Court action: a strategic option for data security breach response – a UK perspective

• United Kingdom

• Technology, Media and Telecoms - General

17-04-2019

How an organisation responds to a cyber attack can define how it is seen by its current and future customers, employees, investors and other stakeholders. Separate to the regulatory response, remediation and dealing with inbound litigation risk, an important part of an organisation’s incident response strategy is the action it can take against the perpetrator(s).

From a UK perspective, the Courts provide several options for action, which also make best use of current technology. These include orders restraining the threatened publication of stolen data; requiring delivery-up and/or destruction of stolen data; freezing the assets of those responsible for the attack; as well as identification of users of relevant IP addresses and blocking their use.

Three recent cases illustrate the point:

• In PML v Persons Unknown, an unknown person gained unauthorised access to the computer systems of PML, a UK company, and copied a significant amount of confidential and sensitive data. That person then sought to blackmail PML into paying a ransom for the deletion of the data. PML applied to the English court, obtained a non-disclosure order against the (unknown) defendant to restrain the threatened breach of confidence, and an order for delivery-up and/or destruction of the stolen data, and served these orders via the email account from which the Defendant had been threatening PML. The hearing was conducted in private, the Court file was sealed and PML’s identity was anonymised in all public documents.

The Defendant attempted to publish the stolen data on a number of publicly-accessible websites, but PML was able to use the English injunction to rapidly close down web servers hosting the data in the UK. PML also applied for and obtained a similar order in another European jurisdiction in which the data had been hosted. Using these two injunctions, PML was able to block access to or procure deletion of its data as and when it was hosted on other servers or referred to in online forums. This was effective in minimising the spread of the stolen data and mitigating the impact of the breach.

• In Clarkson plc v Persons Unknown, an unknown individual(s) gained unauthorised access to the IT systems of a London-based public company, obtained a considerable quantity of confidential information, and then threatened to publish that information unless a ransom was paid. The Claimant was able to obtain default judgment and an injunction prohibiting the unknown individual(s) from communicating or disclosing to any third party the confidential information obtained via the breach. The Claimant was able to limit wider disclosure of the data, and again the matter was heard in private and public access to the court’s file restricted.

• In CMOC v Persons Unknown, CMOC was the victim of a business email compromise fraud: unauthorised persons gained access to CMOC’s email system and caused its bank to make some 20 transfers from CMOC’s accounts, totalling $6.91m together with €1.27 million, to persons unknown.

Although CMOC was initially unable to identify who was responsible for the fraud and who had received the transfers, CMOC was able to obtain a worldwide freezing injunction against the assets of the (unknown) perpetrators of the fraud as well as a series of information and disclosure orders against banks across the world through whom the funds had passed. This enabled CMOC to identify a number of individuals and businesses who had either received or handled the funds, and to obtain judgments on claims against many of them including for dishonest assistance; unlawful means conspiracy; knowing receipt; and unjust enrichment. Notably, the court also took the relatively novel step of permitting the use of messaging apps, including Facebook Messenger and WhatsApp, as a method of service of proceedings in circumstances where this was the most practical method of communicating with the Defendants.

A point not mentioned above, but an equally important part of any response strategy, is to assess the action the organisation can take against other organisations which may have allowed, by act or omission, the incident to take place. Vulnerabilities can be varied, but can include through the supply chain or outsourced providers. Separate to contractual risk allocation, a system of active and ongoing due diligence of such suppliers is also critical.