Skip to main content
MENU CLOSE

Why not use the tools you already have to protect your business against cyber crime?

In the most recent edition of the IBA Criminal Law newsletter, John Bechelet and Rebecca Dix of Bivonas Law consider the the potential expansion of the use of private prosecutions to achieve redress for business which have fallen victim to the affects of cyber crime where skilled police resources have failed to keep up with the pace of electronic criminal behaviour; a problem which is estimated to cost the global economy USD $400 billion per annum.

In a global study conducted by the UN Office of Drugs and Crime in 2013, it was found that up to 17% of reported crimes are classed as “cybercrime”. In December 2014, 3.1 billion people, 45% of the world population, had access to the internet and it is estimated that by the year 2020, the number of internet connected devices will outnumber people by six to one.  It is therefore not surprising that global law enforcement is struggling to cope with the rapidly growing scale of criminal investigation into online crime.

In the United Kingdom (UK), the imbalance between lack of specialist law enforcement resources and the capabilities of highly skilled and well funded organised e-crime syndicates is coming to a head.

The UK has 800 specialist internet crime police officers, but with estimates of over 30,000 incidents of cyber crime a day it is clear that investigative resources fall woefully short of that required.

A global cost of USD $400 billion is attributed to cybercrime annually and it is easy to understand why private sector businesses are frustrated by the low number of cyber criminals being brought to justice.

In response, it is anticipated that UK businesses affected by cyber crime will decide to take matters into their own hands by seeking redress through both the civil and criminal courts that will also see a  significant increase in the number of private criminal prosecutions.

In England and Wales, any individual has the right to bring a private criminal prosecution.  This important common law power is enshrined in statute at section 6 of the Prosecution of Offences Act 1985. Lord Mance observed in Jones v Whalley [2006] UKHL 41, that criminal prosecutions;

“may be initiated by private bodies such as high street stores, by charities such as the NSPCC and RSPCA, or by private individuals”.

There is an established pedigree for private criminal prosecutions in areas such as copyright theft. For example, the BPI (the British Recorded Music Industry) frequently brings private prosecutions for offences under section 107 Copyright, Design and Patents Act 1988, as do the Federation against Copyright Theft (FACT).

A relatively recent example is a prosecution by Virgin Media which brought criminal proceedings against three men who took part in a large-scale fraud selling set-top boxes which allowed people unlawful free access to Virgin Media’s cable subscription service. It was estimated that Virgin’s lost revenue as a result of this fraud was £380 million. The private prosecution resulted in convictions for all three men.

In order to privately prosecute it is necessary to first identify the offence which has been committed. The term “cyber-crime” is broad and rather amorphous; cyber-crime offences can be most conveniently divided into 2 categories: (1) cyber-dependant crimes and (2) cyber-enabled crimes.

Firstly, cyber-dependant crimes are offences that can only be committed using a computer, computer networks or any other internet connected device. These acts include hacking, the spread of viruses and malware or distributed denial of service (DDoS) attacks, and generally fall under the scope of the 4 offences set out in the Computer Misuse Act (CMA) 1990, as follows:

Section 1:           unauthorised access to computers

Section 2:           unauthorised access to computers with the intent to commit or facilitate further offences

Section 3:           unauthorised acts with the intent to impair, or being reckless as to the impairment of, a computer

Section 3A:        making, supplying or obtaining articles for use in offences under s1

A cyber-enabled crime is a “traditional” crime which has been facilitated by the use of computers, computer networks or any other internet connected device. Broadly speaking the majority of cyber-enabled crimes fall under two traditional types of offence: Fraud or Theft. Whilst conceptions of the internet and all things cyber rapidly change in this new, hyper-connected world it will soon become hard to imagine a financial or business crime that is not cyber-enabled.

The most widely publicised and often most financially damaging incidences of cyber crime is fraud, and offences of this nature will generally be prosecuted under the provisions of the Fraud Act 2006. Cyber enabled fraud can take various forms, including:

1. Electronic financial frauds, most notably online banking frauds and internet-enabled card-not-present (CNP) fraud,

2. Mass-marketing frauds and consumer scams, including Phishing scams which use disguised fraudulent emails as legitimate email communications and ask for personal or corporate information from users such as passwords or bank account details, and,

3. ‘Pharming’ where an internet user is directed to a fake website and then prompted to input personal details or financial data.

