Almost half of all businesses - 46% - experienced a cyber breach or attack in 2016/17, according to the 2017 Cyber Security Breaches Survey carried out by the UK government's Department for Culture, Media and Sport (DCMS). During a year-long pilot of its 24/7 helpline, Action Fraud received 377 incident reports, which it was then able to pass on to the National Cyber Crime Unit or local police forces for investigation.
In the face of the growing threat of cyber fraud, it may be obvious that businesses should enforce criminal sanctions against the perpetrators, but businesses must also be aware of the potential civil liabilities which may arise against them following a cyber fraud attack.
Take the typical cyber fraud attack, in which a fraudster hacks into a company's systems and intercepts emails from the company to a customer. The fraudster, acting under false pretences, then emails the customer, attaching a false invoice for services carried out by the company, together with payment details - purporting to be those of the company, but in reality those of the fraudster. The customer pays the invoice by transferring monies into the account on the invoice, and the fraudster makes off with the money.
In this scenario, a number of civil claims could arise against the company. For example:
- what liabilities, if any, are owed by the company to the customer in contract? Close examination of any indemnity clause providing for the company to pay losses to the customer as a consequence of a breach of the contract, and any available exclusion clause, may be necessary;
- does the company owe liabilities in tort to the customer? It might be argued that the company had a duty of care to ensure that the invoicing process did not fail, and it breached that duty of care by allowing the company's system to be hacked;
- there may also be potential liability under data protection legislation for failing to keep the customer's personal data safe, as well as breaches of section 13 of the 1982 Supply of Goods and Services Act and breaches of directors' duties under the 2006 Companies Act.
Some of these issues will, of course, be determined by the facts, the nature of the relationship between the parties and the contractual documentation that is in place.
Faced with potential civil liability, the need for recovery of monies from the perpetrators of the fraud becomes all the more urgent and businesses may wish to consider their options. Civil remedies available might include issuing court proceedings against a fraudster for deceit, conspiracy, dishonest assistance, unjust enrichment and knowing receipt. More draconian and immediate measures may also be considered to prevent dissipation of assets by the fraudster, such as obtaining 'search and seize' orders, and freezing and 'Norwich Pharmacal' orders compelling disclosure from third parties.
UK businesses and other organisations must improve their ability to deal with cyber fraud attacks and prevention is, of course, vital to mitigating the risks. However, when the worst happens, businesses and organisations should defer to a pre-prepared agreed response plan, which should include engaging legal advisors as soon as possible to advise on the potential liabilities they may face - as well as the options available to them to recover monies.
Jennifer Craven is a civil fraud and asset recovery expert at Pinsent Masons, the law firm behind Out-Law.com.