Walker Morris’ Retail and Commercial Dispute Resolution specialists Gwendoline Davies and Tim Pickworth look at some of the latest fraud challenges facing retailers today, and some of the technical, practical and legal solutions on offer.
What are the issues and key risks?
Recent analysis released by payments group Adyen has revealed that 60% of British retailers have noticed an increase in fraud over the last year. This is backed up by hard statistics – the Office for National Statistics figures released at the end of 2018 showed an increase in consumer and retail fraud, up 27% on the previous year, despite a stabilisation in fraud figures as a whole.
Retail fraud can occur in myriad ways, but of primary concern in the current climate is cybercrime – in particular the hacking and theft of customer data.
According to a report published by ThreatMatrix in 2018, e-commerce attacks increased by 93% between the first quarters of 2017 and 2018, and every day of 2018’s first quarter showed higher cyber attacks than any one day in the previous three years – and that is just the attacks that are reported. Hugo Rosemount, Crime and Security Policy Adviser to the British Retail Consortium has commented that “[c]yber attacks on the retail industry are doubly damaging in that there are two sets of victims… both the customers (whose data is hacked) and the retailers themselves.” Cybercrime can therefore expose retailers to financial harm (both directly and potentially indirectly if/when they compensate customers), regulatory investigation concerning data protection and breaches and, perhaps of most concern, reputational damage.
One of the reasons that retail fraud is on the rise is the proliferation of electronic and mobile marketing techniques, sales platforms and payment options. Weaknesses in, or gateways between, different IT systems can provide an ‘in’ for hackers; the use of unsecure mobile devices to create and log in to customer accounts; and point-of-sale payment card skimmers represent some of the real risk areas.
However, whilst technology offers fraudsters ever more inventive ways to target victims, it can also provide improved security options for retailers.
What technical and practical solutions are on offer?
Biometric security systems are one area in which technology is being deployed to target fraud, and with many smartphones already capable of using biometric data such as fingerprints, facial recognition and iris scanning to authenticate identity, many consumers are open to having this type of protection implemented for payments too. According to a survey by GlobalData, 67% of consumers would be happy to use a biometric security method to protect their payment details. Biometric security systems may also generally improve the security of mobile devices, and of e-commerce account creations and transactions conducted thereon.
Biometric security systems bring their own legal challenges in the form of data protection concerns, but they highlight the increased sophistication that businesses are considering in the face of rising fraud. Industry analysts predict that biometric payment cards will become widely available on the consumer market during 2019.
Engaging cybersecurity specialists to continually review and improve IT security measures is essential, as is implementing and maintaining comprehensive policies, procedures and staff training as to the various types of retail fraud and the risks associated with handling customer data.
Retailers may also wish to consider reviewing their communications with customers. Whilst there is a fine line to tread between preventing fraud and not putting off prospective customers with onerous security requirements, there might be significant brand credit to be had from, say, warning customers at the point of account creation that it may be safer to proceed privately on a secure PC rather than on an unsecure mobile device or in public; and/or from reminding customers at the point of sale to be alive to the various risks of payment fraud.
What legal options may be open to retailers?
Where retailers do find themselves or their customers a victim of fraud, as well as following any internal incident management regime, retailers should also immediately notify the police. They may be able to recover any stolen monies and potentially take action against the fraudsters.
It may also be necessary or appropriate to notify any insurer, any other parties to the transaction (such as the customer) and any industry representative body.
In addition, retailers should seek immediate specialist legal advice. Walker Morris’ Commercial Dispute Resolution team has significant expertise in fraud claims and would, in some cases, be able to urgently obtain forensic input to help the retailer to understand and to limit the extent of any data breach or any other theft or damage suffered as a result of a cyber attack.
In some cases it may even be possible also to urgently initiate a freezing injunction to try to preserve any stolen monies in the fraudsters’ bank account(s) and/or to obtain an order from the court requiring disclosure of assets to be provided by the suspected fraudsters. If the whereabouts of monies is unknown, Walker Morris has extensive experience in tracing and recovery.
There are also a number of civil remedies that affected retailers may be able to pursue. Depending on the type and circumstances of the fraud, there may be breach of contract; negligence, breach of trust; unjust enrichment and/or tracing claims which could mitigate any losses and potentially help to recover lost funds. It may also be possible to obtain compensation or contributions from other involved parties (such as IT security consultants or the like).