On 15 September 2021, Mr Justice Nicklin issued a final injunction against the ‘person or persons unknown’ responsible for the ransomware attack against 4 New Square. The High Court granted default judgment against the defendants who had failed to engage with proceedings following an interim injunction issued by Mrs Justice Steyn in June 2021:

‘The Defendant has not engaged with the proceedings and have not filed an Acknowledgement of Service or Defence. Little has changed since the hearing before Steyn J on 28 June 2021. Having considered the most recent witness statement, I am satisfied that the Claimants are entitled to default judgment.’

Seeking interlocutory relief following a cyberattack is certainly not a new concept. The first edition of Cyber Security Law and Practice (Lexis Nexis, 2017) highlighted injunctive relief as a response to an external cyber security breach and commented on the guidance of Mr Justice Hildyard in Allfiled UK Ltd v Eltis [2015] EWHC 1300 (Ch). However, injunctions are a useful tool especially when, as in this case, the High Court permits effective service to an email address which can be obtained through communication regarding any potential ransom.

If chambers is subject to a cyberattack, there are a number of practical steps which should be undertaken in addition to obtaining an injunction.

1: Convene the incident response team

If your first question is: ‘What is an incident response team?’ then your chambers is not fully prepared to respond to a cyberattack. An incident response team consists of pertinent individuals with sufficient technical knowledge and authority to recognise the extent of the problem and to engage external assistance if required. The size of the team will depend upon the chambers’ constitution, IT budget and particular resources available. A small (but potentially agile) team could be the head of chambers and a representative from the IT managers running the network. Alternatively, it may include the management committee, IT committee, a group from technical support, and various HR professionals. Crucially, a response plan must be in place so that chambers can act swiftly following an attack.

2: Secure systems and ensure business continuity

Any breach must be contained. With a ransomware attack, the corrupted areas will need to be isolated, and then the network restored from back-ups. This is clearly a technical matter rather than a legal or regulatory consideration; however, chambers must be confident in the advice received. If the extent of the breach is not properly identified, or other systems have been compromised, then the initial attack will be quickly followed by subsequent breaches. Back-ups are also incredibly important. Chambers’ systems must be backed up regularly. Data redundancy (where the same data is held in separate places) can also protect chambers’ assets but does have a cost: both financial and in terms of slowing down systems.

3: Investigate

While convening the incident response team will be the first step, and securing and restoring chambers’ systems will be the second, the remaining actions following a cyberattack will likely occur simultaneously with no specified order. Chambers will need to investigate; address legal and regulatory requirements; and manage the public response to the attack. These actions will overlap. The incident response team will need an overarching plan.

In a perfect world, the source of the breach will be quickly identified, and this can be relayed to the Information Commissioner’s Office (ICO), and to the wider public in a clear press statement. However, it is certainly not guaranteed that the source of the breach will be known within 72 hours, which is the statutory time limit to notify the ICO of the breach. Further, if the breach is a ransomware attack, then a notification will need to be sent out before data is leaked (assuming that chambers is not going to pay the ransom).

Regardless of the time it takes to identify the source of the breach, the aim of the investigation is to demonstrate clear, remedial action. Investigations are not intended to attribute blame, but to ensure that the breach is not repeated. The investigation should result in clear procedures and practices which will then be disseminated throughout chambers, potentially with associated training. This will certainly not be completed within 72 hours.

4: Address legal and regulatory requirements

Practical steps following a personal data breach and the considerations before notifying the ICO have been discussed in a previous Counsel article (see ‘Handling a data breach’, May 2021). However, the actions of 4 New Square illustrate that other legal recourse is available in response. Chambers must also be alive to becoming the subject of litigation. The Data Protection Act 2018 provides a statutory recourse for those affected by a personal data breach, and tortious liability may also arise. Seeking advice from external agencies is not limited to technical aspects. Chambers will, no doubt, have a plethora of talented tenants able to opine on negligence but that may not be sufficient to properly advise on the specific breach in the circumstances of the particular cyberattack.

5: Manage the public response

The practical effect of Mr Justice Nicklin’s default judgment was negligible because the attackers were never likely to abide by the order:

‘The Defendant must by 4pm on 27 September 2021 deliver up to the Claimants’ solicitors and/or delete the Information in his possession, custody or control.’

There have been occasions when hackers have provided data to the original controllers, through a third-party intermediary, but these instances are rare and are often accompanied by a press statement from an ‘ethical hacker’ condemning the poor security of the data controllers. From a PR standpoint this can be more devastating than losing the personal data.

The primary benefit from the order is the message that this sends to clients and the public. Like a robust investigation which identifies the source of the breach, seeking injunctive relief reassures the public that chambers is continuing (ie business as usual), that this freak occurrence will not happen again, and that personal data may actually be safer than at any other chambers.

Managing the public response should not be limited to a single grand gesture, or even communicating the steps that need to be undertaken (ie convening the incident response team; securing systems and ensuring business continuity; investigating; and notifying the ICO). Negative commentary on social media causes reputational damage more quickly than ever before, and preventing negative tweets is practically very difficult. Rather, chambers must be ready to respond. The days of ‘battening down the hatches’ and keeping everything behind closed doors are gone. Chambers will need to monitor social media, send out a proactive message against negative comments, and welcome opportunities to allay concerns.

The Bar Council’s IT Panel produces a raft of guidance each year in an attempt to promote best practice and to try to reduce the vulnerabilities which attackers may exploit. The guidance is designed to be practical and accessible, but chambers have a responsibility to plan their response to a potential breach. 

See also the Bar Council's recent notice on cybersecurity.