The Austrian legislature has been striving for years for a proper criminal punishment of cyber criminals. But first the perpetrators have to be caught.

The danger of indemnity claims from customers or business partners whose data have not been kept safe by the hacked company cannot be ignored. In the worst case, the company victimised by cybercrime must prove it is not liable for data theft, data damage, or cyber-spying. And in some cases it must prove it had an adequate risk security system to prevent “hostile attacks”. In terms of civil law, preventive safeguarding and precautions against cybercrime are ever more important.

Prosecution in Austria

Since the 2002 amending law in the follow-up to the Cybercrime Convention of the European Council, it is also possible in Austria (at least in theory) to prosecute the culprit. Under the Criminal Code and the Data Protection Act, a number of criminal offences (eg, fraudulent abuse of data processing, sniffing [unauthorised recording or following] of phone calls and e-mails) bring fines and custodial sentences of up to five years.

But whether hackers will ever be prosecuted depends on many factors. Often, the perpetrator is unknown, untraceable, or had no intent to harm the victim. It is also hard to establish intent of enrichment. There are, however, experts in the State Offices of Criminal Investigation who diligently prosecute cybercrime and it pays to file a charge “against persons unknown” even when there are few clues at hand.

No criminal liability for companies

A hacked company has nothing to fear from the criminal law as long as the offence did not originate from the company itself. Only the culprits and their accomplices can be held accountable for criminal acts. All cybercrime offences in Austria require deliberate acts with the intent to damage and enrich. Negligent omission to use preventive security measures is not a crime. And with good reason: a criminal conviction always remains the last resort. Yet a phone-hacking scandal like that of “News of the World” would have been treated differently under Austrian criminal law. If, for instance, the company gains an economic advantage by means of criminal acts, or if the management has knowingly tolerated or even commissioned the offence, both the management and the company can be guilty of a crime.

A hacked company has nothing to fear from the criminal law as long as the offence did not originate from the company itself. Only the culprits and their accomplices can be held accountable for criminal acts.