Cybercrime Court Decisions from Latin America - Legal and Policy Developments (HTCIA Conference, Atlanta, GA (USA), 20 Sept. 2010)

Recent Cyber-crime Court Decisions
from Latin America
Legal & Policy Developments

Renato Opice Blum
Cédric Laurant
Presentation available at http://blog.cedriclaurant.org

High Technology Crime Investigation Association
International Conference
(Atlanta, GA – USA - Sept. 20-22, 2010)
http://www.htciaconference.org/

2

OUTLINE

A. The importance of cyber-crime in Latin America for US
cybersecurity professionals

B. How this emerging cyber-crime activity impacts American
companies and computer users

C. Major legal & policy developments related to cyber-crime in
Latin America

D. Recent cyber-crime court decisions from Brazil and Argentina

E. Recent data protection developments in Latin America - How
they relate to cyber-crime

High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)

5

OUTLINE

A. The importance of cyber-crime in Latin
America for US cyber-security and law
enforcement professionals


Latin America




A. The importance of cyber-crime in Latin America for US cyber- 6

security and law enforcement professionals

• Cyber-crime is growing in Latin America, especially in Brazil.
– In Brazil, more than 6 out of 10 computers get infected by viruses and malware
attacks, compared to an average of 1 out of 2.

From: Norton Cybercrime Report: The Human Impact (August 2010)

A. The importance of cyber-crime in Latin America for US cyber- 7

security and law enforcement professionals

• Cyber-crime is international by nature.
• It requires international cooperation among
all countries.
• But it also requires speedy international
cooperation.


8

OUTLINE

cybersecurity and law enforcement professionals

B. How this emerging cyber-crime activity
impacts American companies and computer
users

Latin America




B. How this emerging cyber-crime activity impacts US 9


• 1. Impact on US companies.
• 2. Impact on American people whose
personal information is misused, leaked,
stolen.
• 3. Impact on American consumers and e-
commerce in the US.




• 1. Impact of cyber-crime on US companies:
– Key conclusions from a recent study (*) that quantifies the economic impact
of cyber-crime attacks:
• “Cyber-crime attacks” include criminal activity conducted via the Internet: theft of
a company’s intellectual property, confiscation of online bank accounts, creation
and distribution of viruses on other computers, posting confidential business
information on the Internet, and disruption of a country’s critical national
infrastructure.
• “Cost” includes: “direct, indirect and opportunity costs that resulted from the loss
or theft of information, disruption to business operations, revenue loss and
destruction of property, plant and equipment, and the external consequences of
the cyber crime. The survey also captures the total cost spent on detection,
investigation, containment, recovery and after-the-fact or “ex-post” response.
• Cyber crimes can do serious harm to an organization’s bottom line. The median
annualized cost of cyber crime of the 45 organizations surveyed is $3.8
million per year. It can range from $1 million to $52 million per year per
company.

(*) Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010.




From: Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010



• Impact of cyber-crime on US companies:
– Key conclusions from a recent study that quantifies the economic impact of
cyber-crime attacks:
• Cyber-crime attacks are now common occurrences. The
companies surveyed experienced 50 successful attacks per
week and more than one successful attack per company per
week.
• Cyber-crime attacks can get costly if not resolved quickly:
average number of days to resolve a cyber attack was 14
days; average cost per company of $17,696 per day. Malicious
insider attacks can take up to 42 days or more to resolve.
Quick resolution is needed for today’s cyber-crime attacks.
• Information theft represents the highest external cost,
followed by the costs associated with the disruption to
business operations.




• Impact of cybercrime on US companies:
– Key conclusions from a very recent study that quantifies the economic
impact of cyber-crime attacks:
• Detection and recovery are the most costly internal
activities.




• Impact of cybercrime on US companies:
– Key conclusions from a very recent study that quantifies the economic
impact of cyber-crime attacks:
• All industry sectors are impacted.




• 2. Impact on American people whose personal information
is misused, leaked, stolen.
• 3. Impact on American consumers and e-commerce in the
US.

The Norton Cybercrime Report: The Human Impact released
last August finds that:
– “For nearly 3 in 10 victims, the biggest hassle is the time it takes
to sort things out: […] 4 weeks to resolve an average cyber-crime
incident.”
– “There’s the emotional baggage, with around 1/5 of victims finding
it made them stressed, angry and embarrassed (19%), and 14%
mourning the loss of irreplaceable data or items of sentimental
value, such as photo collections.”



