In Ireland, the Commission for Communications Regulation, the body responsible for communications security, has recently issued warnings about the threats to both Government agencies and the private sector from these kinds of attack.
This is especially so with the ongoing roll-out of 5G technology.
One only has to Google ‘ransomware attacks 2019’ to see the scale of the problem in the US. The first injunction to address the problem of cyberattacks was heard in Ireland on New Year’s Eve 2019, before Gearty J, but it was an application for interim relief, and there is no written decision.
It is only a matter of time before cyberattack cases become a regular feature in the Irish courts and, when they do, practitioners will turn to British case law for guidance, because such cases have become common before the courts there in the last three years.
In AA v Persons Unknown (2019), a hacker infiltrated and bypassed the firewall of an insurance company and installed malware that encrypted all of the company’s systems, demanding a ransom in Bitcoin for the encrypted files.
The same scenario – hacking, ‘exfiltration’ of data, Bitcoin demand, threat of online publication if the ransom was not met – gave rise to PML v Person(s) Unknown (2018).
In PML, the plaintiff company made a formal complaint to the police, and then an ex parte application to the Media and Communications Court in London for an interim non-disclosure order to restrain the threatened breach of confidence and for delivery-up and/or destruction of the stolen data.
What type of reliefs should be sought? How can the unknown defendants be described? How can the interim injunction be served? Should the judge sit in camera if so requested? Should the judge anonymise the plaintiff if requested to do so? What happens if the defendants fail to engage with the legal process?
In cases where the hackers have demanded money, some version of the following reliefs may be appropriate at interlocutory stage:
- An order directing the defendants to remove all data relating to the plaintiff and its customers from the website with the relevant domain name,
- An order compelling the defendants to deliver up or delete all data exfiltrated by the defendants from the plaintiff,
- An order providing for restrictions on the reporting of these proceedings by media and/or an order that the plaintiff be anonymised in reports of the proceedings,
- An order that the person(s) unknown identify him/her/themselves and provide an address for service.
In terms of the plenary summons, it may be appropriate to seek damages for conspiracy, deceit, fraud and breach of confidence, as well as for unlawful interference with business relations and economic interests, and causing loss by unlawful means.
It is not enough to simply issue proceedings against ‘persons unknown’. It is necessary for the unknown persons to be described as narrowly as possible, so that there is certainty as to who is included in the description, and who is not.
In the context of cyberattacks, the descriptors may be “persons unknown responsible for demanding money from the plaintiff on [date]” or “persons unknown who demanded Bitcoin on [dates]”. The need for a descriptor has been settled since Bloomsbury Publishing Group plc v News Group Newspapers Ltd (2003).
Issuing proceedings against ‘persons unknown’ should be seen as a temporary expedient, a way of getting a case up and running. There is an obligation on the plaintiff to try and identify unknown persons as quickly as it can.
The other side of the coin
The other side of that coin is that a party cannot take proceedings purely against persons unknown where it knows the identities of some individuals – known individuals must be named.
The courts will grant interim and interlocutory injunctions against persons unknown, but final orders where the identities of parties have remained unknown are less common.
It can be done, however – it was done in Novartis Pharmaceuticals UK Ltd v Stop Huntingdon Animal Cruelty (2014) and Clarkson plc v Person or Persons Unknown (2018) – but the value of a final order (for example, by way of judgment in default of appearance) against persons unknown will, in most cases, be low.
Order for service
The courts have become very familiar with alternative digital methods of service over the course of the past ten years.
The court may make an order for service by mail to a ‘front’ or ‘info@’ email address, where there are reasonable grounds for believing that this will “serve as a conduit for bringing matters to the defendants’ attention” (LJY v Persons Unknown ).
The same is true of service via Facebook, Twitter, or WhatsApp, for example. If communication has been taking place via a phone, it may be practicable for the court to direct that service be effected via a series of texts, as long as the texts contain enough detail for the defendants to know the key features of the order.
In one case, it was ruled that, if the defendants (who had been texted the terms of the injunction order) did not provide an address for service, the plaintiff could serve the pleadings by filing them in court, with the order providing that, in the absence of a response by a certain date, an application for default judgement would be heard.
This method was considered a ‘deemed service’. In cases against persons unknown, it is good practice to ask the judge to include in the order liberty to apply for the defendants.
Who knows where the persons unknown are? They may be within the jurisdiction and they may not. In CMOC v Persons Unknown (2017), the court took the view that, because the damage of the wrongdoing was sustained within the jurisdiction of the court, the ‘tort gateway’ was fulfilled.
This seems a reasonable approach. What if the only link to this jurisdiction is the IP address that the hackers appear to be using? That ought to be enough to ground the proceedings, on the basis that the tort is being (or is about to be be) committed in this jurisdiction – but that rationale will lose force if the hackers cease to operate from that IP address and switch to one generated elsewhere.
In some cases, a plaintiff might seek orders that its identity be protected, on the grounds that, if its injunction were reported, much of the damage the hackers sought to do to its business would be done by the publicity surrounding the court action.
The English courts have permitted anonymisation and have sat in camera in blackmail cases (LJY v Persons Unknown and ZAM v CFM and TFW ). The rationale is that the protection of blackmail victims is an important legal policy and, at the earliest stages of a case, no competing considerations will prevail over that policy.
In cyberhacking cases, it is more correct to speak of extortion rather than blackmail, but the point applies in both cases.
The force of the logic in the foregoing statements is clear. The power to anonymise in England and Wales is found in that jurisdiction’s Civil Practice Rules. There is no analogous rule in the Irish rules of court.
There is, however, a common law power to direct a hearing otherwise than in public (Medical Council v Anonymous , which followed Gilchrist v Sunday Newspapers ), and such a course of action is – in the words of the Irish Supreme Court – “particularly justified when constitutional values are engaged”.
Court would have to consider the necessity of an in camera hearing, and its proportionality. It may take the view that the proper administration of justice can be achieved by the lesser measure of anonymising the parties and making an order restricting media reporting, and that this may be done pursuant to the court’s inherent jurisdiction.
In PML, a targeted company had recourse to the legal system, and appropriate orders were made in two jurisdictions.
Notice of the orders was given to internet service providers. The hackers, though persistent, were frustrated, and eventually appear to have moved on, presumably to a less combative target. There is, of course, no guarantee that this pattern will always play out.
In CMOC, the benefit of legal action was a set of orders that could be served on third-party banks.
In CMOC, persons unknown infiltrated the email account of one of the plaintiff’s senior management team and sent payment instructions to the administration of the company, the result of which was that a number of very large payments (in the region of Stg£6.3 million) were sent out of the plaintiff’s bank account to various other banks around the world.
The resulting proceedings sought and obtained worldwide freezing injunctions against persons unknown. Such orders – which have extraterritorial effect – are granted only in exceptional circumstances. International fraud is one such qualifying circumstance.
The usefulness of the orders lies in notifying the banks of the freezing injunction and obtaining disclosure orders against them, rather than targeting the persons unknown in any meaningful way.
Effect of orders
An effect of such orders may be that the banks in question can assist in identifying the persons unknown, or at least in providing a piece of the puzzle.
The boundaries of this area have yet to be stress-tested in an Irish context, and it may be that, across jurisdictions, cyberhacking scenarios require more IT than legal firepower.
For the time being, however, it does appear that initiating proceedings and securing interim and interlocutory orders have value in sending a signal to the hackers that their demands will be resisted and their websites deleted – and in securing orders that are essential to ensuring action by important third-parties.
Anthony Thuillier is a practising barrister specialising in commercial litigation