in the absence of any criminal charge.

One example of this would be the access or downloading of unsecured web pages via an off-line browser.

The Paris Court of Appeal, in a judgment dated 30 October 2002, decided that the possibility of accessing stored data on a site with a simple browser, where there are numerous security weaknesses, is not reprehensible.

If the Criminal Investigation Department declares that it does not have jurisdiction, it is possible to proceed with reports made by officers with specific powers such as those of the APP (Agence pour la Protection des Programmes).

What action can be taken?

The search and reports may give rise to a direct criminal claim or one made by a civil party, or a civil claim in relation to a criminal act which could be based on unfair competition if the acts are carried out by a competitor.

In respect of a criminal claim, an investigating magistrate may, following a claim by a civil party, conduct an enquiry into and question the person(s) allegedly involved in the system intrusion. Such person(s) will be accountable to the officer in charge of offences relating to fraudulent access to and/or fraudulently remaining in information systems and/or the deletion or modification of the data contained in them.

In respect of a civil claim, an action cannot be brought unless fault or damage subsists and a chain of causation can be established.

Where damage is caused by an intrusion which occurred in a company domiciled in France, French courts may have jurisdiction and French law could be applied.

In any event, the success of any criminal or civil action will depend on the quality of evidence which has been collected by the company in question and recorded by the authorised persons.