Last month two high profile albeit very different cases highlighted the risk of data leaks in a sporting context
On 14 February 2017 the Queen officially opened the government’s National Cyber Security Centre (NCSC) in Victoria, London.
Unfortunately this all came too late for David Beckham. A week later it was revealed that a year previously hackers had illegally accessed 18.6 million emails and documents from the servers of Doyen Sports, the sports agency responsible for running the ex-footballer’s PR machine.
According to reports published by various media outlets across Europe, including by The Sun in this country, the leaked emails suggested that Beckham had previously used his charity work as part of a campaign to be awarded a knighthood. In the messages, the former England football captain is alleged to have criticised the Honours Committee and complained about the singer Katherine Jenkins being awarded an OBE. Other emails reportedly saw Beckham react negatively to a suggested donation to Unicef, of which he is a goodwill ambassador.
The Beckham PR machine hit back with his spokesperson releasing a statement claiming that the messages were “outdated material taken out of context” and gave a “deliberately inaccurate picture”. The statement also claimed that the alleged emails were “hacked”, “doctored” and “private”.
The story took a fresh turn with the suggestion that the hackers, apparently from Russia, had actually tried to blackmail the sports agency into paying them between €500,000 and €1m in return for them not disclosing the material. The police in Portugal had reportedly been investigating the attempted blackmail for a year and Beckham was apparently not the explicit target of the hack but was “caught in the crossfire”.
Regardless of whether Beckham was the intended target of the hack or not, the case highlights wider lessons relating to cyber security for all organisations and individuals (not just celebrities such as the former England football captain). The sports sector is not immune from this threat. Whilst there has been an increasing focus on cyber security in the corporate world, the propensity to communicate and store highly confidential information in electronic form means that an array of highly sensitive material, personal and professional, is available to anyone who breaches the system. As Doyen Sports have seen, the reputational and financial impact of a cyber-attack can be immense.
Whilst the risk cannot be eradicated, a considerable amount of work can be carried out on the legal, as well as technical and communications side, to reduce the risk and to be prepared to respond well to any breach. It is now accepted that all organisations no matter how large or small should be prepared for ‘when’, not ‘if’ they suffer a cyber-attack. The same applies to individuals and those that act for them.
Going forward it is too early to say what damage, if any, has been caused to the Beckham brand by what has happened. Plainly his PR Machine is now working overtime and it will be interesting to see what action he and his advisors take over the next few months to try to mitigate the situation. According to reports, Beckham obtained an injunction against the Sunday Times last year to prevent the publication of the emails. However, it now appears that he and his advisors chose not to try to stop The Sun publishing its story, possibly mindful of the PJS legal debacle last year, but seemingly influenced by the fact that the email cache had also been leaked to a series of European websites, which began publishing them before the story hit the headlines in this country. In essence the horse had bolted.
One should always be careful about second guessing the advice given by others but this situation is clearly different to PJS. In that case the celebrity involved sought to stop the press reporting on an extra-marital threesome. It is easy to lose sight of the fact that Beckham and his advisors are the alleged victims of one or more criminal offences. It is difficult to be certain whether it was the correct decision not to try to stop The Sun from publishing its story, although avoiding potentially long and public legal action is one good reason not to have pursued the injunction. In any event Beckham must hope the public will consider the emails to be embarrassing and soon to be forgotten. For now though the messages make for uncomfortable reading and he and his advisers must be praying there are not further revelations to come.
Cases such as David Beckham's highlight the increasing cyber threat. However, not all leaks are as sophisticated of course. Last month, the RFU confirmed the outcome of its investigation into Tom Arscott who was sacked by the Aviva Rugby club Sale Sharks following reports that "tactical information" had been leaked to Bristol Rugby after Arscott had met his brother Luke (who plays for Bristol) the night before the two teams were due to play a Premiership match.
The RFU's report found that Arscott had discussed with his brother ahead of the match how Sale Sharks planned to use some backs in their lineouts and that another back would be defending in a different position at certain times. Notwithstanding that there was no evidence to suggest Bristol Rugby "changed any of their game strategy" as a result of receiving what the RFU held to be "Inside Information" it was still held that Arscott had breached Regulation 17 of the RFU's Rules and Regulations. As a result the RFU deemed Arscott's behaviour to be "inappropriate" and issued him with a written warning in relation to his future conduct.
Given that Arscott had already been dismissed from his employment by Sale Sharks as a result of what happened, it is difficult not to have some sympathy with him. In this respect the RFU accepted that he had paid "a heavy price" for a conversation which Arscott had described as nothing more than "banter" and an example of "sibling rivalry".
The Beckham and Arscott cases are clearly different. However, they do highlight the importance of private and confidential information to an organisation or individual and the risk of leaks whether from internal sources or outside. It is obviously impossible to plan for each and every crisis. They come in different guises, whether it is a cyber-hack in Beckham's case or a drink in a hotel bar as with Arscott and his brother. However there are steps that can and should be taken for all organisations and individuals to make sure they are prepared to deal with issues as best as they can. In both the Beckham and Arscott cases could more have been done in advance, either on the technological, legal or even training side? Looking from the outside it is difficult to judge. However, as with all crises, those involved will have learned valuable lessons.
If you require further information on anything covered in this briefing please contact Michael Patrick (firstname.lastname@example.org) or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, February 2017