Cyber security measures



The massive upsurge in the use of the internet in recent years has encouraged analysts to speculate on what this might mean for the next generation, or indeed for the next few years. One recent survey has predicted that by 2020 the number of internet connected devices worldwide will outnumber people by a staggering six to one.

The acceleration in the number of internet users has unfortunately given rise to an alarming growth in the number of cyber breaches suffered by individuals and companies alike.

Police forces in England have admitted to dealing with more of these crimes than ever before. Data released in 2015 suggests that reported incidents have increased by 200 percent on the previous year’s figures. It is no secret that existing public resources fall woefully short of what is required to fully investigate and prosecute all crimes reported to the authorities as it is; accordingly, a further increase in cyber crime could be disastrous.

The UK government’s Communications Headquarters has emphasised that 80 percent of online threats are avoidable by employing simple best practices. As a result, courses or systems provided by cyber security experts, which have been designed to protect against cyber attacks, have become an increasingly attractive investment for companies.

Recent media reports describe cyber security experts as having ‘hit the jackpot’ with some experts able to command a daily rate in excess of £3000 because of the shortage of people in the market with the required skill and experience.

With companies being encouraged to internally address cyber security, the information technology team, in house general counsel and the chief information security officer all have their roles to play in managing the fall out should the expensive preventative measures recommended by cyber security experts fail.

As an alternative to paying out for these cyber specialists, a handful of City law firms have identified the benefit of having a team with first hand, internal knowledge of how to respond to a cyber incident and often these teams will include consultants who have a regulatory or law enforcement background.

A company’s general counsel is unlikely to have had the need to interact with law enforcement agencies on a day to day basis, so one of the most important assets an external law firm can bring in the wake of a cyber breach is their experience in dealing with these entities and the relationships they have built along the way.

With the strain on public resources and the pressing need to deter the commission of cyber offences, companies should also consider launching their own private prosecutions against the perpetrators rather than waiting for the law enforcement agency to raise the alarm. By selecting an external firm who already have a roundtable of experienced consultants and cyber experts in place, companies could well save themselves a significant fee by responding to cyber attacks in this holistic way.

There are a number of reasons why a company may seek to instigate its own private prosecutions in this way; it may be to prevent a competitor from unlawfully profiting from the breach, deter further breaches or to set the tone within the organisation that cyber crime will not be tolerated.

In England and Wales, any individual has the right to bring a private criminal prosecution; this is enshrined in statute under the Prosecution of Offences Act 1985. In practice this means that the company/individual will employ a law firm to conduct the litigation and appear in court.

Before commencing proceedings a private prosecutor must investigate, in the same way that the police are required to investigate a crime. Much of this investigation can be carried out in-house under the guidance of experienced private investigators and counsel. However, it is likely that police assistance will be required as a private individual does not, for example, have the power of arrest.

Once the investigative stage of the intended prosecution reaches a conclusion that a prosecution ought to be commenced, the prosecutor must lay an Information before the Magistrates’ Court in order that a summons can be issued. The Information will commence the proceedings in court and the defendant is required to respond to it.

When deciding whether to commence a private prosecution, it is important to consider the following criteria. Firstly whether the offence is known to law and the elements of the offence are made out. Secondly, whether the court has jurisdiction to hear the case. Thirdly, whether the prosecutor has the requisite authority to bring the case to court (i.e., has the permission of the Director of Public been obtained where the offence in question so requires). Fourthly, whether the case has been brought within the requisite time period. Finally, whether the allegation is legitimate and not vexatious.

Once the summons has been issued, a private prosecutor may wish to apply for a restraint order over the defendant’s assets, in order to secure realisable assets to make them available for any confiscation order made on conviction, pursuant to the Proceeds of Crime Act 2002, this means that any financial benefit obtained by the defendant by the commission of the crime can be ordered by the court to be paid back to the state and any compensation to be paid back to the victim.

After the summons is issued, a private prosecution will follow the same path as a case brought by a public prosecuting authority. The prosecution will be required to put forward its case, and the defendant is afforded the opportunity to put forward a defence before a lay bench in the Magistrates’ Court or before a judge and jury in the Crown Court if the case is serious enough to be heard there.

The costs for a private prosecution in the Crown Court are recoverable from central funds, and in a recent case that resulted in the victim being able to recover his costs of just under half a million pounds.

It is likely that cyber crime will continue to go unpunished by the state and the statistics show that the breaches are becoming increasingly prevalent because new technology gives the perpetrator the opportunity for instantaneous profit with minimal risk of detection or prosecution. Cyber security and prosecution should, however, be remembered as a viable option for companies when deliberating over their cyber incident response plans for the board.


Rebecca Dix is a senior associate at Bivonas Law. She can be contacted on +44 (0)20 7337 2610 or by email:

© Financier Worldwide


Rebecca Dix

Bivonas Law

©2001-2019 Financier Worldwide Ltd. All rights reserved.