Data Theft - Gap in the Swiss Criminal Code?

by Michèle Trebo
on June 09, 2022

Keypoints

These acts are punishable in connection with your data.

  • The criminal offense of data theft does not exist in the Swiss Criminal Code
  • However, the preliminary and subsequent offenses, which usually accompany data theft, are punishable
  • It should be noted that, according to Art. 641 ff. ZGB, data are not objects
  • The punishable preliminary and subsequent offenses include unauthorised obtaining of data (counterpart to theft), damage to data (counterpart to criminal damage) and unauthorised access to a data processing system (counterpart to unlawful entry)
  • Furthermore, computer fraud in the case of a transfer of assets, extortion or coercion may apply (list not exhaustive)

Handling stolen data is a term that does not exist as such in the Swiss Criminal Code (StGB) and therefore does not entail any criminal consequences. However, the preliminary and subsequent offenses that usually accompany it are punishable. Under the Swiss Criminal Code, handling stolen goods (Art. 160 StGB) does not apply to the sale of someone else's data. But why is that so?

Data are not things

Under Art. 160 StGB (handling stolen goods), anyone who acquires, accepts as a gift, takes as a pledge, conceals or helps to sell a thing which he knows or must assume another person has obtained through a criminal act against property is punished. Although the term might suggest that handling stolen goods (Art. 160 StGB) applies to the sale of other people's data, this assumption is incorrect according to clarifications made by Zurich public prosecutors. The reason lies in the Swiss Civil Code (ZGB). Within the meaning of Art. 641 ff. ZGB, a thing is an object that is separable, physical and controllable. Since there is no property right to data, they are not things. Data are nevertheless protected in other ways: this protection extends from contract law, criminal law, data protection law and copyright law to unfair competition law. It remains to be clarified whether this protection meets the requirements of the digital society. The property law provisions, however, are not suitable for protecting data (Fröhlich, Eigentum an Daten?, 2017). The same problem arises with theft (Art. 139 StGB), criminal damage (Art. 144 StGB) and trespass (Art. 186 StGB, https://www.fedlex.admin.ch/eli/cc/54/757_781_799/de#art_186). All these offenses presuppose property in a thing. However, counterparts for the virtual world, and thus for data, have been created: Art. 143 StGB (unauthorised obtaining of data) as the counterpart to theft (Art. 139 StGB), Art. 144 bis StGB (damage to data) as the counterpart to criminal damage (Art. 144 StGB) and Art. 143 bis StGB (unauthorised access to a data processing system) as the counterpart to trespass.

Applicable criminal offences

Although data theft itself is not punishable, many of the preliminary and subsequent offenses are illegal.

Unauthorised obtaining of data under Art. 143 StGB provides that whoever, with the intention of unlawfully enriching himself or another, obtains for himself or another data that are stored or transmitted electronically or in a comparable manner, are not intended for him and are specially secured against his unauthorised access, shall be punished.

Unauthorised access to a data processing system may also be punished under Art. 143 bis StGB. Paragraph 1 provides that whoever, by means of data transmission equipment, gains unauthorised access to another's data processing system that is specially secured against his access shall be punished upon application. Paragraph 2 adds that anyone who puts into circulation or makes accessible passwords, programs or other data which he knows or must assume are intended to be used to commit an offense under paragraph 1 shall be punished.

Damage to data under Art. 144 bis StGB exists, according to number 1, if someone without authorisation alters, deletes or renders useless data that are stored or transmitted electronically or in a comparable manner. The offense is punished upon application. If the offender has caused great damage, the offense is prosecuted ex officio. Number 2 states that whoever manufactures, imports, places on the market, advertises, offers or otherwise makes available programs which he knows or must assume are intended to be used for the purposes specified in number 1, or gives instructions for their manufacture, shall be punished.

Computer fraud under Art. 147 StGB covers the transfer of assets: whoever, with the intention of unlawfully enriching himself or another, influences an electronic or comparable data processing or data transmission process through incorrect, incomplete or unauthorised use of data or in a comparable manner, and thereby causes a transfer of assets to the detriment of another or conceals such a transfer immediately afterwards, shall be punished. The fraudulent misuse of a data processing system to the detriment of a relative or family member is prosecuted only upon application.

Since these articles explicitly refer to data, they are applicable. Extortion under Art. 156 StGB and coercion under Art. 181 StGB are also applicable, because they presuppose neither things nor data. This list of offenses is not exhaustive. For a better understanding, the situation is illustrated by means of a concrete example.

