(844) 627-8267
(844) 627-8267
0

Injunctive Relief Against Persons Unknown – The Ransomware Edition – On the Record | #ransomware | #cybercrime


On 11 July 2023, the English High Court handed down its decision on the claimant’s application in Armstrong Watson LLP v. Persons Unknown, granting judgment in default and final injunctive relief. Specifically, the court granted the claimant permanent injunctive relief against persons unknown – a group of unidentified hackers – for purposes of restraining the use and disclosure of confidential information that had been acquired by the hackers via a ransomware attack and to require deletion or delivery up of that information. The central issues addressed by the court were:

  • Whether the claimant could proceed with its application on paper without a hearing, pursuant to the Civil Procedure Rules (CPR).
  • Whether the claimant was entitled to default judgment.
  • What the appropriate remedies were for the alleged breach of confidence claim.

Background

The claimant was a UK-based limited liability partnership providing professional accounting, tax and financial services. It had been the victim of a ransomware attack undertaken by unidentified hackers who threatened to disclose or sell the confidential electronic information obtained – which related to the claimant’s staff, customers and business – on the dark web or to the world at large unless a ransom was paid to them in bitcoin.

The claimant made an urgent without notice application for an interim injunction in March 2023, following the ransomware attack. The claim was brought against ‘persons unknown’, who were said to have hacked the IT system of the claimant.

The interim relief was granted in a judgment by The Honourable Mr Justice Ritchie in the terms sought by the claimant, with provision for a return date and the completion of various steps by each party by specified dates. On the return date, the court proceeded in the defendants’ absence, as the defendants had failed to identify themselves and deliver up or delete the confidential information that was the subject of the application.

The court held that it was satisfied that the claimant had complied with its procedural requirements, including filing and serving the claim form and particulars of claim on the persons unknown. In the circumstances, the court permitted alternative methods of service – namely, service by email in combination with text messages to alert the defendants to the existence of the emails, given the difficulties associated with more traditional methods of service. However, none of the steps required of the defendants by the court were undertaken. Therefore, in light of the defendants having failed to comply with their obligations, the claimant sought default judgment and final injunctive relief, which was granted by The Honourable Mrs Justice Collins Rice.

Issues considered by the court

Dealing with the application on paper without a hearing

  • CPR r.23.8 provides that a court may deal with an application on paper without a hearing if the parties agree, or if the court does not consider that a hearing would be appropriate in the circumstances.
  • In the absence of any material developments since the interim order granting the injunctive relief was made, and given that the defendants had not engaged with the proceedings in any way, the court applied the ruling of Clarkson Plc v. Persons Unknown in finding that a hearing was not appropriate.

Default judgment

  • CPR r.12.3 sets out the basic conditions to be satisfied before entering default judgment, including that the claimant has duly filed and served a claim form and particulars of claim.
  • This case involved a breach of confidence claim. In the particulars of claim, the claimant set out the correct legal components of the cause of action:
    • That the defendants obtained the information without consent or authorisation, and in circumstances in which they knew or ought to have known that the claimant reasonably expected the information to be and remain private and confidential.
    • That the defendants owed the claimant a duty of confidence in consequence.
    • That in accessing and threatening to disclose the information, the defendants were acting in breach of that duty of confidence.
  • The particulars of claim also set out allegations of fact in relation to each of the above components, including the identity and nature of the information, the circumstances in which it was obtained, and the defendants’ subsequent course of conduct – including threats of disclosure or sale unless demands for payment were met.
  • The procedural preconditions for default judgment also were fulfilled in this case, as the defendants had not filed and served a defence by the specified deadline, nor had they provided any response that demonstrated a willingness to engage in the proceedings.
  • The court therefore ruled that the claimant was entitled to default judgment.

Remedy

  • The court held that the claimant was entitled to permanent injunctive relief to restrain the use and disclosure of the information and to require deletion or delivery up of the information.
  • Key considerations of the court included the defendants’ course of conduct associated with the ransomware attack, their failure to engage with the litigation and their breaches of previous orders.
  • The court considered that there was a high risk that the defendants would persist with their course of conduct in carrying out threats of unlawful disclosure, unless clearly restrained by a court order subject to sanctions.

Key takeaways

Companies should take note of this judgment, as the litigation proceedings deployed here in circumstances where the defendants were persons unknown represents a strategic tool in the toolbox for a victim of a cyberattack and is another line of defence in preventing the onward sale or disclosure of confidential company information. The court’s willingness to make an order for final injunctive relief in such circumstances is indicative of the remedies that the court is prepared to impose against unidentified threat actors seeking to cause harm to companies through cyberattacks.

Finally, the judgment is helpful from a procedural perspective, as it reaffirms the relevant factors which the court is likely to consider when assessing whether an application can be determined on the papers without a hearing and the procedural prerequisites in favour of default judgment




Source link

National Cyber Security

FREE
VIEW