The hacking of email accounts is once again back in the news with well-known celebrities, including Harry Styles, being targeted. In his case, he was targeted via his mother's iCloud account. Others have been targeted through other close family members. Photographs taken from the accounts have then appeared on Twitter and Facebook, though few UK mainstream media outlets have dared to publish them. The attacks were widely publicised just days after Ryan Collins pleaded guilty in the US to stealing hundreds of intimate pictures of female celebrities in a similar exercise last summer.
While the attacks on well-known individuals make the headlines, this phenomenon is an everyday occurrence across the globe. All those hacked are likely to suffer, whether from the breach of privacy or financially if information is then used to fraudulently obtain access to bank accounts and the like. However, those in the public eye or those who are extremely wealthy ((Ultra) High Networth Individuals ("(U)HNWIs")) stand to lose considerably more, particularly in terms of the potential for reputational harm. What should one do when faced with the reality of being hacked?
In the UK, as will be the case in many other countries, the law is of great assistance, but it is only a partial answer. The offender is very likely to have committed criminal offences under the Computer Misuse Act 1990 ("CMA") and Data Protection Act 1998 ("DPA"). Other criminal offences, such as fraud, harassment and blackmail potentially also come into play depending on what the offender does with the information s/he has obtained.
As for the civil law, as well as the hack being a breach of privacy, a data protection claim will almost certainly succeed. With photographs being taken it is likely that a strong breach of copyright claim can also be relied upon. It can reasonably be expected that a court will look very favourably upon a claimant in such circumstances when it comes to damages, which will include the ability to pursue damages for distress under the DPA. Of course, this all puts the claimant in a strong legal position, but it pre-supposes you can identify the offender and that s/he is worth pursuing. Penniless, unidentifiable and/or overseas are all factors which mitigate the effective use of the law. However, much can and should be done.
It is critical to be proactive. As quickly as possible once an attack has been identified the following steps should be completed:
- Computer forensic specialists should be employed to secure all relevant accounts (e.g. other family members, members of staff and the family office) to prevent further attacks;
- The computer forensic experts need to secure the evidence so it can be used in criminal and/or civil proceedings;
- A forensic investigation needs to be undertaken to try and identify the attacker through forensic means;
- The web, including the dark web, should be monitored for any evidence which may assist in identifying the hackers and other relevant actions;
- Banks and financial advisers should be advised so as to avoid the risk of assets being stolen with it being best practice to change passwords;
- Armed with such relevant information that the forensic team can provide, the lawyers can apply to court for orders requiring Internet Service Providers to disclose account details and such other information as they may hold and are able to disclose, to assist in identifying and tracing the attacker. This may not immediately yield results since it may be similar to peeling back layers of an onion.
- An application can be made to the court for an unmasking order, requiring the offender to identify themselves. If the offender has a moment of honesty, they may be willing to divulge their identity and take their punishment. However, it is necessary to be realistic. Many will not respect such a court order, sometimes because they are out of reach of the English courts, others simply choosing to ignore their legal obligations and take their chance. Those that choose to hack an account can hardly be expected to 'do the decent thing' once they have been discovered.
- Set up a monitor and block or takedown system to hide or remove images and information online where ever reasonably possible (websites hosted in places such as Belize may prove impossible, but internet service providers are more easily accessible);
- Consider, if necessary, obtaining an injunction to prevent publication of the stolen information, including any photographs;
- Set up a monitor and takedown system for online infringements;
- Plan and articulate a communications strategy having regard to family, stakeholders and, if necessary, the wider public.
No doubt there are likely to be other immediate issues, depending on the facts. These could include tightening physical security
What one next does is more open to the requirements and wishes of the individual client. If the offenders have been identified, then depending on in which jurisdiction they are to be found, the effectiveness of its laws and judicial system and whether to take action would be to cause more harm than good, criminal and/or civil proceedings are possible.
The criminal route
In the UK, the theft of photographs from another's iCloud account or email will amount to offences under the CMA, including unauthorised access to material and unauthorised access with intent to commit a crime (i.e. stealing and disseminating confidential information), as well as the similar offence under the DPA.
While the criminal route does not provide damages, that may not be the client's motivation. It is also worth bearing in mind the loss of control that the client will face if matters are handed over to the police, as well as the real risk of the matter becoming lost in the system. Save where an officer becomes especially interested in the case, such offences are not regarded as high priority by the police, which is understandable to a point when account is given to the police's budgetary constraints and the need to deal with more serious offences.
It is also an option to bring a private prosecution which will avoid the pitfalls of dealing with the police. While this will involve incurring costs, presently it is likely the victim-prosecutor will get the vast majority of his/her costs back from central funds. This luxury does not exist in the civil system and may not last a great deal longer in the criminal courts.
The decision to proceed with civil proceedings will be greatly influenced by the being able to identify the defendants and the willingness to incur costs to proceed with a case in the knowledge that it is unlikely in most cases that costs will be recovered. However, having initiated proceedings, there is an obligation not to simply sit on the injunction. There is a need to proceed or discontinue the claim. On the basis that the client will wish to maintain the injunction, it will probably be best to proceed to some form of summary judgement if at all possible, thereby limiting the cost exposure and but maintaining the key remedy, the injunction.
Exacerbated by the criminal nature of the breach of privacy and the likely distress caused by the infringement, the court is likely to award sizeable damages.
The likes of Harry Styles will undoubtedly want to make sure this does not happen again. There are a number of steps that can and should be taken. These include:
- Regularly updating security and passwords;
- Considering alternative storing options less vulnerable to attack;
- Carrying out simulations of cyber breaches;
- Establish and regularly update and test a crisis management plan;
- Ensuring those around the individual follow tight electronic and social media protocols;
- Ensure all employees have sound confidentiality provisions in their contracts of employment;
- All relevant individuals, including family members and staff, are given training and education on cyber security – people are always the biggest cyber risk; and
- Maintain sound monitoring procedures to pick up early warning signs of a pending or actual attack.
The relevance of cybersecurity will only continue to increase for all individuals, but especially (U)HNWIs and celebrities. For these individuals, it is even more important to stay on top of this. An up-to-date communication and crisis plan is a key factor in managing these risks, as is taking swift action to remedy problems when they occur. Harry Styles will not be the last victim of a cyber-hack, but each incident provides us with a reminder that this affects everyone, high profile or not. The need for vigilance and to keep on top of preventative measures and best practice is an ever present requirement.
The alternative to such an investment is to create a far greater risk of becoming the next victim, with all the embarrassment, reputational harm, time and expense that dealing with a crisis involves. Investing in good planning and prevention will pay dividends over time.
If you require further information on anything covered in this briefing please contact Julian Pike (firstname.lastname@example.org; +44(0)20 375 7614), or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, March 2016