The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

Information Blackmail: Legal Fight Back as Hackers Strong-arm Armstrong Watson LLP

26 July 2023

In about February / March 2023, Armstrong Watson LLP, a firm providing professional accounting, tax, financial and related services was the victim of a ransomware cyberattack. Its IT systems were hacked and the hacker(s) threatened to disclose confidential electronic documents on the dark web unless a ransom was paid.

Inevitably, legal actions are becoming more common as part of cyber incident response plans reacting to this sort of occurrence. This decision is useful to companies in three principal ways: firstly, it is a very recent example of successful injunctive relief and ultimately default judgment in a hacking case, where the identity/identities of the perpetrator(s) is/are unknown; secondly, it sets out a cause of action available to victims (breach of confidence) and the necessary ingredients and procedural requirements for judgment; thirdly, it contains clear and helpful reasoning justifying proceeding without a hearing where the Defendants have not revealed themselves or engaged with the litigation.

Here, the firm made an urgent, without notice, application for an interim injunction on the basis of a claim for breach of confidence when the cyberattack became known. The application was granted by Ritchie J (Armstrong Watson LLP v Persons Unknown [2023] 4 WLR 41). Injunctive relief was continued by Linden J in the absence of the Defendants, after the Claimant had filed and served a Claim Form and Particulars of Claim, and the Defendants had failed to identify themselves or to deliver up or delete the stolen information. The matter came before Collins Rice J on 11 July 2023 on an application for judgment in default of Acknowledgement of Service or Defence, final injunctive relief, and derogations from open justice to protect the confidentiality of the case papers.

Procedurally, the Judge accepted the Claimant’s invitation to deal with the application on the papers confirming that while open justice is a vital principle, not every application needs to be dealt with at a hearing: avoiding unnecessary expense but publicising a thorough judgment ‘may even represent a more practical and effective way to give effect to the open justice principle and [Article 6] Convention requirement for a public judgment’.

The Judge held that the Claimant had taken all reasonable steps to notify the Defendant(s), that they had not responded, and ‘the most likely reason…is that they have no intention of identifying themselves as the perpetrators of the apparent information blackmail, a form of expression properly abridged by law’.

She granted default judgment and permanent injunctive relief, both to restrain use and disclosure of the information, and to require deletion or delivery up of the information and she awarded costs, finding the application ‘irresistible’ bearing in mind the quality of blackmail attaching to the course of conduct, the Defendant’s/Defendants’ failure to engage with the litigation and breach of previous Orders.

While this action has no bite in terms of immediate redress for the ransomware attack, it does provide a degree of future protection should the hacker(s) carry out their threat and/or reveal themself/themselves (deliberately or inadvertently).

Companies considering incident management response plans for ransomware attacks will no doubt wish to take note of the ingredients that led to this successful action:

  • The Claimant filed and served a Claim Form and Particulars of Claim.
  • The Defendant failed to file an Acknowledgement of Service or Defence and the time for doing so had expired.
  • The pleaded facts supported the cause of action, that is, they set out the correct legal components of the cause of action.
  • Here, the components of the cause of action (breach of confidence) were that:
    • the information had the necessary quality of confidence;
    • the Defendant(s) obtained it without consent or authorisation, knowing that they did so, and in circumstances in which they knew or ought to have known that the Claimant reasonably expected the information to be and remain private and confidential;
    • the Defendants owed the Claimant a duty of confidence in consequence; and that in accessing, obtaining, retaining, using, publishing, communicating and/or disclosing the information (and/or intending and/or threatening to do so) they were acting in breach of that duty of confidence.
  • The Particulars of Claim set out allegations of fact in relation to each of the components i.e. the identity and nature of the information, the circumstances in which it was obtained, and the Defendant’s / Defendants’ subsequent course of conduct, including threats of disclosure or sale unless demands for payment were met.  
  • Evidence going to the merits was not required: the relief was sought and granted on the basis of the Claimant’s Statement of Case.

The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.

Visit the Information Law, Data Protection and AI area

Search The Data Brief

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Portfolio
Title Type CV Email

Remove All

Download


Click here to share this shortlist.
(It will expire after 30 days.)