Cybercrime Court Decisions from Latin America - Legal and Policy Developments (HTCIA Conference,...

Recent Cyber-crime Court Decisions from Latin America

Legal & Policy Developments

Renato Opice Blum Cédric Laurant

Presentation available at http://blog.cedriclaurant.org

High Technology Crime Investigation Association International Conference

(Atlanta, GA – USA - Sept. 20-22, 2010) http://www.htciaconference.org/

A. The importance of cyber-crime in Latin America for US cybersecurity professionals

B. How this emerging cyber-crime activity impacts American companies and computer users

C. Major legal & policy developments related to cyber-crime in Latin America

D. Recent cyber-crime court decisions from Brazil and Argentina

E. Recent data protection developments in Latin America - How they relate to cyber-crime

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

2

OUTLINE

A. The importance of cyber-crime in Latin America for US cyber-security and law enforcement professionals






5

OUTLINE


• Cyber-crime is growing in Latin America, especially in Brazil. – In Brazil, more than 6 out of 10 computers get infected by viruses and malware

attacks, compared to an average of 1 out of 2.

6


From: Norton Cybercrime Report: The Human Impact (August 2010)


• Cyber-crime is international by nature. • It requires international cooperation among

all countries. • But it also requires speedy international

cooperation.

7


A. The importance of cyber-crime in Latin America for US cybersecurity and law enforcement professionals






8

OUTLINE

B. How this emerging cyber-crime activity impacts US companies and computer users

• 1. Impact on US companies. • 2. Impact on American people whose

personal information is misused, leaked, stolen.

• 3. Impact on American consumers and e-commerce in the US.

9



• 1. Impact of cyber-crime on US companies: – Key conclusions from a recent study (*) that quantifies the economic impact

of cyber-crime attacks: • “Cyber-crime attacks” include criminal activity conducted via the Internet: theft of

a company’s intellectual property, confiscation of online bank accounts, creation and distribution of viruses on other computers, posting confidential business information on the Internet, and disruption of a country’s critical national infrastructure.

• “Cost” includes: “direct, indirect and opportunity costs that resulted from the loss or theft of information, disruption to business operations, revenue loss and destruction of property, plant and equipment, and the external consequences of the cyber crime. The survey also captures the total cost spent on detection, investigation, containment, recovery and after-the-fact or “ex-post” response.

• Cyber crimes can do serious harm to an organization’s bottom line. The median annualized cost of cyber crime of the 45 organizations surveyed is $3.8 million per year. It can range from $1 million to $52 million per year per company.

(*) Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010.

10



11

From: Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010


• Impact of cyber-crime on US companies: – Key conclusions from a recent study that quantifies the economic impact of

cyber-crime attacks:

• Cyber-crime attacks are now common occurrences. The companies surveyed experienced 50 successful attacks per week and more than one successful attack per company per week.

• Cyber-crime attacks can get costly if not resolved quickly: average number of days to resolve a cyber attack was 14 days; average cost per company of $17,696 per day. Malicious insider attacks can take up to 42 days or more to resolve. Quick resolution is needed for today’s cyber-crime attacks.

• Information theft represents the highest external cost, followed by the costs associated with the disruption to business operations.

12



13



• Impact of cybercrime on US companies: – Key conclusions from a very recent study that quantifies the economic

impact of cyber-crime attacks:

• Detection and recovery are the most costly internal activities.

14



15



• Impact of cybercrime on US companies: – Key conclusions from a very recent study that quantifies the economic

impact of cyber-crime attacks:

• All industry sectors are impacted.

16



17



• 2. Impact on American people whose personal information is misused, leaked, stolen.

• 3. Impact on American consumers and e-commerce in the US.

The Norton Cybercrime Report: The Human Impact released last August finds that:

– “For nearly 3 in 10 victims, the biggest hassle is the time it takes to sort things out: […] 4 weeks to resolve an average cyber-crime incident.”

– “There’s the emotional baggage, with around 1/5 of victims finding it made them stressed, angry and embarrassed (19%), and 14% mourning the loss of irreplaceable data or items of sentimental value, such as photo collections.”

