Cybercrimes & Corporate Liability: Let the Corporation Beware!
First, there was the crash of Worldtron and Enron in the United States, which should have put local corporate managers and representatives on alert, particularly as it relates to the passage of Sarbanes-Oxley (SOX) with its stringent information security requirements around financial records. Then there was the Companies Act of Jamaica in 2004, which increased corporate liability and responsibility for officers and directors.
Beware of What?
Now, if those pieces of legislation did not catch the attention of corporate Jamaica, here is something that should. Section 11 of the Cybercrimes Act 2010 (the "Act"), which came into effect on March 17, 2010, makes "a director, manager, secretary or other similar officer, of that, body corporate - (a) connived in the commission of the offence; or (b) failed to exercise due diligence to prevent the commission of the offence" liable on conviction on indictment before a Circuit Court to a fine or to imprisonment for a term not exceeding five years or to both such fine and imprisonment.
It is interesting to note that the consequences in terms of process and punishment in relation to these corporate representatives are more stringent than those for individuals except where the individual is convicted in relation to a protected computer. A protected computer is one which is concerned with:
1. the security or defence or international relations of Jamaica;
2. the existence or identity of a confidential source of information relating to the enforcement of the criminal law of Jamaica;
3. confidential educational material, such as examination materials;
4. the provision of services directly related to communications infrastructure, banking and financial services, public utilities, public transportation or essential public infrastructure such as hospitals, courts, toll roads, traffic lights, bridges, airports and seaports; or
5. the protection of public safety, including systems related to essential emergency services such as police, fire brigade services, defence and medical services.
In the Resident Magistrate's Court the trial is by way of summary trial, that is, not on an indictment. If there is no damage, the penalty is a maximum of two years imprisonment and/or a fine of two million dollars ($2,000,000). If there is damage, the term of imprisonment is a maximum of three years and/or a fine not exceeding three million dollars ($3,000,000). In a trial on indictment the penalty on conviction is imprisonment of five years or an unspecified fine or both if no damage is done. If damage is done, the term of imprisonment is seven years or an unspecified fine or both such fine and imprisonment. The penalty in relation to protected computers is an unspecified fine or ten years imprisonment.
In relation to offences other than those involving protected computers, whereas individuals can be prosecuted in either the Supreme Court or in a Resident Magistrate's Court, a close reading of the Act shows that the liability of a corporate representative is only prosecutable in the Supreme Court. The penalty for the corporate representative is a term of imprisonment not exceeding five years or an unspecified fine or both fine and imprisonment. The Act also confers jurisdiction on the court to order restitution. This is usually the domain of civil courts through the filing of a civil action.
Rethinking Corporate Governance...
Companies must be aware that they can have primary liability, in which case the company itself may be subject to a fine or responsible for making restitution. In addition to this, the corporate representative can be liable because of the actions of not only employees but also of independent contractors and third parties. It is a non-delegable duty. This means that the duty to take care cannot be delegated to some functionary or employee. It is the corporate representative's duty to use due diligence to prevent the commission of an offence. In this regard, due diligence would take into account the security of wireless networks, in terms of their reach and who can have access to them. In relation to wired networks, the access control protocols are equally important. These access control mechanisms should be documented, verifiable and include audit controls to ensure that they remain relevant and robust.
In summary, corporate governance and responsibility have just taken on a new meaning. Corporate actors must make corporate governance a priority. Being a director on any or many boards is no longer sexy. Personal criminal responsibility is now a possibility under the statute. It is time to take your role seriously.
Practice Leader & IT Partner
Henlin Gibson Henlin, Attorneys at Law