Data breach reuse: a legal risk?
Vocabulary and criminal law in cyber security
Today, a large amount of information circulates as a result of information leaks (data leaks). Although this information is technically freely accessible ("open sources"), reusing it is not lawful. Understanding this limit is especially important for professionals in penetration testing, that is, the testing of information system security by simulating a cyber attack. Companies offering pen tests must therefore strictly supervise this practice to avoid exposure to criminal penalties.
Where do leaks come from? A cyber attacker gains access to an information system once they have identified a vulnerability. They install malware or exploit an "arbitrary code execution" flaw that lets them change, without the owner's consent, what the target information system does. During exploitation, the attacker can copy, modify or delete data. If they then decide to share this information by putting it on the network, for free or for a price, they "manufacture" a leak.
In criminal law, the author of a leak can be charged with many offences. The two most important are theft, defined as "the fraudulent taking of another's property" (Article 311-1 of the Criminal Code), and attacks on an automated data processing system (STAD, Article 323-1 of the Criminal Code). While the theft of information on a physical medium (copying a document) has long been punished in case law, the theft of so-called "medium-less" digital information (copying data to a floppy disk or downloading it to a hard disk) is more recent.
Still in criminal law, a cyber attack on a STAD is defined as access to and/or remaining in the system by a third party without authorisation. The intrusion of a pentester, the computer security specialist who performs the intrusion test, falls into this category if they do not hold an official written authorisation. The Criminal Code provides numerous charges for this practice: fraudulent access to and remaining in a STAD, deletion or alteration of data, modification of the system's operation, and insertion, storage, extraction, reproduction and transmission of data. Penalties range from two to five years in prison and fines from €60,000 to €150,000.
What is a leak?
Two types of leak can be distinguished: the internet leak, the dissemination of "stolen" information directly over the Internet, and the press leak, the disclosure of confidential information by the media, which benefits from the protection of the confidentiality of sources. Today the internet leak is the prevalent form, because leaked information is made available on the Internet through electronic communication networks such as Tor, which reach a target resource by hopping through a series of "nodes" and thereby offer relative anonymity. However, there is a legal vacuum around malware and leaks, for which no legal definition exists. It therefore becomes necessary to reason by analogy with the legal texts that come closest to them.
The official definition of a leak is also a matter of debate. A literal translation of "data leak" gives "fuite de données", but it would be more accurate to speak of an "information leak". Data is in fact only a technical representation, in binary format, of all or part of a piece of information, whereas information is knowledge or intelligence acquired or transmitted by humans. A leak of course gives access to data, but what really matters is the information contained in the leak, such as the information found in personal data.
According to Maître Marc-Antoine Ledieu, a data leak is defined as "processing of information in digital format, i.e. unauthorised collection, storage and/or use". Under the General Data Protection Regulation (GDPR), which applies in the 27 member states of the European Union (EU), the concept of "processing of personal data" is extremely broad. To clarify matters, on 30 May 2022 the EU adopted a Regulation, the Data Governance Act, which frames the right to reuse certain data held by the public sector. In particular, the text provides a legal definition of the concept of data: "any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording".
What does a leak contain?
Paradoxically, when a leak is discovered, one has to look at its contents to know what criminal risk holding it entails. Yet opening a leak already amounts to bad faith, since that consultation is likely to lead to the study of information belonging to a third party. Legally, four categories of data can be found in a data leak: personal data of varying sensitivity (passwords, e-mail addresses), sensitive personal data (health data, banking data, etc.), commercial and industrial data (patents, plans, know-how) and copyrighted material (non-open-source source code, intellectual creations). The last two categories require heightened vigilance from companies, because they are of particular interest to cyber attackers.
A data leak is not open source!
"Open data" is defined by the fact that it can be freely accessed, used, modified and distributed, whatever the purpose. Despite a widespread belief, a leak does not become "available" in the legal sense merely because it is "technically" available. The data in a leak is not public information. The Regulation adopted by the EU on 30 May 2022 clarifies this difference. According to its Article 2(2), "re-use" of data held by the public sector is "the use by natural or legal persons of data held by public sector bodies, for commercial or non-commercial purposes other than the initial purpose within the public task for which the data were produced". Data produced by public services may therefore be reused for professional or personal purposes, with or without payment and without exclusivity, unlike data that does not come from these services and merely happens to be available on the Internet. For example, a company cannot exploit a data leak from one of its competitors without risking prosecution.
The various risks of criminal prosecution when reusing a leak
Reusing a leak, to which technical access is free, consists of copying and storing the data and then using it. Depending on the nature of the information used, the criminal risk is clearly not the same. A person who reuses a leak may have violated a legally protected secret, attacked a STAD, infringed the rights of the database producer, counterfeited proprietary software or unlawfully processed personal data.
All of these cases are punishable by three to seven years in prison and fines from €100,000 to €750,000.
Seemingly draconian legislation and partial solutions
From a criminal law standpoint, it therefore appears very risky for a company to reuse leaks, even though court decisions in this area are quite rare. This can be explained by the novelty of the phenomenon, but also by the reluctance of companies to become the first case law on the subject.
However, it does seem lawful to keep leaked personal data in anonymised form, which is not possible for the other types of data (confidential, industrial and copyrighted). At the same time, it is possible to exploit data leaks by performing a RIFI (search for information leaks on the Internet), a practice on which the CNIL published guidance on 11 January 2022. Such an operation can be made lawful by a contract binding the two companies (client and service provider) that defines each party's obligations and includes the requirements of Article 28 of the GDPR. This type of targeted search service can in particular enable a company to detect accidental or intentional data leaks of which it may be the victim.
The takeaway from this overview is that professionals should stay away from leaks in order to avoid exposure to multiple criminal risks.
Ronan Le Goascogne, for the OSINT & Surveillance and Cyber and Environmental Law clubs, AEG