From: Norton Cybercrime Report: The Human Impact (August 2010)

20

OUTLINE



C. Major legal & policy developments related to
cyber-crime in Latin America




C. Major legal & policy developments related to cyber-crime in 21

Latin America

• Organization of American States:
– 1999: first concern about cyber-crime.
– 1999: established an intergovernmental cyber-crime expert group.
– 2000: the Council of Ministers of OAS Member States issued a set of
recommendations:
• Facilitate cooperation among OAS Member States
• Increase technical and legal capacity-building
• Consider implementation and signature of CoE Cybercrime Convention
• Study feasibility of an Inter-American model of cybercrime legislation.
– Several expert group meetings have taken place every year and
have started:
• To put in place information exchange and cooperation mechanisms
among all OAS countries and with relevant international organizations
(Council of Europe, UN, EU, G8, OECD, APEC, Commonwealth,
Interpol)
• To establish public-private collaboration mechanisms.



Latin America

• The Council of Europe’s Cybercrime Convention:
– Adopted and opened for signature in 2001, entered into
force on July 1, 2004.
– As of April 2009, 46 States have signed it, 25 have
ratified it.
– Costa Rica, the Dominican Republic, Mexico and Chile
have been invited to accede. Argentina requested
accession.
• Any State may accede following majority vote in Committee of Ministers and
unanimous vote by the parties entitled to sit on the Committee of Ministers.



Latin America

• Argentina and Colombia enacted new cyber-crime
laws:
– Argentina’s Act on Cybercrimes (“Ley de Delitos
Informáticos”) (Law No. 26.388 of 2008): includes all
cyber-crimes defined as such by the United Nations and
the CoE Cybercrime Convention.
– Colombia adopted a cyber-crime law (No. 1273 of 2009)
that criminalizes the illegal acquisition and sale of
personal data, phishing, hacking, use of malware and
viruses, computer theft.



Latin America

• C o u n c i l o f E u r o p e ’ s “ G l o b a l P r o j e c t o n
Cybercrime” (between March 1, 2009 – June 30, 2011)
– Objective: promote broad implementation of the Convention on Cybercrime.
– To be achieved through results in the following areas:
• Legislation and policies
• International cooperation
• Law enforcement – service provider cooperation in the investigation of
cybercrime
• Financial investigations
• Training of judges and prosecutors
• Data protection and privacy
• Exploitation of children and trafficking in human beings.
• Cooperation with 120+ countries
• Legislation strengthened in more than 100 countries, including in Argentina,
Colombia, Dominican Republic
• Contributes to the organization of regional legislative workshops in Latin
America


Latin America

• The challenges of cyber-crime in Latin America

– 1. Challenges to international cooperation on cyber-crime:

• Transnational character of computer crimes
• Lack of appropriate legislation on cyber-crime
• Lack of harmonization between different national laws
• Legal powers for investigation are insufficient (e.g.,
inapplicability of seizure powers to intangibles such as
computer data)
• Lack of specialized personnel and equipment

(From Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,”
Regional Workshop, Mexico City, August 26-27, 2010.)



Latin America


– 2. Challenges to fighting cyber-crime:

• Policies and awareness of decision-makers
• Harmonized and effective legislation
• Regional and international cooperation
• Law enforcement capacities and training
• Judicial training
• Law enforcement and cooperation among ISPs




Latin America

– 3. Difficulties of regional and international cooperation:
• Limitations regarding skills, knowledge and training of judges, and to
some extent prosecutors. Direct impact on mutual legal assistance
process (e.g., difficulty to understand cyber-crime matters; reluctance to open a
case or issue search warrants).
• Insufficient use of possibility provided by international agreements for
direct contacts between judicial authorities in urgent cases and efficient
communication channels.
• Involvement of Contact Points (“CP”) network established under Cyber-
crime Convention in the MLA process is too limited.
• Not all CP sufficiently trained, resourced or available to assist competent
authorities and facilitate the process.
• Authorities for MLA of many countries receive a large volume of
requests.



