England and Wales High Court (King's Bench Division) Decisions
XXX v Persons Unknown [2022] EWHC 2776 (KB) (25 October 2022)
URL: http://www.bailii.org/ew/cases/EWHC/KB/2022/2776.html
Cite as: [2022] EWHC 2776 (KB)
KING'S BENCH DIVISION
Strand London, WC2A 2LL
B e f o r e :
____________________
XXX
Claimant
- and -
PERSONS UNKNOWN
Defendants
____________________
THE DEFENDANTS did not attend and were not represented.
____________________
Crown Copyright ©
MR JUSTICE CAVANAGH:
The Facts
"1. ...on 24 March [the claimant] received a ransom note saying that cyber attackers had downloaded to their servers the claimant's databases, FTP server, and file server and that they had encrypted files from the claimant's computers making them inaccessible to the claimant. The attackers provided two email addresses and said that they would regard any failure to contact them as a refusal to negotiate.
2. On 26 March, the attackers demanded a ransom of US$6.8 million in exchange for decryption and non-disclosure of the downloaded information.
3. At about 3.00 p.m. on 28 March 2022, the attackers provided to a firm instructed by the claimant proof that they did, indeed, have the files or some of the files they claimed to have hacked.
4. At 14.26 on 29 March, the claimant's instructed consultants received an ultimatum indicating that the attackers would post information on their platform and start uploading information which they had downloaded from the claimant's servers. At that point, the claimant immediately instructed solicitors to make an application without notice. The application came before Stacey J at about 1.00 a.m. on 30 March 2022. Stacey J granted a without notice injunction prohibiting the attackers from using or disclosing the data they took during the attack. The order contained confidentiality provisions and a permission for alternative service on the two email addresses provided by the attackers in their ransom demand. That order was provided by the court in sealed form at 10.51 on 30 March and was thereafter served on the attackers at the email addresses indicated in the order. About two hours later, an email was received from the same email address in defiant terms. I have read the terms of that email and I accept that it shows, as submitted by Mr Wandowicz for the claimant, that the attackers have, indeed, received a copy of the order. The order provided within it for a return date which was today and so it can be safely assumed that those who have perpetrated the cyberattack I have mentioned have received notice of today's hearing. No further response from the attackers has been received since then."
"The Claimant sought an Order that the Application be dealt with without a hearing. The judgment of Chamberlain J was given in private. As far as I can tell, all hearings have been conducted in private. I have directed a hearing which, unless exceptionally the Judge is satisfied that it should be in private, will be held in Open Court. If, exceptionally, the Judge is satisfied that it is necessary to hold the Hearing in private, then s/he will give a public judgment (in suitable terms) explaining the order that has been made and the reasons....
At the Hearing, the Court will need to be satisfied that the anonymity order should be continued. Not every data-hacking/cyberattack case justifies anonymity – and several similar claims have been brought without anonymity. The Claimant will need to inform the Court as to the extent to which it has disclosed the cyberattack to third parties and demonstrate that an anonymity order is justified as necessary."
1. The nature of the information which has been stolen by the defendants from the claimant
Mr Rance said that the claimant has been able to carry out a detailed analysis of the files and folders of information which was stolen by the defendants. That analysis has allowed the claimant to identify with precision the contents of those files and folders and, in turn, information that is (a) security sensitive, (b) commercially sensitive and (c) personally identifiable. The majority falls into categories (a) and (b) and to a much lesser extent category (c). He said that much of the information in (a) and (b) is security sensitive, highly classified and protected by the Official Secrets Act 1989.
2. The nature of the business undertaken by the claimant and why anonymity is important to it
"The Claimant is a multi-discipline company providing technology-led solutions for security-sensitive and highly classified projects of national significance. Its clients require the utmost discretion, secrecy, and protection from external threats."
