Archive for: Art. 267 CRC

Polish regulations on the protection of trade secrets

October 9th, 2008, Tomasz Rychlicki

I. Definitions
There is no definition of “trade secrets” in Polish law. However, there are regulations that allow for very effective protection.

II. The law
The main sources of binding law in the Republic of Poland are the Constitution of 2 April 1997, acts passed by the Parliament, ratified international treaties, and regulations issued, for example, by the Prime Minister or the Council of Ministers (the Polish government). Regulations are issued for the purpose of implementing acts.

II.A. Unfair competition
Act on Combating Unfair Competition – CUC – (in Polish: Ustawa o zwalczaniu nieuczciwej konkurencji) of 16 April 1993, Journal of Laws (Dziennik Ustaw) No 47, item 211, with later amendments.

Article 11
An act of unfair competition is the transfer, disclosure or use of third party information, which is company confidential or their receipt from an unauthorised person, if it threatens or violates the interests of the entrepreneur.
2. The provisions of section 1 shall also apply to the person who has been rendering work based on employment contract or another legal relation, for the period of three years from its expiration, unless the contract stipulates otherwise or there is no longer secrecy.
3. The provisions of section 1 shall not apply to the person who, bona fide, by way of a legal operation against payment, acquired the information constituting a business secrecy. The court may oblige the acquirer to the appropriate remuneration for its use, nevertheless for a period not longer than duration of secrecy.
4. Company confidentiality is understood to include the entrepreneur’s technical, technological, organisational or other information having commercial value, which is not disclosed to the public to which the entrepreneur has taken the necessary steps to maintain confidentiality.
(…)
Chapter 4
Penal provisions
Article 23.1. Every person, who contrary to her obligation towards the entrepreneur discloses to another person or uses in her own economic activity information which is a business secrecy, shall be liable to the fine, probation or imprisonment up to 2 years, provided it is to the significant detriment of the entrepreneur.
2. The same sanctions shall apply to the person, who having acquired illegally the business secrecy, discloses it to another person or uses in her own economic activity.

It is noteworthy that the definition of “company confidentiality” provided in Article 11(4) CUC explicitly included the term “trade secrets” before the amendments in 2002. The CUC protection of “company confidentiality” can be enforced in civil or criminal proceedings. However, the regulations afforded in the CUC basically apply only to relations between entrepreneurs (commercial relationships).

II.B. Civil Code
The Civil Code – CC – (in Polish: Kodeks Cywilny) of 23 April 1964, Journal of Laws (Dziennik Ustaw) No 16, item 93, with later amendments.

Article 72 [1]. § 1. If during the negotiations, a party has provided information as confidential, the other party is required not to disclose and not to transfer of such information to others and not to use such information for its own purposes, unless the parties otherwise agreed.
§ 2 In the event of failure of performance or improper performance of duties as described in § 1, the entitled person may demand from the other party to undo the damages or to return profits received by the other party.

II.C. Criminal Code
The Criminal Code – CRC – (in Polish: Kodeks Karny) of 6 June 1997, Journal of Laws (Dziennik Ustaw) No 88, item 553, with later amendments.

Chapter XXXIII. Crimes against protection of information
(…)
Article 267.
§ 1. Whoever, without being authorised to do so, acquires information not destined for him, by opening a sealed letter, or connecting to a wire that transmits information or by breaching electronic, magnetic or other special protection for that information shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to 2 years.
§ 2. The same punishment shall be imposed on anyone, who, in order to acquire information to which he is not authorised to access, installs or uses tapping, visual detection or other special equipment.
§ 3. The same punishment shall be imposed on anyone, who imparts to another person the information obtained in the manner specified in § 1 or 2.
§ 4. The prosecution of the offence specified in § 1 – 3 shall occur on a motion of the injured person.

The regulations mentioned above are the basic ones. There are other legal acts that govern specific fields of law, for instance the Act on Accountancy, the Code of Commercial Companies, the Code of Labour, the Act on Banks Law etc.

Computer crimes, case VI K 849/07

October 6th, 2008, Tomasz Rychlicki

On August 11, 2008, the District Court in Głogów (VI Wydział Grodzki) issued an important ruling, case file VI K 849/07, regarding a man accused by the prosecutor of using computers to breach the electronic security of a company server and database, which allowed him to obtain information not intended for him (personal data), thereby acting to the detriment of the business. Mateusz M. was accused by the prosecutor under Article 267 § 1 of the Polish Penal Code.

Chapter XXXIII. Crimes against protection of information
(…)
Article 267.
§ 1. Whoever, without being authorised to do so, acquires information not destined for him, by opening a sealed letter, or connecting to a wire that transmits information or by breaching electronic, magnetic or other special protection for that information shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to 2 years.
§ 2. The same punishment shall be imposed on anyone, who, in order to acquire information to which he is not authorised to access, installs or uses tapping, visual detection or other special equipment.
§ 3. The same punishment shall be imposed on anyone, who imparts to another person the information obtained in the manner specified in § 1 or 2.
§ 4. The prosecution of the offence specified in § 1 – 3 shall occur on a motion of the injured person.

Mateusz M. had browsed through an internet company's website and found that the service contained serious programming errors. He entered the following string of characters into the login form: “' or 1 = 1” (and repeated this operation in the password field), which resulted in him being logged into a random user account; this allowed him to gain access to several user accounts and their personal data. Mateusz M. decided to exploit this opportunity and made contact with the company’s representatives. He informed them that he had detected a gap in their website security which allowed him entry to the marketing database of firms owned by or connected with the company which operated this online database. In the meantime, Mateusz M. checked other websites and online services created by the authors of the first website. He found that all of them contained the same programming errors, because all these websites were built using the same content management system (CMS). Mateusz M. was invited by the company to sign a contract to remove these programming errors. He was also presented with a non-disclosure agreement (NDA), which he signed. However, the NDA’s date was set prior to the date he had detected the programming errors, and this was used by the company to enable the police, who were co-operating with the company, to arrest Mateusz M.

During the pre-trial proceedings the court’s expert in the field of information technology stated that in his opinion Mateusz M. had used “a form of attack on the company’s database called SQL Injection”; the aim of such an attack is “to extract confidential information from the database and to disrupt its operation”. In the course of the proceedings before the court, the District Court in Głogów allowed the counsel for the defence to submit evidence from another expert.

The second expert provided the court with an opinion that by introducing the string “' or 1 = 1” Mateusz M. had not made any breach of the database, he did not crack any password allowing for access to the database, he did not type or insert any software code, and he had not affected the functioning of the database in any way. According to the second expert, Mateusz M. had not removed the database security, and he had not changed the access password, nor did he create any new accounts in the database. In this expert’s opinion, the introduction of the said string by Mateusz M. should be considered an “SQL Injection” method that was used to circumvent the protection of a database, but it was permitted by the improper and inadequate protection scheme applied to the database by its creators. The “Sign in” form of the database was designed in such a way that any string of characters was accepted as input for this type of form. The database authors had not implemented any solutions to verify whether the database stored a user name or password attached to such a string, and as it had not, the database did not generate a proper error message.
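The weakness the second expert describes, next to a corrected form, as an added example (not code from the case file or from the article). The schema, account and function names are constructed; the article does not give the site's actual query, so against this SQLite statement the quoted string produces a parse error rather than a login, which still shows form input being read as SQL instead of as data.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-salt"   # fixed only to keep the example short
QUOTED = "' or 1 = 1"        # the string as the article quotes it

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db():
    """Constructed one-account database; schema and names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice", pw_hash("correct horse")))
    return db

def login_concatenated(db, login, password):
    """Weak form: the login field is pasted into the SQL text, so a quote
    in the input is read by the SQL parser as syntax, not as data."""
    sql = ("SELECT login FROM users WHERE login = '" + login +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_bound(db, login, password):
    """Corrected form: input travels as a bound parameter, and the code
    verifies that the stored record matches what was typed."""
    row = db.execute("SELECT login, pw_hash FROM users WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        return None
    stored_login, stored_hash = row
    ok = (stored_login == login and
          hmac.compare_digest(stored_hash, pw_hash(password)))
    return stored_login if ok else None

def breaks_statement(db, login, password):
    """True when the input made the concatenated statement fail to parse."""
    try:
        login_concatenated(db, login, password)
    except sqlite3.OperationalError:
        return True
    return False
```

With bound parameters the quoted string is compared as an ordinary login name that matches no account, so the sign-in is refused with a normal "no such user" result.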

The court held that the action of the accused failed to comply with the statutory elements of Article 267. In the court’s opinion, breaching security occurs when the offender destroys or removes the security, or when the impact of the offender’s action on the security temporarily removes its protective function. Thus a person who gains access to sensitive information without breaking any security measures is not criminally responsible.

The court ruling acquitted the accused of all the charges based on art.632(2) Polish Criminal Proceedings Code, and the court held that the costs of wrongful prosecution were to be covered by the state. This decision was final and consequently there are pending amendments to the Polish Criminal Code relating to the aforementioned regulations.