Latin America

• Advantages of using the CoE Cyber-crime
Convention as a model of legislation in Latin America
– Provides important tools for law enforcement to investigate cyber-
crime.
– Provides for Latin American countries:
• Harmonization of criminal law provisions on cyber-crime with those of
other countries.
• Legal and institutional basis for international law enforcement and
judicial cooperation.
• Participation in the Consultations of the Parties. (T-CY: “Convention
Committee on Cybercrime”).
• The treaty as a platform facilitating public-private cooperation.
 Convention provides global standards and a framework for an effective
fast international cooperation.

(From Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,” Regional Workshop,
Mexico City, August 26-27, 2010.)


29

OUTLINE



Latin America

D. Recent cyber-crime court decisions from
Brazil and Argentina



30


D. Recent cyber-crime court decisions from Brazil and 31

Argentina

D. Recent cyber-crime court decisions from Brazil and 32

Argentina

33

BRAZIL – SOME CASES
MEDICAL CLINIC
database copy / unfair competition

AUTOMOTOR COMPANY
illegal video

BROKER COMPANY
database breach / unfair competition

AIRLINE COMPANY
database breach

CHEMICAL INDUSTRY COMPANY
database breach

FORMULA ONE PILOT
image damage

BEVERAGE COMPANY
483 confidential files

34

CASES

ILLICIT
• SCAMS
• HIJACKING THROUGH GAME PASSWORD
• LIBRARY EMPLOYEE – CONTENT COPIED – ORKUT
• SÃO PAULO STATE COURT – 3000 TIMES
• DATA BASE CAPTURING – CURRICULUM FIRM ON THE INTERNET
• RIO GRANDE DO SUL STATE COURT – UNAUTHORIZED ACCESS TO
DATABASE
• COUPLE ON THE BEACH – PRIVACY


35

BRAZIL
CONSTITUTION

Section 5.10 – Intimacy, privacy, honor and image of persons – INVIOLABLE.
Section 5.12 – Secrecy of correspondence and telecom – INVIOLABLE.

CIVIL CODE

Section 20 – Disclosure of writings, the transmission of the word, or publication,
display or use the image of a person.
Section 21 – Private life of a person – INVIOLABLE.

EXPECTATION OF PRIVACY
SÃO PAULO STATE COURT DECISION
Violation of image rights, privacy, intimacy and honor by being photographed and filmed (in love) on
locations – Spanish beach – Injunction to terminate the exposure of movies and photos on web-sites
because it is probable to presume lack of consent to publication. Filing with a daily penalty payment
of $ 250,000.00, in order to inhibit infringement of the command to abstain.
The paparazzi are known for aggressively working with the capture of images, which characterizes
the illegality of their activities [voyeurism]. Denying injunctive relief would reward the work of these
professionals that do not require authorization for their photos and, especially, to legalize the
sensationalism and scandal propagated by the media, without permission of those involved.


36

ARGENTINA – COURT DECISION
SEARCH ENGINE FILTER

MARADONA FORBIDS GOOGLE TO
ASSOCIATE HIM TO SEX SITES

37

SEARCH ENGINE FILTER
RIO DE JANEIRO STATE COURT
INTERLOCUTORY APPEAL

“I note that the injunction has already been accomplished by placing a FILTER ON THE
SEARCH ENGINES. In this manner, it seems more reasonable to maintain the status
quo, pending examination of the matter, without any harm to the plaintiff and without
prejudice for the defendant, who has fully complied with the measure.”
(Interlocutory appeal 20006.002.05508)

Argentina
In two search engines – Google and Yahoo – is possible to make a search to avoid that
certain words appear among search results. In fact, this procedure could be configured to
avoid that a certain word be linked with others in certain types of search or in any search. It is
therefore technically possible to adapt the search for information by avoiding certain words.
IT IS POSSIBLE TO SET UP FILTERS THAT DO NOT ALLOW STATIC LINKING SITES TO
INDEX CERTAIN WORDS WITH PORNOGRAPHIC, EROTIC OR SEXUAL CONTENT, AND
ESTABLISH OTHER INDEX IMAGES THAT DO NOT ALLOW CERTAIN PEOPLE (…)
The content selection control cannot affect the operation of the search engine site or access
to Internet content by users. (99.620/06)


38
BRAZIL
PARANA STATE COURT

NEWS ON THE INTERNET CAUSES HARM TO CITIZEN’S HONOR.
HE WAS NOT GUILTY, BUT THERE WAS NO NEWS ABOUT THAT,
ONLY ABOUT THE PENDING PROCESS

JUDGE ORDERS
GOOGLE TO SET
UP A FILTER TO
R A N D O M I Z E
R E S U LT S W I T H
PLAINTIFF’S NAME,
MAKING POSSIBLE
T H E R O TAT I O N
BETWEEN NEWS
PARANA STATE COURT 1819/2008


39

BRAZIL
CONSUMER DEFENSE CODE

Section 43 – Database access.
Section 72 – Block access. Detention from six months to one year or a
fine
PRIVACY
SANTA CATARINA STATE
COURT DECISION

Consumer Defense Association
causes damages to consumers by
disclosing its database to third
parties. Association must include a
warning about the disclosure and
ask for permission.


