Unauthorized Access to an Entire or Partial IT System – Article 267 § 2 of the Penal Code (k.k.)
Legal Basis
Article 267 § 1 of the Penal Code
Whoever, without authorization, gains access to information not intended for them by opening a sealed letter, connecting to a telecommunications network, or bypassing or overcoming electronic, magnetic, IT, or other special security measures shall be subject to a fine, restriction of liberty, or imprisonment for up to 2 years.Article 267 § 2 of the Penal Code
The same penalty applies to anyone who, without authorization, gains access to an entire or partial IT system.
What Constitutes the Crime of Unauthorized Access to an IT System?
If the perpetrator does not breach security measures but still gains access to an entire or partial IT system, their actions may be classified as an offense under Article 267 § 2 of the Penal Code.
The definition of an IT system is found in legal acts outside the Penal Code. According to Article 1(a) of the Act on the National Cybersecurity System, an IT system is „any device or group of interconnected or related devices, of which at least one, in accordance with a program, performs automatic data processing.”
Gaining access to an entire or partial IT system may result in access to protected data or merely to its configuration (J. Wasilewski, Crime, p. 172).
This offense is punishable by a fine, restriction of liberty, or imprisonment. It is prosecuted only upon the victim’s request.
Examples of Unauthorized Access to an IT System
Example 1
R.K. was accused of unlawfully accessing the IT system stored in the memory of a Samsung G. mobile phone, used exclusively by I.K., between February 1 and February 14, 2015, in an unspecified location. On February 1, 2015, in S., the perpetrator forcibly took the phone from the victim’s hand. Then, no later than February 3, 2015, they accessed stored photos and text messages. (Regional Court in Poznań, case no. IV Ka 5/18)
Example 2
A.Ś. was accused of unlawfully accessing an IT system by using file transfer software between October 2013 and April 2014 in J. and K. He accessed a database containing usernames and corresponding passwords stored in configuration files, thereby acting to the detriment of A.L.K. (Regional Court in Świdnica, case no. IV Ka 720/17)
Example 3
M.W. was accused of unlawfully accessing an email account on April 29, 2014, in W., by logging in from a company computer. After copying email correspondence, he disclosed it before the Regional Court during divorce proceedings. (Regional Court Warsaw-Praga, case no. VI Ka 1461/16)
Legal Issues
Is Gaining Unauthorized Access to an IT System as a Prank Punishable?
Yes. The perpetrator’s motivation is irrelevant—gaining access to an IT system “for fun” may still result in criminal liability. (J. Kosiński, Paradigms, p. 51)
Are Penetration Tests Punishable?
In the case of penetration testers (so-called ethical hackers), Article 269c of the Penal Code may apply, which exempts from liability actions aimed at securing an IT system. More on this topic in upcoming posts.
Legal status as of: August 21, 2021
Cyberlaw by Judyta 