"However, the Claimant believes (and I believe, and consider it to be common sense) that there would be a very significant risk of this changing if the name of the Claimant became public. This is because the nature of the projects in which the Claimant is engaged means that its client data would be of interest to several categories of persons with potentially malicious intent, including hostile nation states, organised criminal groups and terrorist organisations. The Claimant is a well-known company in its industry and it works for well-known clients. If it became known that the information which has been compromised is the Claimant's, that could well lead to positive efforts at finding that information by such persons or organisations. That in turn would not only promote the Defendants' criminal endeavours but also allows other third parties to access and exploit the information in question."
3. The defendants' modus operandi
"The Defendants operate their own platform on the so-called 'Dark Web' (a part of the internet inaccessible from normal web browsers) where they post details of victims and information they have stolen, including links purporting to allow access to that stolen information, sometimes for free but more often for a price. I am aware based on intelligence and having seen evidence of that website, that the Defendants have a history of attacking and blackmailing other organisations."
4. The extent to which the claimant has informed others of the ransomware attack
5. The extent to which the ransomware attack has become known to third parties by other means
"I should explain that after the uploading of the Claimant's stolen information on the Defendant's Dark Web platform, a small number of Twitter users …. did make social media posts which drew attention to it. My firm took immediate steps to address this, seeking to notify Twitter, as well as several of the Twitter users themselves (or at least the ones we could identify) of the terms of the interim injunctions granted by the Court. This proved to be very effective. On 24 April 2022, following my firm's correspondence with Twitter, I was notified by Twitter that the offending tweets had been removed.
Dark web monitoring was also undertaken by the Incident Response Team to check if the Claimant's information had appeared on any other platforms but it had not (and I understand that remains the position)."
Anonymity and the question whether the summary judgment hearing should take place in private
"15. As I explained in my reasons for granting the Order, the Claimants' Application sought several derogations from the principles of open justice, including reporting restrictions and that notice of the Application should therefore be given to the media. As the Claimants' Application does not seek relief against an identifiable respondent, s.12(2) of the Human Rights Act 1998 does not apply, and there is no obligation to notify media organisations. Nevertheless, when reporting restrictions are sought, such media organisations are entitled to be heard as a matter of fairness: A v BBC [2015] AC 588 [66]-[67]. Sometimes, it is impracticable to give notice to media organisations before the order is made, in which case the Court will stand ready to hear an application to vary or discharge any order that has been made. Nevertheless, a party applying for reporting restrictions should consider carefully whether notice should nevertheless be given of the application to the media. Ultimately, as here, the Court may decide that advance notice should be given, and make directions accordingly.
..........
26. More fundamentally, however, where an application is made for an injunction or similar order to restrict use or publication of information, the Court must retain ultimate control over the information that is provided to third parties to enable them to decide whether they wish to make representations in relation to an application. In some cases, the name of the party or the information sought to be protected may be so sensitive that the Court would not permit or require it to be provided to third parties. A good recent example of that would be the names of the applicants in In re Winch [2021] EWHC 1328 (QB). In the particular circumstances of that case, there would be no question of the Court requiring or directing provision of the names of the applicants to third party media organisations. That would be the very, highly sensitive information that the applicants were seeking to protect. Its provision would simply not be necessary for an assessment by the media organisation whether it wished to make submissions in relation to the application.
..........
33. CPR 39.2(4) provides:
'The Court must order that the identity of any party or witness shall not be disclosed if, and only if, it considers non-disclosure necessary to secure the proper administration of justice and in order to protect the interests of that party or witness.'
CPR 39.2 contains several provisions that reflect the fundamental rule of the common law that proceedings must be heard in public, subject to certain specified classes of exceptions: XXX v Camden LBC [2020] 4 WLR 165 [17].
34. Orders that a party to a civil claim be anonymised in the proceedings and reporting restrictions prohibiting his/her identification are derogations from the principle of open justice. The principles to be applied are clearly set out in Practice Guidance (Interim Non-Disclosure Orders)...under the heading 'Open Justice':
'[9] Open justice is a fundamental principle. The general rule is that hearings are carried out in, and judgments and orders are, public: see article 6.1 of the Convention, CPR r.39.2 and Scott v Scott [1913] AC 417. This applies to applications for interim non-disclosure orders: Micallef v Malta (2009) 50 EHRR 920 at [75]; Donald v Ntuli (Guardian News & Media Ltd intervening) [2011] 1 WLR 294 [50].
