The cost of being a victim of crime? An extraordinary £77million, according to TalkTalk at the recent sentencing of one of the individuals who hacked their systems and blackmailed six senior executives.
Baroness Harding of Winscombe (then TalkTalk Chief Executive) and others received blackmail threats demanding payment in Bitcoin or customer data would be sold on the dark web. The TalkTalk data breach continues to be in the news, with recent revelations that customer data hacked in 2015 remains available online.
The modus operandi of the corporate blackmailer is to obtain information – sometimes as simple as email addresses and perhaps credit card details of business customers – and threaten the company that they will be released publicly knowing that will risk the ruin of the company's reputation and result in significant costs. It is important to realise that in contrast to blackmails of many high-profile individuals, the stolen information may not reveal any misdeeds. The threat arises from the fact that it is information about third parties that the company had been entrusted to keep safely and its release will damage consumer trust and confidence.
There is a lot for a corporate target to think about in these circumstances and many immediate challenges for the General Counsel and the Board: notification obligations under the General Data Protection Regulation, urgent IT investigations and security fixes, reporting to regulators, communications plans, working with law enforcement and business continuity. Most firms with the resources to do so now invest in 'war gaming' a hacking scenario as part of crisis readiness.
There are many responsive strategies to blackmail, and perhaps its greatest challenge for the in-house legal team is there is rarely a 'right' or obvious answer. It is an exercise in judgement, in circumstances where usually no one has any prior experience.
One possible, but less well explored tactic, is to pursue injunctive relief against the person or persons unknown who possess the stolen information. This can be beneficial for a number of reasons:
- It demonstrates that the business took every conceivable step, including going to court, to react to the hack, which may be especially important where any data stolen is customer data
- Should the blackmailer begin to upload material online, it is much easier and quicker to obtain takedown of it from websites with the benefit of a court order already in hand
- The successful obtaining of an injunction can be used as a part of a communications plan, including when fulfilling any obligation to notify affected data subjects under GDPR
- If the stolen information is sensitive and is passed to the media, this enables you to be one step ahead and if an attempt to publish a story based on the misappropriated information is to be made, the publisher will need to demonstrate to the court that there is public interest in the planned disclosure.
On this latter point, the law firm Appleby pursued breach of confidence claims against the BBC and the Guardian arising from publication of the so-called 'Paradise Papers' which disclosed information about many wealthy and high-profile individuals, but only after the publication and not before. Appleby had been hacked and it is thought around seven million documents stolen. We wonder what impact seeking an injunction may have had prior to the media acquiring the stolen material. The claim, which was to establish what documents were in the possession of the media, was settled last year.
The brilliant case of PML v Persons Unknown illustrates the potential impact of obtaining a court order against the hacker. The company – which notably was able to pursue the claim anonymously, thus avoiding further publicity of the matter, which was also under police investigation – was hacked and it duly received a blackmail demand for £300,000 in Bitcoin. Taking back control, even though a victim of crime, the business successfully obtained an urgent non-disclosure order protecting the stolen information, even though the culprit was unknown. The order was served on the criminal, who responded by releasing some of the data, but this was quickly removed from the internet using the court order. Just over a month from the first demand being made, the blackmailer dropped his price to £100,000 and then was never heard from again. Bravo PML.
In the Talk Talk case, the blackmailer was identified as a result of his own online activities in which he boasted of involvement in illegal acts. It is, however, possible to obtain a so-called Spartacus order from the court asking an anonymous actor to identify themselves. Whilst it may seem vanishingly unlikely that anyone intent on unlawful activity will comply, there have been a few cases where the deliberate flouting of a court order addressed to them has been a step too far and the individual has responded. More likely, the benefit comes later when that individual is eventually identified and proceedings for contempt may be commenced immediately.
The police advice to blackmail victims is: 'Don't panic; don't communicate; don't pay'. To which we would add, 'don't be powerless'. If valuable data has been stolen from you, you are a victim of crime but for businesses the law unusually holds you responsible and imposes obligations on you. The public policy justification is that business (rather than affected consumers) is the right place to impose liability and businesses may be able to insure against risk. But it understandably creates a sense of injustice for many clients put in this place, especially those with limited means. The ability to seek injunctive relief to protect further misuse of unlawfully acquired material at least engenders a sense of a fightback and taking back control from the blackmailers.