Cybercrime activity: Public Interest v. Confidentiality

By Chrysanthos Christophorou

One of my most recently published articles  dealt with cybercrime and its rapid expansion in recent times.

The article provided an overview of the relevant legal framework put in place in Cyprus and also discussed the role of the Cyprus courts in combating internet fraud in general. The term “internet fraud” generally covers cybercrime activity that takes place over the internet or via email, including crimes like phishing, impersonation, credit card and identification theft and other criminal activities designed to swindle people or businesses out of money.

Inevitably, in the digital era we currently live in, the internet has become one of the most popular tools used to commit fraud. Thousands of individuals fall victims of internet scams on a daily basis online or through other electronic means. The numbers will continue to increase as internet usage expands and cybercriminals become even more sophisticated.

In the most recent cybercrime case Notesco Financial Services Limited v. ISX Financial EU PLC (Civil Action folio no. 2486/21), the District Court of Nicosia confirmed the readiness of the Cyprus courts to combat cybercrime and identify the wrongdoers where appropriate. The court upon an urgent application granted ex parte a number of interlocutory orders, including a gagging order, a freezing order and an order prohibiting the destruction of information against the respondent banking institution, whereas the requested Norwich Pharmacal orders relating to the UBOs and signatories to the bank account were left to be examined inter partes.

In a nutshell, the cybercriminals, pretending to be employees of the claimant, were approaching investors asking them to disclose certain sensitive and confidential information (e.g. copy of passport/ID, bank accounts etc.) and to make certain payments (the alleged “fee” of the fraudsters for their service) into a bank account designated by them and held by entity Venus Exchange Services OU, with the Cyprus banking institution, on the premise that they would receive back a larger amount to which they were entitled.

The banking institution, an innocent third party in the proceedings, raised the usual grounds of opposition as most banks do in such circumstances, i.e., that they are bound by the applicable banking secrecy laws and regulations and that they are contractually bound not to disclose confidential information and data re their clients, unless ordered by a court of law.

The criteria for obtaining Norwich Pharmacal relief

The judge first discussed the conditions for granting Norwich Pharmacal relief, starting from case of Norwich Pharmacal Co and Others v. Commissioners and Custom Excise (1973) 2 All E.R.943 which is the landmark precedent on the matter, and then went on to discuss the cases which further expanded the principle such as P v. T Ltd (1997) WLR 1309, Ashworth Hospital Authority v. MGN Ltd (2002) UKHL 29, Carlton Film Distributors Ltd v. VCI Plc (2003) EWHC and Mitsui & Co v. Nexen Petroleum UK Ltd (2005) EWHC 625. The judge indicated that the relevant conditions and criteria established and expanded throughout the years by the UK courts have been followed by the Supreme Court of Cyprus in Avila Management Services Ltd v Frantisek Stepanek and others (2012) 1 C.L.R 1403.

These are:

• A wrong must have been carried out, or arguably carried out, by an ultimate wrongdoer;
• There must be the need for an order to enable action to be brought against the ultimate wrongdoer; and
• The person against whom the order is sought must: (a) be mixed up in so as to have facilitated the wrongdoing; and (b) be able or likely to be able to provide the information necessary to enable the ultimate wrongdoer to be sued;

Following the inter partes hearing, the court delivered its judgment on 10/3/2022. In reaching its decision the court took into consideration, inter alia, the seriousness of the matter and the fraudulent conduct of the ultimate wrongdoers, thereby concluding that:

• the requested data were indeed genuinely required in order to enable the applicant to bring to justice the people hiding behind the relevant bank account, and

• in the circumstances, the public interest overrode the duty of confidentiality owed by the banks to their customers, in light of the fact that the disclosure of information related to fraudulent activity which had to be stopped.

The court adopted the position taken by the court in Tournier v. National provincial and Union Bank of England Ltd (1923) All ER 550, as followed by the Supreme Court of Cyprus in Penderhil Holdings Ltd (Civil Appeals 319/11 & 320/11, dd 13/1/2014), emphasising that public interest overrides the duty of confidentiality when the purpose is to prevent fraudulent activity, in this case, the unauthorised and illegal use of the name of the applicant by the cybercriminals with the intent to defraud investors and swindle money out of them.

Note: In recent years, the Cyprus courts have been dealing with an increasing number of internet fraud cases. Our firm has set up a cybercrime task force/unit which is experienced and ready to act upon urgent requests to protect the interests of our clients (businesses and private individuals) who may have fallen victims of internet fraud. For more information and assistance please contact [email protected].

Chrysanthos Christophorou is a partner at Elias Neocleous & Co LLC