One Step Closer To The Future (Part III) – Corporate Criminal Liability For Failure To Prevent Non-Economic Crimes
On 10 June, the Law Commission published its long-awaited Options Paper, with proposals on reforming corporate criminal liability in England and Wales, following the launch of its discussion paper in June 2021. Whilst the Options Paper rejects the much-discussed "failure to prevent economic crime" offence, it outlines 10 "options" for strengthening corporate liability, which notably include the expansion of the failure to prevent model to fraud, and of the identification principle to cover a wider set of senior individuals whose mental acts and states might result in a corporate entity becoming criminally liable. Other proposals include the introduction of failure to prevent offences in relation to a small number of non-economic crimes, making publicity orders available in all cases in which a non-natural person is convicted of an offence, introducing a regime of administratively imposed monetary penalties, introducing civil actions in the High Court based on Serious Crime Prevention Orders, and introducing a requirement for public interest entities to report on anti-fraud procedures, or introducing a requirement akin to Modern Slavery Act statements for large corporations to report on their anti-fraud procedures.
In this final article of our series examining the Options Paper and the future of corporate criminal liability in England and Wales, we examine the Law Commission's proposed options regarding the introduction of failure to prevent offences for non-economic crimes, relating to:
- Overseas human rights abuses;
- Computer misuse; and
- Neglect and ill-treatment of vulnerable persons.
In its discussion paper, the Law Commission asked respondents to consider whether further "failure to prevent" offences (akin to those covering bribery and facilitation of tax evasion1) should be introduced to cover other economic crimes and, more specifically, fraud. Multiple stakeholders (including HMRC) expressed that failure to prevent offences could also be of value in sanctioning and deterring other non-economic crimes, some of which may not have been carried out with a view to benefitting the corporate body.
The Law Commission noted that the case for an offence covering economic crimes was stronger because there is a particular risk of such crimes being committed on behalf of organisations or with a view to benefitting the organisation. It did, however, acknowledge that in certain instances it may be appropriate to impose criminal liability on a corporation for failure to prevent the commission of other crimes, and in some contexts to depart from the general principle that a failure to prevent offence should require proof of intent to benefit the organisation, directly or indirectly.
The Law Commission's Options Paper considers options for a failure to prevent offence with respect to three specific categories of non-economic crimes, namely: overseas human rights abuses, computer misuse, and neglect and ill-treatment of vulnerable adults.
Overseas Human Rights Breaches
The current law
In recent years, there have been a number of attempts by claimants before the English Courts to hold UK-domiciled parent companies liable for human rights abuses that have taken place overseas. As reported here and here, the Supreme Court has concluded that a UK-domiciled parent company is capable of owing a duty of care to third parties for the actions (and omissions) of its foreign subsidiaries. That duty has been established by reference to general principles of tort. However, the Supreme Court's decisions were considered with respect to the jurisdiction of the English courts, rather than the merits of a claim, and so English law on the liability of UK-based companies for complicity in alleged overseas human rights breaches is not settled. Complicity in overseas human rights breaches is currently not a criminal offence in England and Wales.
The Law Commission's proposals
In the Options Paper, the Law Commission has proposed that the Government consider introducing a failure to prevent offence to cover human rights abuses, aimed at holding to account UK-based organisations that may be complicit in human rights abuses conducted overseas. The Law Commission has suggested that such an offence may be introduced on the premise that UK-based organisations have a positive duty to put in place reasonable preventive procedures against human rights abuses in their supply chains, but it was mindful to note that it should be introduced only if there is a demonstrable need to impose such a positive duty on UK-based organisations, not merely because of the current practical difficulties in proving substantive offences against companies which are alleged to have been complicit in human rights abuses.2
The Law Commission noted that the Government should consider the scope or type of organisations to which this statutory duty would apply – whether broadly to "organisations which operate internationally" or to a more focused list of "relevant commercial organisations".3 The Law Commission did not expand on the difference between the two proposed categories. However, it suggested that organisations to which the offence would apply should only be held liable for a failure to prevent a human rights abuse if there was intent to (i) confer a business advantage on the organisation or (ii) confer a benefit on a person by a third party on behalf of the organisation.4 The Law Commission's broad-brush approach differs from the EU approach (under the Corporate Sustainability Due Diligence Directive ("CSDDD") or French Duty of Vigilance Act for example), which prescribes due diligence obligations on commercial organisations based on a threshold of global turnover and employee head count.