Personal data theft is also a common offence which is facilitated by the use of computers and the internet.

There are a number of offences that are created from the  misuse of computer data, for example: section 55 Data Protection Act (DPA)  1998 which prohibits knowingly or recklessly obtaining, disclosing or procuring personal data without the consent of the data controller; section 1 Malicious Communications Act 1998, which makes it an offence to send indecent or grossly offensive electronic communications with the intent of causing distress or anxiety, and section 127 of the Communications Act 2000 which criminalised the improper use of internet communications, a statute which is now regularly used to prosecute internet “trolls”.

Before commencing proceedings a private prosecutor must first undertake the investigation stage, in the same way that the police are required to investigate a crime. Much of this investigation can be carried out in-house; however it is likely that police assistance will be required as a private individual may not have the power of arrest, to obtain search warrants or the power to conduct a financial investigation into any suspect.

Following the investigation stage, the procedure for commencing a private prosecution is set out in Part 7 of the Criminal Procedure (Amendment) Rules 2015 (“CPR”).

Once all necessary evidence has been gathered, the prosecutor must lay any Information before the Magistrates’ Court in order that a summons can be issued. CPR 7.3 prescribes the format which the Information must take:

“(1)      an allegation of an offence in an information or charge must contain:

(a)        a statement of the offence that –

(i)         describes the offence in ordinary language, and

(ii)        identifies any legislation that creates it; and

(b)        such particulars of the conduct constituting the commission of the offence as to make clear what the prosecutor alleges against the defendant.

(2)       more than one incident of the commission of the offence may be included in the allegation if those incidents taken together amount to a course of conduct having regard to the time, place or purpose of commission.”

When reaching its decision as to whether or not to issue a summons, the Magistrates’ Court will consider the following factors:

1.whether the offence is known to law and the elements are present on a prima facie basis;

2.whether the court has jurisdiction;

3.whether the informant has authority to prosecute (that the permission of the Director of Public Prosecutions (DPP)) has been obtained where the offence in question so requires);

4.whether a limitation period applies;

5.whether the allegation is vexatious.

It is important, therefore that the prosecutor also considered these factors in advance of applying to the Magistrates’ Court.

Once the summons has been issued a private prosecutor may wish to apply for the restraint order over the defendant’s assets, in order to secure realisable assets to make them available for any confiscation order made on conviction, pursuant to Section 40 of Proceeds of Crime Act (POCA) 2002.

Thereafter a private prosecution will follow the same path as a case brought by a public prosecuting authority. The prosecution will be required to put forward its case, and the defendant is afforded the opportunity to put forward a defence.

Unless specified in statute the Magistrate will decide whether the case will be tried in the Magistrates’ Court of before a jury in the Crown Court, and this will be determined by the seriousness and complexity of the offence. Summary offences, such as section 3 offences under the CMA 1990, will be heard at the Magistrates’ Court; whilst indictable offences, for instance a serious fraud, will be heard at the Crown Court. If the defendant is convicted then the court will impose the appropriate sentence against the defendant, which may include a payment of costs to the prosecutor.

Following a successful conviction, it is possible for a private prosecutor to pursue any confiscation proceedings against the defendant under POCA 2002.

In the Virgin Media case referred to above, the Court made a confiscation order in the sum of £11.8 million and Virgin Media was subsequently awarded its costs for the proceedings from central funds, pursuant to section 17 Prosecution of Offences Act 1985.

It is now well established that the costs for a private prosecution in the Crown Court may be payable from central funds. A wealthy Indian businessman, Murli Mirchandani, who was the victim of fraud recently recovered his costs of just over £400,000.00 from central funds and secured a jail term of eight years for the perpetrator.

There are a number of reasons why an organisation may wish to instigate a private prosecution; to prevent a competitor from unlawfully profiting from criminal conduct or  to act as a deterrence for further offending in order to protect a business; for example employee hacking or data breaches. Whatever the reason private criminal prosecutions are a powerful old tool that is still readily available to use in tackling the ever increasing commission of cyber crime.

Originally published in the September 2015 edition of the IBA Criminal Law Newsletter.

Bivonas Law LLP

Bivonas Law was established in 1997 and from the outset has acted in serious criminal and regulatory investigations, together with a number of notorious commercial disputes.

