Help from the courts with ransomware

The valuable intellectual property of businesses in the tech sector, alongside their potential service roles and access to sensitive customer information, has the potential to make them ripe targets for ransomware cyber attacks.

Prevention is undoubtedly better than cure, with a robust IT infrastructure and appropriate staff training being key aspects of that. But unfortunately it is likely to be impracticable to completely eliminate all risks.

If the worst happens, there are likely to be two parallel problems to resolve:

  • Repairing internal IT systems, including recovering data and functionality; and
  • Protecting your reputation, and sensitive information you may have held. 

The first part of the fix would usually be for IT specialists. However, the Courts are increasingly showing a willingness to assist with the second part. 

A recent court case involving ransomware

A recent example was xxx -v- persons unknown, a High Court decision in October 2022, in which a business which had fallen victim to a cyber attack was seeking an injunction to prevent the perpetrators from distributing information they may have unlawfully obtained.

This case involved a business which, in March 2022, had received a ransomware note asserting that confidential information had been downloaded from its servers – and the original data encrypted – with a US$6.8m ransom sought to prevent publication of the information and loss of the data that had been encrypted. 

The perpetrator had established contact via email in order to negotiate the ransom. The business therefore sought an injunction from the Court, to prohibit disclosure of confidential information, thus making it a contempt of court for the perpetrator to proceed with its threats. This approach exposed the perpetrator to potential penalties for breaching the injunction. Put another way, it made it significantly more risky for the perpetrator to carry out their threat of disclosing confidential information, hence reducing the likelihood of harm to the business. 

The decision is notable for two particular reasons:

  • The Court agreed to keep confidential the name of the business which had sought the order, and to consider the application in private, hence helping to protect the business’s reputation.

Whilst the Court acknowledged this would not be appropriate in every case, it took into account that the business provided “technology-led solutions for security-sensitive and highly classified projects of national significance” and that its clients “require the utmost discretion, secrecy, and protection from external threats”. 

It follows that, in appropriate circumstances, the Courts are open to providing remedies without the risk of adverse publicity from the Court application itself disclosing the identity of the business involved. 

However, the Court did observe that where a data breach gave rise to obligations that may result in the breach being publicised anyway (for example, under GDPR rules), then the potential benefit of anonymity would be defeated.

It therefore seems that the Court may be prepared to conceal the identity of a business applying for such an injunction where the very nature of its business might be defeated by its name being revealed, but less so where the business may be harmed only by adverse publicity from its name being revealed, albeit with a need to consider each case on its own facts. 

  • The Court required the perpetrator to refrain from publishing the unlawfully obtained data, and to either return it or delete it, even though the perpetrator’s identity was unknown. This was on the basis that the information had not been published at that point, so that it remained of a confidential nature. 

Without the Court issuing such an injunction, the business’s remedy against the perpetrators would likely be limited to – at best – an action to recover compensation from a fraudster who may not have assets, or who may evade enforcement action (ignoring any criminal prosecution, which may be difficult to prove, and which would not usually directly benefit the business anyway). With the injunction, the fraudster is exposed to consequences similar to criminal liability (i.e. a potential fine and/or imprisonment for breach of the injunction), even if they cannot be directly proven to have conducted the original “hack”. 

There are obvious practical difficulties in enforcing an injunction against “persons unknown”, though any publication of the confidential information would itself add to the trail that may lead to the perpetrator, and the injunction is also likely to be helpful in securing the swift removal of data from any third parties through which the perpetrator might attempt to publish it.

The main takeaway from the case

In this case, it seems that a copy of the injunction was provided to the perpetrator via the email address used to try to negotiate a ransom. However, even if that had not been possible, the Courts seem previously (for example, in Cuciurean v Secretary of State for Transport, 2021) to have taken the approach that as long as an injunction has been served in a manner acceptable to the Court (on which the Courts have generally taken a flexible and pragmatic stance), it is from then onwards binding upon the whole world, irrespective of whether any specific individual has actual knowledge of it. That leaves an obvious issue as to fairness if someone innocently breached an injunction, though in the present context it would seem difficult for the perpetrator to argue that their actions were innocent, and it is open to the Court to consider the entirety of the circumstances when deciding any appropriate penalty for a breach of injunction.

The takeaway point is therefore that where a business has been a victim of cybercrime, the Courts are ready and willing in appropriate circumstances to act to support the business in preventing damage, rather than limiting their role to exploring compensation for damage once that damage has already been done.