As cyber crime continues to hit the headlines English courts are starting to adapt the traditional remedies used to tackle tech-heavy disputes
The effect of cyber fraud has increasingly become headline news. From last year’s high-profile ransomware attacks and mass-data breaches across multiple sectors, to this year’s controversy around the use of personal data by Facebook and third parties it works with, cyber fraud poses a devastating threat even to the most sophisticated corporates. Much is written about the increasing boardroom focus on these issues, and the significant penalties and group claims that companies and their directors might face when subject to such cyber attacks. But how, when disaster strikes, can traditional English law remedies assist these companies to fight back and take steps against the perpetrators, even when their identity is unknown?
This article explores briefly the current legislative framework regulating cyber space, and then questions how English civil law and its remedies can keep pace with and adapt to new challenges posed by developments in technology, and be used to assist victims of cyber crime to bring claims to help recover their losses.
Cyber space: the current legislative framework
The legal infrastructure governing cyber space is broad. It includes a patchwork of EU regulation that has been developed to impose various risk management, reporting and notification obligations on data controllers and processors that may fall victim to cyber attacks. The Network and Information Security Directive ((EU) 2016/1148) (also known as the Cybersecurity Directive), is due to be implemented by the UK in May 2018 and the General Data Protection Regulation (GDPR) ((EU) 2016/679), will take effect later in that month. These together contain strict compliance, notification and reporting obligations, and provide for very large penalties in the event of breach.
GDPR will be policed in the UK by the Information Commissioner’s Office, which can be expected to become increasingly active and high profile. Having previously been limited to toothless financial penalties of £500,000, its enforcement powers will now extend to fines of up to €10m or 2% of worldwide turnover. The Financial Conduct Authority will have equivalent powers, and severe penalties for regulated firms and their senior managers/directors may become the norm.
Domestically, the key source of cyber crime offences is the Computer Misuse Act 1990, as amended by the Police and Justice Act 2006 and the Serious Crime Act 2015. By their very nature, however, prosecutions under this legislation are often resource intensive and time consuming. Although there does appear to have been an increase in the appetite of the authorities, such as the Crown Prosecution Service and the Serious Fraud Office, to pursue such prosecutions, the delays involved and lack of control over the process for victims can be frustrating.
Cyber crime legislation adds little to civil remedies when it comes to recovery by victims of their monetary assets. While it might be possible to recover such sums following successful prosecution (for example, if the court imposes a compensation order on sentencing), this is predicated on the identification and seizure of the assets. In a sophisticated cyber fraud, such compensation orders are unlikely to be of practical benefit to a victim, where a hallmark of the fraud will usually be rapid international distribution and attempted laundering of the proceeds.
Adapting traditional civil remedies to cyber fraud
Against this difficult backdrop, pursuing civil remedies may be the best alternative – or even a necessity – for corporate victims of cyber fraud. In England, there are various traditional civil law actions available, including the torts of deceit and conspiracy. Further, the concepts of unjust enrichment, knowing receipt and dishonest assistance can all effectively be adapted to the modern methods used by cyber fraudsters.
While litigation of this type can be resource intensive, it can be progressed quickly: one of the key benefits lies in the ability to freeze and trace stolen assets relatively quickly and efficiently, maximising a victim’s chances of recovery in multiple jurisdictions. Importantly, control of the civil claim lies with the corporate and this can be invaluable, particularly from a corporate governance perspective in the case of larger organisations.
Where funds are stolen, there might also be scope to consider a claim against the bank that permitted the misappropriation. However, the more sophisticated the fraud, the less likely it will be that a claim can be framed against the bank based on, for example, alleged breach of its mandate in allowing fraudulent payments. Even if those difficulties can be overcome, there might often be commercial or other reasons why organisations will not want to target their banking providers with these claims.
That said, corporate victims may need to take steps to mitigate losses – whether against banks or the potential perpetrators – particularly if seeking to recover losses under any available cyber-crime insurance policy. It may not be enough to rely on criminal authorities to investigate and prosecute themselves.
What is clear is that both an effective strategy and swift action are required. It is imperative for corporates to approach specialist lawyers immediately following discovery of the fraud; whatever steps are taken in seeking to recover misappropriated assets will invariably be time critical.
Turning technology against the cyber criminals
As has been widely reported, Cooke, Young & Keidan has recently obtained a worldwide freezing order against ‘persons unknown’ who committed cyber fraud through a sophisticated attack, which led to unauthorised payments being made out of the victim’s bank accounts.
It is believed this was the first reported order of this type to be granted by the English courts against ‘persons unknown’ and ancillary disclosure orders were obtained against a significant number of third parties into whose accounts stolen money was transferred. Novel orders in relation to service were sought and granted, which included service by use of online data rooms and through Facebook. This allowed for the service of a large volume of documents globally both efficiently and cost effectively. The methods employed have so far yielded significant results, including steps to freeze and ringfence accounts worldwide, and obtaining valuable information to support tracing and recovery of stolen funds. Action to recover funds is continuing at the time of writing and significant recoveries have been achieved so far.
Is English law keeping pace with technological advancements?
It is clear that the courts are ready and willing to adapt traditional civil remedies in order to assist in tackling the growing threats posed by cyber crime, technological advancements and the new realities of how this fraud is undertaken.
In the same way, adaptable civil remedies will likely play a significant role in resolving other problems created by digital developments. The remedies above could equally apply to alleviate some of the problems associated with ‘anonymous’ internet technologies, such as distributed ledger technologies – the most notable example being Blockchain, which acts as a ledger for Bitcoin transactions. Such technologies often guarantee anonymity through the use of cryptography. However, where an exchange is used for these transactions, obtaining a worldwide freezing order, followed by a properly-targeted disclosure order against the owners of the exchange server, could offer an effective remedy. It is yet to be seen whether such enforcement methods will be successful, but in the interim, these remedies appear to be the most effective available while the debate continues about how distributed-ledger technologies and cryptocurrencies should be regulated.
What is clear is that while regulation and legislation will always be playing catch up, the English courts are increasingly willing to adapt and grant novel remedies, with international scope and application, having regard both to technological developments and innovative commercial litigators.
Sinead O’Callaghan, partner at Cooke, Young & Keidan
About Cooke, Young & Keidan
Cooke, Young & Keidan is a leading boutique of commercial disputes lawyers acting for national and international corporates, and high-net-worth individuals.
The firm offers a full range of commercial dispute resolution expertise, including civil fraud, financial services (both litigious and contentious regulatory), partnership and trade disputes, and arbitration across a wide range of sectors and industries.
The firm is known for outstanding successes in complex cases, thanks to its experience, innovation and tenacity. Its specialist focus makes it free of conflicts of interest, meaning that it can act effectively against most financial institutions and substantial multinational companies.
