Who should be held accountable when cyber fraud occurs — the hacker, the company that got breached, or the platforms used (e.g., WhatsApp, Facebook)?

Determining accountability in cyber fraud is a complex issue with multiple stakeholders, and the responsibility often falls on a combination of parties.
There's a growing push globally, including in places like Taiwan, for a "systemic defense" approach that assigns responsibility to those best positioned to prevent harm, rather than solely blaming the victim.
Here's a breakdown of who should be held accountable and why:
1. The Hacker (The Primary Perpetrator)
- Criminal Liability: The individual or group directly engaging in the unauthorized access, data theft, and fraudulent activity is the primary actor and holds the most direct criminal liability. Their actions are illegal and directly cause harm.
- Reason: They intentionally initiate and execute the malicious act.
- Challenges: Attribution (identifying the hacker) and jurisdiction (apprehending and prosecuting them, especially if they are in another country) are significant hurdles. However, law enforcement agencies worldwide (like the FBI, Interpol, and Taiwan's Criminal Investigation Bureau) are increasingly collaborating to track down and indict cybercriminals.
2. The Company/Organization That Got Breached (The "Victim" of the Breach, but also a Steward of Data)
- Negligence and Data Protection Liability: Companies that experience a data breach or are otherwise exploited in a cyber fraud scheme can be held accountable if they failed to implement reasonable and appropriate cybersecurity measures to protect sensitive data.
- Reason: They are entrusted with personal and financial data. If their negligence (e.g., outdated systems, unpatched vulnerabilities, weak access controls, insufficient employee training) allows a breach to occur, they bear responsibility for the harm caused to individuals whose data was compromised.
- Legal Frameworks: Regulations like Taiwan's Personal Data Protection Act (PDPA), Europe's GDPR, and various US state laws (e.g., CCPA) mandate data protection standards and impose penalties (fines, civil lawsuits) for breaches, especially if timely notification is not provided.
- Example: If a bank's lax security allows a hacker to steal customer funds directly from accounts, the bank will likely be held liable for those losses and face regulatory action. If a company's data breach leads to customers becoming victims of identity fraud, the company can be sued for damages.
- Delayed/Insufficient Disclosure: As seen with Uber and Equifax, companies can face severe penalties for covering up or delaying the disclosure of breaches, as this prevents affected individuals from taking timely protective measures.
- Third-Party Risk: Companies are also increasingly held accountable for the cybersecurity posture of their third-party vendors and supply chain. If a breach originates from a supplier, the primary company may still bear some liability.
3. The Platforms Used (e.g., WhatsApp, Facebook, Google, Telcos, Financial Institutions)
- Facilitation of Fraud: These platforms provide the infrastructure and communication channels that cybercriminals exploit. Their level of accountability is a growing area of debate and evolving legal frameworks.
- Social Media and Advertising Platforms (e.g., Facebook/Meta, Google, X, LINE in Taiwan):
  - Content Moderation: They are increasingly expected to take proactive measures to detect and remove fraudulent advertisements, scam profiles, and malicious content (e.g., phishing links).
  - Identity Verification: There's a push for platforms to implement stronger identity verification for advertisers and users to prevent impersonation and the creation of fake accounts.
  - Timely Removal: New regulations, like Taiwan's Fraud Crime Hazard Prevention Act (FCHPA), explicitly mandate online advertising platforms to remove fraudulent ads within a specific timeframe (e.g., 24 hours). Failure to comply can lead to significant fines and joint liability for damages caused to victims.
  - Reason: They benefit financially from the ads and user engagement, and have the technical capacity and responsibility to monitor their platforms for illicit activity.
- Telecommunication Companies (Telcos):
  - SMS/Call Fraud: Telcos play a role in preventing spoofed calls/SMS, blocking known scam numbers, and implementing measures to protect personal data related to phone numbers (e.g., Taiwan's "111" SMS short code for government messages).
  - Identity Verification: Ensuring that SIM cards and phone numbers are registered to legitimate identities to prevent their use by fraudsters.
  - Reason: They control the communication networks that fraudsters often use as their primary attack vector (e.g., phishing SMS, scam calls).
- Virtual Asset Service Providers (VASPs) / Cryptocurrency Exchanges:
  - Money Laundering: VASPs are increasingly under pressure to implement robust Anti-Money Laundering (AML) and Know Your Customer (KYC) procedures to prevent their platforms from being used by cyber fraudsters to launder stolen funds.
  - Reporting Suspicious Activity: They are obligated to report suspicious transactions to financial intelligence units.
  - Reason: They facilitate the movement and conversion of illicit funds, making them a crucial choke point for disrupting cyber fraud.
- Financial Institutions (Banks):
  - Fraud Detection: Banks are expected to have advanced fraud detection systems to identify and block suspicious transactions (e.g., unusual wire transfers, large cash withdrawals by money mules).
  - Customer Education: Banks often run campaigns to educate customers about common scams.
  - Prompt Action: Swift action to freeze accounts and recover funds upon notification of fraud is critical.
  - Reason: They are the custodians of people's money and the gatekeepers of the financial system.
Conclusion: Shared Responsibility and Systemic Defense
The trend is towards a model of shared responsibility, where accountability is distributed across all entities that have a role in the cyber ecosystem.
- The Hacker: Remains criminally liable for their direct actions.
- The Breached Company: Accountable for failing to adequately protect data and systems, often facing regulatory fines and civil lawsuits.
- The Platforms: Increasingly held responsible for the fraudulent activity occurring on their platforms, especially if they fail to implement reasonable preventative measures, identity verification, content moderation, and timely removal of illicit content or accounts.
The "Systemic Defense" approach argues that relying solely on individual users to identify and avoid sophisticated fraud is insufficient. Instead, those who design, operate, and profit from the digital infrastructure must embed security by design and proactively mitigate risks at a systemic level. This shift places a greater burden on companies and platforms to build a safer online environment, thereby reducing the opportunities for cyber fraud in the first place. Taiwan's recent anti-fraud legislation (like the FCHPA) reflects this global shift towards greater platform accountability.