[10] Derogations from the general principle can only be justified in exceptional circumstances, when they are strictly necessary as measures to secure the proper administration of justice. They are wholly exceptional: R v Chief Registrar of Friendly Societies, Ex p New Cross Building Society [1984] QB 227, 235; Donald v Ntuli [52]-[53]. Derogations should, where justified, be no more than strictly necessary to achieve their purpose.
[11] The grant of derogations is not a question of discretion. It is a matter of obligation and the court is under a duty to either grant the derogation or refuse it when it has applied the relevant test: M v W [2010] EWHC 2457 (QB) [34].
[12] There is no general exception to open justice where privacy or confidentiality is in issue. Applications will only be heard in private if and to the extent that the court is satisfied that by nothing short of the exclusion of the public can justice be done. Exclusions must be no more than the minimum strictly necessary to ensure justice is done and parties are expected to consider before applying for such an exclusion whether something short of exclusion can meet their concerns, as will normally be the case: Ambrosiadou v Coward [2011] EMLR 419 [50]-[54]. Anonymity will only be granted where it is strictly necessary, and then only to that extent.
[13] The burden of establishing any derogation from the general principle lies on the person seeking it. It must be established by clear and cogent evidence: Scott v Scott [1913] AC 417, 438-439, 463, 477; Lord Browne of Madingley v Associated Newspapers Ltd [2008] QB 103 [2]-[3]; Secretary of State for the Home Department v AP (No. 2) [2010] 1 WLR 1652; Gray v W [2010] EWHC 2367 (QB) [6]-[8]: and JIH v News Group Newspapers Ltd (Practice Note) [2011] 1 WLR 1645 [21].
[14] When considering the imposition of any derogation from open justice, the court will have regard to the respective and sometimes competing Convention rights of the parties as well as the general public interest in open justice and in the public reporting of court proceedings. It will also adopt procedures which seek to ensure that any ultimate vindication of article 8 of the Convention, where that is engaged, is not undermined by the way in which the court has processed an interim application. On the other hand, the principle of open justice requires that any restrictions are the least that can be imposed consistent with the protection to which the party relying on their article 8 Convention right is entitled. The proper approach is set out in JIH.'
35. In JIH v News Group Newspapers Ltd [21] the Court of Appeal summarised the principles as follows:
(1) The general rule is that the names of the parties to an action are included in orders and judgments of the court.
(2) There is no general exception for cases where private matters are in issue.
(3) An order for anonymity or any other order restraining the publication of the normally reportable details of a case is a derogation from the principle of open justice and an interference with the article 10 rights of the public at large.
(4) Accordingly, where the court is asked to make any such order, it should only do so after closely scrutinising the application, and considering whether a degree of restraint on publication is necessary, and, if it is, whether there is any less restrictive or more acceptable alternative than that which is sought.
(5) Where the court is asked to restrain the publication of the names of the parties and/or the subject matter of the claim, on the ground that such restraint is necessary under article 8, the question is whether there is sufficient general, public interest in publishing a report of the proceedings which identifies a party and/or the normally reportable details to justify any resulting curtailment of his right and his family's right to respect for their private and family life.
(6) On any such application, no special treatment should be accorded to public figures or celebrities: in principle, they are entitled to the same protection as others, no more and no less.
(7) An order for anonymity or for reporting restrictions should not be made simply because the parties consent: parties cannot waive the rights of the public.
(8) An anonymity order or any other order restraining publication made by a judge at an interlocutory stage of an injunction application does not last for the duration of the proceedings but must be reviewed at the return date.
