
25 July 2019

Cyber-attacks and business secrets - Protection under criminal law

Business secrets are essential assets of companies, and are often the reason for a company having a competitive lead in a market. Companies thus constantly seek to develop new technologies, algorithms or software to create such intangible assets.

Due to their significant economic value, companies try to protect their business secrets from unintended disclosure or from leaks through ever-increasing cyber-attacks. In this article we explain some aspects of the legal protection available under Austrian law.

1. Protection under criminal law

When it comes to cyber-attacks and the protection of business secrets, most people think of "compliance" with its various facets such as internal guidelines, technical security systems, staff training or – in the aftermath of an attack – internal investigations. However, the Austrian Criminal Code ("ACC") also provides for various protective provisions:

  • Section 118a ACC punishes illegal access to computer systems, such as computer hacking and cyber-attacks, with the intention to use the received data to damage the victim.
  • Section 119 and section 119a ACC cover the interception of confidential data or messages by technical means under certain conditions. These provisions are thus highly relevant when spy-software is used.
  • Section 120 ACC covers certain forms of wiretapping, such as the use of listening devices to become aware of confidential statements.
  • Section 122 ACC punishes the disclosure or realisation of certain business secrets. Section 123 ACC punishes spying out business secrets with the intention to disclose or realise them.
  • Section 126a ACC punishes data corruption, e.g. by modifying or deleting data. Section 126b ACC punishes the disruption of IT-systems, e.g. by Denial-of-Service-attacks or computer viruses.
  • Section 126c ACC punishes the abuse of computer programs including the possession or the creation of trojans or malware under certain conditions.

In the case of cyber-attacks, affected companies are thus well-advised to assess possible actions under criminal law, especially since criminal proceedings provide the following advantages:

(i) Public prosecutors and courts may apply investigative measures which are not available to the company itself, such as house searches or seizure.

(ii) The public prosecutor is generally in charge of investigations and must clarify the facts and gather evidence.

(iii) The victim can participate in the criminal proceeding as a "private party" to request compensation for the damages caused by the perpetrator without any court fees (as would be the case in civil law proceedings).

(iv) Criminal proceedings may be a good starting point for further civil law actions.

Criminal proceedings can thus be a good way to limit damages and to clarify the situation.

2. Initiating criminal proceedings

Criminal proceedings are generally initiated and conducted by the public prosecutor. Therefore, victims would in practice file a statement of facts (Sachverhaltsdarstellung) with the public prosecutors' office to encourage it to start investigations. It is crucial that such a statement includes strong evidence, as the initiation of criminal proceedings requires sufficient initial suspicion (Anfangsverdacht), which is the case if there is concrete evidence that an offence has been committed; mere suspicion or vague indications are not sufficient.

However, some of the relevant offences at hand are of a specific nature as they are subject to private charges, which means that the victim has to investigate the case, provide evidence and file a criminal charge with the court. Nonetheless, evidence-protection measures may be requested from the court in that case too.

3. Cyber-attack! What to do?

In the event of a cyber-attack or the leak of business secrets, the affected company should immediately consider and clarify the following:

(i) What information on the incident is currently available?

(ii) Who is the potential perpetrator? What evidence is available and was it secured? Who are potential witnesses?

(iii) Who needs to be informed? Are external experts needed to clarify the situation?

(iv) Which actions under criminal law are available?

If you have further questions on this topic or if you are affected by a cyber-attack, do not hesitate to contact us.

authors: Christoph Haid and Michael Lindtner


