​The English Courts have shown that they are willing to use the wealth of existing tools within the Civil Procedure Rules to protect parties who are victims of a malicious data breach.

Summary

An organisation which finds that it has been the victim of a data breach, and that sensitive data has been stolen, can minimise the damage, both financial and reputational, by acting quickly, using the tools available within the Civil Procedure Rules (CPR).

Those tools include interim orders for a freezing injunction, self-identification, non-disclosure/restraint of publication and delivery up and/or destruction of any stolen data.

CPR Tools for cyber victims

A victim of a cyber crime or malicious data breach obviously has a number of decisions to make at an early stage following its discovery. Once the initial steps to investigate and contain the breach are underway, and while the police and other authorities carry out their own investigations, the victim may wish to take urgent action in the civil courts in order to protect their position and to prevent hackers or fraudsters from profiting from their crimes.

The tools which parties and civil judges have at their disposal, including where the malicious actors have not yet been identified, include:

  • Freezing order: Where a claimant knows, even suspects, the identity of the malicious actors, they should very quickly explore the question of whether there are assets against which a freezing injunction could be applied (and where those assets are). Subject to proving a risk that the assets would be dissipated (which in cases involving dishonesty may be a relatively low bar) the courts have shown themselves willing to assist claimants.
  • Interim orders to restrain use of data, such as non-disclosure orders and orders for delivery up and/or destruction of any stolen data.
  • Self-identification orders: Where a defendant remains anonymous in a case of threatened unlawful publication, the court has the power to make an order requiring the defendant(s) to identify themselves and to provide an address for service. Committal for contempt of court action may follow for those who defy such orders and are subsequently identified.
  • Orders against third parties (including outside of the jurisdiction) to block access to websites and servers which are being used, for example, to publish stolen data.

Two 2018 decisions illustrate the extent to which the English civil courts can assist in limiting the damage caused by a cyber attack.

In PML v Persons Unknown, where an anonymous hacker had stolen data and was demanding money under threat of publication, the claimants managed to restrain the hackers’ efforts to use the stolen data by obtaining a series of interim orders and injunctive relief. Alongside an order to restrain the use of the data were orders for delivery up/destruction of the data, an order for self-identification and orders against a third party who was initially hosting the stolen data on its website. The injunction order was then served on a number of companies which were hosting websites or char forums on which the hacker sought to publish the data. The claimants were permitted to serve the defendant using the email address from which his anonymous blackmail demands had been sent; the Court also made an order anonymising the claimant and restricting access to the court file.

The claimants in Solid Property Grundstruck GmbH & Co & Ors v Singh & Ors obtained an order continuing a worldwide freezing order against five defendants. It was alleged that the five (or some of them) were behind a hack of the claimant’s email system, which was then used to fraudulently procure payments amounting to €4 million into the fifth defendant’s bank account. Those funds were immediately transferred to an account in the Czech Republic which was held by or connected to other defendants. The court was satisfied that there was enough at that stage to establish a good arguable case, given evidence of “some involvement” or association by the various defendants. There was also a risk of dissipation of remaining assets, a decision aided by the fact that the underlying claim involved dishonesty, with an international element. Although the perpetrators of, and participants in, the fraudulent activity had not been definitively identified, the court held that it had to do what it could to assist the claimants in protecting themselves, and preserving and protecting any funds which remained.

The English Courts have shown themselves willing to exercise their considerable discretion and to use the CPR flexibly and imaginatively in order to protect parties which have suffered a data breach. Although (as recognised by the court in PML) an anonymous cyber criminal may well be undeterred by self-identification and non-disclosure orders, and may simply choose to defy them, such tools can usefully limit the damage of a data breach when deployed against third parties (like those hosting websites and chat forums). In PML, the court also observed that even of those choosing defiance, “few...can remain confident that they will ultimately manage to evade identification”, and the spectre of punishment by contempt of court then looms large, alongside other criminal charges. Even if the perpetrator cannot be identified, there can be some comfort for business in knowing that their means of publishing stolen data can potentially be limited.

Parties can greatly mitigate their potential losses by using injunctive relief and interim orders to shut down the use of stolen data and to ensure that assets are frozen pending the outcome of any investigations.