In about February / March 2023, Armstrong Watson LLP, a firm providing professional accounting, tax, financial and related services was the victim of a ransomware cyberattack. Its IT systems were hacked and the hacker(s) threatened to disclose confidential electronic documents on the dark web unless a ransom was paid.
Inevitably, legal actions are becoming more common as part of cyber incident response plans reacting to this sort of occurrence. This decision is useful to companies in three principal ways: firstly, it is a very recent example of successful injunctive relief and ultimately default judgment in a hacking case, where the identity/identities of the perpetrator(s) is/are unknown; secondly, it sets out a cause of action available to victims (breach of confidence) and the necessary ingredients and procedural requirements for judgment; thirdly, it contains clear and helpful reasoning justifying proceeding without a hearing where the Defendants have not revealed themselves or engaged with the litigation.
Here, the firm made an urgent, without notice, application for an interim injunction on the basis of a claim for breach of confidence when the cyberattack became known. The application was granted by Ritchie J (Armstrong Watson LLP v Persons Unknown  4 WLR 41). Injunctive relief was continued by Linden J in the absence of the Defendants, after the Claimant had filed and served a Claim Form and Particulars of Claim, and the Defendants had failed to identify themselves or to deliver up or delete the stolen information. The matter came before Collins Rice J on 11 July 2023 on an application for judgment in default of Acknowledgement of Service or Defence, final injunctive relief, and derogations from open justice to protect the confidentiality of the case papers.
Procedurally, the Judge accepted the Claimant’s invitation to deal with the application on the papers confirming that while open justice is a vital principle, not every application needs to be dealt with at a hearing: avoiding unnecessary expense but publicising a thorough judgment ‘may even represent a more practical and effective way to give effect to the open justice principle and [Article 6] Convention requirement for a public judgment’.
The Judge held that the Claimant had taken all reasonable steps to notify the Defendant(s), that they had not responded, and ‘the most likely reason…is that they have no intention of identifying themselves as the perpetrators of the apparent information blackmail, a form of expression properly abridged by law’.
She granted default judgment and permanent injunctive relief, both to restrain use and disclosure of the information, and to require deletion or delivery up of the information and she awarded costs, finding the application ‘irresistible’ bearing in mind the quality of blackmail attaching to the course of conduct, the Defendant’s/Defendants’ failure to engage with the litigation and breach of previous Orders.
While this action has no bite in terms of immediate redress for the ransomware attack, it does provide a degree of future protection should the hacker(s) carry out their threat and/or reveal themself/themselves (deliberately or inadvertently).
Companies considering incident management response plans for ransomware attacks will no doubt wish to take note of the ingredients that led to this successful action:
A monthly data protection bulletin from the barristers at 5 Essex Chambers