IT outsourcing services carry the risks of criminal prosecution. Why can they put employees of the performer?

Evgeny Russkevich classified criminal legal risks in this activity, identifying 3 main groups.

1 risk group - non-specific, it flows from nature outsourcing IT Infrastructure as an economic activity. It includes the risk of criminal liability when a statement of non-fulfillment or improper performance of certain obligations occurs, followed by characterization of the contractor's actions as fraud.

This is a well-known problem in the field of economic activity, when civil law relations are replaced by criminal law relations. Moreover, the position that the subject initially had the intention not to fulfill his obligations, but to steal property under the guise of civil law relations, is always quite vulnerable. In the IT-Business, there are already court decisions under Art. 159 of the Criminal Code (fraud), and there this risk is visible. As an example, Evgeny Russkevich cited an unnamed company that ordered another ERP system from.

The customer was large, with a large number of divisions and the project was large and complex. During the project, the customer, being dissatisfied with the services, stopped providing access to the contractor to the territory of his organization and stated that there was no execution. But at that time, a demo version of the system was already functioning, which was tested with the participation of some customer departments.

In the future, criminal prosecution was built with the indication of such circumstances as, for example, that the customer was given not the final, but a demonstration version of the ERP system. Despite the fact that this version already had a certain functionality, the TK did not explain the specifics of how the demo version can differ from the final one.

Despite this and the fact that subsequently physical access to the customer's site was blocked for the contractor, because of which he could not continue work on the project, the deed was qualified as fraud on an especially large scale.

The reference was to the fact that the original amount of the contract was then increased three times. But this market is quite mobile, says Yevgeny Russkevich, and it is not always possible to agree on the final value of the product, because the complexity of the final decision is not always clear. In such cases, additional agreements may be made to the contract.

Activities in the field of IT outsourcing are associated with a number of criminal legal risks "(photo - sky-dynamics.ru)"

The expert also refers to the first group of risks as the risk of criminal prosecution for involvement in tax evasion. Here we are talking about when outsourcing is a form of tax evasion, for example, from paying personal income tax through schemes of artificial business fragmentation and the substitution of labor relations by outsourcing to switch to another tax system.

General distrust of outsourcing affects the fact that often any interaction with such a company is perceived as an attempt to evade taxes, and the assistance of this company is either co-execution or complicity in such evasion, depending on how much their consistency in achieving this goal is revealed. According to Yevgeny Russkevich, there are examples when outsourcing really had a rigged character, when TK were executed in fact by the team of the same customer.

The first group of professors includes the risk of criminal prosecution in a situation where the organization that maintains the website of another company or provides for these processes decides to protect its right in case of complete or partial evasion of the return performance of obligations. For example, in case of non-payment of services for the work performed, the contractor provides for blocking the customer's website.

According to Evgeny Russkevich, blocking of a resource in such cases gives rise to a situation of criminal prosecution if not according to Article 272 (illegal access to computer information) or 274 articles of the Criminal Code of the Russian Federation (violation of the rules of operation of means of storage, processing or transfer of computer information and information and telecommunication networks), then, at least, according to Article 330 of the Criminal Code of the Russian Federation (arbitrariness).

2 The risk group relates to possible responsibility for the unlawful collection or dissemination of information relating to a particular type of secret. An extremely important component of the IT outsourcing contract is the definition of special conditions for the transfer, storage and processing of restricted information. By definition, the executor in this area will always contact confidential information related, for example, to bank secrecy, commercial secrecy, or affect the personal data of employees of the organization, etc.

In existing law enforcement practice, while the implementation of the risk of criminal prosecution is quite banal, the professor notes: these are attackers who, using the possibilities of their access to trade secrets, steal it. There is an example of theft of the customer database and its transfer to third parties. The perpetrators were convicted in this case under Art. 183 of the Criminal Code (illegal receipt and disclosure of information constituting commercial, tax or bank secrecy).

If the agreement between the parties does not clearly explain such conditions for the customer and the contractor, then in the event that the customer may find that this information was somehow processed, certain issues may arise that may not be limited to civil legal proceedings or mediation, but may go into the criminal legal sphere.

A sensitive problem in the field of outsourcing services is when the contracting authority initially asks the outsourcer to organize surveillance of employees without their knowledge, and this is a hidden condition for establishing cooperation. Such an example took place in the field of cosmetic medicine, when the customer wanted to fight the "left" work of doctors in the workplace. Surveillance was carried out not without the participation of the company, which provided support for the website of the medical organization, and the internal system, and funds were used to secretly obtain information. In such a case, criminal prosecution is possible under several articles at once.

3 The risk group is derived from the activities of the outsourcer as the entities responsible for maintaining stable and safe operation of the ICT infrastructure facilities of the client company. These risks can be divided into two groups. The first is a traditional problem. Outsourcers who are engaged in providing the IB and organizing the customer's information infrastructure are forced to somehow test systems for security and conduct pentests.

The problem is that Art. 273 of the Criminal Code of the Russian Federation (creation, use and distribution of malicious computer programs) speaks of the creation and use of malware, without highlighting from this norm the situation when the same malware can be used to check the system for penetration.

Those programs that are used in operational-search activities are called special technical means, and as for this area, this has not been decided in any way, except that the comments in the doctrine write that Art. 273 of the Criminal Code does not apply to these situations. However, it will not work here to rely on the structure of the disposition, you can only rely on the general signs of crimes, referring to the fact that there is no public danger here, that malware is used for testing with the consent of the customer. But here the question arises whether the customer's consent eliminates the use of malware.

And finally - the risk of responsibility for violation of the rules for the operation of information infrastructure facilities. There is already mentioned above Art. 274 of the Criminal Code. Evgeny Russkevich notes that she is still not working due to her disposition. More interesting in this case is part 3 of Art. Art. 274.1 of the Criminal Code (unlawful impact on the critical information infrastructure of the Russian Federation). Outsourcers, entering into appropriate relations, take responsibility for the proper operation of facilities, for ensuring their safety, etc., and can become the subjects of crime.

Doctor of Law, Professor Yuri Truntsevsky in his article pointed out that the subject of the Research Institute can, within the framework of outsourcing relations, transfer the operation, service of this system to a third-party organization, and those, in turn, will become subjects of responsibility for violations of requirements. Evgeny Russkevich agrees with this, and believes that practice in this area can go, especially taking into account the legal position under Art. 143 of the Criminal Code of the Russian Federation (violation of labor protection requirements), where the question of violating labor protection requirements was decided by the Supreme Court: if the company hired a third-party organization to ensure labor safety, they are also subjects. The same model can be transferred to outsourcers.

The material was written on the basis of a speech by Yevgeny Russkevich at the conference "Criminal Law Risks of Information Service Providers," held in April at the Moscow State Law University named after O.E. Kutafin (Moscow State Law University).

See also

Criminal cases in the information technology market of Russia

How to work with government customers in IT and not get behind bars?