Cyber security negligence… Spending £2.4 million to not have a Constable in the gallery – who’s liable when hackers switch your bank details and leave a seller empty handed? Read our latest legal insight by Sebastian Hale-Smith and Ashleigh Evans
In November 2018, hackers intercepted bank details emailed from a London-based art dealer to a museum and replaced them with their own, so that when the museum paid nearly two and a half million pounds for John Constable’s A View of Hampstead Heath: Child’s Hill, Harrow in the Distance, the seller received… nothing.
The technique the fraudsters used to intercept the emails and feed the museum the wrong bank details is known as phishing. It is a way for hackers to con victims into handing over account data or to gain access to seemingly secure systems. Once they have that information, the hackers create new user credentials or install malware (such as backdoors) in the compromised system, which lets them send emails from the victim’s own account or steal sensitive data.
When the museum realised that it had unwittingly paid £2.4m into a bank account in Hong Kong – one entirely unconnected with Simon C. Dickinson Limited (the art dealer) – with little hope of recovering the money from where it had been sent, it issued a claim against the dealer, which was in turn attempting to take the painting back as it had not been paid for it.
Does having insufficient cyber security amount to negligence?
The museum’s rationale for issuing this claim was that the dealer had been negligent when it came to protecting the stream of emails that had flowed between the parties from phishing and interception.
Negligence is a civil tort in which a party breaches a duty of care owed to another, causing harm to that other party where the harm was not too remote. While it is true that Simon Dickinson, the art dealer, owed a duty of care to the museum, the reverse is also true. Each party claimed that it was the other whose email system had been hacked, with neither willing to shoulder the blame for the digital transgression.
It transpired that both parties had flaws in their cybersecurity, and Judge Mark Pelling dismissed the museum’s claim in negligence on the grounds that the museum owed its own duty of care to maintain reasonable email security. This effectively stopped the museum from continuing its claim in negligence, as it had been equally responsible for not checking, and double checking, where it was sending such a large sum of money.
However, Judge Pelling did allow the museum to amend its claim, and it is now pursuing an alternative claim for damages under contract law.
Was the contract fulfilled?
It is clear that Rijksmuseum Twenthe and Dickinson had formed a contract between themselves for the sale and purchase of the painting. The court established that the parties had formed a legally binding contract as they had clearly demonstrated each element required to form a contract; this being an offer, acceptance, consideration and an intent to create legal relations.
The art dealer’s negotiators were copied into several of the phishing emails exchanged between the museum and the fraudsters. Gideon Shirazi, the museum’s lawyer, maintained in court that the negotiators’ silence gave rise to an implied representation by conduct, or rather by the lack of it.
The Claimant accepted the offer provided by the art dealer and the funds were transferred. It’s therefore clear that both parties had intended to become legally bound to the contract. The painting was passed over to the museum by the Seller and a payment was made in exchange for the goods by the Buyer – a contract had been formed and was fulfilled by both parties.
The museum subsequently claimed damages, arguing that the art dealer had been negligent in not realising that the intercepted emails containing the wrong bank details were fraudulent, given that the dealer’s negotiators were well aware of the emails in which those details had been sent. Although this initial claim failed in the High Court, the museum is now applying to amend its claims against the art dealer, pursuing alternative routes to recover its losses, not least because it is now unable to sell the painting.
Counsel for Dickinson declared in court that the museum had been negligent by failing to verify the bank details, stating that “instead of accepting the reality of the situation, the museum has reacted by pursuing a series of hopeless claims against SCD (the art dealer), in the hope of pinning the blame for the museum’s mistake on SCD.”
Non-return of the painting
At this moment, the museum still holds the painting and Dickinson has not been paid for fulfilling its obligation to deliver it. Because the museum has physical possession of the painting, Dickinson cannot resell it to obtain the money it believes it is entitled to for performing its side of the contract. Although Dickinson maintains that it retains title to the painting even though it has been delivered, the museum is holding the painting until the courts determine which party it belongs to.
Combating cyber-crime through due diligence and control strategies
Modern technology has created new classes of crime and provides means for cyber criminals to commit traditional offences in new ways. A lack of due diligence and control means that parties may fall victim to the cyber con-artists.
Since the Covid-19 crisis began, the number of employees working from home and other remote locations has grown almost overnight, following the government’s guidance to stay at home. Alongside this increase there has been a sharp rise in hackers looking to exploit vulnerabilities in systems in order to intercept emails or obtain confidential information. This case is a valuable lesson for anyone sending money as part of a transaction: always be cautious, and verify bank details over the phone. Be vigilant, and ensure your systems are safe and secure.
Cyber security negligence… Who was ultimately responsible?
It’s clear from Judge Pelling’s dismissal of the museum’s claim in negligence that both sides owed a duty of care to protect the important and sensitive information passing between them. Each party has pointed a metaphorical finger at the other, arguing that it was the other’s online security that allowed the hackers to infiltrate the email chain.
We await the final judgment on this matter with interest, but the lesson to take away is that there is a joint responsibility in situations like this – where sensitive information such as bank details, delivery addresses and contact information is being sent electronically without encryption or other protection – to ensure that the information is correct. This doesn’t necessarily mean investing in virtual private networks and encryption software; a quick telephone call to confirm the bank details would have exposed the hackers’ deceit immediately, and either party could have made it.
For more information about cyber security negligence or how we’re supporting businesses through these unprecedented times, contact our Corporate and Commercial Legal Team on 01323 407555 or email@example.com