The offshore jurisdictions are catching up fast with legal issues relating to cybercrime, cyberliability, and the use and discovery of electronic documents.
In the wake of the embarrassing leak in April 2013 of about 2.5 million electronic client files allegedly held by Portcullis TrustNet and Commonwealth Trust Limited (two trust companies with links to the BVI, Singapore and the Cook Islands), the BVI government has just passed a new law, called the Computer Misuse and Cybercrime Act 2014, following a second reading before the BVI House of Assembly.
The Act is designed to prevent the illegal access and misuse of computers, and other cybercrime offences in the BVI, although it also seeks to have extraterritorial effect. The Act updates the legal definitions for various computer-related crimes and it increases the penalties for illegally accessing, copying, intercepting, transferring, erasing or publishing unlawfully obtained data.
The penalties imposed by the Computer Misuse and Cybercrime Act 2014 range from $10,000 to $1 million fines, and 2- to 20-year custodial sentences. The maximum fines can be tripled if the crime involves data taken from a “protected computer”, threatening the BVI’s national security, criminal investigations, financial services businesses, public infrastructure or essential emergency services.
The BVI government has explained, in a recent press release, that the legislation is designed to “assure relevant stakeholders, both domestic and international, that the integrity and safety of their personal and business data is protected as they continue to undertake legitimate business transactions”. In the face of criticism by international media organisations and investigative journalists, the BVI government has sought to downplay the significance of the new Act, arguing that it simply seeks to improve upon amendments previously introduced to the BVI Criminal Code in 2007.
The BVI government has acknowledged, however, that the April 2013 dataleak has triggered the new law, since “the recent theft and unlawful publication of confidential information obtained through computer-generated systems has revealed the shortcomings in the 2007 amendments to the Criminal Code”. The BVI government has sought to stress that the new Act is not about:
• protecting secrecy or shady dealings in the BVI;
• witch hunting anybody involved in previous data leaks;
• muzzling the press;
• covering up any act of corruption; or
• preventing anybody from making a disclosure to a law enforcement authority about any suspicion of the commission or of an attempt to commit an offence.
The Act still has to be approved by the BVI Governor before it is brought into force.
Other offshore jurisdictions already have laws in place regulating the misuse of computers and electronic data, such as Bermuda’s Computer Misuse Act 1996 and the Cayman Islands’ Computer Misuse Law (2000 revision), although these are not as draconian as the BVI’s new legislation. These laws complement legislation that exists in offshore jurisdictions to encourage transactions being conducted electronically, and that allows offshore business documents to be stored electronically and admitted in evidence in legal proceedings, such as Bermuda’s Electronic Transactions Act 1999, Jersey’s Electronic Communications (Jersey) Law 2000, and the Cayman Islands’ Electronic Communications Law (2003 Revision).
So far as rules regulating the conduct of electronic discovery in civil litigation are concerned, the offshore jurisdictions have not yet caught up with legal developments in onshore jurisdictions such as the UK and the USA. However, in a recent unreported decision, the Supreme Court of Bermuda has confirmed that it has the inherent jurisdiction to regulate the parties’ approach to electronic discovery, even in the absence of a specific set of rules. The Bermuda judiciary is willing, therefore, to bring active case management techniques to bear as appropriate, following recent guidance provided by the English courts and set out in the English civil procedure rules, with a view to avoiding an unnecessary and disproportionate waste of costs associated with an unregulated electronic discovery exercise.
The offshore courts have also had to start grappling with other cyberliability issues in recent years. For example, in Bermuda Restaurants Ltd v Daspin and Convergex Global Markets Limited  Bda LR 7, the Supreme Court of Bermuda considered the issue of an employer's potential vicarious liability for defamatory emails sent by an employee on the employer’s computer system. The Court held that the employee was acting on a “frolic of his own”, and that the employer was not responsible for the defamatory publication.
More recently, in Richardson v Raynor  Bda LR 52, the Supreme Court of Bermuda held that a Facebook posting to a limited circle of Facebook “friends” did not give rise to criminal liability for defamation, although the court did not address the issue of potential civil liability.
If all this recent activity is any guide to the future, offshore cyberliability claims and issues look set to grow.