18



19


From: Norton Cybercrime Report: The Human Impact (August 2010)







20

OUTLINE


• Organization of American States: – 1999: first concern about cyber-crime. – 1999: established an intergovernmental cyber-crime expert group. – 2000: the Council of Ministers of OAS Member States issued a set of

recommendations: • Facilitate cooperation among OAS Member States • Increase technical and legal capacity-building • Consider implementation and signature of CoE Cybercrime Convention • Study feasibility of an Inter-American model of cybercrime legislation.

– Several expert group meetings have taken place every year and have started:

• To put in place information exchange and cooperation mechanisms among all OAS countries and with relevant international organizations (Council of Europe, UN, EU, G8, OECD, APEC, Commonwealth, Interpol)

• To establish public-private collaboration mechanisms.


21


• The Council of Europe’s Cybercrime Convention: – Adopted and opened for signature in 2001, entered into

force on July 1, 2004. – As of April 2009, 46 States have signed it, 25 have

ratified it. – Costa Rica, the Dominican Republic, Mexico and Chile

have been invited to accede. Argentina requested accession.

• Any State may accede following majority vote in Committee of Ministers and unanimous vote by the parties entitled to sit on the Committee of Ministers.


22


• Argentina and Colombia enacted new cyber-crime laws: – Argentina’s Act on Cybercrimes (“Ley de Delitos

Informáticos”) (Law No. 26.388 of 2008): includes all cyber-crimes defined as such by the United Nations and the CoE Cybercrime Convention.

– Colombia adopted a cyber-crime law (No. 1273 of 2009) that criminalizes the illegal acquisition and sale of personal data, phishing, hacking, use of malware and viruses, computer theft.


23


• Counc i l o f Europe ’s “G loba l Pro jec t on Cybercrime” (between March 1, 2009 – June 30, 2011) – Objective: promote broad implementation of the Convention on Cybercrime. – To be achieved through results in the following areas:

• Legislation and policies • International cooperation • Law enforcement – service provider cooperation in the investigation of

cybercrime • Financial investigations • Training of judges and prosecutors • Data protection and privacy • Exploitation of children and trafficking in human beings. • Cooperation with 120+ countries • Legislation strengthened in more than 100 countries, including in Argentina,

Colombia, Dominican Republic • Contributes to the organization of regional legislative workshops in Latin

America


24


• The challenges of cyber-crime in Latin America

– 1. Challenges to international cooperation on cyber-crime:

• Transnational character of computer crimes • Lack of appropriate legislation on cyber-crime • Lack of harmonization between different national laws • Legal powers for investigation are insufficient (e.g.,

inapplicability of seizure powers to intangibles such as computer data)

• Lack of specialized personnel and equipment

(From Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,” Regional Workshop, Mexico City, August 26-27, 2010.)


25



– 2. Challenges to fighting cyber-crime:

• Policies and awareness of decision-makers • Harmonized and effective legislation • Regional and international cooperation • Law enforcement capacities and training • Judicial training • Law enforcement and cooperation among ISPs



26



– 3. Difficulties of regional and international cooperation: • Limitations regarding skills, knowledge and training of judges, and to

some extent prosecutors. Direct impact on mutual legal assistance process (e.g., difficulty to understand cyber-crime matters; reluctance to open a case or issue search warrants).

• Insufficient use of possibility provided by international agreements for direct contacts between judicial authorities in urgent cases and efficient communication channels.

• Involvement of Contact Points (“CP”) network established under Cyber-crime Convention in the MLA process is too limited.

• Not all CP sufficiently trained, resourced or available to assist competent authorities and facilitate the process.

• Authorities for MLA of many countries receive a large volume of requests.



27


• Advantages of using the CoE Cyber-crime Convention as a model of legislation in Latin America – Provides important tools for law enforcement to investigate cyber-

crime. – Provides for Latin American countries:

• Harmonization of criminal law provisions on cyber-crime with those of other countries.

• Legal and institutional basis for international law enforcement and judicial cooperation.