Proponents have proposed a list of harms that would be covered under the failure to prevent human rights abuses offence.5 Such harms would include: murder, rape, an offence under section 1 of the Modern Slavery Act (holding a person in slavery or servitude or requiring a person to perform forced or compulsory labour), kidnapping, false imprisonment, corporate manslaughter, grievous bodily harm or wounding with intent, poisoning,6 causing bodily injury through explosives7, use of explosives or corrosive substances with intent to cause grievous bodily harm8, and endangering life by damaging property9. The Law Commission did not take a clear view of this proposed list. It did, however, emphasise that the main purpose of introducing such a failure to prevent offence would be to capture conduct overseas and stressed that, in deciding whether to take this option forward, a key issue to consider would be whether the case for extraterritoriality had been made out. It therefore raised an alternative question as to whether it would be preferable to give these specified human rights abuses themselves extraterritorial effect. However, that approach would require a review of the extraterritorial application of the relevant criminal law legislative provisions and updates to the relevant statutory instruments, which is a challenging exercise.
The Law Commission supported the incorporation of a defence to the proposed offence. It suggested that parties could rely on a defence of having reasonable prevention procedures in place, as well as a defence that it was reasonable not to expect the corporation to have such procedures in place, as this would limit the burden that the extraterritorial nature of the provision would otherwise place on corporates. However, it did not specify what such "reasonable" prevention procedures would look like in practice and whether these would mirror the "adequate" procedures standard of the UK Bribery Act 2010 or the "reasonable" procedures of the Criminal Finances Act 2017 in relation to the facilitation of tax evasion for example. Further clarity on applicable defences and guidance on appropriate due diligence procedures would be needed to enable UK-based companies to align their compliance frameworks with such statutory obligations.
If the Government decides to enact a failure to prevent human rights abuses offence in legislation, it will clarify the English position on parent-company liability and create a statutory obligation on UK-based companies to prevent human rights abuses within their supply chains and subsidiaries overseas through an appropriate due diligence framework. It will also bring the UK closer in line with the mandatory due diligence standards for corporates being introduced across Europe (such as the French Duty of Vigilance Act, the German Supply Chain Act and the CSDDD as discussed here, here and here).
Computer Misuse
The current law
The Law Commission was also asked to consider the introduction of a failure to prevent offence with regard to computer misuse. The Computer Misuse Act 1990 ("CMA") is the main piece of UK legislation relating to cyber-dependent crime. It was most recently amended in 2015 to ensure that it met the requirements of the Council of Europe Cybercrime Convention10 ("Cybercrime Convention") and other relevant EU directives.
The CMA, as amended, creates three specific offences:
- Section 1: Unauthorised access to computer material: Section 1(1) provides that a person is guilty of an offence if: (a) they cause a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access they intend to secure is unauthorised; and (c) they know at the time that such access is unauthorised.
- Section 2: Unauthorised access with intent to commit or facilitate commission of further offences: Section 2(1) provides that a person is guilty of an offence if they commit a section 1 offence with the intention of committing further offences.
- Section 3: Unauthorised Acts with intent to impair or with recklessness as to impairing the operation of a computer: Section 3 provides that a person is guilty of an offence if they commit an unauthorised act in relation to a computer that they know to be unauthorised, with intent to, or being reckless as to whether their act will, impair the operation of any computer, prevent or hinder access to any program or data held in any computer, impair the operation of any program or the reliability of any data, or enable any of these things to be done.
