Cybercrime as a challenge for modern criminal law
Cybercrime is one of the most dynamically developing areas of contemporary criminal law. With the rapid development of information and communication technologies, we are observing an equally rapid evolution of online crime, which translates into a growing threat to the security of individuals, public institutions, and businesses worldwide.
In modern society, the internet has become not only a fundamental tool for communication but also an indispensable element of everyday life, work, and education. However, the growing reliance on the global network has led to a proportional increase in the number and complexity of crimes committed via it.
The scale and causes of the increase in cyber threats
Recent years have seen a significant increase in cyberattacks, with motives ranging from financial to political to ideological. This phenomenon is driven by factors including the tense geopolitical situation, the dynamic development of artificial intelligence, and the increasing availability of high-performance computing power, for example, through cloud computing. Estimates suggest that approximately 20% of all crimes committed in Poland are cybercrimes.
The increasing digitalization of economic processes makes companies particularly vulnerable to hackers. Such activities can result not only in data loss or IT infrastructure disruption, but also in significant financial and reputational damage that can impact the continued operation of the organization.
The effects of cyberattacks on businesses
The consequences of cybersecurity breaches are both short-term and long-term. According to Harvard Business Review, the direct impact of an attack primarily includes data loss and operational disruption, but the indirect effects can be even more severe. These include loss of competitive advantage, lower credit ratings, a decline in the company's market value, and a loss of customer and business partner trust. In the broader context, cyberattacks can lead to a slowdown in economic innovation and reduced investment in the technology sector.
Types of attacks and methods of operation of cybercriminals
There are essentially two main methods of attacking IT systems. The first is a technical attack, carried out using specialized IT knowledge and programming tools that allow for the direct breach of system security. The second is a social engineering attack, which involves manipulating people to obtain information about organizational structure, security procedures, or employee habits for later use in a breach. In practice, both methods often occur together, complementing each other.
The most common forms of attacks on enterprises are ransomware attacks, which block access to data in order to extort a ransom, and DDoS (Distributed Denial of Service) attacks, which overload servers and disable services.
Legal aspects of cybercrime
Hacker attacks are criminal offenses punishable under the Penal Code. These acts are prosecuted ex officio, meaning law enforcement agencies are obligated to initiate proceedings upon receiving notification of their commission. A company that has fallen victim to a cyberattack acquires the status of aggrieved party, which grants it certain procedural rights, including the right to submit evidentiary motions, participate in proceedings, and demand compensation for damages.
Obligation to notify law enforcement authorities
Every hacker attack should result in an immediate criminal report being filed. Filing the report has significant procedural implications, and it should be submitted to the prosecutor's office or the police. The report should provide a chronology of events, describe the incident's effects, and include all possible electronic evidence, such as system logs, network traces, and security reports.
Failure to report an attack may have not only practical but also legal consequences, particularly for institutions covered by the National Cybersecurity System Act (Journal of Laws of 2018, item 1560) or the GDPR. Failure to respond to an incident may be considered a breach of legal obligations and result in administrative sanctions.
Obligations arising from personal data protection regulations
Under the GDPR, a company that is the victim of a cyberattack is obligated to implement a security incident response procedure. If the attack results in a personal data breach, the data controller is obligated to report the breach to the President of the Personal Data Protection Office within 72 hours and notify the data subjects.
The importance of appropriate response and due diligence
From a criminal law perspective, a hacker attack qualifies as an information protection offense. A company that has fallen victim to a hacker attack has not only the right, but also the obligation, to notify law enforcement authorities. A prompt and appropriate response, including securing evidence, analyzing the incident, and notifying the appropriate institutions, demonstrates due diligence in protecting information and personal data.
Meeting these obligations is crucial from both a legal and reputational perspective. Responsible cybersecurity incident management fits into the broader context of a culture of compliance and building trust in business relationships.
This article is for informational purposes only and does not constitute legal advice.
The law is current as of November 5, 2025.