(9) Whether or not an anonymity order or an order restraining publication of normally reportable details is made, then, at least where a judgment is or would normally be given, a publicly available judgment should normally be given, and a copy of the consequential court order should also be publicly available, although some editing of the judgment or order may be necessary.
(10) Notice of any hearing should be given to the defendant unless there is a good reason not to do so, in which case the court should be told of the absence of notice and the reason for it, and should be satisfied that the reason is a good one.
36. The authorities make clear, therefore, that derogations from open justice can be justified as necessary on two principal grounds: maintenance of the administration of justice and harm to other legitimate interests: R (Rai) v Crown Court at Winchester [2021] EWHC 339 (Admin) [39].
37. In the first category fall cases -- such as claims for breach of confidence -- which, unless some derogation is made from the principles of open justice, the Court would, by its process, effectively destroy that which the claimant is seeking to protect. Depending upon the particular facts, the Court may need either to anonymise the party/parties, or (if the parties are named) withhold the private/confidential information from proceedings in open court and in any public judgment: see discussion in Khan v Khan [2018] EWHC 241 (QB) [81]-[93].
38. Save in that limited category of case, the names of the parties to litigation are important matters that should be available to the public and the media. Any interference with the public nature of court proceedings is to be avoided unless justice requires it: R v Legal Aid Board, ex parte Kaim Todner (A Firm) [1999] QB 966, 978g. No doubt there will be many litigants in the courts who would prefer that their names, addresses and details of their affairs were not made public in the course of proceedings. In Kaim Todner, Lord Woolf MR explained (p.978):
'It is not unreasonable to regard the person who initiates the proceedings as having accepted the normal incidence of the public nature of court proceedings. If you are a defendant you may have an interest equal to that of the plaintiff in the outcome of the proceedings but you have not chosen to initiate court proceedings which are normally conducted in public. A witness who has no interest in the proceedings has the strongest claim to be protected by the court if he or she will be prejudiced by publicity, since the courts and parties may depend on their cooperation. In general, however, parties and witnesses have to accept the embarrassment and damage to their reputation and the possible consequential loss which can be inherent in being involved in litigation. The protection to which they are entitled is normally provided by a judgment delivered in public which will refute unfounded allegations. Any other approach would result in wholly unacceptable inroads on the general rule...
There can however be situations where a party or witness can reasonably require protection. In prosecutions for rape and blackmail, it is well established that the victim can be entitled to protection. Outside the well-established cases where anonymity is provided, the reasonableness of the claim for protection is important. Although the foundation of the exceptions is the need to avoid frustrating the ability of courts to do justice, a party cannot be allowed to achieve anonymity by insisting upon it as a condition for being involved in the proceedings irrespective of whether the demand is reasonable. There must be some objective foundation for the claim which is being made.'
39. The same point was made by Lord Sumption in Khuja v Times Newspapers Ltd [2019] AC 161:
'[29] In most of the recent decisions of this court the question has arisen whether the open justice principle may be satisfied without adversely affecting the claimant's Convention rights by permitting proceedings in court to be reported but without disclosing his name. The test which has been applied in answering it is whether the public interest served by publishing the facts extended to publishing the name. In practice, where the court is satisfied that there is a real public interest in publication, that interest has generally extended to publication of the name. This is because the anonymised reporting of issues of legitimate public concern are less likely to interest the public and therefore to provoke discussion. As Lord Steyn observed in In re S [2005] 1 AC 593 [34]:
'...from a newspaper's point of view a report of a sensational trial without revealing the identity of the defendant would be a very much disembodied trial. If the newspapers choose not to contest such an injunction, they are less likely to give prominence to reports of the trial. Certainly, readers will be less interested and editors will act accordingly. Informed debate about criminal justice will suffer.'