In the most recent edition of the IBA Criminal Law newsletter, John Bechelet and Rebecca Dix of Bivonas Law consider the the potential expansion of the use of private prosecutions to achieve redress for business which have fallen victim to the affects of cyber crime where skilled police resources have failed to keep up with the pace of electronic criminal behaviour; a problem which is estimated to cost the global economy USD $400 billion per annum.

In a global study conducted by the UN Office of Drugs and Crime in 2013, it was found that up to 17% of reported crimes are classed as “cybercrime”. In December 2014, 3.1 billion people, 45% of the world population, had access to the internet and it is estimated that by the year 2020, the number of internet connected devices will outnumber people by six to one.  It is therefore not surprising that global law enforcement is struggling to cope with the rapidly growing scale of criminal investigation into online crime.

In the United Kingdom (UK), the imbalance between lack of specialist law enforcement resources and the capabilities of highly skilled and well funded organised e-crime syndicates is coming to a head.

The UK has 800 specialist internet crime police officers, but with estimates of over 30,000 incidents of cyber crime a day it is clear that investigative resources fall woefully short of that required.

A global cost of USD $400 billion is attributed to cybercrime annually and it is easy to understand why private sector businesses are frustrated by the low number of cyber criminals being brought to justice.

In response, it is anticipated that UK businesses affected by cyber crime will decide to take matters into their own hands by seeking redress through both the civil and criminal courts that will also see a  significant increase in the number of private criminal prosecutions.

In England and Wales, any individual has the right to bring a private criminal prosecution.  This important common law power is enshrined in statute at section 6 of the Prosecution of Offences Act 1985. Lord Mance observed in Jones v Whalley [2006] UKHL 41, that criminal prosecutions;

“may be initiated by private bodies such as high street stores, by charities such as the NSPCC and RSPCA, or by private individuals”.

There is an established pedigree for private criminal prosecutions in areas such as copyright theft. For example, the BPI (the British Recorded Music Industry) frequently brings private prosecutions for offences under section 107 Copyright, Design and Patents Act 1988, as do the Federation against Copyright Theft (FACT).

A relatively recent example is a prosecution by Virgin Media which brought criminal proceedings against three men who took part in a large-scale fraud selling set-top boxes which allowed people unlawful free access to Virgin Media’s cable subscription service. It was estimated that Virgin’s lost revenue as a result of this fraud was £380 million. The private prosecution resulted in convictions for all three men.

In order to privately prosecute it is necessary to first identify the offence which has been committed. The term “cyber-crime” is broad and rather amorphous; cyber-crime offences can be most conveniently divided into 2 categories: (1) cyber-dependant crimes and (2) cyber-enabled crimes.

Firstly, cyber-dependant crimes are offences that can only be committed using a computer, computer networks or any other internet connected device. These acts include hacking, the spread of viruses and malware or distributed denial of service (DDoS) attacks, and generally fall under the scope of the 4 offences set out in the Computer Misuse Act (CMA) 1990, as follows:

Section 1:           unauthorised access to computers

Section 2:           unauthorised access to computers with the intent to commit or facilitate further offences

Section 3:           unauthorised acts with the intent to impair, or being reckless as to the impairment of, a computer

Section 3A:        making, supplying or obtaining articles for use in offences under s1

A cyber-enabled crime is a “traditional” crime which has been facilitated by the use of computers, computer networks or any other internet connected device. Broadly speaking the majority of cyber-enabled crimes fall under two traditional types of offence: Fraud or Theft. Whilst conceptions of the internet and all things cyber rapidly change in this new, hyper-connected world it will soon become hard to imagine a financial or business crime that is not cyber-enabled.

The most widely publicised and often most financially damaging incidences of cyber crime is fraud, and offences of this nature will generally be prosecuted under the provisions of the Fraud Act 2006. Cyber enabled fraud can take various forms, including:

1. Electronic financial frauds, most notably online banking frauds and internet-enabled card-not-present (CNP) fraud,

2. Mass-marketing frauds and consumer scams, including Phishing scams which use disguised fraudulent emails as legitimate email communications and ask for personal or corporate information from users such as passwords or bank account details, and,

3. ‘Pharming’ where an internet user is directed to a fake website and then prompted to input personal details or financial data.

Personal data theft is also a common offence which is facilitated by the use of computers and the internet.

