11 Apr 2012

European Firms And Companies Can Be Held Liable For Others’ Cyber Attacks

Recently the European Parliament's Civil Liberties Committee approved legislative plans under which firms and companies can be held liable for any cyber attacks that others commit “for their benefit”. The proposal also seeks to establish criminal liability of certain “legal persons” within a company for certain cyber crimes.

The crux of these provisions is that specified legal persons would be liable for offences committed for their benefit, whether deliberately or through a lack of supervision. These companies/legal persons may also face penalties such as exclusion from entitlement to public benefits or judicial winding-up.

Naturally, European companies and firms in general, and the appointed legal persons in particular, must be well trained in cyber law and in the cyber crimes that may be committed against them. If you are interested in online cyber law training in India for international students, check the PTLB’s Blog in this regard.

Take the example of the energy sector in Europe, which increasingly relies upon information and communication technology (ICT) for its business and operations. Smart meters are becoming a headache for electric energy companies the world over, and European energy companies would face the same. Manipulation of such smart meters by third parties can bring legal troubles for the legal persons responsible for their cyber security and safety.

Further, EU member countries will be required to ensure that their networks of national contact points are available round the clock and that they can respond to urgent requests within a maximum of eight hours in order to prevent cyber-attacks spreading across borders. This has been proposed to ensure critical ICT infrastructure protection in Europe.

The proposed law would make it a criminal offence to conduct cyber attacks on computer systems. Individuals could face imprisonment of two years for such an offence. A maximum penalty of at least five years in jail could apply if aggravating circumstances or considerable damage, financial costs or loss of financial data occurred.

Individuals found in possession of or distributing hacking software and tools also face criminal charges under the proposed law. Using another person's electronic identity in order to commit an attack that causes prejudice to the rightful identity owner could result in offenders serving a minimum of three years in jail if they are under the maximum penalties that could be imposed.

Tougher penalties would be imposed on criminal organisations. Those harsher penalties will also be imposed for attacks on critical infrastructure such as the IT systems of power plants or transport networks. If damage caused by attacks is insignificant then no criminal sanctions should apply. Criminal offences will also apply for the sale or production of tools that are used to commit cyber-attack crimes.

Malware like Stuxnet and Duqu has already proved that critical infrastructures like power grids, nuclear facilities, satellites, defense networks, governmental informatics infrastructures, etc. are vulnerable to sophisticated cyber attacks. This is a grave issue which even the Indian government must take very seriously before rolling out smart meters in India.