Responding to an email with "serious anomalies" and transferring personal data blocks reimbursement by the bank: French Cour de cassation, July 1st, 2020
Marie-Anne Frison-Roche
Director at Journal of Regulation & Compliance | Economic Law, Procedural Law, Regulation and Compliance Law
Phishing is a devastating form of cybercrime: emails that appear to come from a legitimate body are sent in order to obtain private information from the individual (e.g. a passphrase, a credit card number or other account details), which the perpetrators then use to commit identity theft.
What can be done against this quite classical behavior (identity theft), multiplied by digital technology?
Four ways to fight the cybercrime of phishing
- Punish the perpetrator
- Organize the reimbursement of damage
- Create incentives to prevent phishing
- Educate everyone
Punishing the perpetrators: it is always legally possible in Criminal Law, through general offences (in the U.S.) or very specific statutes (for instance in France). But it is very hard to find these perpetrators and to punish them, whether in Criminal Law or in Civil Law. Even when they are found, proving intent is an obstacle.
Creating incentives to prevent phishing works when Regulation, Compliance Law and case law require enterprises Ex Ante to secure their information networks, and also condemn them Ex Post when personal data are stolen. The prospect of being condemned, for instance for a bank whose clients' personal data are stolen by phishing, is a strong incentive to set up strong security processes for the future: that is the Ex Ante effect of the Ex Post decision.
Moreover, and by nature, Tort Law has a further double effect, not only Ex Post and Ex Ante but also on clients, on firms and on markets: being obliged to compensate the victim (here, the client) induces the person in a position of power (here, the bank) to take general measures to prevent a similar situation (here, a new phishing attack). In this way, the company protects itself, the victim and society. This is a systemic effect, emphasized by Law & Economics.
But how can an educational effect be obtained?
A case shows the different possibilities and the choices made, first by the tribunal, then by the Cour de cassation.
THE COURSE OF THE CASE CREDIT MUTUEL /V.
Firstly, a prior judgment ordering the bank to reimburse the customer for the money diverted by phishing
In 2015, a phishing scheme enabled the capture of a bank client's personal data and the execution by this bank of a fraudulent payment transaction. The client asked the bank to reimburse him, which the bank refused to do, on the ground that he had committed a fault by transmitting the confidential information that enabled this fraud.
The client brought a claim before the tribunal to obtain reimbursement and damages. He obtained them, the tribunal justifying its decision by this consideration: "celui-ci - le client -, qui était de bonne foi, a été victime d'une fraude commise par un tiers, de sorte qu'il n'était pas entièrement responsable de son préjudice" ("the client, who was in good faith, was the victim of a fraud committed by a third party, so that he was not entirely responsible for his damage").
The basis of this judgment is the combination of two criteria: the victim's good faith and the fact that he was not the sole cause of his damage. This can be reduced to a single criterion (by conflating fault and causation): good faith.
The resulting rule would be: if the victim acts in good faith, he can claim reimbursement, and the law presumes good faith.
But the Cour de cassation (the French judicial supreme court) quashed this judgment for violation of the law. This may seem strange, because it was true that this client was in good faith, just as it is true that good faith is presumed and that the bank had not demonstrated the client's bad faith.
Secondly, the bank's challenge to this judgment before the Chambre commerciale (Commercial Chamber) of the Cour de cassation.
Issued on July 1st, 2020, the Cour de cassation's judgment is built as a very classical syllogism: the legal rule as major premise, the facts as minor premise, then the conclusion.
- Syllogism's major premise: interpretation of the legal rule. The Court interprets articles L.133-19 and L.133-16 of the Code monétaire et financier (French Monetary and Financial Code), even in their wording prior to the August 2017 reform, as implying: "le payeur supporte toutes les pertes occasionnées par des opérations de paiement non autorisées s'il n'a pas satisfait par négligence grave, exclusive de toute appréciation de sa bonne foi, à l'obligation, imposée à l'utilisateur de services de paiement par le second de ces textes, de prendre toute mesure raisonnable pour préserver la sécurité du dispositif de sécurité personnalisé mis à sa disposition" ("the payer bears all the losses caused by unauthorized payment transactions if he has failed, through gross negligence, and irrespective of any assessment of his good faith, to fulfil the obligation imposed on the user of payment services by the second of these texts, namely to take every reasonable measure to preserve the security of the personalized security device made available to him").
- Syllogism's minor premise: presentation of the facts. The Court notes that the tribunal "avait aussi retenu que M. V... avait commis une négligence grave en répondant à un courriel présentant de sérieuses anomalies tenant tant à la forme qu'au contenu du message qu'il comportait" ("had also found that Mr. V... had committed gross negligence by replying to an email presenting serious anomalies, relating both to the form and to the content of the message it contained").
- Syllogism's conclusion: the tribunal's judgment violated the law and must be quashed.
THREE LESSONS FROM THE CASE CREDIT MUTUEL /V.
First Lesson of this Case Law: good faith is not a relevant criterion; by nature, the user has an objective duty to react to an "abnormal" email
The mix of Compliance Law (on personal data) and Criminal Law leads to the prevalence of objective analysis.
In this case, the implicit notion of "objective fault", usual in Economic Law and constituted by the behavior itself, is applied, while the implicit notion of "subjective fault" (the intention behind the behavior) is rejected through the affirmation that good faith is irrelevant.
As soon as the client fails to react to an "abnormal" email, his or her negligence is established.
In the present case, the bank is protected by this objective analysis. This is not an exception or a favor for banks: the objectivation of the analysis applied to the individual mirrors the objectivation of what is required from the bank, which must react when a bank account shows objectively "abnormal" activity. The bank must react immediately (for instance stop the transaction, ask questions, report to the supervisory body, etc.). The same objective obligation is placed on the user.
Second Lesson of this Case Law: a system of proof, itself built on an Ex Ante burden of diligence
Ex Ante, the enterprise makes available a "dispositif de sécurité personnalisé" ("personalized security device"), but the user must personally take "toute mesure raisonnable pour en préserver la sécurité" ("every reasonable measure to preserve its security").
Thus, the first step is purely Ex Ante. First, the enterprise provides a security device designed for the user. Once it has done so, the burden shifts and the user must "preserve its security". Each in turn.
The question is: is this alternation of burdens specific to the banking sector, or does it apply to every situation involving personal data in a similar configuration?
The Cour de cassation applied specific legal provisions (of the French Monetary and Financial Code), but its reasoning seems to reflect a more general division of burdens, because it is impossible for the enterprise to control the use the client makes of his or her own personal data, and in law too "no one can be required to do the impossible".
On this structural division, a second division, that of the burden of proof, is built.
If the email is "normal", the damages caused by the cyber-capture of information are borne by the company; but if the email is "abnormal", objectively abnormal, as was the case here both in its form and in its content, the damages are borne by the user.
The object of proof is, and is only, the "abnormal" character of the email.
The burden of proving abnormality is on the company: the client does not have to prove the "normal" nature of the email.
Here, the bank had proven the abnormal nature of the email: it had to win as a matter of law.
The client argued his good faith. Because this is not the object of proof, he had to lose as a matter of law.
If the email had been normal, the customer would have won in full.
Apportioning the reimbursement, as the first judges did, was a bad solution.
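What an "objectively abnormal" email looks like, in terms a practitioner can check mechanically rather than by reference to the recipient's state of mind, can be illustrated with an added example that is not part of this commentary or of the court record. The Python below parses a constructed message and lists anomalies of form (the display name claims to be the bank while the sender and Reply-To domains do not match the bank's) and of content (a link whose visible text shows the bank's domain but whose target is elsewhere, and a request for credentials under time pressure). The domains bank.example, bank-secure.example and mail-collect.example, the brand word and the keyword lists are assumptions made for the illustration; a real deployment would take them from the institution's own configuration.

```python
"""Objective checks for 'anomalies of form and content' in an email.

Added example, not part of the commentary or of the court record. The
messages, domains and word lists below are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed values: the institution's legitimate sending domain and the brand
# word as it appears in display names.
LEGIT_DOMAIN = "bank.example"
BRAND = "bank"
CREDENTIAL_WORDS = ("password", "passphrase", "card number", "pin", "security code")
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "blocked")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(address):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return parseaddr(str(address))[1].rsplit("@", 1)[-1].lower()


def _words_present(words, text):
    return [w for w in words if re.search(r"\b" + re.escape(w) + r"\b", text)]


def find_anomalies(raw: bytes) -> list:
    """Return objectively checkable anomalies of form and content; [] if none."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []

    # Form: the identity the message claims versus where it actually comes from.
    display, _ = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(msg.get("From", ""))
    if BRAND in display.lower() and from_dom != LEGIT_DOMAIN:
        found.append(f"display name '{display}' but sender domain {from_dom}")
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_dom:
        found.append(f"Reply-To domain {_domain(reply_to)} differs from {from_dom}")

    # Content: where the links really lead, and what the message asks for.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        target = (urlparse(href).hostname or "").lower()
        same_site = target == LEGIT_DOMAIN or target.endswith("." + LEGIT_DOMAIN)
        if LEGIT_DOMAIN in visible.lower() and not same_site:
            found.append(f"link text '{visible}' points to {target}")
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    asked = _words_present(CREDENTIAL_WORDS, plain)
    if asked:
        found.append("asks for " + ", ".join(asked))
    urgent = _words_present(URGENCY_WORDS, plain)
    if asked and urgent:
        found.append("credential request under time pressure: " + ", ".join(urgent))
    return found


# Constructed phishing-style message (not a real sample).
PHISHING = b"""From: "Bank Customer Service" <service@bank-secure.example>
Reply-To: verify@mail-collect.example
To: client@example.net
Subject: Your account will be suspended
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended within 24 hours. Please confirm your
password and card number at
<a href="http://bank.example.mail-collect.example/login">https://www.bank.example/login</a>.</p>
"""

# Constructed legitimate message, for contrast.
LEGIT = b"""From: "Bank Customer Service" <service@bank.example>
To: client@example.net
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<p>Your statement is available in your online banking space at
<a href="https://www.bank.example/statements">https://www.bank.example/statements</a>.
We never ask for your credentials by email.</p>
"""

if __name__ == "__main__":
    for anomaly in find_anomalies(PHISHING):
        print("-", anomaly)
    print("legitimate message:", find_anomalies(LEGIT) or "no anomaly")
```

Each finding is something the bank could put before a court without any inquiry into the recipient's good faith: it is a property of the message itself. The same checks are what a user is expected to perform by eye, which is why a tool that surfaces them fits the "adequate Compliance Tools" the commentary asks of crucial operators.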
Third Lesson of this Case Law: contribution to educational Compliance Law
Among the possible solutions to fight and prevent cybercrime, especially phishing, the best may be the education of everybody: of users, for instance, who must learn to scrutinize the emails they receive and to react, the duty of society being to give them a digital education and the duty of the "crucial operators" being to give them adequate Compliance Tools.
In this case, the user had the means to react and did not do so, when he was in the best position to do so. He must pay for that; this is a sort of "lesson", in a sort of fable de La Fontaine: a raven seduced by a hacker-fox, the client cannot obtain the reimbursement of his cheese, and next time he will look at his emails more carefully.
This liberal conception is at the core of "nudge theory" (notably conceived by Cass Sunstein), which places on the individual the burden of achieving the goal of the regulatory system. This internalization is well suited to Compliance Law (on the articulation between nudge techniques and Compliance Law, see for instance Lucien Rapp, Incentive Theory and Governance of Space Activities, 2020).
It presupposes the education of individuals (on the articulation between education and Compliance Law, see M.-A. Frison-Roche, Training: content and container of Compliance Law, 2020).
This is what regulators and courts do, for instance with this Cour de cassation judgment.