• Participation in the Consultations of the Parties. (T-CY: “Convention Committee on Cybercrime”).

• The treaty as a platform facilitating public-private cooperation. Convention provides global standards and a framework for an effective

fast international cooperation.



28







29

OUTLINE

30



31


32

33

BRAZIL – SOME CASES MEDICAL CLINIC

database copy / unfair competition

AUTOMOTOR COMPANY illegal video

BROKER COMPANY database breach / unfair competition

AIRLINE COMPANY database breach

CHEMICAL INDUSTRY COMPANY database breach

FORMULA ONE PILOT image damage

BEVERAGE COMPANY 483 confidential files


34

ILLICIT

• SCAMS

• HIJACKING THROUGH GAME PASSWORD

• LIBRARY EMPLOYEE – CONTENT COPIED – ORKUT

• SÃO PAULO STATE COURT – 3000 TIMES

• DATA BASE CAPTURING – CURRICULUM FIRM ON THE INTERNET

• RIO GRANDE DO SUL STATE COURT – UNAUTHORIZED ACCESS TO

DATABASE

• COUPLE ON THE BEACH – PRIVACY

CASES


35

BRAZIL CONSTITUTION

Section 5.10 – Intimacy, privacy, honor and image of persons – INVIOLABLE. Section 5.12 – Secrecy of correspondence and telecom – INVIOLABLE.

CIVIL CODE

Section 20 – Disclosure of writings, the transmission of the word, or publication, display or use the image of a person. Section 21 – Private life of a person – INVIOLABLE.

Violation of image rights, privacy, intimacy and honor by being photographed and filmed (in love) on locations – Spanish beach – Injunction to terminate the exposure of movies and photos on web-sites because it is probable to presume lack of consent to publication. Filing with a daily penalty payment of $ 250,000.00, in order to inhibit infringement of the command to abstain. The paparazzi are known for aggressively working with the capture of images, which characterizes the illegality of their activities [voyeurism]. Denying injunctive relief would reward the work of these professionals that do not require authorization for their photos and, especially, to legalize the sensationalism and scandal propagated by the media, without permission of those involved.

EXPECTATION OF PRIVACY SÃO PAULO STATE COURT DECISION


36

ARGENTINA – COURT DECISION

MARADONA FORBIDS GOOGLE TO ASSOCIATE HIM TO SEX SITES

SEARCH ENGINE FILTER


37

“I note that the injunction has already been accomplished by placing a FILTER ON THE SEARCH ENGINES. In this manner, it seems more reasonable to maintain the status quo, pending examination of the matter, without any harm to the plaintiff and without prejudice for the defendant, who has fully complied with the measure.” (Interlocutory appeal 20006.002.05508)

RIO DE JANEIRO STATE COURT INTERLOCUTORY APPEAL

SEARCH ENGINE FILTER

Argentina In two search engines – Google and Yahoo – is possible to make a search to avoid that certain words appear among search results. In fact, this procedure could be configured to avoid that a certain word be linked with others in certain types of search or in any search. It is therefore technically possible to adapt the search for information by avoiding certain words. IT IS POSSIBLE TO SET UP FILTERS THAT DO NOT ALLOW STATIC LINKING SITES TO INDEX CERTAIN WORDS WITH PORNOGRAPHIC, EROTIC OR SEXUAL CONTENT, AND ESTABLISH OTHER INDEX IMAGES THAT DO NOT ALLOW CERTAIN PEOPLE (…) The content selection control cannot affect the operation of the search engine site or access to Internet content by users. (99.620/06)


38

PARANA STATE COURT 1819/2008

NEWS ON THE INTERNET CAUSES HARM TO CITIZEN’S HONOR. HE WAS NOT GUILTY, BUT THERE WAS NO NEWS ABOUT THAT,

ONLY ABOUT THE PENDING PROCESS

BRAZIL PARANA STATE COURT

JUDGE ORDERS GOOGLE TO SET UP A FILTER TO R A N D O M I Z E R E S U LT S W I T H PLAINTIFF’S NAME, MAKING POSSIBLE T H E R O TAT I O N BETWEEN NEWS


39

BRAZIL CONSUMER DEFENSE CODE

Section 43 – Database access. Section 72 – Block access. Detention from six months to one year or a fine

Consumer Defense Association causes damages to consumers by disclosing its database to third parties. Association must include a warning about the disclosure and ask for permission.

