Once a cyber-attack or incident is contained, a potential next step is to seek recourse against the wrongdoer, including, if possible, compensation for the losses suffered – particularly if there is no insurance cover available or any policies contain significant excesses.
However, in the case of cybercrime, not uncommonly, it may not be immediately apparent who has committed the wrongdoing, as compared to other frauds or wrongdoing. cyber-tracing. This is taking steps to demonstrate the identity of the cyber-criminal and understand what has happened, including what data or information has been lost or taken and how, may therefore be necessary. This can be done internally or with the assistance of third parties and the courts.
If the data breach is suspected to come from an insider, it makes sense to look at any information already in the company's possession that could be useful, for example the contents of company devices and emails. However, it is important to maintain control over the investigation to avoid any risk of inadvertently committing an offence during the investigation, which would give the wrongdoer or other individuals a basis for claiming breach of their rights – regardless of the fact that the company is a victim.
Potential risk areas include unlawfully obtaining or disclosing personal data (s.55 of the Data Protection Act 1998), the offence to knowingly use a computer for unauthorized access to any program or data (Computer Misuse Act 1990) and laws prohibiting the unlawful interception of communications.
As a further example, although in a different context, in the case of Barbulescu v Romania, an employee argued his former employer had infringed his Article 8 rights under the European Convention on Human Rights by monitoring a Yahoo messenger account which the employee used for client queries, but had also used for personal purposes. In that case, the employer's policy stated that its systems could only be used for professional purposes and the monitoring was also considered reasonable in the context of the applicable law, which was Romanian, so the employee's arguments failed.
It is always worth taking legal advice, internal or external, before commencing an investigation and as circumstances change. Depending on the extent of the investigation, the laws of a number of countries could also be relevant. Ensuring ahead of time that appropriate and lawful employee monitoring policies are in place, and making sure they are appropriately communicated to employees, can also avoid problems.
Third parties who have become innocently mixed up in the wrongdoing may also be able to provide answers. If so, an option is to seek a court order for non-party disclosure in the civil courts on the basis that disclosure is the only means of identifying the wrongdoer.
Examples of third parties against whom non-party disclosure orders have been successfully sought include email providers (e.g. Google), banks, for records of transactions, and website operators and social media platforms (e.g. Facebook) who may be able to provide registration details and IP addresses. If IP addresses are connected with the wrongdoing and known, whether already identified or revealed following initial non-party disclosure, internet service providers may be able to provide subscriber information connected with the IP address.
However, seeking non-party disclosure involves costs. In addition, a party seeking information will need to be prepared to pay a third party's expenses of complying with the order sought, although depending on the scope of the request and how information is stored by the third party these could be minimal. Seeking a court order takes time, but it may be possible to expedite the process on the grounds of urgency.
There are also risks and practical limitations to bear in mind; the information sought could have been lost or routinely deleted, and the data that you obtain could be inconclusive. The cause for this might be that the wrongdoer has entered false details when completing account information or used a publicly accessible computer in order to hide their identity. If so, it may be necessary to make further applications in order to continue the pursuit of the cyber-criminal through cyber-tracing.
Cross-border issues complicate the pursuit of cyber-criminals; if it is suspected or it turns out that the cyber-criminal is based in another jurisdiction, generally speaking this is likely to make them more difficult and costly to pursue. In the case of cyber-tracing through third parties, if the third party does not have a presence in the jurisdiction or hosts the data sought overseas this can hinder obtaining information.
Therefore, whether or not cyber-tracing is worthwhile depends on the facts of each particular case, including the extent of loss suffered, whether there are any potential suspects, the ease of confirming their identity and guilt, and, of course, the victim's objectives. If the primary objective is compensation, it should be borne in mind that if the wrongdoer can be identified they may well not have the assets to be able to fully compensate the loss suffered.
However, there may be other justifications, for example reputational issues. If an insider is suspected, information may also be needed to take appropriate steps to discipline the individual concerned and potentially dismiss them from the company.
As an alternative to cyber-tracing and depending on the seriousness of the cyber-attack, a victim may immediately elect to report the incident and request that the authorities investigate it. This comes with a loss of control but has a number of advantages, most notably cost. However, it is not a cost free option as the company will need to be prepared to fully support any criminal investigation, which will involve at least some time and expense.
The key point to bear in mind when pursuing cyber-criminals is the sooner action is taken the better, including to maximize the potential benefits cyber-tracing given information that may help identify the wrongdoer can relatively quickly be lost or destroyed.