The threat of a cyber-attack has never been greater. In the last number of months, the healthcare system in Ireland was subject to two high-profile attacks, whilst a major US fuel pipeline was taken offline following a cyber-security incident, generating headlines around the world. This has highlighted the extreme danger which cyber-attacks can pose for businesses and the critical need to think ahead in how to deal with such attacks, which can occur when you least expect them.
The Matheson team has extensive experience in assisting businesses with their cyber-security defence, both in containing and combatting a breach and in minimising the damage to the business following an attack. We also advise on the urgent legal processes which may be open to businesses in the event of an attack, including court injunctions which may be obtained on an anonymous basis, where appropriate, in order to protect the privacy of the business.
Effects of a cyber-attack
In most instances, the systems are targeted by ransomware controlled by criminals. The ransomware encrypts the company’s data and may also block access to those systems. The hackers may then threaten to leak the stolen data to the public or the company’s competitors unless the company pays a ransom (the Ransomware-as-a-Service model).
To contain the attack, a company can instruct a cyber-incident response support team. This will consist of:
- legal advisors, such as Matheson, who can advise on the immediate legal obligations and help combat the attack by, for example, court injunctions; and
- forensic investigation specialists, who analyse the attack, find its source and establish technical solutions.
The team may also advise on negotiations with the hackers.
Reacting to a cyber-attack
Cyber-attack victims naturally want to exhaust every avenue available to protect their data, staff, clients, reputation and commercial interests. A useful protection is to secure an injunction against the hackers in the High Court.
Although the hackers are unlikely to be identifiable, Matheson has secured injunction orders against “persons unknown”. Matheson has successfully secured injunctions ordering that:
- the hackers deliver up and / or delete the stolen data;
- the hackers are restrained from using, hosting, processing and / or publicising by any means the stolen data;
- the hackers identify themselves;
- any party who may inadvertently come into possession of the stolen data is restrained from using, hosting, processing and / or publicising by any means the stolen data once they have notice of the court’s order; and
- the cyber-attack victim remains anonymous in the title of court proceedings and media reports of the proceedings.
Matheson will first make an ex parte interim injunction application to the High Court. This is an urgent application made without the hackers’ knowledge. Interim orders are temporary and last until the court can hear an interlocutory injunction application. Matheson has secured ex parte interim injunction orders within 48 hours of receiving instructions, and even convened High Court hearings on weekends and public holidays.
Some days after an interim order has been granted, an interlocutory injunction hearing takes place. The hackers are given notice of this (usually through a communication portal set up to negotiate the ransom). Where granted, interlocutory injunction orders remain in place until a full injunction hearing takes place. If no full injunction hearing takes place, the interlocutory orders will endure until they serve their purpose.
Confidentiality and reputational damage are primary concerns here. A competitor may seek to take advantage of a cyber-attack if it becomes public knowledge. In some instances, a company may wish to pay a ransom. Media reports on the ransom payment could taint public confidence in a company and showcase it as a potential mark for other cyber criminals. For these reasons, Matheson delicately handles every injunction application and ensures that the company’s confidentiality is safeguarded. Recently, Matheson successfully applied to anonymise the company’s name in court proceedings and prevent the media from identifying it in reports on the case. This is the first time an order of its kind was ever granted in interlocutory injunction proceedings in Ireland.
Benefit of court order
Obtaining an injunction against cyber criminals may seem counterintuitive. However, an injunction can prevent “onward processing” of the stolen data. In practical terms, this means that a company can enforce the order against a platform (e.g. Google), even though the platform has come into possession of the data innocently.
Obtaining an injunction also demonstrates that a company is treating the incident seriously. It is a useful mitigation measure when notifying the Data Protection Commission.