40

BRAZIL

WIRETAPPING – ACT 9296/1996

Section 1 – Interception of telephone communications – flow of
communication.

Section 10 – Intercept communication or violate secret of Justice, without
judicial authorization – confinement from two to four years and fine.

PRIVACY
SÃO PAULO STATE COURT DECISION

Breach of confidentiality of correspondence and of telegraphic, data and telephone
communications – Non-occurrence – Seizure of emails in possession and known of
the recipient by court order – Strong suspicions that the material might enlighten the
criminal infraction – Interpretation of Section 5, XII of the Constitution.

THERE IS NO VIOLATION OF THE SECRECY OF CORRESPONDENCE.


41

BLOGGER CONVICTED TO INDEMNIFY

State Court of Ceará

BLOGGER POSTED CONTENT WICH
GENERATED OFFENSIVE COMMENT.

HE WAS UNABLE TO IDENTIFY THE AUTHOR
AND WAS CONVICTED TO INDEMNIFY THE
VICTIM IN R$16.000

http://www.correiobraziliense.com.br/app/noticia182/2010/02/24/tecnologia,i=175488/
SAIBA+COMO+TENTAR+EVITAR+PROBLEMAS+COM+O+USO+DA+REDE.shtml

42

RS STATE COURT – CYBERBULLING
STUDENT CREATES WEBPAGE TO OFFEND ITS CLASSMATE. THE
COURT RULED FOR THE INDEMNIZATION TO THE VICTIM TO BE
PAYED BY THE DEFENDANT´S MOTHER.

APPEAL. LIABILITY. INTERNET. USE OF IMAGE FOR A DEROGATORY END.
FLOG CREATION - PERSONAL WEBSITE FOR POSTING PICTURES IN THE
NETWORK. PARENT´S LIABILITY. PATERNAL POWER. BULLYING. MORAL
DAMAGE IN RE IPSA. OFFENDED THE SO CALLED RIGHTS OF PERSONALITY.

The responsibility of ISP.
ISPs provide space for creating personal pages on the
World Wide Web, which are used freely by users.
However, with complaint of inappropriate or offensive
content to human dignity, the service provider needs to
detect and expeditiously remove the elements of this
page.

Imagem: http://farm3.static.flickr.com/2181/2512997167_d6ba9a5031.jpg
Source: http://g1.globo.com/vestibular-e-educacao/noticia/2010/07/justica-determina-que-mae-pague-indenizacao-vitima-de-cyberbullying.html

43

SP State Court – Civil Code, Section 927


44

ARGENTINE COURT DECISION

COURT DENIES TEXT MESSAGE AS
EVIDENCE OF WIFE’S INFIDELITY

http://adirferreira.files.wordpress.com/2009/02/sms.jpg
“The inviolability of
correspondence and
telecommunications – in this
case, the interception of text
messages – is only possible upon
court request.”


45

LABOR COURT – 13th REGION

ORKUT’S PHOTO ALBUM IS USED AS AN EVIDENCE
AT HEARING. THE TOOL PROVED THAT AT A
CERTAIN DATE THE EMPLOYEE STILL WORKED AT
THE COMPANY.

Source: http://www.trt13.jus.br/engine/interna.php?pag=exibeNoticia&codNot=1769#

46

REGIONAL LABOR COURT – E-MAIL AS AN EVIDENCE

Lawsuit nº 2004.028935-4

OVERTIME. EVIDENCE. E-MAIL. EVIDENCE VALIDITY. THE
ELECTRONIC MAIL IS A MODERN EVIDENCE THAT IS VALID TO
CERTIFY OVERTIME LABOR, AS LONG AS THERE IS NO DOUBT
RELATED TO TAMPERING, ESPECIALLY WHEN ITS CONTENT
REMAINS CORROBORATED BY OTHER EVIDENCE IN THE
CASE FILE. IF THE COMPUTER CLOCK WAS CHANGED FOR A
LATER TIME, AS ALLEGED IN THE APPEAL, THE DEFENDANTS
WOULD HAVE TO PROVE IT, AND THEY DIDN´T.


