Those of us specialising in cyber law are used to guiding clients through the most challenging times, when their businesses have been hit by a cyber or data risk incident. Given all that we have seen when advising organisations directly, it is fair to say that most cyber lawyers live in fear of their firms being targeted by threat actors. In recent months, we have seen an uptick in law firms and Chambers alike falling victim to cyber-attacks, including listed law firm Gateley and now commercial set 4 New Square.
In June, threat actors accessed 4 New Square’s systems and exfiltrated data. They then sought to blackmail the Chambers into paying a ransom and threatened to publish that data if the amount requested was not paid. However, instead of making payment of the ransom or attempting to restore data from backups, for example, members of 4 New Square took the bold step of applying for and obtaining an injunction against persons unknown, being the threat actors who were blackmailing Chambers.
So what is an injunction against a person unknown and how effective will it be against threat actors who have stolen data which may be both personal and commercially sensitive, given the nature of what 4 New Square does?
The right to obtain an injunction against an unknown person was first established in Bloomsbury Publishing Group v News Group Newspapers Ltd EWHC 1087 Ch, which concerned the theft from printers of the unreleased fifth Harry Potter book, which was being offered to newspapers by unknown individuals.
With such injunctions, although the claimant may be able to describe a person/group of people who are responsible for infringement of their rights, they may not know their true identity. Consequently, the courts have recognised that for justice to be done, in some circumstances it should be possible for a claimant to obtain an interim injunction against ‘persons unknown’ prohibiting or compelling certain acts.
In order to obtain an injunction against persons unknown, the following test must be met:
1. There should be a sufficiently real and imminent risk of an act/damage being committed to justify the injunction;
2. It is impossible to name the person/persons who are likely to commit the act/damage unless restrained;
3. It is possible to give effective notice of the injunction and for the method used to be set out in the order;
4. The terms of the injunction should correspond to the threatened act/damage and not be so wide as to prohibit lawful conduct;
5. The terms of the injunction should be sufficiently clear and precise to enable people potentially affected to know what they must not do; and
6. The injunction should have clear geographical and time limits.
In the case of a ransomware incident, steps 1, 2, 4 and 5 seem relatively straightforward to meet. Typically, a threat actor will be threatening to publish or sell data on the dark web and whilst the group may be identifiable by name (e.g. REvil), it will not be possible to name the actual individual(s) who will do the publishing, for example. However, the requirement to give effective notice may not be without challenge depending on the method of communication with the threat actor(s).
Perhaps the most difficult step to overcome, however, is number 6 and the requirement that the injunction should have clear geographical limits. Whilst forensic investigators can usually narrow the location of the threat actor down to a country, it is rarely more specific than that.
There is also the significant question of enforcement. A number of threat actor groups are based in countries such as Russia, Ukraine, North Korea and Iran. These are all countries in which it is notoriously difficult to enforce English court orders. As such, the value of the injunction against persons unknown in a cyber-incident may in fact be quite limited, save that it is a step which an impacted entity can take to show its customers/clients that it is taking some action to mitigate the risk of data being published.
We shall keep a watching brief as to how the injunctive relief benefits Chambers in its dealings with the threat actor group, although we are yet to fully understand its value.