CHILE: An Introduction to Dispute Resolution: White-Collar Crime
New regulation on cybercrime and corporate crime prevention
Jorge Bofill and César Ramos
The phenomenon of cybercrime has become increasingly prominent given the expansion of information technology. As communications and economic processes have been redefined by technology, IT has been transformed into a space of innovation where new developments coexist with new criminal phenomena, which have led to risks for new and "classic" legal assets, such as privacy, patrimony and business secrecy.
Law No. 19,223 faced the phenomenon of cybercrime at an early stage in 1993, sanctioning “computer sabotage” as well as “computer espionage.” Nonetheless, after a few years, this regulation showed defects and inadequacies. Law No. 19,223, oriented primarily to the protection of the computer system and the information contained therein, was an insufficient tool in the face of the illicit use of technology for deceptive purposes, to favour, for example, unlawful enrichment. That is the case with the constituent conducts of phishing, which could only doubtfully be included in the regulation of financial frauds grouped under the traditional concept of fraud. This crime requires a financial disposition of the deceived subject, which, by definition, does not occur when what is delivered are the access codes that allow the illicit acquisition of money.
This regulatory inadequacy became irreversibly evident in contrast to the 2001 Council of Europe Convention on Cybercrime (Budapest Convention). Chile ratified the Budapest Convention in 2017, agreeing to modify the current legislation to comply with its provisions. In that convention, signatory countries adopted definitions that highlighted the absence of rules covering conducts whose incrimination was necessary, from the perspective of protecting the confidentiality, integrity and availability of data and computer systems and for the adoption of suitable measures to enable effective investigation of offences. The aforementioned is especially important considering the transnational nature of these conducts and the need for the international coordination of policies against cybercrime.
Cyber criminality has shown a significant increase in the last few years. According to data issued by the Investigative Police of Chile (Policía de Investigaciones), there was an increase of 30% (in the case of frauds) to 45% (in the case of computer sabotage) in 2021. These are the same rates of increase as those sustained since the confinement policies related to the COVID-19 pandemic were implemented in March 2020. This scenario reflects the increase in economic transactions via the internet and the use of IT platforms as a means of recording and transferring information.
Said figures account for the obsolescence of regulation, which was unable to respond adequately to a criminal phenomenon – computer fraud – that showed exponential growth.
The regulation’s vulnerability also became evident in the face of media cases that captured the attention of public opinion. In September 2020, Banco Estado – the governmental bank – was the victim of a cyberattack consisting of the introduction of malware in its systems. This event forced the closure of the bank’s branches and the later intervention of the government and Congress in the process of determining responsibilities.
In this context, the recent publication of Law No. 21,459 on June 20, 2022, constitutes an important innovation. Said law, which revoked Law No. 19,223 in order to comply with the Budapest Convention, regulates various conducts grouped under the name of “computer crimes.” This definition includes conducts that, to some extent, were close to those already regulated, such as attacks on the integrity of a computer system (Article 1) or on the data contained in it (Article 4); unlawful accesses to the system, whether or not carried out with the intention of seizing or using the information (Article 2); and the disclosure of information accessed unlawfully (Article 2). It also punishes conducts whose criminal relevance constitutes a novelty compared to the previous law, such as the falsification of computer data (Article 5); the receiving of computer data, understood as the commercialisation, transfer or storage of such data, when they originate from intercepted access or computer falsifications (Article 6); computer fraud, i.e. the financial damage caused by manipulation of a computer system (Article 7); and the abuse of devices for the perpetration of computer crimes (Article 8).
Law No. 21,459 not only innovates and perfects the description of the incriminated conducts, but also introduces the criminal liability of legal entities regarding cybercrime. Indeed, Article 21 of Law No. 21,459 introduces amendments to Law No. 20,393, incorporating “computer crimes” into the catalogue of offences that cause this kind of criminal liability.
This modification introduces a substantial change in corporate practices, in the framework of the implementation of effective corporate compliance policies. Law No. 20,393 adopted a model in which the company's liability is attributed when the commission of the offence is a consequence of a breach of its management and supervision duties. The law also understands that such duties are fulfilled when a crime prevention model is implemented. Therefore, there is an indisputable guideline for the organisation of the legal entity, orienting it towards the prevention and exclusion of risks associated with the commission of certain offences, described exhaustively in the law.
In this context, there are two key issues in order to anticipate changes regarding corporate compliance, linked to the regulation of cybercrime. On the one hand, the wide diversity of punishable conducts, in a context in which business information is transmitted and safeguarded in technological media, guides the design of prevention models towards the exclusion or reduction of punitive risks associated with the recording, safeguarding and use of information within the organisation. In this sense, both access to external computer systems and adequate control of data, whether or not emanating from the organisation, are essential aspects that prevention models should consider and evaluate among their punitive risks, in order to effectively prevent the commission of crimes.
On the other hand, regarding future investigations under the new law, it is essential to establish systems of control and access to information, in order to show that the supervision systems are suitable for preventing crimes. In the event that they have been committed, the company can adopt ex post facto measures. Said measures must contribute to the investigation and prosecution of those responsible, excluding the benefit of the legal entity and effectively adopting the necessary measures for the recognition of mitigating circumstances due to cooperation or the exemption from criminal liability due to adjustments to the model that have an impact on its preventive effectiveness.
In a context in which the adequate use of investigative tools by the prosecuting entities urgently requires further improvement and training, legal entities will be the ones that will have to take the necessary measures regarding the proper safekeeping and control of information and crime prevention.
As a result, the legal reform of cybercrime will have an irreversible impact on corporate compliance policies. However, the challenge rests not only with the prosecutors and police departments in charge of criminal prosecution. Legal entities will have to implement new policies of supervision and control, adapting their corporate actions and processes to the new law from a cybersecurity perspective.