1 Criminal Activity
1.1 Would any of the following activities constitute a criminal offence in your jurisdiction? If so, please provide details of the offence, the maximum penalties available, and any examples of prosecutions in your jurisdiction:
Law No. 03/L –166 "On prevention and fight of the cyber crime" ("Cyber Crime Law") provides for criminal offences related to the misuse of computer systems and computer data, although it does not provide a literal denomination of the criminal offences listed below.
Hacking (i.e. unauthorised access)
Subject to the Cyber Crime Law, unauthorised access to computer systems constitutes a criminal offence punishable by imprisonment for up to three years. Unauthorised actions are classified actions performed by a person: (i) who is not authorised by law or contract; (ii) who exceeds the limits of his/her authorisation; and/or (iii) has no permit and is not competent and qualified to use, administer or control a computer system or conduct scientific research on a computer system.
If such an offence is committed for the purpose of obtaining computer data or violates computer security measures, penalties provided by law are higher and such offences are punishable by imprisonment for up to four years and five years, respectively.
In addition, the Criminal Code (Law No. 04/L-082) provides for the criminal offence of unauthorised access into computer systems. In this regard, whoever, without authorisation and in order to gain unlawful material benefit for himself or another person or to cause damage to another person, alters, publishes, suppresses or destroys computer data or programs, or in any other way enters another's computer system, is punished by a fine and up to three years of imprisonment. If the offence results in material gain exceeding the amount of 10,000 Euros or material damage exceeding the amount of 10,000 Euros, the perpetrator shall be punished by a fine and by imprisonment of up to five years.
Denial-of-service attacks
The serious hindrance of the functioning of computer systems, performed by entering information, transferring, changing, removing or destroying computer data or limiting unauthorised limit to access to such data, is stipulated as a criminal offence pursuant to the Cyber Crime Law, and the perpetrator is liable to imprisonment for up to three years. Such offence shall be punished by imprisonment for up to five years if committed by a member of a criminal organisation.
Phishing
We have not identified a criminal offence provided by the Cyber Crime Law or other applicable laws that would represent phishing. However, each criminal activity that aims to misuse computer systems or computer data should be considered individually to establish whether it constitutes a criminal offence provided for by the Cyber Crime Law or any other applicable law.
Infection of IT systems with malware (including ransomware, spyware, worms, trojans and viruses)
We have not identified a criminal offence provided by the Cyber Crime Law or other applicable laws that would constitute infection of IT systems with malware. However, each criminal activity that aims to misuse computer systems or computer data should be considered individually to establish whether it constitutes some other criminal offence provided for by the Cyber Crime Law or any other applicable law.
Possession or use of hardware, software or other tools used to commit cybercrime (e.g. hacking tools)
Pursuant to the Cyber Crime Law, the illegal production, sale, import, distribution or making available, in any form, of any equipment or computer program designed and adapted for the purpose of committing any criminal offence is punishable by imprisonment from one to four years.
Further, the illegal production, sale, import, distribution or making available, in any form, of passwords, access codes or other computer information that would allow full or partial access to a computer system for the purpose of committing any criminal offence shall be punishable by imprisonment from one to five years.
In addition, the illegal possession of equipment, computer programs, passwords, access codes or computer information for the purpose of committing any criminal offence is punishable by imprisonment from one to six years.
An attempt to commit this criminal offence is also punishable by imprisonment, ranging from three months to one year.
Identity theft or identity fraud (e.g. in connection with access devices)
We have not identified any criminal offence provided for by the Cyber Crime Law or other applicable laws that would constitute identity theft or identity fraud. However, as mentioned above, such criminal activities should be assessed individually.
Electronic theft (e.g. breach of confidence by a current or former employee, or criminal copyright infringement)
Pursuant to the Criminal Code (Law No. 04/L-082), an act of avoiding any of the effective technological measures to safeguard technology or the removal or alteration of electronic rights for data management, as provided for by the Law "On copyright and related rights", shall be punishable by imprisonment for up to three years.
