On December 20, 2022, Law No. 21,459 comes into force. It amends the old Computer Crimes Law and establishes new rules on this type of crime, updating them to current needs.
To review the scope of this new regulation, BH Compliance and BCP Abogados held a webinar this Thursday, July 25. The panel was composed of Katherine Barcia, Legal Manager LAHC of ADP, and Iván Millán, Director of Compliance of BCP Abogados; from BH Compliance, Ramón Montero, Legal and Compliance Manager, gave the presentation and Susana Sierra, CEO, moderated.
The CEO of BH Compliance began the activity with a brief introduction on compliance and its arrival in Chile with the Criminal Liability of Legal Entities Law, to whose catalog crimes have since been added, computer crimes being the last ones to be added. She also stressed the need to look at compliance from a broader concept, as is done in other countries, in which the risks faced by companies, which increase over time, are analyzed, and in which greater importance is given to generating evidence that shows companies are doing everything possible to prevent crimes.
Ramón Montero then referred to the details of the new law, highlighting that it is in line with the Budapest Convention – an international agreement to combat transnational organized crime, specifically computer crimes – and that it establishes norms and modifies legal bodies such as the Criminal Procedure Code, Law 18,168 (General Telecommunications Law) and Law 20,393 on the Liability of Legal Entities. All of the above is consistent with the regulations on Personal Data Protection. He also referred to each of the eight crimes contemplated in the new law, where the first four already existed in the repealed regulation, adding four new ones: attack on the integrity of a computer system, illicit access to a computer system, illicit interception, attack on the integrity of computer data, computer forgery, reception of computer data, computer fraud and abuse of a device.
For his part, Iván Millán stressed the importance of identifying and addressing risks within companies, establishing an information security policy; assigning roles and responsibilities; recruiting IT personnel with technical skills, but also knowledge of compliance; restoring assets or establishing access expiration; taking care of the management of mobile devices and remote work; generating access controls to systems and dependencies, through the creation and expiration of users or password management; taking care of user authentication and cryptography.
Katherine Barcia advised on how companies can implement better controls in the face of the new law. In this regard, she pointed out that this regulation cannot be looked at in isolation and that all areas must be involved, but under a professional with experience in the matter, who is independent of the compliance officer, and who is related to the IT area. She also emphasized that the law must be adapted to the reality of each company, through existing policies and by including a special chapter with internal regulations detailing the risks and how to prevent them. At the same time, she emphasized the role of the board of directors in supervising and directing compliance with this new law.