English court takes jurisdiction over cross-border hacking claim

20 November 2006

Graham Smith

In a recent decision (Ashton Investments Ltd and another v OJSC Russian Aluminium and Others, [2006] EWHC 2545, 18 October 2006) the English High Court has taken jurisdiction over a civil claim arising out of alleged hacking into an English computer from abroad.

Ashton alleged that two Russian defendants (the Rusal Defendants) had hacked into Ashton’s London computer system from Russia and inserted a surreptitious keylogger program with the intention of obtaining privileged and confidential information about English litigation that was in progress between the parties. The Rusal Defendants denied this and asserted that Rusal’s own Wi-Fi network must have been accessed and used by students at a nearby technical university to carry out the hacking.

Ashton started proceedings for breach of confidence, unlawful interference with business and conspiracy. It sought permission to serve the proceedings against the Rusal Defendants in Russia.

In order to satisfy the English procedural requirements for service out of the jurisdiction, Ashton argued that the case was founded on tort and that damage was sustained within the jurisdiction, alternatively that damage resulted from an act committed within the jurisdiction; that the claim related to property located within the jurisdiction; and that the claim was for an order to refrain from doing an act within the jurisdiction.

The judge held that, with the exception of the conspiracy claim, Ashton had established the elements necessary to support service on the Rusal Defendants in Russia. Ashton had established that, apart from the conspiracy claim, there was a serious issue to be tried on the merits and a good arguable case. It had also established that the case was founded on tort and that damage was sustained within the jurisdiction, or that it resulted from an act committed within the jurisdiction. Although the attack emanated from Russia, it was directed at the server in London and that was where the hacking occurred. The fact that the information was transmitted almost instantly to Russia did not mean that the damage occurred only in Russia. The removal took place in London. Also, substantial and efficacious acts took place within the jurisdiction, which is where the hacking occurred and access to the server was achieved. The actions taken in Russia were designed to make things happen in London, and they did so.

Alternatively the judge held that the Ashton computer system and the confidential information residing on it were property within the jurisdiction. He also concluded that an injunction restraining the Rusal Defendants from interfering with the server would be an order to refrain from doing an act within the jurisdiction.

Ashton had also established that England was clearly the convenient forum for the dispute. Among other factors, the judge noted that it was likely that the claim would be governed by English law, since the most significant element of the events, the unauthorised access to the server, occurred in London. Events which occurred abroad were all directed at the server in London.

The judge therefore granted permission to serve the proceedings against the Rusal Defendants in Russia. He refused permission to serve proceedings against the individual defendants against whom Ashton also proceeded, since Ashton had not established a good arguable case in conspiracy or that the individual defendants were necessary or proper parties to the litigation.
