A John Constable painting sits at the centre of a £2.4m online fraud, after computer hackers duped the prospective buyer of the picture into sending the money to the wrong bank account. As the police report a marked increase in online fraud during the coronavirus pandemic, this case serves as a timely reminder of the risks associated with online transactions and illustrates the particular cybersecurity issues affecting the art market.
In 2018, the Rijksmuseum Twenthe in the Netherlands negotiated the purchase of Constable’s A View of Hampstead Heath: Child’s Hill, Harrow in the Distance from Simon Dickinson, a London art dealership. Unbeknownst to either party, cybercriminals gained access to their chain of emails. As the time for the museum to transfer the money came, the hackers impersonated a Dickinson email account and inserted the details of a Hong Kong bank account in place of the art dealer’s. The museum transferred the money, which arrived in Hong Kong and now cannot be traced.
As things stand, the museum is holding the painting, and has attempted to claim that responsibility for the loss lies with Dickinson in a number of different ways. The museum initially claimed that it had fulfilled its obligations under the contract and therefore held legal title, to which Dickinson replied that no payment under the contract had been made, because it was made to an imposter. The museum subsequently applied to court to amend its claim to include multiple other claims, including that Dickinson, which appeared to have been copied into the fraudulent emails, gave an implied representation that the emails were genuine by failing to say that they were fraudulent.
These attempted amendments to the museum’s claim were all refused by the court earlier this year, not least because the museum had stopped short of claiming that Dickinson knew (or ought to have known) that the emails were spoofs – and without this essential allegation, no case could be made that there had been an implied representation. For their part, Dickinson maintains that they would expect the museum to have carried out its own independent checks of the bank details, and that they did not know that any fraud was being perpetrated. Although the museum’s application to amend the claim was refused, it is reported that another such application is on the way.
Anti-crime procedures in the art world
The level of sophistication of each party’s cyber security in this case is, of course, a contested point. One common practice to defend against such so-called “man in the middle” attacks is to confirm the details of key emails over the telephone. Looking beyond who may have been at fault in this particular case, the fact that such measures are not necessarily deployed as standard in the art market, when some form of them would be mandatory in other industries, highlights the pitfalls of the art market’s traditional resistance to professionalisation.
In the context of seeking to combat crime in the art market, one might naturally look to the government’s implementation of the EU’s 5th Anti-Money Laundering Directive, which has seen rigorous customer due diligence requirements imposed on “art market participants”. In practice, these obligations place a heavy emphasis on verifying the identity and source of funds of the purchaser of an artwork. The issue in the Constable fraud, of course, lay with the destination of the funds, and more broadly with a lack of verification of the details of the seller. To the extent that such a problem remains unaddressed under the new legislation, it appears that there is scope for expansion here, at the very least in the form of best-practice guidance.
The Rijksmuseum Twenthe currently holds the painting, preventing Dickinson from selling it elsewhere. So, the situation remains somewhat on hold pending determination of the legal proceedings. The lessons for comparable institutions and businesses from this episode are clear; the art market is a ripe target for cybercriminals, and the sophistication of modern hacking techniques should not be underestimated. If it is possible to identify simple and cheap steps to lessen risk – especially when verifying key details of a transaction – these are worth serious consideration, regardless of whether such steps are enshrined in formal industry standards or regulations.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, May 2020