Italy Convention cyber-crimes

28 April 2008

Giulia Mozzato, Debora Stella, Danilo Quattrocchi

On 20 February 2008 the Italian Senate approved a bill ratifying the Convention on cyber-crimes, issued in November 2001. The Convention aimed to safeguard society against cyber-crimes; by promoting a common policy, harmonising national procedures and strengthening judicial powers.

The Italian law follows the three-fold structure of the convention; creating criminal laws to sanction unlawful behaviour; creating procedural rules to punish cyber crimes; and finally, amending rules making corporate entities liable for crimes committed by their employees and agents. The new law significantly amends the Italian criminal and procedural law, as well as creating new types of liabilities for corporate entities.

Changes to the criminal law

One aim of the new act was to ensure proportionality, so that any penalty imposed would be proportionate to the crime committed. For this reason, some provisions of the old criminal code have been amended; changing the structure of the Act, and seeking to address areas that were weak in the previous legislation. Amendments were also required to adapt the wording of the code to reflect the content of the Convention. For this reason the section 635-bis was amended (Damage to information, data and information programs) and new sections 635-ter (Damage to information, data, information programs used by the State or by another public entity or of public utility) and 635-quater (Damage to information and communications systems) of the Criminal Code were introduced. (I would capitalise these as they are section titles)

The changes made to the Code are intended to mirror the distinction inherent in the Convention between damage to the integrity of the data and damage to information systems. Therefore, the two different types of damage are contained in two different sections. The Code also provides for different criminal rules depending on the private or public relevance of what is protected.

Section 615-quinquies (Distribution of equipment, information devices and programmes aimed at damaging or interrupting a Communication or information system) has been changed, widening the types of conduct that fall under the offence. This now includes the production, re-production, import, distribution, communication and delivery of these devices. In order for the conduct to amount to a crime, “specific intent” is now required. (I would capitalise this as it is a section titles)

The Act also extends the Forgery offences to cover electronic documents. Electronic documents are defined as any “electronic representation of acts, facts or data that is legally relevant”. (This repealed the second paragraph of section 491-bis (Electronic document) of the criminal code).

The Act also introduces new section 495-bis of the criminal code, which makes it an offence to make false declarations or statements to an authority that certifies electronic signatures. It is offence to make false statements either as to your own identity or personal details; or the identity of a third party. This offence is punishable by a prison sentence.

The Act also created a specific offence that can be committed by a certification authority. Under section 640-quater (Information fraud by a certification authority of electronic signature) it is an offence for certification authority to commit fraud, this is more than a breach of their obligations, which is already sanctioned by the legislative decree 82/2005, but also requires the authority to make an unfair profit to the detriment of a third party

Changes to the data protection code

The provision also amends the provisions of the data protection code in relation to data retention (by introducing new paragraphs 4-ter, 4-quater, 4-quinquies to Section 132). Under these amendments the police, the Carabinieri, the tax police and the Home Affairs Ministry have the power to order ISPs to retain data relating to internet traffic for a period of ninety days (a period that can be extended). This does not cover the content of any communication. The purpose of this amendment is to allow access to information for the purpose of criminal investigations or for the crime prevention. This provision, according to the principles of the Convention, is intended to grant effective protection to information that is particularly vulnerable to deletion or modifications.

However, this provision will need to be coordinated with the existing obligation to retain data under the Italian data protection code and anti-terrorism legislation (Ministry Pisanu law decree n. 155/2005). Under these rules internet and Communication traffic data must be retained until 31st December 2008. [Keep it capitalised]

Amendments to rules on a company’s liability for the acts of its agents

Under Legislative Decree No. 231 of 8 June 2001 any organisation, irrespective of its legal status, can be subject to administrative sanctions if its agent commits a criminal offence. The Decree applies to almost types of organisations, including corporations, partnerships, unincorporated associations, not-for-profit organisations and other entities.

Where an entity benefits from a crime, it will be directly liable for offences committed by:

  • any representative of the organisation or any person who has a management role (either a formal role, or is “in fact” a manager);
  • any person overseen by or otherwise under the surveillance of, the organization.

The most significant impact of the Decree is that organisations are responsible for the wrongful acts of their agents (who may not necessarily be their employees) if the agents were acting in the company’s interest.

The entity could incur fines of up to € 1,549,000.00 for a breach of this decree. It could also suffer further sanctions which could include the following:

  • temporary prohibition from its activities;
  • revocation of authorisations and licenses issued by the Public Administration;
  • prohibition from contracting with the Public Administration;
  • exclusion from State financial facilities and revocation of facilities awarded to date; and/or
  • prohibition from the right to advertise company’s goods or services

The judge may also impose additional sanctions, such as confiscating any amounts paid or profit derived from the crime. The court’s decision could also be published in one or more newspapers selected by the judge.

The Decree specifically targets certain types of criminal behaviour; according to sections 24 – 25 octies, an organisation may be subject to a penalty as a result of: i)Crimes against the State or public bodies; ii) Falsification crimes involving money, credit cards and stamp duties; iii) Corporate crimes; iv) Acts of terrorism; v) Crimes against individuals; vi) Market Abuse crimes; vii) “Transnational” crimes (according UN Convention on transnational organized crime); viii) Crimes related to the violation of safety measures at workplaces; ix) Money laundering, and x) Handling of goods deriving from a crime.

In order to strengthen its deterrent power, the bill will insert in the Decree a new article 24-bis. This will extend the companies’ liability to the following cyber crimes under the Italian Criminal Code:

  • forgery of a public computerised document (section 491-bis),
  • unlawful access to an information or communication system (section 615-ter);
  • unlawful holding and distribution of codes of access to information and communication systems (section 615-quater);
  • distribution of equipment, devices or information programmes aimed at damaging or interrupting information or communication systems (section 615-quinquies);
  • unlawful interception, impediment and interruption of information and communication systems and computerised communications (section 617-quater);
  • installation of devices aimed at intercepting, impeding and interrupting communications (section 615-quinquies);
  • damage to information, data and information programs (section 635-bis);
  • damage to information, data, information programs used by the State or by another public entity or of public utility (section 635- ter);
  • damage to communication and information systems (section 635-quater);
  • distribution of equipment, devices or information programmes aimed at damaging or interrupting a communication or information system (635-quinquies);
  • information fraud by the electronic signature authority (section 640-quinquies).

However, it should be noted that the entity may not be liable if it can prove that before the offence was committed it had an effective programme in place to prevent breaches of the law. It must identify the sectors of its activity where crimes are most likely to be committed by managers or employees. The programme’s enforcement should be managed by an internal, but functionally independent, body. The Company must also be able to demonstrate that any individuals who committed the offence must have fraudulently chosen not to comply with such program.

The new Italian act heralds a number of significant changes to the regime to deal with cyber crimes; creating a number of new offences and imposing greater responsibilities on companies, whose employees or agents are in breach of the Act.