Example – the tank crackers

An unknown perpetrator, whom we call the Tank Crackers, penetrates the data processing system of the Duck company and steals sensitive customer data. The Tank Crackers have thereby already committed not only unauthorised access to a data processing system (Art. 143 bis StGB) of the Duck company, but also unauthorised obtaining of data (Art. 143 StGB). Now the Tank Crackers are in possession of the Duck company's customer data and want to make a profit. They can do this in various ways. Either they blackmail the Duck company (extortion under Art. 156 StGB) by contacting it and demanding a certain amount of money for the return or deletion of the data, or they offer the customer data for sale on the web (possibilities not exhaustive). In this case study, the Tank Crackers decide to offer Duck's stolen customer data for sale on an online marketplace for leaked data. Donald discovers the Tank Crackers' offer and also wants to profit from this data. He transfers cryptocurrency to the Tank Crackers and receives the leaked data of the Duck company in return. According to the Swiss Criminal Code, the Tank Crackers did not commit a crime when selling the leaked data. Donald has also acquired the leaked data legally. Since the data offered for sale are not specially protected against access, unauthorised obtaining of data (Art. 143 StGB) does not apply here either. However, if the Tank Crackers had decided to blackmail the Duck company, they would have been liable for extortion under Art. 156 StGB.

Data theft vs. ransomware

Data theft should not be confused with ransomware. With ransomware, the perpetrator extorts a ransom for the release of a computer or the data on it. In this case, unlike data theft, the perpetrator uses malicious programs that prevent access to the data, their use or the entire computer system.

Protection against cyber attacks

Whether you are a private person or a company, being informed about cyber attacks and protecting yourself against them accordingly is indispensable in today's world. If you don't want to become a victim, you should regularly test for the emergency in order to detect vulnerabilities and remedy them at an early stage.

Private

Private users are advised to keep their web browser, operating system and software up to date. In addition, virus protection and a firewall make it more difficult for a possible attacker to get in. In general, care should be taken to choose a secure password and a separate password for each login. A password manager can help with this. Passwords should be at least ten characters long and contain upper and lower case letters, numbers and special characters. Passwords that are associated with the user or contain actual words should be avoided. Security can be further increased by opting for two-factor authentication where possible. Before opening an email or its attachment, it is important to check it for plausibility and meaningfulness. Downloads should also be carefully considered. In addition, care should be taken to always use an encrypted Internet connection (HTTPS).

Company

It is recommended that companies review their security model at regular intervals or have it reviewed. Security assessments, penetration tests, etc. can provide information about possible vulnerabilities. It is also important to sensitize employees to possible cyber attacks and to train them in the use of the infrastructure. A contingency plan for emergencies can help to ensure a timely and appropriate response. External backups of data and secure data exchange are other ways of counteracting cyber attacks.

Behavior in case of emergency

What do you do if you are attacked despite all precautionary measures? The first thing to check is how likely it is that the perpetrator is actually in possession of your data. It is possible that they only want to get their hands on money and do not have the actual data at all. For example, you can ask the perpetrator for a sample data set. If there is a possibility that the perpetrator has the real data, appropriate measures should be taken. It is not advisable to pay the requested amount of money, because there is no guarantee that the perpetrator will not subsequently resell the leaked data or that they will actually delete it. In this case, it is recommended to contact specialists.

Summary

Cyber attacks are widespread and occur daily. Accordingly, raising awareness and contingency planning are of great importance. It can hit anyone at any time. With simple tricks you can prevent attacks and protect not only yourself but also your company. Especially in an emergency, one should be prepared and react correctly. Data theft does not exist in the Swiss Criminal Code. Nevertheless, many of its preliminary and subsequent offenses are punishable and, depending on the actions of the perpetrator, the elements of several offenses may be fulfilled. For example, unauthorised obtaining of data under Art. 143 StGB, unauthorised access to a data processing system under Art. 143 bis StGB, damage to data under Art. 144 bis StGB, computer fraud under Art. 147 StGB, extortion under Art. 156 StGB or coercion under Art. 181 StGB may apply (list not exhaustive). If you are not sure whether you are sufficiently protected or have become a victim of a cyber attack, we will be happy to support you.

About the Author

Michèle Trebo

Michèle Trebo holds a Bachelor of Information Technology from ZHAW and worked for six years as a police officer in the field of cyber crime investigations. She is responsible for criminal research topics like darknet analysis, cyber threat intelligence, fraud investigation, and forensics. (ORCID 0000-0002-6968-8785)
