Phishing in Troubled Waters

29 May 2014

Late last year, a group of information security experts gathered with government officials to hack into the deep intestinal computers of London’s financial district. The purpose of the exercise, dubbed “Waking Shark II”, was to test whether the UK’s banks and stock exchanges – that is to say, the UK financial system – could withstand a major cyber-security attack.

While the exercise was just a simulation, real incidents do occur with astonishing frequency. In January this year, for example, Tony Colston-Hayter, who achieved notoriety in the late 1980s as the foppish progenitor of rave, admitted to conspiring to steal £1.3m by taking control of computer systems at a popular UK high-street bank through a surreptitiously placed desktop device.

The exploitation of weaknesses in an organisation’s IT systems can result not only in significant losses through data theft or reputational damage; it also poses a real risk of civil action or regulatory enforcement and fines. Technical and organisational measures to prevent hacking are not only necessary to shore up defences against data breaches, but are also a legal obligation under the seventh data protection principle of the Data Protection Act 1998.

In the event of a security breach, what legal action can be taken against digital aggressors? To answer this question, it is worth considering what “hacking” actually is. A working definition might be: deliberate unauthorised intrusion upon or interference with the operation of another’s computer systems, software or data.

As in the case highlighted above, in which Colston-Hayter admitted to having in his possession 400,000 documents – including personal mail and bank details – such intrusion or interference will involve some access by the perpetrator to confidential business information and the personal data of individuals. Civil actions may therefore be brought against a hacker on a number of grounds: misuse of confidential and/or private information, misuse of personal data and intellectual property infringement being the most common. Hackers may also be prosecuted for computer misuse, and the “data theft” offences in section 55 of the Data Protection Act 1998.

The advantages of criminal proceedings are, of course, rooted in the fact that the perpetrators of the attack will be punished, which theoretically serves as a deterrent against future attacks.

The disadvantages, however, are significant. The criminal law affords no direct remedy to the targets or victims of hacking. Unlike a civil claim, there is no compensation available, and criminal proceedings consume management time which could otherwise have been spent investigating the security breach and mitigating any losses sustained.

Criminal proceedings can also lead to adverse publicity, much of which, with proceedings sub judice, a company would be unable to rebut, and any publicity about the attack could encourage others to try their luck on what may be perceived to be a weak system.

Civil proceedings would allow an injunction to be obtained to prohibit further attacks. Injunctions are both prospective and preventative and, with a penal notice attached (meaning a breach amounts to contempt of court), help to focus the mind of the perpetrator with rather more acuity than some vague apprehension of being caught. Civil actions also provide financial redress for the victim of a cyber-attack, meaning that an organisation, which may have had to spend a significant sum to remedy a breach, could recoup some or all of its losses.

As with any legal action, the costs in time and resources can be prohibitive: there is no substitute for the implementation of a robust IT-security system, rigorous staff training and detailed policies and procedures. Cyber-attacks are, unfortunately, almost at the level of the inevitable and, with the attendant risks of reputational damage or regulatory action, prevention really is better than cure.

About the Author

Phil Hartley

Senior Legal Adviser

Phil specialises in protecting the reputations, privacy and information security of high profile individuals and international companies.

© 2020 Schillings International LLP. SCHILLINGS is a trading name of Schillings International LLP and Schillings International (USA) LLP.