This means that an IT or It Security Director will only be liable in his personal capacity when he is the perpetrator of the crime, that is, when he has carried out the act alone, jointly or through another that he has used as an instrument. This is established in article 28 of the Criminal Code.
Also considered perpetrators are those who directly induce another person or persons to execute the criminal act and those who cooperate in its execution with an act without which it would not have been carried out.
As we can see, in all these cases the Criminal Code requires a direct and intentional involvement of the manager in the execution of the acts. This involvement may consist of direct participation in the criminal act or the issuance of orders and instructions leading subordinates to commit the crime.
Technological crimes admit no other form of commission than intentional. That is, they cannot be committed out of recklessness. They demand active and intentional conduct from the subject, a deliberate will to commit the crime.
Jurisprudence has developed the concept of criminal liability for omission, in which a manager may incur with respect to criminal conduct carried out by those who occupy subordinate positions in the business organization. For this figure to occur, the director must have knowledge of the facts and power of disposition over them, omitting the exercise of the powers of his position to prevent the crime.
To this end, it is necessary that the manager has sufficient data to know that the conduct of his subordinates, carried out within the scope of his functions and within the framework of his managerial power, creates a criminal risk, and it is also necessary that the manager does not exercise the powers of control that correspond to him over the subordinate and his activity, or does not act to prevent the criminal act.
This wilful tolerance, which would place the manager in the sphere of authorship, is independent of the rank of the manager, since there will be criminal liability for omission provided that the manager has a position of guarantor, that is, an obligation of supervision and control over the acts of his subordinates.
Therefore, in order for the directors of an IT Department or a Computer Security Department to be declared criminally responsible for a crime committed by one of their subordinates, the level of involvement of the manager in the facts must be high, through direct authorship or knowledge and wilful tolerance of the acts of their subordinates.
The deliberate lack of control over risks with a medium or high probability level could be assimilated to intentional tolerance, although it will be necessary to analyze the circumstances of each case.
Complete content in original source Expansión