CMA offences are commonly committed alongside other substantive financial crime offences, often under the Fraud Act 2006 or the Theft Act 1968. The section 2 offence makes explicit provision for this. For example, if an employee downloads copies of files containing sensitive commercial information which they are not authorised to access and forwards the files to themselves or downloads them onto a hard drive, the employee could be found to have committed a section 1 offence with the intention of committing theft, therefore also committing a section 2 offence. A computer misuse offence could also be committed in combination with a bribery offence, if the individual intended to use the data obtained without authorisation in order to commit bribery, or to receive a bribe.
A need for reform
Concerns have been raised that the CMA is now no longer fit for purpose, as it has failed to keep pace with both the rapid technological advances which have taken place since its inception and the sharp increase in cybercrime in recent years. Indeed, the NCA has described cybercrime as a threat to national security, and the government appears to be increasingly focused on tackling harmful activity online, as reflected in the Online Safety Bill. Cybercrime is commonly defined as any crime that involves the use of a computer, and within a business crime context, it is used to describe frauds attempted or committed using a computer network and the internet. However, this concept and definition of cybercrime is outdated, given that in a corporate context almost every transaction will now involve the use of a computer, and the majority of business crimes are committed on computers or through the use of computers.
It has also been argued that, in its current state, the CMA is not fulfilling the requirements of the Cybercrime Convention11, which includes a specific failure to prevent offence12. Under the CMA, corporates can be criminally liable on the basis of the identification principle but not through a specific failure to prevent offence, and it has been noted that the difficulties in attributing liability via the identification principle may be one of the reasons as to why corporate prosecutions for computer misuse offences are uncommon13 and that a failure to prevent offence within the CMA would address this.
The Law Commission's proposals
The Law Commission acknowledged that computer misuse may be particularly likely to occur within a corporate context where commission of the offence might be aimed at providing a business advantage to the corporate body, and that it might also be reasonable to expect employers to have procedures in place including technical restrictions to prevent employees from committing such a criminal offence. The Law Commission did specify that the general principle that the offence should require proof of intent to benefit the organisation (directly or indirectly) should apply.
However, the introduction of such an offence raises another important question which the Law Commission did not address, concerning whether it would cover acts committed by employees only or whether it would mirror the approach of the UK Bribery Act, whereby a relevant commercial organisation can be held liable for failing to prevent the acts of an "associated person" (i.e. any person carrying out services for or on behalf of the relevant commercial organisation).
Another broader point which the Law Commission did not consider was whether the underlying offences within the CMA upon which the failure to prevent offence would be based are themselves fit for purpose in the modern age. For example, the offences cover unauthorised access to computer material, but there may be instances where an employee is in fact authorised to access such material but intends to use it for an improper purpose. This may commonly occur in the context of start-up companies and the use of intellectual property for example, where an employee might access data, information or intellectual property with the intent of using it to benefit their new employer. The CMA does not currently guard against this scenario, and confidential information is not considered property for the purposes of the Theft Act 1968 unless it is recorded on a document or file.14 If a scenario such as this one is not adequately covered in existing legislation, companies are unlikely to be incentivised to ensure that employees are not engaging in such behaviour. There are therefore wider questions surrounding the adequacy of the existing CMA offences which would not be addressed through the introduction of a failure to prevent computer misuse offence. In 2021, the Home Office ran a call for evidence on the CMA, and it is currently assessing whether there is any harmful activity not currently covered by the Act. The Law Commission consequently concluded that whether or not a corporate failure to prevent computer misuse offence is introduced should be considered as part of this review, rather than as a standalone reform.
The Law Commission also flagged that a failure to prevent offence in relation to offences under the CMA may raise issues of extraterritoriality, as the CMA already contains complex extraterritoriality provisions reflecting the fact that computer systems traverse international boundaries. These provisions would therefore need to be taken into account if a failure to prevent offence is to be introduced.
