In late August, the Israeli State Attorney, Mr. Shai Nitzan, issued guidelines (number 2.38) outlining the policy on prosecution, case management and sentencing considerations, regarding the offense of unlawful intrusion to computer material (section 4 of the Computers Law, 5755-1995).
The guidelines establish a hierarchical severity of acts that constitute intrusion to computer material. The guidelines explains that severe punishment should commensurate with the harm caused by such acts, taking into account the potential harm caused by computer-related offenses and the public's dependence on computers, including smart-phones.
The guidelines detail the manner in which a prosecutor must evaluate evidence, the considerations that must be weighed before prosecution, the relationship between the offense of intrusion to computer material and other offenses, as well as considerations for sentencing following conviction.
The guidelines adopt the judgment of the Supreme Court in the matter of Nir Ezra [LCrimA 8464/14 The State of Israel v. Ezra], according to which the offense of unlawful intrusion to computer material can arise even when no technological barrier (such as a password or other means of security) is overcome. However, overcoming an information security measure will constitute an aggravating circumstance that in turn increases the public interest in prosecuting the offender.
The guidelines state that instances of intrusion to computer material for a legitimate purpose, such as for information security testing by an authorized party, or intrusion in good faith or in the absence of a clear definition of the limitations of authorized use of a computer, may lead to the conclusion that prosecution should be avoided. The guidelines distinguish between three categories of appropriate punishment in terms of sentencing policy considerations:
- Severe cases - in which the appropriate sentencing is near the maximum imprisonment term for the offense. These cases may include, among others, intrusion to critical national infrastructures, banks and credit-card companies, security agencies, databases containing more than one million records or intrusion aimed at harming national security or by an agent acting on behalf of a foreign country;
- Intermediate cases - these will generally justify actual imprisonment, even if not at the full imprisonment term prescribed by the law. These include intrusion to public agencies that are not considered "critical national infrastructures", business espionage, financial transactions, significant invasion of privacy, intrusion that is ideologically motivated or performed in for payment (hacking), intrusion into databases containing more than 10,000 records of personal information and intrusion into computer material by of two or more offenders acting in concert;
- Minor cases - in which sentencing can be limited to mere probation depending on the circumstances. This category includes all other instances that do not fall into the categories of severe or intermediate cases.
The guidelines also indicate that the Cyber Unit in the State Attorney's Office should be consulted in when issues relating to unlawful intrusion into computer material arise.
The State Attorney 's guidelines are available here (in Hebrew).