Hackers, Judges and Spartacus: Containing a Data Breach with the Court’s Help

How can the court help in practice?

The court’s willingness to intervene in cases where hackers blackmail organisations, and its pragmatism, is illustrated by orders made in a couple of recent cases. Here are some Q&As to summarise:

• Don’t know who the hackers are? Ask for an order requiring them to identify themselves.
• Don’t know what the hackers’ intentions are with the stolen data? Ask for an interim non-disclosure order.
• Don’t want to be identified publicly as a blackmail victim? Ask for anonymity, hearings in private, and for the court file to be sealed.
• Don’t want to disclose the full case? If you're worried about sensitive information in the claim papers being disclosed to/misused by the hackers, ask to wait until they identify themselves.
• Don’t know where the hackers are based? Ask for permission to serve out of jurisdiction.
• Don’t have an address for service? Ask for alternative service by whatever means were used to communicate with you, such as email or text message.
• Want to keep costs down? If the hacker doesn't engage, ask for your default judgment application to be determined on paper instead of at another hearing.

And you should be able to get in front of a judge within a matter of hours.

The dreaded email

The email every organisation dreads (or should dread) receiving:

“… your company's servers are hacked. … Proofs of my words attached below (some files which I could not ever possibly have) … you have two ways:

1. To pay. I delete all the data … and we forget about each other, forever.
2. Not to pay. … I publish all information in public. I think you will understand what happens next: the shares of the company will collapse; the company's credibility will be undermined; all contracts, documents, databases and all internal correspondence of the company – everything is going to be public. .... It's going to be the dead end for the reputation of your company.”

Pay or don’t pay?

The attacker has given you only two options. Pay or not, both are unpalatable. So what do you do? Incident response plans and teams are vital in your response efforts, but won’t dictate the strategy.

Some organisations will pay up, trust the criminals to do as promised, and leave it at that. Others are reported to track down the bad actors, get them to sign NDAs, disguise the payment as part of a legitimate ‘bug bounty’ programme and, having buried the body, hope that no one discovers it.

Leaving aside ethics, let alone laws on breach notification, neither of these approaches look good when the news does eventually surface. They also leave affected individuals at risk of harm, unable to take steps to protect themselves.

But pre-GDPR, organisations rarely notified regulators, let alone those affected, unless there was a real chance they were going to be found out. Investigations and sanctions from regulators, litigation with data subjects, brand damage, a tumbling share price – there’s been every incentive to try sweeping a breach under the carpet.

The blackmailers’ leverage

It’s precisely this potential for pain and embarrassment that blackmailers leverage to their advantage to bend victims to their will.

But the tides might be turning. Organisations – no doubt prompted by the GDPR– have been spending time and money investing in data privacy compliance programmes, and beefing up security. So regulatory scrutiny is perhaps not quite the concern it once was for many.

Further, recent government figures (April 2018) suggest that more than two thirds of large businesses have suffered a cyber breach or attack in the past 12 months, making them no longer the exception, but the norm. And there’s an increased recognition that no organisation is immune from the threat.

In that context, data breaches might seem to be losing the stigma they once had; and with it, the levers used by blackmailers lose some of their effectiveness.

A third option: the courts

It might perhaps help explain why, in recent months, the Media and Communications List at the High Court has seen organisations who have suffered cyber attacks boldly resisting the two options presented to them by anonymous blackmailers.

Instead, they’re choosing a third: going to law and seeking interim non-disclosure orders (a.k.a. INDOs) to restrain threatened breaches of confidence by hackers, as well as delivery-up or destruction of the stolen data. They’re also asking for orders requiring the anonymous blackmailers to identify themselves. These self-identification orders are known as ‘spartacus’ orders.

PML and Clarkson: court assisted breach containment

INDOs and self-identification orders were sought by claimants in two recent cases. In February of this year, an organisation called ‘PML’ (not its real name) was secretly hacked and a very large amount of data was stolen. Three of PML’s directors were sent the email at the start of this piece (which went on to demand £300,000 in Bitcoin).

PML asked the court for anonymity, and got it (hence the company only being referred to as PML). Although a derogation from open justice, anonymity protects blackmail victims and is an important legal policy. The court has previously held that its procedures must be adapted to ensure that blackmailers aren’t encouraged or assisted, and that victims aren’t deterred from seeking justice.

In addition to anonymity, the hearings were in private. This was justified because police investigations were underway, and the court needed to know sensitive information about the data stolen, as well as what the hacker did. The court file was also sealed to prevent access to documents which might otherwise defeat the injunction and anonymity order.

A few months before PML, Clarkson PLC (a FTSE 250 company) responded somewhat differently to a blackmail attempt, but still sought help from the courts. Rather than seek anonymity, it issued a public statement confirming that its security systems had been breached but that it “would not be held to ransom by criminals.”

The statement anticipated that the hackers might release some data, but asserted that its lawyers were on standby to take all necessary steps to preserve the confidentiality in the information. True to that statement, Clarkson sought and was granted an INDO which led to a default judgment and final order for an injunction.

Why bother?

Some will be quick to point out that: an INDO is unlikely to deter hackers from making disclosures of the stolen data; a ‘spartacus’ order is just as unlikely to prompt hackers to identify themselves when ordered (though it does happen occasionally); and that disobeying an order might be a contempt of court, but hackers will already have committed a string of other criminal offences. So why bother?

The benefits of an order

INDOs can be a useful tool when it comes to preventing further dissemination of stolen data by publishers or hosts– even if they’re in other territories. That’s because orders of the English High Court are generally respected internationally.

So whilst making the stolen data inaccessible might be a question of ‘whack-a-mole’ in the short term, an order can pay off as it makes for a much more effective mallet whenever and wherever those data pop up. So, in PML, various companies hosting the stolen documents blocked access to them or deleted them when served with the injunction.

The reality is that hackers will likely get bored before you do, and inevitably their focus will at some point shift to other softer targets who are more likely to cave into their demands.

In this new era of accountability, an order is also an important document you can hold up to the world to show that you’re doing everything in your power to mitigate the potential impact on those individuals affected. That will help not just in your dealings with relevant regulators, but also in the civil courts (if faced subsequently with a prospect of group litigation or representative actions) – not to mention in the court of public opinion.

Court orders aren’t always going to be appropriate in confidentiality breaches. But paying off hackers doesn’t guarantee the outcome hoping to be achieved. It encourages further attacks, and may send a message to the wider criminal fraternity that your organisation is a worthwhile target. There is, therefore, some comfort in knowing that the options presented by attackers aren’t the only ones available to your organisation, and that you can wrestle back some control of the situation with the court’s help.