WHEN THE COURT OF CASSATION SANCTIONS THE AUTHOR OF A DATA THEFT AND DECIDES IN FAVOR OF THE VICTIM FOR A COMPENSATION UP TO 3000 €. (CASS. CRIM., 20 MAY 2015, N° 14-81336)

A DECISION THAT OFFERS THE POSSIBILITY TO THE VICTIM OF A DATA THEFT TO RECEIVE COMPENSATION FOR THE DAMAGE SUFFERED.

In order to understand what is behind this notion of data theft, we must first see what is meant by data theft (1), then the different categories of data theft of which the owners of these data can be victims (2), then the consequences that this theft can cause to the victims (3) and finally, the actions available to the victims of data theft in order to receive compensation (4).

1- Definitions

Today, social networks represent a virtual channel where many crimes are committed. This form of virtual delinquency is part of cybercrime.

Cybercrime in the digital age is a new form of delinquency that is widespread in a virtual space. It affects both individuals and professionals.

It refers to different categories of offences among which “data theft”.

Data theft is defined by the article L 323.1 of the Penal Code as: “The fact of accessing fraudulently in all or part of an automated processing system, of maintaining and transferring illegally any information of a confidential or personal nature without the knowledge of its usual user”.

2- The different categories of data theft

There are different ways to commit data theft. They can be phishing, theft by intrusion or cryptojacking etc. ….

a- Phishing and intrusion

Phishing is a fraudulent technique that consists in its author, via stratagems, to incite his victim to provide him with personal data (card numbers, access accounts, passwords etc.) in order to usurp your identity.

With regard to the intrusion, it is a technique that allows its author called the cybercriminal to access in an illicit way in a computer system without authorization of the victim owner. This is the case of hacking or intrusion into a computer system.

What about cryptojacking?

b- Cryptojacking

We cannot talk about cryptojacking without invoking cryptocurrency.

Cryptocurrency is a virtual currency without physical form created from computer code. It is electronic money based on complex mathematical encryption principles.

To generate virtual currency and earn money, a computer is supposed to perform many calculations. This requires a very large amount of energy. When the user performs all these calculations, he receives virtual currency in return: This is the cryptocurrency

Today, BITCOIN is one of the most well-known virtual currencies.

In addition, this currency has some unique characteristics. It is not controlled by any regulatory body. There is no legal entity for this type of currency. On the contrary, it functions autonomously. This makes it easier for cybercriminals to commit fraud.

The question then arises as to how one can commit a fraudulent act using this currency? The most common fraudulent act that seems to go unnoticed is cryptojacking.
Cryptojacking, also called malicious cryptomining, is a hacking technique related to cryptocurrency.

Let’s remember, performing the calculations allows the creation and release of the cryptocurrency. The way most crypto currencies enter into circulation is via a process called “mining”. The mining process turns computer resources into cryptocurrency coins.

The cybercriminal will fraudulently attempt to use this computing power for the sole purpose of mining the cryptocurrency.

How does a hacker or a cybercriminal manage to exploit the computing power of a device belonging to an ordinary person or another user to mine cryptocurrency? Through two techniques: The malware technique and the infection via embedded scripts.

The malware technique consists of getting the victim to click on a malicious link contained in an email. The cryptojacking code then loads in the background on your computer and generates cryptocurrency for the hacker.

In other cases, hackers choose to infect the computer via an advertisement by inserting a javas Script code that runs via a browser.

Cryptojacking, what consequences for the victim?

Cryptojacking viruses can be aggressive to your systems which quickly drains the battery, and can make the computer unusable for long periods of time. The downside is that it can affect you professionally as you become less productive. It can also affect you financially because the more your resources are mined, the more electricity you consume, which will increase your electricity bills.

As a result, victims of cryptojacking can see their computer’s performance degrade when the computational capacity of the most powerful video card graphics processes are exploited, which can reduce the life expectancy of the hardware.

In short, cryptojacking consists of exploiting the computing power of a computer without the owner’s consent, with the sole purpose of making money.

3- What actions should a victim of computer data theft take?

Let’s remember that data theft is considered a crime in the eyes of the law. When you are a victim of data theft and you have suffered a loss, the law allows you to take action against the offender.
As such, several actions can be taken by the victim against the perpetrator.
You can file a complaint with the CNIL (a), engage the civil liability of the perpetrator (b) or his criminal liability (c)

a- Filing a complaint with the CNIL

Data theft is considered a serious breach of security and privacy.
If you are a victim of data theft, you can file a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL).

The CNIL is an administrative authority that acts on behalf of the State.

Its role is to ensure the protection of personal data contained in computer files and processing.

b- Obtaining damages

If you are a victim of data theft and you wish to obtain damages, you can engage the responsibility of the author on the basis of article 1240 of the Civil Code. This article states that “Any act of man, which causes damage to others, obliges the person by whose fault it occurred to repair it”.

The theft of data can cause financial, material or moral prejudice to the victim.
Thus, in order to obtain compensation for the damage suffered, you must prove a fault, a damage and a causal link between the fault and the damage.

In the case of data theft, fault is required when the perpetrator fraudulently accesses a computer data system in order to appropriate the content without your consent. This is an intrusion in a computer system without the knowledge of its user.

The causal link is based on the correlation between this fault and the damage suffered.
However, if the author of the act is in another State, or if the theft is committed abroad and the victim is in France, the competent court to judge the dispute at the international level is in principle that of the defendant’s domicile. However, articles 5 al 3 and 7 al 2 of the Brussels Convention and of the regulation n°1215/2012 of the aforementioned Convention establish a special rule of jurisdiction in favor of the court where the harmful event occurred or is likely to occur.

The law applicable to the dispute remains the law where the harmful event occurred, which is called the lex loci delicti.

c- On the criminal liability of the author

Article 323-1 of the French Criminal Code states: “The fact of fraudulently accessing or remaining in all or part of an automated data processing system is punishable by two years’ imprisonment and a fine of 60,000 euros. Paragraph 3 of the same article states that: “The fact of fraudulently introducing data into an automated processing system, extracting, holding, reproducing, transmitting, deleting or fraudulently modifying the data it contains is punishable by five years’ imprisonment and a fine of 150,000 euros.

Thus, in addition to the damages that the victim of a data theft can benefit from, he or she can initiate criminal proceedings against the perpetrator of the act.

Contact us.