47

CRIMINAL STATE COURT OF SÃO PAULO

PRIVACY – BREACH OF CONFIDENTIALITY

TELECOMMUNICATIONS - BREACH OF CONFIDENTIALITY - "E-MAIL"
SENT FROM BRAZIL TO THE ELECTRONIC ADDRESS OF THE WHITE
HOUSE, IN THE CITY OF WASHINGTON, DC, WRITTEN IN ENGLISH,
CONTAINING THREATS TO PHYSICAL INTEGRITY OF THE PERSON OF
THE AMERICAN PRESIDENT AND ITS FAMILY – SUBPOENAED THE ISP
TO PROVIDE PERSONAL IDENTITY AND ADDRESS OF USER
CONNECTED AT THAT MOMENT TO SUCH “IP” NUMBER - NOTIFICATION
REJECTED ON THE GROUND THAT THE DATA REQUEST IS PROTECTED
BY THE FEDERAL CONSTITUTION FOR TELECOMMUNICATION SERVICES,
SO THAT DATA REQUEST PROCEDURES WOULD BE REGULATED BY
ACT Nº. 9296/96, ESPECIALLY WITH REGARD TO THE NEED FOR A
JUDICIAL ORDER - Habeas Corpus to not be prosecuted for disobedience.
Habeas corpus denied.
Need of legal authorization for the breach of confidentiality of
telecommunications - postal, telephone or transmission of messages or data.

48

ARGENTINA – COURT DECISION

E-MAIL MONITORING

E-mail at work. Private use. Importance as a working tool. Privacy.
Need for clear policies on its use. Dismissal for cause. Rejection.
(CAUSE 15198/2001 S. 36580)

“E-mail has more privacy protection than the classic snail mail,
because to operate it, it is required to use a service provider, a user
name and a password, that prevents others from intruding into the
data and content sent and received. (…) According to constitutional
guarantees, along with the evidences concerning the alleged emails
the defendant’s privacy is violated with the consequent harm to his
dignity and self-determination.”
(C. 35.369 Ins. 18/156)


49

BRAZIL – SUPERIOR LABOR COURT

PASSWORD IS A PROTECTION TOOL FOR THE EMPLOYER

Password does not imply any expectation of privacy in relation to corporate
email once the PASSWORD BECOMES AN EMPLOYER’S PROTECTION
TOOL TO PREVENT THIRD PARTIES TO ACCESS THE CONTENT OF
MESSAGES. (…) Also, there is no offense to the principle of inviolability of
intimacy and privacy (Section 5, X, CF/88), once an employee can’t be
granted the right to privacy with respect to the use of a corporate email
system made available by his company. Otherwise, the employee had no
reasonable expectation of privacy, which is conveyed by the statement that the
corporate e-mail was intended "only for issues and matters affecting the
service” (fl. 636). At last, there is no harm to the principle that ensures
admissibility in the process of evidence obtained by illegal means (Section 5,
LVI): the corporate e-mail is company’s property, merely transferred to the
employee for working purposes, and the employer may exercise control both
formal and material (content) over the messages that travel through his
corporate email system.

50

RS STATE COURT – EVIDENCE (EMAIL)

E-MAILS CONTAINING PLAINTIFF’S PERSONAL DATA,
ALONG WITH THE INFORMATION THAT SHE IS A
CALL-GIRL. SENT BY EX-BOYFRIEND. INCOMING
CALLS FROM PEOPLE INTERESTED IN HER SEXUAL
SERVICES. SUBJECTIVE LIABILITY. NEGLIGENCE.
MORAL DAMAGES.

Declarations by the ISP are in his legal file that proves the
e-mail was sent from a domain name that belongs to the
defendant, and considering the failure to prove a fact wich
could remove his liability, the case is upheld.


51

RIO GRANDE DO SUL STATE COURT
Rio Grande do Sul Court of Appeals determines INDEMNIZATION TO
FURNITURE STORE´S CLIENT FOR BEING COLLECTED IN A
VEXATIOUS WAY THROUGH ORKUT.

