Injunctions against ‘persons unknown’ as a potential remedy for victims of cyberattacks

Paul Convery
William Fry, Dublin
paul.convery@williamfry.com

Assisted by:

Adele Hall
William Fry, Dublin
adele.hall@williamfry.com

Frank Hanly
William Fry, Dublin

In an increasingly digital world, law firms face a growing number of challenges related to cybersecurity. As the legal sector handles increasing amounts of sensitive data online, managing a legal team now involves heightened focus on ensuring the protection and confidentiality of client information, personal data, legal strategies, proprietary information and highly confidential data from cyberthreats. Professional services firms are subject to increasingly sophisticated attempts to obtain confidential information. Firms must be innovative and proactive in seeking legal recourse if they become a target of a cyberattack.

One of the legal remedies available to the subject of a cyberattack is injunctive relief against ‘persons unknown’. This article considers a case in the United Kingdom illustrating the intersection of legal strategy, cybersecurity and the concept of injunctions against unknown defendants involved a professional services firm that suffered from a ransomware attack (the ‘Case’).[1]

The rise of cyber security threats in legal teams and practical considerations

As law firms increasingly rely on digital tools, they become prime targets for cybercriminals. Law firms hold a wealth of sensitive data including confidential client information, legal and proprietary documentation. The loss of control of this type of information can lead to severe consequences both for the clients and for the law firm itself. The consequences of a breach include infringement of the General Data Protection Regulation (GDPR) and of data subjects' rights; breaches of a law firms' contractual arrangements with clients; regulatory investigations or scrutiny; loss of privilege; reputational damage for both the law firm and client; impact on insurance premiums; and potential loss of competitive advantage.

Managing a legal team in this environment involves more than just ensuring the required compliance with professional standards and regulations; it requires implementing a robust cybersecurity strategy to all aspects of team management.

There are several important factors that lawyers must consider in order to ensure they are adequately prepared if a cyberattack occurs. It is crucial that professional services firms including law firms invest in advanced cybersecurity systems; conduct regular audits of their digital infrastructure; and educate their staff on best practices for preventing breaches. Proactive measures, such as incident response plans, are instrumental in minimising the damage caused by cyberattacks.

In addition to being well-versed in understanding potential vulnerabilities presented when managing litigation and teams, it is important to have an awareness and understanding of the legal remedies available if a breach occurs. The legal remedies available are limited, particularly in a scenario where urgent relief is required and the identity of the wrongdoer is unknown.

Injunctions against persons unknown

The starting position when issuing proceedings is that the defendant is an identifiable person or entity. However, in the case of a cyberattack, the identity of the attacker is not typically known. A body of case law has developed in the courts in the UK and Ireland acknowledging an inherent jurisdiction to issue proceedings and seek injunctive relief against ‘persons unknown’ in the context of cyberattacks. The High Court in Ireland has expressly noted that this jurisdiction is an exceptional one and that it cuts across the general principle of the public administration of justice.

In the context of ransomware or cyberattacks, these injunctions are particularly valuable as the perpetrators often operate anonymously using sophisticated methods to mask their identities. An injunction against persons unknown allows an organisation to seek legal redress by way of injunctive relief before the identities of the attackers are uncovered.

This legal mechanism has become increasingly important in the digital age as cybercriminals often operate from various jurisdictions, making it difficult to track them down in a prompt and efficient manner. The ability to act against anonymous individuals ensures that victims of ransomware and cyberattacks can still enforce their rights and protect their assets without delay.

The Case

A UK law firm faced a serious cyberattack in 2020. During the attack, hackers gained unauthorised access to their internal systems and confidential data. The attackers demanded a ransom in exchange for not publishing the stolen data on the dark web. Faced with this threat, the firm sought an injunction against the unknown individuals responsible for the attack; the ‘persons unknown’.

In the Case, the court granted a prohibitory injunction, restraining the attackers from dealing with or disclosing any of the firm's confidential information and a mandatory injunction requiring the stolen information to be delivered up, deleted or destroyed. The enforceability of an injunction against persons unknown largely depends on whether the attackers can be identified. However, obtaining the injunction may act as a deterrent in respect of any distribution of the stolen data and in respect of attackers carrying out future attacks.

The court also granted an order authorising alternative service on the attackers via the website which they had been using to communicate with the firm. Finally, the court prevented copies of the documents on the court file being made available to non-parties without an order of the court, further preserving the confidentiality of and circumstances surrounding the stolen information.

Of note, the court gave an abridged open judgment restricted to the facts necessary to explain the reason for the order to satisfy open justice requirements. This multifaceted approach demonstrates the adaptability of the legal system, the willingness of the courts to assist victims of cyberattacks and the way in which the courts can leverage existing legal mechanisms in new ways to prevent further harm.

Conclusion

The Case serves as a stark reminder of the growing importance of cybersecurity in the management of legal teams, given the increased level of cyberattacks on professional services firms. It underscores the need to be proactive in developing cybersecurity strategies to prevent against attacks and to understand the complexities of seeking a legal remedy if it becomes necessary.

By leveraging modern legal mechanisms like injunctions against unknown persons, law firms have a manner of recourse if they fall victim to an attack by cybercriminals.

Notes