"What is in a name?", Lord Rodger memorably asked In re Guardian News and Media Ltd before answering his own question, at [63]... The public interest in the administration of justice may be sufficiently served as far as lawyers are concerned by a discussion which focusses on the issues and ignores the personalities, but ([57]):
'...The target audience of the press is likely to be different and to have a different interest in proceedings which will not be satisfied by an anonymised version of the judgment. In the general run of cases there is nothing to stop the press from supplying the more full-blooded account which their readers want.'
cf. In re BBC; In re Attorney General's Reference (No.3 of 1999) [2010] 1 AC 145 [25]-[26] (Lord Hope of Craighead) and [56], [66] (Lord Brown of Eaton-under-Heywood).
[30] None of this means that if there is a sufficient public interest in reporting the proceedings there must necessarily be a sufficient public interest in identifying the individual involved. The identity of those involved may be wholly marginal to the public interest engaged. Thus Lord Reed JSC remarked of the Scottish case Devine v Secretary of State for Scotland (unreported, 22 January 1993), in which soldiers who had been deployed to end a prison siege were allowed to give evidence from behind a screen, that "their appearance and identities were of such peripheral, if any, relevance to the judicial process that it would have been disproportionate to require their disclosure": A v BBC [39]. In other cases, the identity of the person involved may be more central to the point of public interest but outweighed by the public interest in the administration of justice. This was why publication of the name was prohibited in A v BBC. Another example in a rather different context is R (C) v Secretary of State for Justice (Media Lawyers Association intervening) [2016] 1 WLR 444, a difficult case involving the disclosure via judicial proceedings of highly personal clinical data concerning psychiatric patients serving sentences of imprisonment, which would have undermined confidential clinical relationships and thereby reduced the efficacy of the system for judicial oversight of the Home Secretary's decisions.'
40. Where a party to the litigation (or a witness) seeks an anonymity order (and reporting restrictions) on the grounds that identifying him/her will interfere with his/her Convention rights, then the Court will have to assess the engaged rights: see RXG v Ministry of Justice [2020] QB 703 [25] and XXX v Camden LBC [20]-[21]. Under the CPR, the name and address of a party must be provided in the Claim Form...and, once an Acknowledgment of Service has been filed, the claim has been listed for a hearing or judgment has been entered, the Claim Form will be available for public inspection: CPR 5.4C (1) and (4). In any assessment of the Article 10 right reflected in open justice, the Courts will attach due weight to the default position that, without an anonymity order, the name and address of the party or witness will be available to be reported as part of the proceedings: R (Rai) v Crown Court at Winchester [47]-[48].
41. Media reports of proceedings may have an adverse impact on the rights and interests of others, but, ordinarily 'the collateral impact that this process has on those affected is part of the price to be paid for open justice and the freedom of the press to report fairly and accurately on judicial proceedings held in public': Khuja [34(2)]."
Anonymity Order
A Public or Private Hearing
1. As already said, any derogation from open justice must be justified by necessity and must go no further than necessary.
2. The interests of the claimant are sufficiently protected by the continuation of the anonymity order and also by the provisions of the draft order. These include an order for non-publication of the confidential schedules which identify the confidential evidence which has been provided to the court and an order to the effect that pleadings, witness statements and other filings will not be provided to any other person unless the court grants permission after an application is made.
3. As I have read the confidential evidence, it should be, and was, possible for submissions to be made without the need to refer in open court to anything that would give a clue to the claimant's identity. I have stated that if it had unexpectedly become necessary to do so during the course of hearing, then I was prepared to listen to any application that the claimant might wish to make at the time.
4. I am hereby handing down a public judgment, as Chamberlain J did in April 2022. There is no reason or there was no reason to think that anything that would be disclosed during the course of the public hearing of significance would not be mentioned in this judgment or would not have been mentioned in Chamberlain J's judgment.
5. As I have said, in light of my indications in relation to the anonymity order, Mr Wandowicz did not press his application for the summary judgment hearing to take place in open court.
Accordingly, I proceeded to hear argument in open court on the summary judgment application.
The Summary Judgment Application
Conclusion
Transcribed by Opus 2 International Limited, Official Court Reporters and Audio Transcribers, 5 New Street Square, London, EC4A 3BF. Tel: 020 7831 5627. Fax: 020 7831 7737.