Neglect and Ill-Treatment of Vulnerable Persons
It was also submitted to the Law Commission that failure to prevent offences should be adopted in the health and social care sectors to supplement the pre-existing "care provider" offence currently applying to corporates15. The existing offence requires the prosecution to establish a gross breach of a relevant duty of care owed by the care provider, and the Law Commission noted that the very high degree of fault required for a care provider to be convicted was surprising. It therefore proposed an alternative failure to prevent offence (with a reverse burden of proof) to cover ill-treatment and neglect.
It noted that imposing a positive duty on a corporate backed up by criminal sanction for a negligent failure to fulfil such a duty of care would be a significant step and require compelling justification, and stated that introducing such an offence was ultimately a question of policy. It also emphasised that, contrary to its general position, the requirement that the underlying conduct should have been intended to confer a business advantage on the organisation should not apply in this context, as even where the neglect and/or ill-treatment is attributable to a desire to cut costs or save money, being able to demonstrate that a particular act was done with that purpose is unlikely.
A question of policy
It appears that a major factor in the calls for corporate criminal liability reform, in relation to both economic and non-economic crimes, is the current inadequacy of the identification principle and the challenges it poses to prosecutorial agencies seeking to attribute criminal liability to corporates. Indeed, the Law Commission has emphasised that a decision to introduce new failure to prevent offences of any kind must be considered alongside the issue of retention or reform of the identification principle. If the principle is to remain unchanged, the calls for new failure to prevent offences will inevitably become harder to ignore. Any reform to the identification principle will likely place pressure on corporates to reassess their decision making structures.
If the Government introduces further failure to prevent offences, it will need to provide clear guidance on the compliance standards that will be expected of corporates so that corporates can update their due diligence frameworks and prevention procedures to align with these new statutory obligations. This will likely place significant compliance burdens on corporates who will need to have effective procedures in place to address a variety of different offences.
Ultimately, the Law Commission has made it clear that the potential introduction of failure to prevent offences for non-economic crimes is a question of policy. It remains to be seen whether the new Government will consider these proposed offences as necessary legislative updates and, if so, a priority on its agenda.
1 A corporate "failure to prevent" offence was first introduced in relation to the base offence of bribery by section 7 of the UK Bribery Act 2010, and then mirrored in sections 45 and 46 of the Criminal Finances Act 2017 in relation to the facilitation of tax evasion.
2 Options Paper, Paras 8.119-8.121.
3 Options Paper, Para 8.126.
4 Options Paper, Para 8.91; also CJC and Traidcraft Exchange Joint Submission, p.14.
5 CJC and Traidcraft Exchange Joint Submission, p.14.
6 Offences Against the Person Act sections 23 or 24.
7 Offences Against the Person Act section 28.
8 Offences Against the Person Act section 29.
9 Criminal Damage Act 1971 section 1(2).
10 Convention on Cybercrime (ETS No. 185), which was signed by the UK on 23 November 2001, ratified on 25 May 2011, and came into force on 1 September 2011. It is the first international treaty on crimes committed via the internet and other computer networks, and deals with offences such as infringements of copyright, computer related fraud, and violations of network security, among others. Its main objective, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation.
11 The Criminal Law Reform Now Network ("CLRNN") has recommended reform of the CMA and the specific inclusion of a failure to prevent offence within the Act.
12 Article 12(2) of the Cybercrime Convention provides that a body corporate can be liable in its own right for failing to prevent an employee from offending. The liability of the corporate may be criminal, civil, or administrative.
13 Criminal Law Reform Now Network, "Reforming the Computer Misuse Act 1990", Paras 5.5, 5.6 and 5.7.
14 Under English law, confidential information is not considered property (Oxford v Moss (1978) 68 Cr App R 183). Therefore, it appears that 'industrial espionage' where a defendant dishonestly obtains trade secrets from a corporate does not constitute theft, unless the defendant also steals documents or electronic files on which such information is recorded, with the necessary mens rea.
15 Under section 21 of the Criminal Justice and Courts Act 2015.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2022 White & Case LLP