Hacking

Hacking is criminalized in Belgium under Article 550bis of the Criminal Code.

Note : the actions of a certain category of hackers, being ethical hackers, are being not penalized under certain conditions.

Hacking is a serious crime under Belgian criminal law. Whether you are a victim of hacking or accused of hacking, specialized legal guidance from a lawyer is essential.

Hacking

1. External hacking (art. 550bis, § 1 Sw.).

External hacking occurs in two possible scenarios:

  • Intentional access: A person intentionally gains access to an IT system while knowing that he is not authorized to do so (an electronic intrusion);
  • Unintentional access with enforcement: A person has accidentally accessed an information technology system but decides to remain in it rather than leave the system when he becomes aware of the unauthorized access.

Hacking only occurs if one gains access to another person's information system. In practice, this distinction is not always easy to make, e.g., in cases of divorce. In any case, it seems out of the question that in the event of an actual divorce, one partner could still gain access to the other partner's mailbox, even though they shared all their logins and passwords during the relationship.

Punishability for hacking requires only that contact has been established between the perpetrator and the computer system and that one knows not to be entitled to take access. External hacking out of mere curiosity is thus punishable.

It is not necessary for hacking that a security system would be breached. Indeed, this would have a number of consequences such as what level of security is required or the disclosure of the security features in response to evidence at trial etc. However, breaching security systems can be considered hacking with fraudulent intent which carries a more severe penalty (see below).

Special attention is required for surfing on other people's (unsecured) wireless (wifi) networks. This is punishable unless (i) permission has been obtained from the owner of the wireless network, or (ii) it concerns a wireless network that is freely and openly available to the public (a public hotspot).

Examples of external hacking:

  • A fired employee who still takes access to his former employer's server after being fired
  • An employer taking access to an unsecured personal webmail account on a returned company smartphone
  • Defacing: replacing an original web page with one of your own after hacking (which can lead to other crimes such as computer fraud or forgery)

Punishment

External hacking is punishable by imprisonment of 6 months to 2 years and/or a fine of 208 to 200,000 euros (after opdeciemen)

However, acting with fraudulent intent constitutes an aggravating circumstance leading to a more severe penalty: imprisonment from 6 months to 3 years and/or fine from 208 to 200,000 euros (after opdeciemen).

2. Internal hacking (art. 550bis, § 2 Sw.).

Internal hacking occurs when someone with access authority to an information technology system accesses data outside that authority.

Examples of internal hacking:

  • An employee who has access to certain parts of a network (such as inventory records), but also accesses other parts to which he is not authorized (such as payroll records)
  • A doctor in a hospital who has access to medical records of his own patients, but consults the records of a known person who is not a patient of his

Unlike external hacking, internal hacking always requires deceptive intent or an intent to harm. A mere curiosity with no ulterior motive does not appear to be punishable under this article.

Internal hacking does not include one who takes access to data contained in an IT system to which he has access authority, but diverts this authority from its finality (Cass. Jan. 24, 2017). Consider an IT firm that has authority to access the client's entire IT system and consults confidential client information that has nothing to do with the assistance task.

If access authority and restrictions are not in writing, proving the override can be problematic.

Punishment

Internal hacking is punishable by imprisonment from 6 months to 3 years and/or a fine from 208 to 200,000 euros (after opdeciemen)

3. Some peculiarities common to internal and external hacking

Aggravating circumstances (art. 550bis, § 3 Sw.)

Three acts lead to criminal aggravation for both internal and external hacking:

  1. Adopt data: taking over the data stored, processed or transmitted by means of the computer system, e.g. downloading data after accessing a system, as in corporate espionage.
  2. Adopt system: using an information technology system of a third party or using the information technology system to access an information technology system of a third party
  3. Damage system or data: Cause damage to the hacked system, to third-party systems, or to the data in these systems. It is irrelevant whether the damage was caused inadvertently or intentionally.

In the presence of one or more of these circumstances, the punishment is imprisonment from 1 to 5 years and/or a fine from 208 to 400,000 euros (after opdeciemen).

Attempt (art. 550bis, § 4 Sw.).

Attempting both external and internal hacking is punishable by law and is punished in the same way as the completed crime. An example is the automated trying of long lists of possible passwords.

Special repetition (art. 550bis, § 8 Sw.)

The above penalties are doubled if internal or external hacking is committed within the five years following a conviction for hacking, forgery of information technology (art.210bis Sw), eavesdropping on private communications (259bis and 314bis Sw), computer fraud (504quater Sw) or computer sabotage (550ter Sw).

Other offenses surrounding hacking

1. Hacker tools (art. 550bis, § 5 Sw.).

The law punishes as a separate crime certain acts of preparation of hacking. These are:

  • Making, owning, producing, selling, obtaining for use, distributing or making available
  • Of an instrument (including informatics data)
  • That is primarily designed or adapted for hacking

Examples:

  • Distributing programs designed to facilitate hacking
  • Offering hacker tools on a website
  • Distributing third-party passwords

Note that this does not include general works on network security.

Punishment:

The penalty for this crime is imprisonment for 6 months to 3 years and/or a fine of 208 to 800,000 euros (after opdeciemen).

2. Principals (art. 550bis, § 6 Sw.).

The law provides for the harshest penalties for individuals who order or incite the commission of internal or external hacking or distribution of hacker tools.

Punishment:

Principals are punishable by imprisonment from 6 months to 5 years and/or a fine from 800 to 1.6 million euros (after opdeciemen)

3. Collection of data resulting from hacking (art. 550bis, § 7 Sw.).

The retention, disclosure, distribution or use of data while knowing it was obtained through hacking is punishable by law.

Punishment:

The fencing of data obtained through hacking is punishable by imprisonment of 6 months to 3 years and/or a fine of 208 to 800,000 euros (after opdeciemen).

4. Business in common with hacker tools, commissioning and fencing

As with hacking itself, these related offenses are also subject to the special re-offense provision of Section 550bis, § 8 Sw. For a new violation of Section 550bis Sw within five years of a conviction for informational fraud, interception of private communications, informational fraud or hacking, the penalties are doubled.

Victim of hacking? Protect your rights

As a victim of hacking, you may face serious harm: loss of personal data, financial losses, reputational damage and psychological impact. Prompt legal response is essential to secure evidence, mitigate damages and hold perpetrators accountable. Our attorneys will guide you through every step, from criminal charges to civil claims for damages.

Read more: More on legal help for victims of hacking.

Accused of hacking ? Defend your rights

An accusation of hacking can have far-reaching consequences: a criminal investigation, searches, seizure of computers or even pre-trial detention. A specialized defense is crucial to protect your rights, expose errors in the investigation and argue your case in the best possible way. Our lawyers will assist you from the first hearing to the end of the proceedings.

Read more: More on legal defense when accused of hacking.

Why hire our law firm for hacking cases?

Our lawyers combine in-depth legal knowledge with technical understanding of cybercrime and hacking:

  • Specialized expertise in computer crime and hacking legislation
  • Personal approach focusing on your specific situation when hacked or being hacked
  • Practical Experience In both defense and assistance to victims of hacking
  • Preventive advice To prevent future hacking incidents
Are you a victim of hacking or accused of hacking? Our attorneys are ready to thoroughly analyze your case and advise you of your rights.

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be

Topics