
On January 5, 2009, Colombia's Congress enacted Act 1273, which amends the Criminal Code and creates a new legally protected interest called information and data protection. Act 1273 also extended protection to systems that use information technologies and communications. Concretely, Act 1273 of 2009 created new criminal offenses related to computer crimes and the protection of information and data, with imprisonment penalties up to 120 months and fines up to $1,500 minimum statutory monthly wages [1].
This law criminalizes a range of behaviors related to the handling of personal data, so it is important that companies legally shield themselves to avoid committing any of these crimes. The misuse of technological advances to illegally seize the assets of third parties, through the cloning of bank cards, the alteration and hacking of computer systems for receiving services, and electronic transfers of funds through manipulation of software and involvement of ATMs, among others, is becoming a usual behavior worldwide. According to the "Cara y Sello" Magazine, during 2007, companies lost more than $6.6 billion pesos in the wake of computing crime in Colombia.
Act 1273 adds a new title to the Colombian Penal Code (Title VII BIS) called "information and data protection." The new title is divided into two chapters: (1) "Assaults against data and computer systems confidentiality, integrity and availability," and (2) "Computing assaults and other violations."
The chapter on assaults against data and computer systems confidentiality, integrity and availability, adds the following articles:
- Article 269A: ABUSIVE ACCESS TO A COMPUTER SYSTEM. Anyone who, without permission or outside the agreement, accesses in whole or in part a computer system, protected or not with a security measure, or remains within it against the wishes of those who have the legitimate right to exclude him or her, will be held liable to a prison term of forty-eight (48) to ninety-six (96) months and a fine of $100 to $1,000 minimum statutory monthly wages.
- Article 269B: ILLEGITIMATE OBSTRUCTION OF COMPUTING SYSTEMS OR TELECOMMUNICATIONS NETWORKS. Anyone who, without being authorized to do so, prevents or hinders the normal operation of or access to a computer system, the data contained therein, or a telecommunications network, will be held liable to a prison term of forty-eight (48) to ninety-six (96) months and a fine of $100 to $1,000 minimum statutory monthly wages, provided that the conduct does not constitute an offense punishable by a higher penalty.
- Article 269C: DATA INTERCEPTION. Anyone who, without prior court order, intercepts data at its origin, destination or within a computer system, or the electromagnetic emissions from a computer system transporting them, will be held liable to a prison term of thirty-six (36) to seventy-two (72) months.
- Article 269D: COMPUTER DAMAGE. Anyone who, without being authorized to do so, destroys, damages, deletes, deteriorates, alters or deletes computing data, or an information processing system or its parts or logical components will be held liable to a prison term of forty-eight (48) to ninety-six (96) months and a fine of $100 to $1,000 minimum statutory monthly wages.
- Article 269E: MALICIOUS SOFTWARE USE. Anyone who, without being authorized to do so, produces, traffics, acquires, distributes, sells, sends, introduces into or extracts from the country malicious software or other computer programs of harmful effects, will be held liable to a prison term of forty-eight (48) to ninety-six (96) months and a fine of $100 to $1,000 minimum statutory monthly wages.
- Article 269F: VIOLATION OF PERSONAL DATA. Anyone who, without being authorized to do so, for his or her own benefit or for a third party, obtains, compiles, subtracts, offers, sells, exchanges, sends, buys, intercepts, discloses, modifies or uses personal codes, personal data contained in files, archives, databases or similar means, will be held liable to a prison term of forty-eight (48) to ninety-six (96) months and a fine of $100 to $1,000 minimum statutory monthly wages.
Act 1266 of 2008 defined the term personal data as "any piece of information linked to one or more specific persons or persons to be determined, or that may be associated with a physical or legal person." It requires companies to take special care in handling the personal data of their employees, since the law requires anyone who "extracts" and "intercepts" such data to readdress its owner.
- Article 269G: WEBSITES IMPERSONATION FOR CAPTURING PERSONAL INFORMATION. Anyone who, with an illegal purpose and without authority to do so, designs, develops, traffics, sells, runs, programs, or sends electronic pages, links or pop-ups, will be held liable to a prison term of forty-eight (48) to ninety-six (96) months and a fine of $100 to $1,000 minimum statutory monthly wages, provided that the conduct does not constitute an offense punishable by a higher penalty.
