In the cases of Clarkson Plc v Person(s) Unknown (“Clarkson”) and PML v Person(s) unknown (“PML”), the court has created a new tool in the fight against cyber attackers. The defendants who are unknown person(s) gained unauthorised access to the claimants’ IT systems and acquired a considerable quantity of information. The unknown defendant(s) then threatened to publicise the information unless a substantial sum was paid. Despite not being able to identify the attackers directly the court was prepared to grant an injunction.In Clarkson, Justice Warby granted the default judgment and the permanent injunction as the claimant’s case showed “a clear need to restrain the defendant(s) from carrying out the threatened disclosures”.
In PML, the claimant made a without notice injunction application to the High Court for an interim non-disclosure order against the hacker to restrain threatened breach of confidence and for delivery-up and/or destruction of the confidential information.
As the court had been asked to grant relief which might affect the exercise of the right to freedom of expression, there was a higher threshold for obtaining an interim injunction. The traditional American Cyanamid principles would not apply and the test would be that which is set out under section 12(3) of the Human Rights Act (1998) (“HRA”) whereby relief cannot be granted unless the court is satisfied that the applicant is likely to establish at trial that publication should not be allowed.
Such cyber attacks where confidential information is accessed and stolen are becoming more and more prevalent in our times and it is important to be prepared. This type of blackmail is beginning to overcome the court’s traditional reluctance to impose sanctions on unknown persons.
Injunctions are a useful tool that can be used to prohibit individuals from disclosing illegally obtained information. At the least, injunctions can be used as deterrents with the hope that they will prevent individuals from profiting from illegally obtained information. They can also be referred to in any subsequent investigation by the ICO, as evidence of an attempt to contain any data breach.