On 31 March 2014, the Home Secretary transferred responsibility for protecting our economy from the harm caused by fraud to the National Crime Agency. The National Reporting Service, Action Fraud was transferred to the City of London Police. This rather troubled organisation was previously run by a private sector company, which went into administration and between the Home Office and the City of London Police, there are now at least five specialist cyber-crime units. Since 2013, victims of fraud have continued to report cases to Action Fraud, for which the Home Office, rather than the Police continues to be responsible.
We now have details of how often reported cases are followed up by the Police and the number of successful prosecutions. The results of an investigation by The Times were published last week. The Police are following up fewer than one in 100 reported cases and barely one in 500 result in a conviction. A dramatic increase in reporting reflects a fact that most crime now takes place off the streets because it is being committed on-line. When the cyber-crime figures are included for the first time next month in the overall Crime Survey figures, the number of reported crimes will increase by around three million. There are many examples where the response to reporting a cyber-crime in this way has been slow and confused. Action Fraud has been criticised for using an algorithm to analyse reports but it does make sense if attempts are being made to identify patterns across vast databases. Action Fraud has also suggested that it has prevented crime by closing down 4000 websites each month but in terms of arresting offenders and securing convictions, this level of performance is difficult to justify. In our experience, approaching the Police often prompts a much more interested and quicker response but this can vary region by region. Many commercial organisations are also simply directed by the Police to Action Fraud.
Sometimes reporting a crime is the only means of redress available. If the perpetrator is resident abroad or cannot be identified, increased powers of investigation, together with international co-operation will be required to bring them to justice. More often however victims are targeted for a reason and the perpetrator has some understanding of the organisation, its security systems and software. This type of inside information often also extends to an organisation trading and its vulnerabilities to clients and customers. The criminal law is designed, however, to prosecute and deal with offenders rather than to protect the victim or recover compensation. Anyone seeking compensation should always consider their remedies in the civil courts. There will almost invariably be a civil remedy in damages.
As security systems and software become more sophisticated, it becomes easier to identify and collate at an early stage the evidence which would be required to pursue civil proceedings as well as to investigate crime. The civil law has also responded to an explosion in the use of the internet by applying other remedies, to prevent wrongdoing, including the misuse of commercially sensitive information and economic fraud. As long ago as 1997, legislation was introduced originating from the European Union concerning ownership of a database. The High Court has subsequently applied the proprietary rights of an employer or principal to information stored on social media, such as LinkedIn. In addition to the usual remedies of delivery-up, irretrievable deletion and an injunction, we have successfully obtained an Order to image a defendant’s server in order to ensure that confidential information cannot be misused and the terms of the injunction are fully and properly complied with. The High Court has the power to grant injunctive relief in the case of actions based upon deceit, which is the civil law equivalent of fraud. Judges in the Civil Courts regularly do so and where there are grounds, and more than willing to make Freezing Orders, based upon evidence from systems or which originated on-line. In other words, the Civil Courts have adapted remedies going back decades or even centuries to keep pace with developments in technology and cyber-attacks.
Of course, you do need to identify a defendant and there will invariably be a cost to issuing and pursuing proceedings in the High Court. Subject to the usual considerations however, this will be recoverable and in serious cases, application can be made to the Court immediately. The High Court also offers victims involvement in decision making and control over the entire process. There is also nothing to prevent the victim of crime from seeking a remedy through the Civil Courts and then reporting matters to the Authorities to prosecute. Civil proceedings do not preclude a subsequent complaint, prosecution or conviction.
In serious cases, this must be preferable to simply being provided with a crime reference number and a case file, before being advised to wait for further contact. The statistics suggest that you will be lucky to hear from anyone at the present time. In our experience, the potential losses and reputational damage will often justify investigating matters by appointing an expert before making an application in the High Court, using the civil remedies which have always been available. The Civil Courts have proved to be adaptable and even enlightened in their approach towards technology and in appropriate cases, willing to make interim orders, punishable by contempt of court if they are disobeyed.
We face a significant challenge in promoting the internet as a secure means of doing business. Internet misuse has certainly kept pace with the expansion of commerce on-line. As an alternative to a criminal investigation, organisations who suffer cyber-attacks should consider civil remedies. This is an expanding part of our practice and there has been an increase in the number of applications heard before the High Court generally.