The year 2022 has been a year of changes in the area of Compliance, changes that have followed a sustained trend of previous years and that could continue in future reforms, such as the potential publication of the criminal reform with the systematization of economic crimes and crimes against the environment, currently in the second constitutional procedure (Bulletins 13205-07 and 13204-07).
In the area of criminal liability of legal persons (Law No. 20,393), we have seen a series of amendments such as the publication of Law No. 21,325 on migration and control of foreigners; Law No. 21,412 on the strengthening of arms control (regulated in Law No. 17,798); and the very recent publication of Law No. 21,488, which includes criminal offenses related to the theft of timber.
However, the event that has caused the greatest repercussion in the national media has been the publication of Law No. 21,459 on computer crimes. The new law repeals Law No. 19,223 and seeks to implement the objectives of the Budapest Convention (signed by our country in 2017, and whose second protocol was ratified this year): harmonizing the substantive law of each member country with the new requirements, implementing procedural measures for prosecution, and favoring international cooperation. Thus, new criminal offenses have been incorporated, such as the attack on the integrity of a computer system; illicit access; illicit interception; an attack on the integrity of computer data; computer forgery; receiving computer data; computer fraud; and abuse of devices. All these criminal offenses have been extended to the legal person, which will be effective as of December 20.
Along with the above, recent cybersecurity attacks against some state institutions have prompted debate on whether companies and institutions are prepared to face these threats.
Given this strong trend of change, and echoing the common questions, I propose seven recommendations on how to address these issues in Compliance Programs, especially in those focused on the Law on Criminal Liability of Legal Entities.
First, make a diagnosis of what is already implemented in the company and of its shortcomings; for example, it is likely that there are already policies and/or controls focused on information security, access, segregation of duties, etc. In this sense, it is recommended to always avoid creating controls that do not make sense for the normal operation of the company.
Secondly, not all crimes will be equally applicable to legal entities; let us not forget that, to apply to the company, they must have been committed for its benefit. For example, if a database obtained as a result of illicit access to the systems of another entity is purchased, it could well be understood that this implies a benefit, since the company can use such information for its benefit (receiving computer data). However, it seems less likely that the company will obtain a benefit when its own systems are attacked or have suffered illicit access.
As a third point, it is recommended that risks be identified according to the company’s operations or areas and not by the type of crime, adopting a preventive approach as far as possible. Thus, the company should examine its risk areas, asking itself, among other questions: What are my most critical operations? Can I identify my information flows? Are the company’s functions properly segregated? What type of information or data do I handle?
Fourth, evaluate the technical competencies of the company’s teams, since the trend points to the need for increasingly qualified professionals. With this in mind, conversation between the different areas must be promoted, since joint action will imply a more efficient use of resources. Fifth, clear roles, responsibilities, and access to the company’s systems and devices must be defined, and any contracts that may be affected must be reviewed. As a sixth point, it is essential to engage senior management. Finally, promote training and reinforce the importance of reporting through institutional channels, either to the managers themselves or through whistleblower hotlines.
It is worth mentioning that this approach should be useful not only in this context but also in the face of future changes; compliance is constantly evolving.
* Francisco Bilbao is the Legal and Compliance Director of BH Compliance.