PRIVACY SANTA CATARINA STATE

COURT DECISION


40

BRAZIL

WIRETAPPING – ACT 9296/1996

Section 1 – Interception of telephone communications – flow of communication.

Section 10 – Intercept communication or violate secret of Justice, without judicial authorization – confinement from two to four years and fine.

Breach of confidentiality of correspondence and of telegraphic, data and telephone communications – Non-occurrence – Seizure of emails in possession and known of the recipient by court order – Strong suspicions that the material might enlighten the criminal infraction – Interpretation of Section 5, XII of the Constitution.

THERE IS NO VIOLATION OF THE SECRECY OF CORRESPONDENCE.

PRIVACY SÃO PAULO STATE COURT DECISION


41

BLOGGER CONVICTED TO INDEMNIFY

State Court of Ceará

BLOGGER POSTED CONTENT WICH GENERATED OFFENSIVE COMMENT.

HE WAS UNABLE TO IDENTIFY THE AUTHOR AND WAS CONVICTED TO INDEMNIFY THE

VICTIM IN R$16.000

http://www.correiobraziliense.com.br/app/noticia182/2010/02/24/tecnologia,i=175488/SAIBA+COMO+TENTAR+EVITAR+PROBLEMAS+COM+O+USO+DA+REDE.shtml


42

RS STATE COURT – CYBERBULLING

STUDENT CREATES WEBPAGE TO OFFEND ITS CLASSMATE. THE COURT RULED FOR THE INDEMNIZATION TO THE VICTIM TO BE PAYED BY THE DEFENDANT´S MOTHER.

APPEAL. LIABILITY. INTERNET. USE OF IMAGE FOR A DEROGATORY END. FLOG CREATION - PERSONAL WEBSITE FOR POSTING PICTURES IN THE NETWORK. PARENT´S LIABILITY. PATERNAL POWER. BULLYING. MORAL DAMAGE IN RE IPSA. OFFENDED THE SO CALLED RIGHTS OF PERSONALITY.

Imagem: http://farm3.static.flickr.com/2181/2512997167_d6ba9a5031.jpg Source: http://g1.globo.com/vestibular-e-educacao/noticia/2010/07/justica-determina-que-mae-pague-indenizacao-vitima-de-cyberbullying.html

The responsibility of ISP.

ISPs provide space for creating personal pages on the World Wide Web, which are used freely by users. However, with complaint of inappropriate or offensive content to human dignity, the service provider needs to detect and expeditiously remove the elements of this page.


SP State Court – Civil Code, Section 927


43

44

http

://ad

irfer

reira

.file

s.w

ordp

ress

.com

/200

9/02

/sm

s.jp

g

“ T h e i n v i o l a b i l i t y o f c o r r e s p o n d e n c e a n d telecommunications – in this case, the interception of text messages – is only possible upon court request.”

ARGENTINE COURT DECISION

COURT DENIES TEXT MESSAGE AS EVIDENCE OF WIFE’S INFIDELITY


45

LABOR COURT – 13th REGION

ORKUT’S PHOTO ALBUM IS USED AS AN EVIDENCE AT HEARING. THE TOOL PROVED THAT AT A CERTAIN DATE THE EMPLOYEE STILL WORKED AT THE COMPANY.