Appeal Nº 71002350874/2009

D A M A G E R E PA I R . I N C U R R I N G D E B T F O R T H E P U R C H A S E O F
FURNITURE. VEXATIOUS COLLECTION. POST ON PLAINTIFF´S ORKUT
PROFILE STATING HE WAS INDEBTED. LIABILITY OF THE COMPANY ON
BEHALF OF WHOM HE WAS CHARGED FOR THE FURNITURES. MORAL
DAMAGES. EXISTING DEBT. REDUCED VALUE. APPEAL PARTIALLY UPHELD.

(...) because the defendant, from whom the furnitures had been purchased through
installments, had called several times to collect the bill and had posted on the
plaintiff´s orkut profile that he was indebted, causing embarassment among
his co-workers (...)


52

BRAZIL – LABOUR COURT (2nd REGION)

I N D U S T R I A L P R O P E R T Y. E M P L O Y E E
ORDERED TO COMPENSATE COMPANY FOR
PUBLISHING MATERIAL NOT YET PUBLISHED

“(...) THE DEFENDANT HAD PUBLISHED IN ORKUT MANY
PHOTOGRAPHS RELATED TO A PRODUCT THAT HAD NOT EVEN
BEEN LAUNCHED, WHICH PREMATURE DISCLOSURE DID NOT AND
DO NOT INTEREST THE AUTHOR, HOLDER OF INDUSTRIAL
PROPERTY RIGHTS”.

“(...) IT IS ABSOLUTELY IRRELEVANT TO KNOW IF THE DEFENDANT
HAS ACTED WITH BAD FAITH, BECAUSE WHAT IS IMPORTANT TO
INVESTIGATE IS THAT THERE IS A HIGH LIKELIHOOD THAT
REFERRED DISCLOSURE CAN CAUSE PATRIMONIAL HARM TO THE
AUTHOR”.


53

FEDERAL COURT – 2nd REGION (RJ)
“CRIMINAL LAW AND CRIMINAL PROCEDURE. CRIME AGAINST
TELECOMMUNICATIONS COMPANIES. ILLEGAL DISTRIBUTION OF
CABLE TV SIGNAL. UNION’S INTEREST. FEDERAL COURT
JURISDICTION. RECLASSIFICATION OF FACTS. CRIMES OF SECTION
171 OF CRIMINAL CODE AND SECTION 183 OF ACT Nº 9.472/97.”

I - The conduct attributed to defendants in the complaint is the illegal distribution of
cable TV signals, which violates the uniqueness of the Union to organize the
exploitation of telecommunications services.

III - The retransmission of illegal cable TV signal is not atypical. Though TV signal is
not considered a source of energy, ruling out the possibility to characterize the crime
as a theft, the crime to be considered is qualified as “larceny by fraud”.

(...) I correct the material error for the accused to be CONVICTED under the terms
of the sentence, but TO BE ARRESTED."


54


Lawsuit nº 591/07 – Unfair competition (Sponsored links)
District of justice of São Carlos – 1st criminal court


56

FEDERAL COURT – 1st REGION

CRIMINAL PROCEDURE. HABEAS CORPUS. SCAM. INTERNET
CRIME. TEMPORARY PRISON. ABSENCE OF REQUIREMENTS.

1. Larceny by fraud practiced over the internet, with the participation of
several people with specific activities - a) the programmer (the one who
designs the phishing website and the malicious codes, e.g. the trojan) – the
person responsible for capturing passwords; is the cracker, not the hacker,
b) the user (who directly uses the software); c) the carder (responsible for
obtaining credit cards and bank notes that will be paid through the Internet);
d) the sub-carder (the person who, despite not knowing the software users,
buy the magnetic cards from mules and sell them to carders that make
contact with users; e) the mule (the one who lends your bank account to
receive the money from the illicit activity) – aiming to phish the account
holder´s password and withdraw the money from his bank account.


