Hardly a day now passes without news of a cyber attack making the headlines. From airlines to supermarkets, from banks to professional firms, every sector of the global economy is vulnerable to ever more sophisticated cyber fraud, carried out by highly skilled attackers who are extremely difficult to identify.
There is much that organisations can do to address this threat: from investing in IT security in order to prevent attacks happening in the first place, to procuring cyber insurance and breach response services aimed at mitigating the immediate consequences of an attack. Those consequences may be proprietary, in the sense that they concern a loss of the victim’s own assets (for example, a redirection of funds following the introduction of malware, or a ransom payment in return for removing ransomware). Or they may concern third parties, such as regulators and customers or clients whose data has been accessed, all of whom may need to be notified within a short period of time. An urgent forensic investigation may also be needed to establish how the attackers got in and what they accessed, so that the victim’s IT defences can be shored up against a repeat attack.
However, when the initial crisis has passed, different legal questions arise: such as whether it is possible to trace lost assets, if it is feasible to locate the perpetrators and claim damages or even how best to defend a Group Litigation Order. These are familiar questions, but with a technological spin that necessitates an innovative response. The recent announcement of a new court in London that will specialise in cybercrime, fraud and economic crime recognises this. But at the same time, the English Courts (at the prompting of litigants and their lawyers) are developing the existing procedural armoury to meet the challenges posed by modern communications and business.
The latest case from this new frontier of litigation is CMOC Sales & Marketing Limited v Persons Unknown EWHC 2230 (Comm), involving the theft of some US$8 million from the bank account of the claimant, a company whose business is the sale and purchase of niobium, a metal. The theft resulted from the hacking of a director’s email account, enabling the perpetrators to send fake emails and counterfeit payment instructions to the company’s bank. By the time the fraud was detected in October 2017, some 20 unauthorised payments had been made. From that point onwards there followed an impressively forensic and considered campaign of litigation aimed at freezing the stolen funds, identifying the primary perpetrators and their conspirators, and bringing the case against them to trial with a view to making good the company’s losses. According to the judgment of HHJ Waksman QC, this involved no fewer than 14 pre-trial hearings.
At the very first hearing, only 10 days after the fraud was discovered, a worldwide freezing order was sought against “persons unknown”: the first innovation for which this case is particularly notable. While there was legal precedent for injunctions against “persons unknown” in libel, trespass and data-ransom cases, this was the first occasion on which a freezing order of this nature had been made. The need for such an order was a function of the hackers’ anonymity, but the judge also stressed the practically important point that the injunction would help the company to identify certain defendants from information that could be obtained from banks, supplemented by disclosure orders.
The second innovation concerned the alternative modes of service which the Court allowed in order to effect service on uncommunicative defendants for whom scant details had been located. Hitherto, the Courts had allowed service by posting materials on a public social media platform. In view of the practical difficulties of this case, however, the Court permitted service on certain defendants by social media, and on other defendants (including banks) by data room. On data room service, the judge remarked that it had proved a successful means of serving large quantities of documents in a cost-effective way.
Aside from these novelties, the interlocutory orders successfully obtained by the company enabled it to trace the stolen funds into accounts held with 50 banks in 19 jurisdictions, and to identify 30 individual defendants (only two of whom engaged in the litigation process to any meaningful extent). As so many of the known defendants opted not to participate in the proceedings, quite apart from the defendants who remained unknown, it was necessary for the company to prove its case whilst ensuring that the defendants’ position was fairly presented.
The legal bases for the company’s claims, all of which succeeded, were as follows:
- A proprietary claim against all defendants who could be shown to have received the stolen funds, on the grounds that the funds were impressed with a constructive trust that enabled them to be traced. Based on the lowest intermediate balances of the receiving defendants’ bank accounts (that is, the traceable amount in each account is capped at the lowest balance the account reached after the stolen funds were paid in), this resulted in approximately US$1.5 million being categorised as traceable funds.
- Claims for compensation for dishonest assistance, and for damages for unlawful means conspiracy, against those defendants who perpetrated the hack and those who knowingly assisted in the fraud. These claims also succeeded in full.
- A claim for knowing receipt against all of the defendants who received the company’s funds, whether directly or at a level (or two) removed. Those defendants who received the funds but did not actively participate in the fraud were found to have the requisite knowledge because they knew that the funds had been obtained by deceit and illegal hacking, even if they did not know the identity of the victim.
- A restitutionary claim against the direct recipients of the company’s funds on the grounds of their unjust enrichment at the company’s expense.
The case is, in many ways, a blueprint for how cyber attack victims should go about recovering stolen funds via the Courts. First and foremost, the company acted very quickly to obtain a worldwide freezing order, maximising the chances of a significant proprietary claim. Then the company used the resulting information, showing the flow of funds, to identify a large number of defendants. No doubt the next stage will be to enforce the judgment against the known defendants in order to address the US$6.5 million shortfall between the company’s losses and the value of the traced funds, which may pose further practical problems requiring original solutions. However, the overall – very encouraging – feature of this case is that, although it was not possible to identify the “persons unknown” who compromised the company’s systems, by the litigation process it was possible to identify their co-conspirators and collaborators and mitigate the consequences of their actions.
An effective (and speedy) litigation response is an important element of any organisation’s cyber strategy, whether it be offensive – as in this instance – or defensive. The frequency of cyber attacks also suggests that this type of litigation is likely to become more commonplace. But as this case shows, English civil procedure will continue to evolve in step with the march of technology and the new threats and challenges that it presents.
Norton Rose Fulbright was awarded the Cyber Law Firm of the Year Award at the 2018 Insider Cyber Rankings Awards