Source: http://www.trt13.jus.br/engine/interna.php?pag=exibeNoticia&codNot=1769# High Technology Crime Investigation Association International Conference

(Atlanta, GA - USA – Sept. 20-22, 2010)

REGIONAL LABOR COURT – E-MAIL AS AN EVIDENCE

Lawsuit nº 2004.028935-4

OVERTIME. EVIDENCE. E-MAIL. EVIDENCE VALIDITY. THE ELECTRONIC MAIL IS A MODERN EVIDENCE THAT IS VALID TO CERTIFY OVERTIME LABOR, AS LONG AS THERE IS NO DOUBT RELATED TO TAMPERING, ESPECIALLY WHEN ITS CONTENT REMAINS CORROBORATED BY OTHER EVIDENCE IN THE CASE FILE. IF THE COMPUTER CLOCK WAS CHANGED FOR A LATER TIME, AS ALLEGED IN THE APPEAL, THE DEFENDANTS WOULD HAVE TO PROVE IT, AND THEY DIDN´T.


46

47

PRIVACY – BREACH OF CONFIDENTIALITY

TELECOMMUNICATIONS - BREACH OF CONFIDENTIALITY - "E-MAIL" SENT FROM BRAZIL TO THE ELECTRONIC ADDRESS OF THE WHITE HOUSE, IN THE CITY OF WASHINGTON, DC, WRITTEN IN ENGLISH, CONTAINING THREATS TO PHYSICAL INTEGRITY OF THE PERSON OF THE AMERICAN PRESIDENT AND ITS FAMILY – SUBPOENAED THE ISP TO PROVIDE PERSONAL IDENTITY AND ADDRESS OF USER CONNECTED AT THAT MOMENT TO SUCH “IP” NUMBER - NOTIFICATION REJECTED ON THE GROUND THAT THE DATA REQUEST IS PROTECTED BY THE FEDERAL CONSTITUTION FOR TELECOMMUNICATION SERVICES, SO THAT DATA REQUEST PROCEDURES WOULD BE REGULATED BY ACT Nº. 9296/96, ESPECIALLY WITH REGARD TO THE NEED FOR A JUDICIAL ORDER - Habeas Corpus to not be prosecuted for disobedience. Habeas corpus denied. Need of legal authorization for the breach of confidentiality of telecommunications - postal, telephone or transmission of messages or data.

CRIMINAL STATE COURT OF SÃO PAULO


48

E-mail at work. Private use. Importance as a working tool. Privacy. Need for clear policies on its use. Dismissal for cause. Rejection. (CAUSE 15198/2001 S. 36580)

“E-mail has more privacy protection than the classic snail mail, because to operate it, it is required to use a service provider, a user name and a password, that prevents others from intruding into the data and content sent and received. (…) According to constitutional guarantees, along with the evidences concerning the alleged emails the defendant’s privacy is violated with the consequent harm to his dignity and self-determination.” (C. 35.369 Ins. 18/156)

E-MAIL MONITORING

ARGENTINA – COURT DECISION


49

Password does not imply any expectation of privacy in relation to corporate email once the PASSWORD BECOMES AN EMPLOYER’S PROTECTION TOOL TO PREVENT THIRD PARTIES TO ACCESS THE CONTENT OF MESSAGES. (…) Also, there is no offense to the principle of inviolability of intimacy and privacy (Section 5, X, CF/88), once an employee can’t be granted the right to privacy with respect to the use of a corporate email system made available by his company. Otherwise, the employee had no reasonable expectation of privacy, which is conveyed by the statement that the corporate e-mail was intended "only for issues and matters affecting the service” (fl. 636). At last, there is no harm to the principle that ensures admissibility in the process of evidence obtained by illegal means (Section 5, LVI): the corporate e-mail is company’s property, merely transferred to the employee for working purposes, and the employer may exercise control both formal and material (content) over the messages that travel through his corporate email system.

BRAZIL – SUPERIOR LABOR COURT

PASSWORD IS A PROTECTION TOOL FOR THE EMPLOYER


RS STATE COURT – EVIDENCE (EMAIL)

E-MAILS CONTAINING PLAINTIFF’S PERSONAL DATA, ALONG WITH THE INFORMATION THAT SHE IS A CALL-GIRL. SENT BY EX-BOYFRIEND. INCOMING CALLS FROM PEOPLE INTERESTED IN HER SEXUAL SERVICES. SUBJECTIVE LIABILITY. NEGLIGENCE. MORAL DAMAGES.

