On 3 April 2020 Europol (the EU law enforcement agency) published a warning to individuals, companies, public institutions and other organisations about the marked rise in cybercriminal activities since the outbreak of COVID-19 stating that the “… impact of the COVID-19 pandemic has been the most visible and striking compared to other criminal activities”.
Europol caution that there is an expected increase in phishing and ransomware campaigns which will be designed to exploit the current crisis. Phishing is the process whereby an individual is induced to divulge personal information, including banking details, which can then be used to defraud the victim. There is also an expected increase in the scope and scale of these attacks.
The intended effect of a ransomware attack would be to deny access to users to the information on their systems pending payment of a ransom. At the beginning of this month Microsoft published information aimed at protecting critical services such as those provided by hospitals. Europol also identified hospitals as a target for possible attacks. The report also identified government agencies, universities and organisations within the manufacturing sector as prime targets.
These attacks may appear in the form of a link or in a malicious email which infects the target’s systems. Given the unprecedented level of communications into and out of these organisations, users of any potential target’s system should be extremely vigilant regarding the content of communications.
The FraudSmart website (an initiative of the Banking and Payments Federation of Ireland) notes that Interpol (the International Criminal Police Organization – an inter-governmental organization) have reported near-daily fraud cases and requests to assist with stopping fraudulent payments. Interpol also notes that criminals have used bank accounts located in other regions “…to appear as legitimate accounts linked to the company which is being impersonated.”
In the daily briefing on the government’s response to COVID-19 on 2 April, a fraud warning was included from An Garda Síochána. This included a warning to confirm details before transferring any money or buying any product, including in respect of making online payments. It was reported that an Irish citizen was interviewed by the Gardaí on 10 April regarding the suspected laundering of €1.5m into an Irish bank account which is believed to be part of a larger €15m phishing scam which targeted the German government.
Ransomware attacks may be countered by an interlocutory order of the court. While dependent on the circumstances of the case in question it may be appropriate to seek an order for the removal of data relating to the plaintiff from an impugned website or an order for the delivery or deletion of data.
National authorities may be able to block certain payments. However, in some cases, the proceeds have been transferred to second and third bank accounts before they can be traced and blocked.
A person found guilty of money laundering in this jurisdiction is liable on conviction on indictment to either a fine or to imprisonment for a maximum term of fourteen years (or both). There are also numerous other relevant criminal offences including offences relating to theft, fraud, making gain or causing loss by deception, the unlawful use of a computer and the possession of certain articles.
The challenge with many of these offences is that the culprit is often difficult to identify. To remedy this an order seeking the identification of the party may be possible at an interlocutory stage. A further challenge is that the negative publicity arising from an admission that a company or institution has been successfully attacked is often publicity which the company or institution wishes to avoid. It may be possible to mitigate the effect of negative publicity. In England there is jurisprudence from ZAM v CFM and TFW EWHC 662 (QB) for the anonymisation of the plaintiff in blackmail cases. There is a common law power to anonymise in this jurisdiction which is evidenced by the decision of Mr Justice Kelly in Medical Council v Anonymous IEHC 109. In this case the Court refused to hold the hearing in camera but prohibited the publication or broadcast of information which might have identified the defendant.
Contractual remedies may be available to the parties where liability of one or more of the parties can be determined by an examination of the contract. Such liability may arise where a breach of contract occurs where, for example, one party may have failed to adhere to the proper notice required in a contract for change of bank details, or failed to verify such notice by an alternative means (e.g. a phone call).
A failure to exercise reasonable skill and care by one or more of the parties may also result in a finding of negligence against that party.
Mitigating the Risk
To minimise the risks posed by cyber security fraud businesses and institutions should be vigilant in reminding staff of the current best practice. In this article we outlined the steps that organisations should take to assess their data security practices and procedures.
What if a Cybersecurity Issue does Occur?
Depending on the nature of the issue the business or institution may take the following steps or indeed in certain instances may be obligated to take certain actions.
- Where data theft has occurred the requirements of the GDPR and the Data Protection Act 2018 will need to be considered. The definition of personal data under the GDPR is broad and may include information such as email addresses. A personal data breach to the Data Protection Commissioner may need to be made without undue delay.
- Consider what court orders might be sought in order to assist in identifying the cybercriminals, freezing accounts which can be traced back to these individuals or retrieving data in order to mitigate any future claims.
- It is a criminal offence for a person (including a company) to fail to disclose information to the Gardaí as soon as practicable and without reasonable excuse, which the individual knows or believes might be of material assistance in ” (a) preventing the commission by any other person of a relevant offence, or (b) securing the apprehension, prosecution or conviction of any other person for a relevant offence.” Relevant offence is broadly defined and includes cybercrime.
We are available to advise businesses with any issues they face. Please contact your William Fry contact with any queries. Our partners, associates and our support teams are available as usual to support your business. We also have a specific COVID-19 Hub to help you.
Contributed by Marie McQuail
Follow us @WilliamFryLaw