How can UK or US courts protect your business from a ransomware or cyber-attack?
24 November 2022 | Applicable law: England and Wales, US
For a business realising the awful truth that it has fallen victim to a cyber-attack, there is a lot to do: urgent IT measures to secure assets, investigations, regulatory notifications and carrying out business continuity plans.
There are good reasons for a business to consider adding court action to that action list and an increasing number of businesses are doing so. This is because it is possible to use the courts to obtain an injunction (an order prohibiting certain actions) or gather information on the hackers to prevent the further use or disclosure of any stolen data or information and help track the culprits.
“It is hard to think of a more egregious example of breach of confidence”, a Judge said when granting a permanent injunction to protect information stolen by cyber criminals.
The case of XXX v Persons Unknown  EWHC 2776 (KB) is the latest example of a business seeking the English Court’s help when it has become the victim of a ransomware attack. The identity of the business is not known because it was allowed to pursue its claim anonymously, but the firm provides ‘technology-led solutions for security-sensitive and highly classified projects’.
Anonymity was granted not only because the business was a victim of blackmail but because of the risk posed by the malicious use that its information could be put to in the wrong hands.
What happened to XXX has become an unfortunately common experience: it received a ransom note saying that cyber attackers had downloaded its databases, FTP server and file server and that key files on the firm’s computers had been encrypted rendering them unusable. Two days later the criminals asked for US$6.8 million. Having verified that the hack was real, XXX applied to court without notice to the criminals. On serving the injunction on the email addresses being used by the attackers, an email in reply was received in what was described as ‘defiant terms’. Following the court’s judgment two weeks’ later, XXX never heard from them again.
Why are injunctions useful?
So why did XXX choose to pursue legal proceedings and when is it worth a business looking at similar action against cyber criminals? Here are some of the reasons:
- The real value in the injunction is not likely to be its effect on the criminals, as they are not unlikely to be identified nor abide by court orders (although several cases have suggested that criminals faced with court orders have ‘gone to ground’). However, an injunction can be used by the business against third parties, such as social media platforms and web hosts, to obtain removal of unlawfully disclosed material more quickly and easily.
- It is no longer unusual for businesses experiencing a cyber-attack to ask the English Court for an injunction to protect its stolen information. In the last couple of years this has included major international law firms, hedge funds and a shipping business.
- A business suffering a security breach is likely to have to tell affected third parties anyway, so the litigation is unlikely to bring greater attention. The recent cases have not done so.
- It can be communicated to stakeholders and customers that all steps that could be taken are being taken, including seeking an injunction to protect stolen material. Who doesn’t want to be the business that did everything it could to protect its customers’ data?
- In some cases, as the victim of a blackmail attempt, the claimant company may be able to pursue the case anonymously, which limits any potential impact on the business’ reputation.
- Some specialist business insurance policies may cover the action.
Similar available tools in the US
Firms that do business in the US are able to seek similar injunctive relief against cyber criminals. Indeed, since 2010, Microsoft has secured injunctive relief in dozens of cases against hackers, known and unknown.
This injunctive relief, among other things, may provide businesses some control in the fight against hackers. It facilitates the relief mentioned above, including arming businesses to force take downs of harmful content from third parties. But it can also be used to directly target cyber criminals that execute their schemes through botnets, which are networks of infected computers controlled by a central “command and control” server run by hackers. US businesses have secured injunctive relief requiring domain registries to redirect the criminal-controlled server domain to one controlled by the victim business, which effectively severs the connection between the cyber criminals and the other infected computers in the botnet. These botnets are typically expensive to establish and breaking them up means criminals must start from scratch to rebuild a botnet. Furthermore, once armed with an injunction, businesses are able to relatively quickly petition the court granting the injunction for further relief if criminals continue or try to resurrect their attacks.
Using the Courts to track culprits
Additionally, businesses have several tools at their disposal to gather information helpful to identifying hackers. Businesses may sue unknown cyber criminals in John Doe or Persons Unknown actions, which allow them to secure court-ordered discovery from third parties.
In some US States, filing a Doe action is not necessary to obtain this information. In New York, for example, businesses may be entitled to “pre-action discovery” from third parties – including websites, internet service providers, social media companies, banks, and other entities and individuals – of identifying information, including IP addresses, domain names, phone numbers, email addresses, physical addresses, account information, digital asset wallet addresses, and more.
Similar types of orders can be obtained in England against parties that are ‘mixed up’ in the wrongdoing, even innocently, like internet service providers, phone providers or banks. All of these discovery tools help provide businesses with information necessary to allow them to fight back against cybercrime, including by allowing them to target specific criminals in civil lawsuits and by providing information that is valuable to law enforcement authorities’ investigations and prosecutions.
If you are a person whose data has been stolen in a cyber-attack from a business that you entrusted data to, it is also worth asking the custodian or data controller if they are willing to take these steps to obtain an injunction to protect the information and enable its swift removal online, should that prove necessary.
We recommend that all business, large and small, consult with a lawyer and incorporate a plan for injunctive relief and related discovery mechanisms if they find themselves victims of cybercrimes.