Declarations by the ISP are in his legal file that proves the e-mail was sent from a domain name that belongs to the defendant, and considering the failure to prove a fact wich could remove his liability, the case is upheld.


50

51

RIO GRANDE DO SUL STATE COURT

Rio Grande do Sul Court of Appeals determines INDEMNIZATION TO FURNITURE STORE´S CLIENT FOR BEING COLLECTED IN A VEXATIOUS WAY THROUGH ORKUT.

Appeal Nº 71002350874/2009

DAMAGE REPAIR. INCURRING DEBT FOR THE PURCHASE OF FURNITURE. VEXATIOUS COLLECTION. POST ON PLAINTIFF´S ORKUT PROFILE STATING HE WAS INDEBTED. LIABILITY OF THE COMPANY ON BEHALF OF WHOM HE WAS CHARGED FOR THE FURNITURES. MORAL DAMAGES. EXISTING DEBT. REDUCED VALUE. APPEAL PARTIALLY UPHELD.

(...) because the defendant, from whom the furnitures had been purchased through installments, had called several times to collect the bill and had posted on the plaintiff´s orkut profile that he was indebted, causing embarassment among his co-workers (...)


52

BRAZIL – LABOUR COURT (2nd REGION)

“(...) THE DEFENDANT HAD PUBLISHED IN ORKUT MANY PHOTOGRAPHS RELATED TO A PRODUCT THAT HAD NOT EVEN BEEN LAUNCHED, WHICH PREMATURE DISCLOSURE DID NOT AND DO NOT INTEREST THE AUTHOR, HOLDER OF INDUSTRIAL PROPERTY RIGHTS”.

“(...) IT IS ABSOLUTELY IRRELEVANT TO KNOW IF THE DEFENDANT HAS ACTED WITH BAD FAITH, BECAUSE WHAT IS IMPORTANT TO INVESTIGATE IS THAT THERE IS A HIGH LIKELIHOOD THAT REFERRED DISCLOSURE CAN CAUSE PATRIMONIAL HARM TO THE AUTHOR”.

I N D U S T R I A L P R O P E R T Y. E M P L O Y E E ORDERED TO COMPENSATE COMPANY FOR PUBLISHING MATERIAL NOT YET PUBLISHED


53

FEDERAL COURT – 2nd REGION (RJ)

“CRIMINAL LAW AND CRIMINAL PROCEDURE. CRIME AGAINST TELECOMMUNICATIONS COMPANIES. ILLEGAL DISTRIBUTION OF CABLE TV SIGNAL. UNION’S INTEREST. FEDERAL COURT JURISDICTION. RECLASSIFICATION OF FACTS. CRIMES OF SECTION 171 OF CRIMINAL CODE AND SECTION 183 OF ACT Nº 9.472/97.”

I - The conduct attributed to defendants in the complaint is the illegal distribution of cable TV signals, which violates the uniqueness of the Union to organize the exploitation of telecommunications services.

III - The retransmission of illegal cable TV signal is not atypical. Though TV signal is not considered a source of energy, ruling out the possibility to characterize the crime as a theft, the crime to be considered is qualified as “larceny by fraud”.

(...) I correct the material error for the accused to be CONVICTED under the terms of the sentence, but TO BE ARRESTED."



54

Lawsuit nº 591/07 – Unfair competition (Sponsored links)

District of justice of São Carlos – 1st criminal court


FEDERAL COURT – 1st REGION

CRIMINAL PROCEDURE. HABEAS CORPUS. SCAM. INTERNET CRIME. TEMPORARY PRISON. ABSENCE OF REQUIREMENTS.

1. Larceny by fraud practiced over the internet, with the participation of several people with specific activities - a) the programmer (the one who designs the phishing website and the malicious codes, e.g. the trojan) – the person responsible for capturing passwords; is the cracker, not the hacker, b) the user (who directly uses the software); c) the carder (responsible for obtaining credit cards and bank notes that will be paid through the Internet); d) the sub-carder (the person who, despite not knowing the software users, buy the magnetic cards from mules and sell them to carders that make contact with users; e) the mule (the one who lends your bank account to receive the money from the illicit activity) – aiming to phish the account holder´s password and withdraw the money from his bank account.