57

PARANÁ STATE COURT – CRIMINAL APPEAL

LAWSUIT Nº 2004.028935-4

CRIMINAL APPEAL - INSERTION OF FALSE DATA INTO INFORMATION
SYSTEM (SECTION 313-A OF CRIMINAL CODE) - AUTHORSHIP AND
MATERIALITY PROVED - CIVIL SERVANT WHO INSERTED FALSE DATA
ON CIRETRAN´S SYSTEM REQUESTED BY HER BOYFRIEND -
RELEASING VEHICLE´S DOCUMENTS WITHOUT PAYING THE
PROPER FEES - VEHICLE LICENSE FEES NOT COLLECTED -
DISQUALIFICATION THE FOR PREVARICATION - CONDUCT WICH
OVERSTEPPED THE LIMITS EXPOSED IN SECTION 319 oF THE
CRIMINAL CODE - PENALTY DECREASE - LATER REGRET - CRIME
PRACTICED 17 TIMES REPETITIVELY, SHOWED LACK OF REGRET -
INCREASING THE PENALTY IS SUITABLE, CONSIDERING THE
NUMBER OF RECIDIVISM - CRIME COMMITTED AGAINST THE PUBLIC
ADMINISTRATION - PENALTY OVER A YEAR - LOSS OF JOB -
COMDEMNATION EFFECT - APPEAL DENIED


58

The arrows point...


59

GREETINGS

“That God gives you serenity to accept things that
cannot be changed, courage to change things that
can be changed and wisdom to know the
difference”.


60

OUTLINE



Latin America


E. Recent data protection developments in Latin
America - How they relate to cyber-crime


C. Recent data protection developments in Latin America – How 61


• Relationship between data protection, cyber-security and
cyber-crime:
– A strong data protection framework is necessary to provide
support to cyber-crime laws.
– Implementing data protection processing rules during cyber-crime
investigations improves its accuracy and efficiency.
– Security breach notification requirements in the U.S. since 2005:
triggered by leaks, disclosures or theft of personal information.

• Lack of data protection frameworks in LAC (with a few
exceptions: Argentina and Mexico).


E. Recent data protection developments in Latin America 62

How they relate to cyber-crime
MEXICO

CONSTITUTION

- Since 2007, the Constitution expressly acknowledges the right of
personal data protection as a fundamental right.

- “The information pertaining to private life and personal data shall be
protected pursuant to the terms and exemptions set forth in the laws.”
“Every person, without the need to prove his own legal interest or
justify his use, shall have free access to public information, to his own
personal data and the correction of such data.”

- In 2009, the Constitution obliged the Congress to enact a data
protection law for the private sector within 12 months from the
publication of the reform. The deadline was April 30, 2010.

IAPP Global Privacy Summit
Washington, DC 2010


MEXICO

BILLS ON PERSONAL DATA PROTECTION

- Since 2001, there have been 6 data and privacy bills, which are
modeled loosely on international data protection standards such as
those found in the EU Data Protection Directive, the Spanish Data
Protection Law, the OECD Guidelines on the Protection of Privacy
and Transborder Flows of Personal Data, and the APEC Privacy
Framework.

Washington, DC 2010


MEXICO

LEGAL FRAMEWORK AT THE FEDERAL LEVEL

- New data protection law since June 2010.

- There are several laws about privacy and data protection in
specific fields, such as finance and banking, consumers' rights,
credit information, telecommunications and national security.

- The Federal Law of Transparency and Access to the
Government Public Information (LFTAIPG) standardizes
principles under which the various organs of the State must
process citizens' personal data.

Washington, DC 2010


MEXICO

OBSTACLES TO OVERCOME

1.- Proliferation of federal regulation.
2.- Differences between state regulations.
3.- Lack of provisions about transborder data flows.

RELEVANT INTERNATIONAL INSTRUMENTS

OECD Recommendations on Privacy.
Mexico is an OECD member since 1994.

APEC Privacy Framework, 2004.

Economic Partnership, Political Coordination and Cooperation
Agreement between the European Community and its Member
States, and the United Mexican States, 2000.
Washington, DC 2010


COLOMBIA

DATA PROTECTION LAW OF 2008

Ley Estatutaria 1266 de 2008

Habeas data

Limited to the financial sector (banks, credit reporting
and commercial companies).

Washington, DC 2010


COLOMBIA

PRIVACY IN E-GOVERNMENT SERVICES

General obligation of all government entities that use
electronic resources to manage the information of
citizens in a manner respectful to their privacy.

Decree No. 1151 of 2008 establishes general
principles to follow in how online services are
provided by the government.

Protection of privacy is further regulated by the
Ministry of Communications’ “e-Government Policy
Manual,” applicable throughout all governmental
entities.

