Is there a statutory obligation to report cybercrime

Sebzy

If an individual witnesses a cybercrime offence as defined under "Criminal Justice (Offences Relating to Information Systems) Act 2017" is there any obligation to report said offence to the Garda?

Peregrinus

There is no general requirement to report crime to the guards in Ireland. There are mandatory reporting obligations for certain classes of people for certain offences, but if the case doesn't come within those, there's no public legal obligation to report it.

rom

If it is a data breach for example then under GDPR then yes.

Peregrinus

rom wrote: »

If it is a data breach for example then under GDPR then yes.

Does GDPR impose a mandatory reporting obligation on anyone who witnesses a data breach?

ohnonotgmail

Peregrinus wrote: »

Does GDPR impose a mandatory reporting obligation on anyone who witnesses a data breach?

not on anybody that witnesses a breach but it does impose a reporting obligation on the data controller

https://www.dataprotection.ie/en/organisations/know-your-obligations/breach-notification

GerardKeating

ohnonotgmail wrote: »

not on anybody that witnesses a breach but it does impose a reporting obligation on the data controller

If the "witness" benefited (directly or indirectly) from the data breach, would that make a difference ?

Doesn't seem to be policed enthusiastically by the Data Commissioner based on what was reported about one Irish Bookmaker in an incident from a few years ago.

ohnonotgmail

GerardKeating wrote: »

If the "witness" benefited (directly or indirectly) from the data breach, would that make a difference ?

I dont see why. they are not data controllers. the obligation is on data controllers. I have another persons data sent me regularly because they keep using my email address by mistake. there is no obligation on me to report that to anybody.

Peregrinus

GerardKeating wrote: »

If the "witness" benefited (directly or indirectly) from the data breach, would that make a difference ?

There's no general obligation to report a crime, and this is so even if you yourself are the criminal, or if you benefitted in some way from the crime. And I'm not aware that there's any special rules which would make the position different if the crime happens to be a data breach.

Separately, if someone benefits from a crime then you might want to look very closely at the detailed facts of the case, since it's possible that they might show there's a case to be made that the person is guilty of aiding and abetting, or conspiracy. The fact that the person benefits doesn't itself prove this, or come anywhere near proving it, but it may at least suggest the possibility, which could be worth investigating.

If someobody is aware of a crime but didn't report it or take any other action in relation to to it, that might help to build a case that they were complicit in the crime - maybe they didn't report it because they were part of the group that perpetrated it. On the other hand, maybe there was some other reason - e.g. maybe they didn't report it because they were afraid they would lose their job, or damage their relationship with their employer, or because the perpetrator was their friend and they didn't want to see him get into trouble.

Tl;dr: Non-reporting of a crime from which you have benefitted is not an offence. And, while it might give rise to a suspicion that you were complicit in the crime, or guilty of conspiracy or aiding and abetting, it's not evidence that you were.