56

PARANÁ STATE COURT – CRIMINAL APPEAL

LAWSUIT Nº 2004.028935-4

CRIMINAL APPEAL - INSERTION OF FALSE DATA INTO INFORMATION SYSTEM (SECTION 313-A OF CRIMINAL CODE) - AUTHORSHIP AND MATERIALITY PROVED - CIVIL SERVANT WHO INSERTED FALSE DATA ON CIRETRAN´S SYSTEM REQUESTED BY HER BOYFRIEND - RELEASING VEHICLE´S DOCUMENTS WITHOUT PAYING THE PROPER FEES - VEHICLE LICENSE FEES NOT COLLECTED - DISQUALIFICATION THE FOR PREVARICATION - CONDUCT WICH OVERSTEPPED THE LIMITS EXPOSED IN SECTION 319 oF THE CRIMINAL CODE - PENALTY DECREASE - LATER REGRET - CRIME PRACTICED 17 TIMES REPETITIVELY, SHOWED LACK OF REGRET - INCREASING THE PENALTY IS SUITABLE, CONSIDERING THE NUMBER OF RECIDIVISM - CRIME COMMITTED AGAINST THE PUBLIC ADMINISTRATION - PENALTY OVER A YEAR - LOSS OF JOB - COMDEMNATION EFFECT - APPEAL DENIED


57

58

The arrows point...


GREETINGS

“That God gives you serenity to accept things that cannot be changed, courage to change things that can be changed and wisdom to know the difference”.


59







60

OUTLINE

• Relationship between data protection, cyber-security and cyber-crime: – A strong data protection framework is necessary to provide

support to cyber-crime laws. – Implementing data protection processing rules during cyber-crime

investigations improves its accuracy and efficiency. – Security breach notification requirements in the U.S. since 2005:

triggered by leaks, disclosures or theft of personal information.

• Lack of data protection frameworks in LAC (with a few exceptions: Argentina and Mexico).

61


C. Recent data protection developments in Latin America – How they relate to cyber-crime

MEXICO

CONSTITUTION

- Since 2007, the Constitution expressly acknowledges the right of personal data protection as a fundamental right.

- “The information pertaining to private life and personal data shall be protected pursuant to the terms and exemptions set forth in the laws.” “Every person, without the need to prove his own legal interest or justify his use, shall have free access to public information, to his own personal data and the correction of such data.”

- In 2009, the Constitution obliged the Congress to enact a data protection law for the private sector within 12 months from the publication of the reform. The deadline was April 30, 2010.

IAPP Global Privacy Summit Washington, DC 2010

62 E. Recent data protection developments in Latin America How they relate to cyber-crime

MEXICO



BILLS ON PERSONAL DATA PROTECTION

- Since 2001, there have been 6 data and privacy bills, which are modeled loosely on international data protection standards such as those found in the EU Data Protection Directive, the Spanish Data Protection Law, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and the APEC Privacy Framework.

MEXICO

LEGAL FRAMEWORK AT THE FEDERAL LEVEL

- New data protection law since June 2010.

- There are several laws about privacy and data protection in specific fields, such as finance and banking, consumers' rights, credit information, telecommunications and national security.

- The Federal Law of Transparency and Access to the Government Public Information (LFTAIPG) standardizes principles under which the various organs of the State must process citizens' personal data.



OBSTACLES TO OVERCOME

1.- Proliferation of federal regulation. 2.- Differences between state regulations. 3.- Lack of provisions about transborder data flows.

RELEVANT INTERNATIONAL INSTRUMENTS

OECD Recommendations on Privacy. Mexico is an OECD member since 1994.

APEC Privacy Framework, 2004.

Economic Partnership, Political Coordination and Cooperation Agreement between the European Community and its Member

States, and the United Mexican States, 2000.

MEXICO



DATA PROTECTION LAW OF 2008

Ley Estatutaria 1266 de 2008 Habeas data Limited to the financial sector (banks, credit reporting

and commercial companies).


