Cybercrime and blackmail – remedies in the High Court of Justice and GDPR
Headlines in this article
Following blackmail threats against two companies from cyber-attackers who had stolen confidential information, the court granted injunctions against unknown defendants prohibiting publication of stolen confidential information, and made a range of other orders aimed at protecting the victims of the cyber-attacks and ensuring stolen data remains confidential. The rulings show a flexible approach being taken by the courts and demonstrate the range of potential court-based remedies available to victims in the fight against cybercrime: Clarkson Plc v Person or Persons Unknown [2018] EWHC 417 (QB), 7 March 2018 and PML v Person(s) Unknown [2018] EWHC 838 (QB), 17 April 2018.
Cyber-blackmail
In both cases, the claimant companies were hacked by unknown individual(s) who had gained unauthorised access to their IT systems, stolen confidential information and were then blackmailing the claimants by threating to publish the information unless substantial sums were paid.
The court granted interim injunctions preventing publication of the stolen confidential information, interim orders restricting access to documents on the court file and permitted service of the claim forms electronically on the email addresses from which the blackmail threats had been made. In PML, the court also made an additional order anonymising the claimant’s identity (using the initials “PML”) on the basis that it was an apparent blackmail victim and ought to be anonymised to minimise public attention on the attack.
Clarkson – Derogations from the principle of open justice:
In Clarkson, the defendants(s) did not respond or serve a defence and the court granted the claimant’s application for default judgment and a final injunction prohibiting publication without a hearing. Although proceeding without a hearing was a derogation from the “principle of open justice”, the court held that this was within its power where it did not consider a hearing to be appropriate.
The judge noted that the case had not proceeded in secret; there had been two public hearings at which reasoned judgments had been given and the court was satisfied that the claimant had taken all reasonable steps to notify the defendant(s), who had most likely refused to appear in order to avoid identifying themselves as the perpetrators of the apparent blackmail.
PML - self-identification order against the unknown defendant(s):
In PML, the court made a number of additional orders, including an order requiring the unknown defendant(s) to deliver up and/or destroy the stolen data, and an order requiring the defendant to identify him or herself and provide an address for service (a self-identification order).
The court noted that while the defendant may disobey the self-identification order (and the other orders including the injunction), this was not a reason not to make it and the court should not assume that all defendants would choose defiance. The judge referred to another case he had heard against unknown defendant(s) in which a self-identification order had been complied with1.
The court also paved the way for the claimant to apply for default and/or summary judgment (as the claimant did in Clarkson) should the defendant continue with its refusal to participate in the proceedings.
Comment
As businesses become ever more dependent on technology, the trend of cybercriminals seeking to hide behind the cloak of anonymity in order to evade detection and the reputational, legal and financial consequences of their actions for businesses has become all too familiar. The court’s willingness to grant a range of remedies against unknown defendants should therefore be welcomed.
It is an open question whether an injunction is actually effective at preventing publication of information stolen by unknown cybercriminals. The answer in PML is that it can be if third parties are likely to comply with an injunction prohibiting publication once notified of it. Upon receipt of the interim injunction, the defendant made good its threat and published the claimants’ stolen data on a number of websites and forums. When this came to the claimant’s attention, it served copies of the injunction on the companies hosting those websites, who subsequently blocked access to the documents and deleted them in order to avoid aiding a breach of the injunction. Had the third parties been unwilling to do so, the claimant would have been able to seek an order from the court requiring compliance, potentially even if those companies were based outside the jurisdiction. Such an order has the potential to be a very effective tool available to the court to assist in policing compliance with an injunction on publication.
Both cases are useful reminders that there are court procedures available to victims of cybercrime aimed at ensuring their stolen information remains confidential should they seek to protect their position through the courts. In both cases orders were made restricting access to the hearing papers and certain documents on the court file (including documents exhibiting the stolen data), and in Clarkson the order also restricted the provision of those documents to third parties and non-parties unless an application was made for permission to inspect the documents.
The difference in approach taken by the claimant in each in response to the cyber-attacks is also noteworthy. In PML, the claimant attempted to keep the data breach under control by seeking to protect its anonymity in the courts and by attempting to thwart publication by notifying third parties as and when it became aware of publication. By comparison, the claimant in Clarkson took a more openly confrontational approach, issuing a public statement shortly after it became aware of the attack stating that it would “not be held to ransom by criminals”, and taking steps to contact potentially affected clients and individuals directly in an attempt to mitigate the potential damage caused by publication.
The approach a victim takes will of course depend on the facts of the case and the nature of the stolen data, but in both of these cases the use of injunctions appeared to be part of a broader strategy designed to keep sustained pressure on the blackmailers in an attempt to make publication as difficult, risky and unprofitable as possible.
In both cases the decision to issue an application to court was taken in conjunction with reporting the blackmail to the police, who then commenced their own criminal investigations. Whether a cyber-attack will be reported to the police is a decision that needs to be taken on a case by case basis, however there are obligations on data controllers, regulated entities and public companies to report data breaches to the competent authorities in certain circumstances (be that the FCA, PRA or ICO), and these obligations are enhanced under GDPR which comes into force on 25 May 2018. Notwithstanding this, there are clear advantages to a victim of seeking to protect its interests through the courts in parallel, for example the fact that an injunction can usually be obtained relatively quickly by comparison to often lengthy criminal investigations, and the fact that injunctions and other court orders can be issued against persons unknown. An injunction’s utility may also increase if the cyber-attackers’ identities become known in the future. As the judge noted in PML, few defendants can remain confident that they will ultimately evade identification, and “If they fail, punishment for contempt of court would then loom large”.
Footnote:
1 NPV v QEL & anr [2018] EWHC 703 (QB).
Further information
This case summary is part of the Allen & Overy Litigation and Dispute Resolution Review, a monthly publication. If you wish to receive this publication, please contact Amy Edwards, amy.edwards@allenovery.com.