Subject to the Law "On copyright and related rights" (Law No. 04/L- 065), violation of the rights protected by this law would be considered if a person processes, imports for distribution, sells, lends, advertises for sale or lease or keeps for commercial technological purposes a computer program, or carries out services without authorisation, and if such actions: (i) are advertised or traded especially for the purpose of avoiding effective technological measures; (ii) have evident commercial purpose or have been used solely for avoiding effective technological measures; and (iii) are designed, produced, adapted or processed primarily with the purpose of avoiding effective technological measures. An effective technological measure is considered as any technology, computer program or other means intended to prevent or remove a violation of a protected right. Pursuant to the Criminal Code (Law No. 04/L-082), an act of avoiding any of the effective technological measures to safeguard technology or the removal or alteration of electronic rights for data management shall be punishable by imprisonment for up to three years.
Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data
In addition to the criminal offences listed above, the Cyber Crime Law also provides for the following criminal offences related to computer systems and computer data: the unauthorised entry of data; change or deletion of computer data; and the unauthorised limitation of access to such a data resulting in inauthentic data.
Also, causing a loss in assets to another person by entering information, changing or deleting computer data by means of access limitation to such a data, or any other interference into the functioning of a computer system with the purpose of ensuring economic benefits for himself or for someone else, shall be punishable with up to 10 years of imprisonment.
Failure by an organisation to implement cybersecurity measures
We have not identified such a criminal offence provided for by the applicable legislation.
1.2 Do any of the above-mentioned offences have extraterritorial application?
The abovementioned laws that stipulate criminal offences apply to the Kosovo territory. In addition, subject to article 115 of the Criminal Code (Law No. 04/L-082), the criminal legislation of the Republic of Kosovo will also apply to persons who have committed such criminal offences outside the territory of Kosovo, if, according to an international agreement by which Kosovo is bound, such criminal offences should be prosecuted even though committed abroad.
Criminal legislation of the Republic of Kosovo shall also apply to any Kosovo citizen or a foreigner who commits a criminal offence outside the territory of the Republic of Kosovo if the criminal offence is also punishable in the country where the offence was committed. In case of foreigners, these provisions shall apply if the foreigner is found in the territory of Kosovo or has been transferred to Kosovo.
However, the criminal proceedings against a Kosovo citizen or a foreigner for criminal offences committed outside Kosovo territory will not be undertaken if the perpetrator has fully served the punishment imposed in another jurisdiction, has been acquitted by a final judgment and/or released from punishment or punishment has become statute-barred and in cases where criminal proceedings may only be initiated upon the request of the injured party and such a request has not been filed.
1.3 Are there any actions (e.g. notification) that might mitigate any penalty or otherwise constitute an exception to any of the above-mentioned offences?
Subject to article 8 of the Cyber Crime Law, for a category of computer systems to which access is restricted or completely forbidden, the owners and administrators of such a computer system are obliged to clearly and automatically warn the user of this computer system, and to provide him/her with information, as well as conditions of use, or forbiddance to use this computer system and legal consequences for unauthorised access to this computer system. Failure to comply with such an obligation is considered a misdemeanour and the perpetrator is punished with a fine ranging from 500 to 5,000 Euros.
1.4 Are there any other criminal offences (not specific to cybersecurity) in your jurisdiction that may arise in relation to cybersecurity or the occurrence of an Incident (e.g. terrorism offences)? Please cite any specific examples of prosecutions of these offences in a cybersecurity context.
The Criminal Code provides that issuing blank or false cheques and the misuse of bank or credit cards constitutes a criminal offence. Such an offence is defined as an act committed for the purpose of gaining unlawful material benefit for the perpetrator or for another person, by issuing or placing into circulation cheques for which the perpetrator knows are not covered by material means. The placing of false cheques or counterfeit credit cards is punished by a fine and imprisonment for up to three years. In relation to prosecution of this criminal offence in a cybersecurity context, there is a case pending before Kosovo courts where the defendant has been prosecuted for violation of the Cyber Crime Law, specifically for the possession or use of passwords, hardware, software or other tools to commit cybercrime.
To view the full article please click here.
Previously published in The International Comparative Legal Guide
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
