New regulation strengthens cyber supply chain security in China

The Cyberspace Administration of China (CAC) and eleven other ministries jointly published the Cybersecurity Review Measures (Review Measures) on 13 April 2020. These replace the previous regulations on the security review of network products and services (click here for our comments on the previous regulations) and impose more stringent scrutiny over the cyber supply chain of critical information infrastructure (CII) operators. The Review Measures came into force on 1 June 2020.

For further information, please see our article here.

Nanda Lau
Nanda Lau
Partner, Mainland China
+86 21 2322 2117
James Gong
James Gong
Of Counsel, Mainland China
+86 10 6535 5106
Gavin Guo
Gavin Guo
Partner, Mainland China
+86 21 2322 2109

GROWING BODY OF COMMON LAW DECISIONS THAT CRYPTOCURRENCIES CAN AMOUNT TO PROPERTY: RUSCOE v CRYPTOPIA LIMITED (IN LIQUIDATION) CIV-2019-409-000544 [2020] NZHC 728

Cryptocurrency exchanges are a significant target for hackers, and there are numerous well-documented examples of significant amounts of cryptocurrency being taken in attacks.  This frequently gives rise to issues of liability and recovery for the individuals who were holding their cryptocurrency with the exchange in question, and the precise basis on which the exchange is holding the cryptocurrency.

This latest judgment results from the hack in 2019 of Cryptopia, a cryptocurrency exchange.  It adds to the growing body of case law supporting the conclusion that cryptoassets can have the legal status of property. It also provides further guidance on how traditional definitions of property may be applied to digital assets, as well as a detailed discussion on whether cryptoassets are more than merely information.

After the hack, Cryptopia was placed into liquidation in May 2019, and the liquidators applied to the Court (in New Zealand) to clarify the proprietary status of the remaining cryptocurrency in order to determine how the assets should be distributed. In a judgment of 8 April 2020, the High Court of New Zealand found: firstly, cryptocurrencies were “property” and, therefore, were capable of being held on trust; secondly, the cryptocurrencies were held on multiple trusts for the accountholders, one for each type of digital asset in question. This meant that the cryptocurrencies were beneficially owned by the accountholders and, therefore, did not form part of the assets of the cryptocurrency platform. In this case, the Court did not need to consider the questions of Cryptopia’s legal culpability and implications for lost digital assets resulting from the hack.

For further information, please see our blog post here.

Andrew Moir
Andrew Moir
Partner, Global Head of Cyber and Data Security, London
+44 20 7466 2773
Richard Norridge
Richard Norridge
Partner, Head of Private Wealth and Charities, London
+44 20 7466 2686
Charlie Morgan
Charlie Morgan
Digital Law Lead (UK) and Senior Associate
+44 20 7466 2733

Morrisons wins Supreme Court appeal against finding of vicarious liability in data breach class action

Today the Supreme Court handed down its decision in Wm Morrisons Supermarkets Plc v Various Claimants [2020] UKSC 12, bringing to its conclusion a case which had the potential to alter significantly the data protection and cyber security litigation and class action landscape.

The headline news is that Morrisons has been found not to be vicariously liable for the actions of a rogue employee in leaking employee data to a publicly available file-sharing website.

The judgment will likely result in a collective sigh of relief for organisations who have been watching closely to track their potential liability for data breach class actions. However, it is important to note that the Morrisons case and judgment is very fact specific; it does not close the door on data breach class action compensation as a whole. Boardrooms should still be examining the technical and organisational measures they have in place to prevent personal data breaches in order to reduce the risk of regulatory enforcement and class actions.

For further information, please see our blog post here.

Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Tim Leaver
Tim Leaver
Partner, Employment, Pensions & Incentives, London
+44 20 7466 2305

Julian Copeman
Julian Copeman
Partner, Disputes, London
+44 20 7466 2168

Greig Anderson
Greig Anderson
Partner, Disputes, London
+44 20 7466 2229

Andrew Moir
Andrew Moir
Partner, Global Head of Cyber Security, London
+44 20 7466 2773

Kate Macmillan
Kate Macmillan
Consultant, Disputes, London
+44 20 7466 3737

Lauren Hudson
Lauren Hudson
Associate, Digital TMT & Data, London
+44 20 7466 2483

Anna Henderson
Anna Henderson
Professional Support Consultant, Employment, Pensions & Incentives, London
+44 20 7466 2819

Maura McIntosh
Maura McIntosh
Professional Support Consultant, Disputes, London
+44 20 7466 2608

High Court grants proprietary injunction against Bitcoin exchange holding proceeds of ransomware attack

The High Court has held that cryptoassets (in this case Bitcoin) can be treated as property under English law. As such, the owner of a cryptoasset can, in appropriate circumstances, avail itself of the various proprietary remedies that a court is able to grant.

The practical significance here was that an insurer that had paid a Bitcoin ransom on behalf of its insured was entitled to take action to recover the sum from Bitfinex (the cryptocurrency exchange holding the funds), compel Bitfinex to provide information identifying the individuals who had received the Bitcoin and for the funds to be held on a constructive trust: AA v Persons Unknown who demanded Bitcoin on 10th and 11th October 2019 and others [2019] EWHC 3556 (Comm).

This is not the first case in which the English court has taken the view that cryptoassets are (or are likely to be) property under English law, a conclusion which also has wider significance for cryptoasset owners and investors more generally. However, the decision is noteworthy for the considerable weight the court appeared to give the recent UK Jurisdictional Task Force (“UKJT”) Legal Statement on Cryptoassets and Smart Contracts (on which we previously commented here).

Also of interest in the case was the court’s willingness to hear the matter in private due in part to the court’s view that, in the circumstances, publicity would defeat the purpose of the hearing (because it would increase the risk that the Bitcoin would be moved on before any relief could be enforced).

Andrew Moir, Rachel Lidgate, Charlie Morgan and Martin Hevey consider the decision here.

 

Andrew Moir
Andrew Moir
Partner and Global Head of Cyber and Data Security, London
+44 20 7466 2773
Rachel Lidgate
Rachel Lidgate
Partner, London
+44 20 7466 2418
Charlie Morgan
Charlie Morgan
Senior Associate, London
+44 20 7466 2733
Martin Hevey
Martin Hevey
Senior Associate, London
+44 20 7466 2631

 

Zero-day attacks, red teaming and other cyber concerns

There are a myriad cybersecurity issues that legal departments must concern themselves with, with proactivity being key to the safety of a business’s information.

Speaking recently on a live webcast hosted by Lawyers Weekly — Security breaches: is your firm protected? — Telstra security consultant Keith Kerr said zero-day attacks refer to instances where legal teams discover vulnerabilities that haven’t before been apparent.

For further information, please see our article here.

Kwok Tang
Kwok Tang
Partner, Sydney
+61 2 9225 5569