There are a number of offences that are created from the  misuse of computer data, for example: section 55 Data Protection Act (DPA)  1998 which prohibits knowingly or recklessly obtaining, disclosing or procuring personal data without the consent of the data controller; section 1 Malicious Communications Act 1998, which makes it an offence to send indecent or grossly offensive electronic communications with the intent of causing distress or anxiety, and section 127 of the Communications Act 2000 which criminalised the improper use of internet communications, a statute which is now regularly used to prosecute internet “trolls”.

Before commencing proceedings a private prosecutor must first undertake the investigation stage, in the same way that the police are required to investigate a crime. Much of this investigation can be carried out in-house; however it is likely that police assistance will be required as a private individual may not have the power of arrest, to obtain search warrants or the power to conduct a financial investigation into any suspect.

Following the investigation stage, the procedure for commencing a private prosecution is set out in Part 7 of the Criminal Procedure (Amendment) Rules 2015 (“CPR”).

Once all necessary evidence has been gathered, the prosecutor must lay any Information before the Magistrates’ Court in order that a summons can be issued. CPR 7.3 prescribes the format which the Information must take:

“(1)      an allegation of an offence in an information or charge must contain:

(a)        a statement of the offence that –

(i)         describes the offence in ordinary language, and

(ii)        identifies any legislation that creates it; and

(b)        such particulars of the conduct constituting the commission of the offence as to make clear what the prosecutor alleges against the defendant.

(2)       more than one incident of the commission of the offence may be included in the allegation if those incidents taken together amount to a course of conduct having regard to the time, place or purpose of commission.”

When reaching its decision as to whether or not to issue a summons, the Magistrates’ Court will consider the following factors:

1.whether the offence is known to law and the elements are present on a prima facie basis;

2.whether the court has jurisdiction;

3.whether the informant has authority to prosecute (that the permission of the Director of Public Prosecutions (DPP)) has been obtained where the offence in question so requires);

4.whether a limitation period applies;

5.whether the allegation is vexatious.

It is important, therefore that the prosecutor also considered these factors in advance of applying to the Magistrates’ Court.

Once the summons has been issued a private prosecutor may wish to apply for the restraint order over the defendant’s assets, in order to secure realisable assets to make them available for any confiscation order made on conviction, pursuant to Section 40 of Proceeds of Crime Act (POCA) 2002.

Thereafter a private prosecution will follow the same path as a case brought by a public prosecuting authority. The prosecution will be required to put forward its case, and the defendant is afforded the opportunity to put forward a defence.

Unless specified in statute the Magistrate will decide whether the case will be tried in the Magistrates’ Court of before a jury in the Crown Court, and this will be determined by the seriousness and complexity of the offence. Summary offences, such as section 3 offences under the CMA 1990, will be heard at the Magistrates’ Court; whilst indictable offences, for instance a serious fraud, will be heard at the Crown Court. If the defendant is convicted then the court will impose the appropriate sentence against the defendant, which may include a payment of costs to the prosecutor.

Following a successful conviction, it is possible for a private prosecutor to pursue any confiscation proceedings against the defendant under POCA 2002.

In the Virgin Media case referred to above, the Court made a confiscation order in the sum of £11.8 million and Virgin Media was subsequently awarded its costs for the proceedings from central funds, pursuant to section 17 Prosecution of Offences Act 1985.

It is now well established that the costs for a private prosecution in the Crown Court may be payable from central funds. A wealthy Indian businessman, Murli Mirchandani, who was the victim of fraud recently recovered his costs of just over £400,000.00 from central funds and secured a jail term of eight years for the perpetrator.

There are a number of reasons why an organisation may wish to instigate a private prosecution; to prevent a competitor from unlawfully profiting from criminal conduct or  to act as a deterrence for further offending in order to protect a business; for example employee hacking or data breaches. Whatever the reason private criminal prosecutions are a powerful old tool that is still readily available to use in tackling the ever increasing commission of cyber crime.

Originally published in the September 2015 edition of the IBA Criminal Law Newsletter.

Bivonas Law LLP

Bivonas Law was established in 1997 and from the outset has acted in serious criminal and regulatory investigations, together with a number of notorious commercial disputes.

Bivonas Law LLP

About the author

Bivonas Law LLP

Bivonas Law was established in 1997 and from the outset has acted in serious criminal and regulatory investigations, together with a number of notorious commercial disputes.