The same penalty shall apply to anyone who modifies the domain name resolution system so that the user is made to enter a different Internet Protocol (IP) address in the belief that he or she is accessing his or her bank or another personal or trusted site, if the conduct does not constitute an offense punishable by a higher penalty.
The penalty specified in this article shall be increased by one third to one half if the agent has recruited victims in the chain of crime.
This article defines what is commonly called "phishing," a scam that uses e-mails as its means but is increasingly using other means of propagation such as instant messaging and social networks. According to the Computer Crimes Unit of the Judicial Police (Dijin), during 2006, $3,500 million pesos were stolen from the financial system through the use of the phishing scheme [2].
Section 269H added aggravating circumstances to the aforementioned crimes, increasing the penalty by one half to three quarters when the conduct is committed:
1. On networks or computing systems belonging to the state, used by the official or financial sector, either domestic or foreign
2. By a public servant in his official capacity
3. Taking advantage of the trust placed by the holder of the information, or by someone who has a contractual relationship with the holder
4. Revealing or publicizing the content of information to the detriment of another
5. Obtaining a benefit for himself or a third party
6. For terrorist purposes or creating a risk to safety or national defense
7. Using as an instrument against a third party acting in good faith
8. By a person engaged in the administration, management, or control of that information. In this event, the person will also be disqualified from the exercise of any profession related to information systems processed with computer equipment, for up to three years.
Therefore, it is necessary to have clear and precise conditions of employment, both with employees and contractors, to avoid committing criminal offenses.
The second chapter, related to computing assaults and other violations, includes the following new articles:
- Article 269I: THEFT THROUGH COMPUTERS AND THE LIKE. Anyone who, breaking computer security measures, engages in the conduct described in Article 239 [3] by manipulating a computer system, an electronic, computing or other similar network, or by impersonating a user before the established authentication and authorization systems, will incur the penalties mentioned in article 240 of the Penal Code [4] (prison term of three (3) to eight (8) years).
- Article 269J: NON-AGREED TRANSFER OF ASSETS. Anyone who, for profit and using any computer manipulation or similar device, achieves the non-agreed transfer of any assets to the detriment of another, provided that the conduct does not constitute an offense punishable by a heavier penalty, will be liable to a prison term of forty-eight (48) to one hundred twenty (120) months and a fine of $200 to $1,500 minimum statutory monthly wages.
The same sanction will be imposed on anyone who manufactures, introduces, has or gives a computer program aimed at the perpetration of the crime described in the preceding paragraph, or at the perpetration of a scam [5].
If the conduct described in the two preceding paragraphs has a value exceeding $200 minimum monthly wages, the penalty will be increased by half.
Likewise, Act 1273 adds as an aggravating circumstance under article 58 of the Criminal Code the performance of punishable acts by using electronic or computing means.
Act 1273 is an important step in the fight against crime in Colombia. From a corporate point of view, the new law raises employers' awareness of the need to create suitable mechanisms for the protection of one of their most valuable assets: their information. Companies should adapt their employment contracts to the precepts of this new law, establish responsibilities and penalties for employees within their job regulations, enter into confidentiality agreements with employers, and create specific mechanisms to monitor the safety of information. Moreover, it is necessary to regulate aspects of the new working arrangements such as teleworking or work activities carried out from the employees' residence, which require a higher level of oversight with regard to the management of information. Also, companies should train their employees on their new role and responsibilities in the information technology era, given the high penalties that may be imposed on those employees.
At Parra, Rodriguez & Cavelier, we are able to help your organization in dealing with these new challenges. Our telecommunications, media and new technologies department, labor law department, and litigation team are ready to provide legal advice and support on information security and data protection matters.
[1] In 2009 the legal minimum wage in Colombia is COP [Colombian pesos] $496,900. Therefore the maximum fines shall be COP $745,350,000, equivalent to US$334,688 at today's, January 2009, exchange rate.
[2] http://blog.segu-info.com.ar/2008/09/computadores-secuestrados-por-hackers.html.
[3] Theft: to seize a movable good of a third party, with the purpose of obtaining benefits for himself or herself, or another.
[4] Qualified Theft.
[5] Scam. Anyone who illegally obtains a benefit for himself or for a third party, causing damage to others, by inducing or maintaining the other in error through trickery or deceit.