Company obtains cyber injunction under the protection of anonymity

In the case of PML v Persons Unknown [2018] EWHC 838 (QB), the firm has obtained an interim non-disclosure order on behalf of a UK company, under the protection of anonymity, after it sustained a major cyber-attack.

Cyber attack

Early this year, an anonymous hacker unlawfully obtained access to a UK company's computer systems, stealing a large amount of information which was then hosted on a password protected website. The hacker then sent an email to directors of the company, informing them of the attack, providing login and password details for the website and demanding a substantial ransom in bitcoin, otherwise the stolen information would be published in order to destroy the company. The hacker attached various confidential documents belonging to the company to these emails, by which it was established that the attack appeared to be genuine. The hacker's website was hosted in another European country.

Injunction

The company made a without notice injunction application to the High Court for an interim non-disclosure order against the hacker to restrain threatened breach of confidence and for delivery-up and/or destruction of the confidential information. An order for alternative service via email was sought.

Derogations from the principle of open justice (i.e. that legal process should be open and transparent) were also sought in that the company asked for anonymity, that the hearing be heard in private and that access to the court file be restricted.

The interim applications Judge granted the injunction (which was subsequently served on the hacker), which was later continued at the return date hearing several weeks later for the following reasons.

The test

The threshold for obtaining an interim injunction is higher where the court is asked to grant relief which might affect the exercise of the right to freedom of expression. In such cases, the test is not that as set out under the traditional American Cyanamid principles, but is that set out under section 12(3) of the Human Rights Act (1998) ("HRA") whereby relief cannot be granted unless the court is satisfied that the applicant is likely to establish at trial that publication should not be allowed.

As set out in the judgment, the threshold was met in this case, i.e. the company was likely to demonstrate at trial that publication of the stolen documents (the confidential information) would not be allowed on the basis that the circumstances in which the Defendant came to be in possession of the relevant documents and information (i.e. by computer hacking) imposes an obligation of confidence on the Defendant, Tchenguiz -v- Imerman [2011] Fam 116 applied. After service of the interim non-disclosure order via email, the Defendant failed to engage in the proceedings, let alone suggest any public interest that could justify his/her threatened (or actual) publications. In fact, the Defendant had continued to threatened to publish, and in various instances had, in breach of the order, made attempts to publish (via an online forum and a cloud-based computer file transfer service), the confidential information. The Defendant had also failed to deliver up the confidential information and was in prima facie breach of the injunction. For all these reasons, continuation of the injunction was justified.

Notice of application

The interim applications Judge, who initially granted the order, was satisfied, as required under section 12(2) of the HRA, that there were compelling reasons as to why the Defendant had not been notified of the injunction application on the basis that the company was a victim of blackmail and the Defendant may publish the confidential information if notified. Notice of the return date was given, but the Defendant failed to attend.

Anonymity

The Judges at both the interim application and the return date hearings granted the company anonymity, referring to it in these proceedings by the initials "PML" in order to protect its identity. The basis for doing so was that PML was an apparent victim of blackmail and extortion and, therefore, its identity ought to be anonymised, see ZAM -v- CFM and TFW [2013] EWHC 662 (QB) and LJY -v- Person(s) unknown [2017] EWHC 3230 (QB) applied.

Other derogations from open justice

In the judgment, the Judge makes clear that he considered it was strictly necessary to hear the application in private pursuant to CPR Part 39.3( a ), ( c ) and ( g ) as (i) there was a powerful, if not overwhelming, case that the Defendant was blackmailing PML, (ii) a police investigation was underway and (iii) the Judge heard evidence and submissions relating to the activities of the Defendant and the stolen confidential information. Therefore, the purpose of the proceedings would have been harmed had the hearing been in public. Restricted access to documents on the Court file was continued, as was necessary in order not to defeat the injunction and anonymity order.

Self-identification

At the return date hearing, the Judge also granted an order requiring the Defendant to identify him/herself and an address for service, as well as service out of the jurisdiction, given that the Defendant had hidden behind a cloak of anonymity whilst threatening breach of confidence. The Judge said that such an order was necessary if, in the event of success in the claim, the remedies to which the Claimant would be entitled were to be effective and that just because some Defendants may not comply, it could not be assumed that all would choose defiance stating "Few defendants can remain confident that they will ultimately manage to evade identification".

Implications

This decision will be very helpful for companies who suffer a cyber-attack at the hands of an anonymous hacker, but who are nervous about taking legal action for fear that it could lead to wider public attention of the attack and its details. It appears from the judgment, following the developing case law in this area, that victims of blackmail (individuals as well as companies) are arguably entitled to protection via anonymity. Such an anonymity order will also be very useful for companies who wish to stop a hacker/blackmailer going to the press as, once served with the order, a third party must also comply with its terms, including the anonymity provisions, or instead challenge the order. Legitimate publishers would be likely to think twice before doing so, given the potentially criminal activities of the Defendant and the fact that their actions in seeking to publish may benefit or support such a Defendant's activities.

It also appears from the judgment that the injunction obtained was effective in having the operators of websites, forums and website hosting companies remove confidential information likely to have been disclosed on such sites by the Defendant post service, thereby helping to cut off the circulation and publication networks around the Defendant's attempts to damage PML. Therefore, there is utility in companies obtaining "Persons Unknown" injunctions to stop hackers carrying out blackmail attempts both directly and indirectly as legitimate third parties are likely to comply once notified or served, even if based in different jurisdictions.

Potential Claimants should also take some comfort from the ancillary orders made in this case. In the absence of participation by the Defendant, the court may give directions allowing a Claimant to apply for default or summary judgment should no Defence be filed in order to bring the proceedings to a close and obtain a final injunction (and to avoid the interim order being left in permanent suspension). Following the similar, recent cyber decision in Clarkson Plc v Person or Persons Unknown. Reference [2018] EWHC 417 (QB), a court may also consider it appropriate for such an application to be determined on paper where (as in that case) a Defendant fails to engage with the claim and a hearing would add to the expense of the claim without serving any useful purpose. Such an approach will help Claimants save cost in dealing with these types of Defendants, against whom costs may not so easily be recoverable and, at least until they are identified.

Lastly, as was the case in PML, it will often be beneficial to work with partners in other jurisdictions where websites or servers may be hosted or located. In this case, the Defendant's website was being hosted in another EU country and PML applied for and obtained an order from a Court in that jurisdiction (as well as in England) directed at the host of the Defendant's website, which was served simultaneous to the English order, resulting in access to the website being blocked. Taking action in multiple jurisdictions will be more effective as it will be much more disruptive to such a Defendant's activities, helping to contain the attack. Working with IT forensic security specialists and the relevant authorities is also very important.