COLOMBIA


PRIVACY IN E-GOVERNMENT SERVICES

General obligation of all government entities that use electronic resources to manage the information of citizens in a manner respectful to their privacy.

Decree No. 1151 of 2008 establishes general principles to follow in how online services are provided by the government.

Protection of privacy is further regulated by the Ministry of Communications’ “e-Government Policy Manual,” applicable throughout all governmental entities.


COLOMBIA


“SAN SALVADOR COMMITMENT” (2008) 2nd Ministerial Conference on the Information Society

in Latin America and the Caribbean. Decision made to:

“facilitate dialogue and coordination of various regulatory initiatives at the regional and local levels that may contribute to the region’s regulatory harmonization, especially on the topics of privacy and data protection”;

“invites countries to consider the possibility of ratifying or acceding to the Council of Europe Cybercrime Convention as an instrument to facilitate [the] integration and regulatory adaptation in this area within the framework of principles of protection of the right to privacy.”


PERU


Renato Opice Blum, CEO and Partner, Opice Blum Advogados Associados (Brazil) http://www.opiceblum.com.br <renato [at] opiceblum [dot] com [dot] br>

Cédric Laurant, Independent Privacy Consultant http://blog.cedriclaurant.org - http://security-breaches.com <cedric [at] laurant [dot] org>


69

Speakers

70

Lawyer and Economist; Coordinator of Electronic Law's MBA, of São Paulo Law School; Invited Professor at Electronic Law’s Course, Florida Christian University, Fundação Getúlio Vargas (FGV), PUC, FIAP, Rede de Ensino Luiz Flávio Gomes (LFG), Universidade Federal do Rio de Janeiro, FMU and others; Speaker teacher at Mackenzie University; Collaborating Professor of ITA-Stefanini’s partnership; Speaker at the IAPP’s Global Privacy Summit 2010, Washington, DC Arbitration Referee at FGV and Mediation and Arbitration's Chamber of São Paulo (FIESP); President of the Superior Council of Information Technology of the Trade Federation of São Paulo, and Technology Law Committee of AMCHAM; Member of Information Society Law Committee – OAB/SP; Former Vice-President of Electronic Crime’s Committee – OAB/SP; Member of American Bar Association (ABA), Inter American Bar Association (IABA), International Law Association (ILA), International Bar Association (IBA) and International Technology Law Association (Itechlaw); Coordinator and co-author of “Internet and Electronic Law Manual”; CEO at Opice Blum Attorneys-at-Law http://www.opiceblum.com.br/lang-en/index.html Résumé at Lattes Platform: http://lattes.cnpq.br/0816796365650938

Renato Opice Blum [email protected]

WWW.OPICEBLUM.COM.BR

twitter.com/opiceblum


71

Independent consultant based in Brussels, Belgium.

Attorney, member of the District of Columbia Bar.

Specialty areas: international privacy, data protection and information security.

Senior Research Fellow, Central European University (Budapest, Hungary). Currently directing the research of the "European Privacy and Human Rights”, a European Commission-funded privacy research and advocacy project. Info at: http://phr.privacyinternational.org/

Research Director, Privacy & Human Rights – An International Survey of Privacy Laws and Developments (EPIC & Privacy International 2003, 2004, 2005).

Formerly Visiting Law Professor, University of los Andes (Bogota, Colombia) and International Privacy Project Director, Electronic Privacy Information Center (Washington, DC).

Lic. Jur., University of Louvain (Belgium); LL.M., Columbia Law School (New York, NY); M.A. (London).

Profile/Résumé: http://www.linkedin.com/in/cedriclaurant

Blogs: http://blog.cedriclaurant.org; http://blog.security-breaches.com

Cédric Laurant cedric [at] laurant.org

www.cedriclaurant.org

twitter.com/cedric_laurant


Cybercrime Court Decisions from Latin America - Legal and Policy Developments (HTCIA Conference,...

Technology

Transcript of Cybercrime Court Decisions from Latin America - Legal and Policy Developments (HTCIA Conference,...