Practical assistance from the Courts in relation to ransomware attacks: XXX v Persons Unknown (2022)
The English High Court has once again demonstrated that it has a number of weapons in its procedural armoury to help corporate victims of ransomware attacks. In a recent decision (XXX v Persons Unknown [2022] EWHC 2776 (KB)), a final injunction was granted in respect of a breach of confidence claim against a group of unknown defendants who illegally obtained confidential information by way of a ransomware attack. The Court also maintained the anonymity of the claimant in granting the injunction.
We consider the facts and explore the practical outcomes of the case in this article.
Facts
In March 2022, the claimant (who remains anonymous for the purposes of this claim) received a ransom note, notifying them that they had been the victim of a cyber-attack in which cyber attackers had obtained and downloaded the claimant’s databases, server and encrypted files and had made them inaccessible to the claimant. The claimant’s business related to the provision of technology-led solutions for projects of national significance and as such the data obtained was highly classified, security-sensitive information that was protected by the Official Secrets Act 1989. The attackers demanded a ransom of USD 6.8 million in exchange for the decryption and non-disclosure of the data. The claimant made a without notice application and, on 30 March 2022, the Judge (Stacey J) granted an injunction which prohibited the attackers from using or disclosing the data that they had obtained from the cyber-attack. This injunction was continued at a subsequent hearing by another Judge (Chamberlain J) until trial or further order.
The claimant then brought proceedings for breach of confidence, claiming both a permanent injunction and damages. The claimant subsequently sought a summary judgment in respect of the permanent injunction.
Breach of confidence claims
In order to succeed with a claim for breach of confidence, the claimant must establish that (Attorney General v Guardian Newspapers Ltd (No. 2) [1990] 1 AC 109) the information:
- has the necessary quality of confidence;
- that the defendant came to know of what was being said in circumstances importing an obligation of confidence; and
- that there had been unauthorised use or a threat to use that information to the detriment of the owner of the information.
Remedies available for breach of confidence include an injunction, an award of damages or account of profits.
Practical Outcome 1 – Injunction
The claimant sought summary judgment on its breach of confidence claim and relief in the form of a permanent injunction. The Judge hearing the application (Cavanagh J) granted summary judgment on the finding that the responding party (the attackers) had no real prospect of successfully defending the claim, and there were no other compelling reasons why the matter should be heard at full trial.
In doing so, Cavanagh J approved a permanent injunction, finding that the case for relief in this form was “overwhelming”. Granting the summary judgment on the terms sought, Cavanagh J applied the three basic elements for an action for breach of confidence (as above) to conclude that ‘Persons Unknown’ could not reasonably defend the claim: he was fully satisfied that the information had a necessary quality of confidence, was obtained in circumstances importing an obligation of confidence and was being used in an unauthorised manner. Cavanagh J noted that given the way in which the persons had attacked the claimant’s databases, server and encrypted files and blackmailed the claimant, it was “hard to think of a more egregious form of breach of confidential information”. The final injunction was formed of two strands: first, prohibiting the continued misuse of the stolen data, and second, ordering the return of the stolen data or its destruction upon oath.
Comment:
Although it is understandable on the facts of this case why the claimant succeeded with its breach of confidence claim and did so on a summary judgment basis, it is significant that the Court granted an injunction on the above terms, particularly given that the defendants’ identities remain unknown. Injunctions against ‘Persons Unknown’ raise a multitude of legal questions, including around notice and awareness of the order itself. English case law confirms that, provided that the terms of the order permit alternative service and these have been complied with, a respondent to a ‘Persons Unknown’ injunction will be taken to have notice of the order’s existence. Furthermore, the injunction granted will usually contain a penal notice for contempt of court, meaning contravention of the terms of the injunction could lead to imprisonment and/or a fine. Construction of the order in this way provides it with real bite, especially against the perpetrators of a cyber-attack.
Practical Outcome 2 – Damages
In his judgment, although the issues of entitlement to damages and assessment of costs were adjourned, Cavanagh J retained liberty to restore these issues, therefore not precluding the claimant from bringing future claims against the defendants, in the event that the defendants can be identified in order to request payment of the same.
Comment:
This is a welcome finding. It suggests that the remedies available to the victims of a cyber-attack are not exhausted on the imposition of an injunction. Notwithstanding potential criminal proceedings for failure to comply with the injunction, if the defendants can later be identified, then a claim for damages and costs may also be available to the claimant.
Practical Outcome 3 – Anonymity
In addition to seeking a permanent injunction, the claimant submitted that their identity should continue to be anonymised, as it had been in the previous orders of Stacey J and Chamberlain J. Cavanagh J found in the claimant’s favour and ordered that the identity of the claimant continue to be anonymised.
Whilst open justice is a fundamental principle of the English judicial system, Cavanagh J noted that derogations from this can be justified in specific cases. Cavanagh J found that although mere “negative consequences” suffered by a business as a result of a cyber-attack would not automatically justify anonymity, the nature of the work undertaken by the claimant in this case, and the risks posed if its identity were to be known, justified derogation from open justice. This was because the claimant operated “security-sensitive and highly classified projects of national significance” and as such, if the claimant’s identity was to be revealed, its data would be “of interest to several categories of persons with potential malicious intent, including… organised criminal groups and terrorist organisations.”
Comment:
Although anonymity will not be ordered for every claimant who is the victim of a cyber-attack, and indeed the Court stressed this point in the judgment, it is useful to note that where the publication of the name of the victim could “advance the unlawful purpose of the defendants” resulting in “a very great deal of harm” to the victim, an anonymity order could be available in this context. The Court has taken a clear position that it will not become an “instrument of harm” in claims concerning cyber-attacks.
Conclusions
The Court identified an arsenal of remedies available to victims of cyber-attacks and provided practical guidance as to: (a) the steps to take to obtain a permanent injunction via the summary judgement route; (b) preserve the availability of claims for damages and costs; and (c) maintain the anonymity of the corporate victim.
To discuss any issues in this article, please get in touch with the authors.
For a previous article relating to breach of confidence, click here, and for further disputes related content click here to visit Disputes+.