Washington, DC 2010


PERU

“SAN SALVADOR COMMITMENT” (2008)

2nd Ministerial Conference on the Information Society
in Latin America and the Caribbean.

Decision made to:

“facilitate dialogue and coordination of various
regulatory initiatives at the regional and local levels that
may contribute to the region’s regulatory
harmonization, especially on the topics of privacy and
data protection”;

“invites countries to consider the possibility of ratifying
or acceding to the Council of Europe Cybercrime
Convention as an instrument to facilitate [the]
integration and regulatory adaptation in this area within
the framework of principles of protection of the right to
privacy.”

Washington, DC 2010

69

Speakers

Renato Opice Blum, CEO and
Partner, Opice Blum Advogados
Associados (Brazil)
http://www.opiceblum.com.br
<renato [at] opiceblum [dot] com [dot] br>
Cédric Laurant, Independent
Privacy Consultant
http://blog.cedriclaurant.org - http://security-
breaches.com
<cedric [at] laurant [dot] org>


70

WWW.OPICEBLUM.COM.BR

Renato Opice Blum
renato@opiceblum.com.br

twitter.com/opiceblum
 Lawyer and Economist;
 Coordinator of Electronic Law's MBA, of São Paulo Law School;
 Invited Professor at Electronic Law’s Course, Florida Christian University, Fundação Getúlio
Vargas (FGV), PUC, FIAP, Rede de Ensino Luiz Flávio Gomes (LFG), Universidade Federal do Rio
de Janeiro, FMU and others;
 Speaker teacher at Mackenzie University;
 Collaborating Professor of ITA-Stefanini’s partnership;
 Speaker at the IAPP’s Global Privacy Summit 2010, Washington, DC
 Arbitration Referee at FGV and Mediation and Arbitration's Chamber of São Paulo (FIESP);
 President of the Superior Council of Information Technology of the Trade Federation of São
Paulo, and Technology Law Committee of AMCHAM; Member of Information Society Law
Committee – OAB/SP; Former Vice-President of Electronic Crime’s Committee – OAB/SP;
 Member of American Bar Association (ABA), Inter American Bar Association (IABA),
International Law Association (ILA), International Bar Association (IBA) and International
Technology Law Association (Itechlaw);
 Coordinator and co-author of “Internet and Electronic Law Manual”;
 CEO at Opice Blum Attorneys-at-Law http://www.opiceblum.com.br/lang-en/index.html
 Résumé at Lattes Platform: http://lattes.cnpq.br/0816796365650938


71

www.cedriclaurant.org

Cédric Laurant
cedric [at] laurant.org
twitter.com/cedric_laurant

 Independent consultant based in Brussels, Belgium.

 Attorney, member of the District of Columbia Bar.

 Specialty areas: international privacy, data protection and information security.

 Senior Research Fellow, Central European University (Budapest, Hungary). Currently directing the
research of the "European Privacy and Human Rights”, a European Commission-funded privacy research
and advocacy project. Info at: http://phr.privacyinternational.org/

 Research Director, Privacy & Human Rights – An International Survey of Privacy Laws and
Developments (EPIC & Privacy International 2003, 2004, 2005).

 Formerly Visiting Law Professor, University of los Andes (Bogota, Colombia) and International Privacy
Project Director, Electronic Privacy Information Center (Washington, DC).

 Lic. Jur., University of Louvain (Belgium); LL.M., Columbia Law School (New York, NY); M.A. (London).

 Profile/Résumé: http://www.linkedin.com/in/cedriclaurant

 Blogs: http://blog.cedriclaurant.org; http://blog.security-breaches.com


Cybercrime Court Decisions from Latin America - Legal and Policy Developments (HTCIA Conference, Atlanta, GA (USA), 20 Sept. 2010)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (15)

Similar to Cybercrime Court Decisions from Latin America - Legal and Policy Developments (HTCIA Conference, Atlanta, GA (USA), 20 Sept. 2010)

Similar to Cybercrime Court Decisions from Latin America - Legal and Policy Developments (HTCIA Conference, Atlanta, GA (USA), 20 Sept. 2010) (20)

More from Cédric Laurant

More from Cédric Laurant (8)

Recently uploaded

Recently uploaded (20)

Cybercrime Court Decisions from Latin America - Legal and Policy Developments (HTCIA Conference, Atlanta, GA (USA), 20 Sept. 2010)