*/
On 15 September 2021, Mr Justice Nicklin issued a final injunction against the ‘person or persons unknown’ responsible for the ransomware attack against 4 New Square. The High Court granted default judgment against the defendants who had failed to engage with proceedings following an interim injunction issued by Mrs Justice Steyn in June 2021:
‘The Defendant has not engaged with the proceedings and have not filed an Acknowledgement of Service or Defence. Little has changed since the hearing before Steyn J on 28 June 2021. Having considered the most recent witness statement, I am satisfied that the Claimants are entitled to default judgment.’
Seeking interlocutory relief following a cyberattack is certainly not a new concept. The first edition of Cyber Security Law and Practice (Lexis Nexis, 2017) highlighted injunctive relief as a response to an external cyber security breach and commented on the guidance of Mr Justice Hildyard in Allfiled UK Ltd v Eltis [2015] EWHC 1300 (Ch). However, injunctions are a useful tool especially when, as in this case, the High Court permits effective service to an email address which can be obtained through communication regarding any potential ransom.
If chambers is subject to a cyberattack, there are a number of practical steps which should be undertaken in addition to obtaining an injunction.
If your first question is: ‘What is an incident response team?’ then your chambers is not fully prepared to respond to a cyberattack. An incident response team consists of pertinent individuals with sufficient technical knowledge and authority to recognise the extent of the problem and to engage external assistance if required. The size of the team will depend upon the chambers’ constitution, IT budget and particular resources available. A small (but potentially agile) team could be the head of chambers and a representative from the IT managers running the network. Alternatively, it may include the management committee, IT committee, a group from technical support, and various HR professionals. Crucially, a response plan must be in place so that chambers can act swiftly following an attack.
Any breach must be contained. With a ransomware attack, the corrupted areas will need to be isolated, and then the network restored from back-ups. This is clearly a technical matter rather than a legal or regulatory consideration; however, chambers must be confident in the advice received. If the extent of the breach is not properly identified, or other systems have been compromised, then the initial attack will be quickly followed by subsequent breaches. Back-ups are also incredibly important. Chambers’ systems must be backed-up regularly. Data redundancy (where the same data is held in separate places) can also protect chambers’ assets but does have a cost: both financial and in terms of slowing down systems.
While convening the incident response team will be the first step, and securing and restoring chambers’ systems will be the second, the remaining actions following a cyberattack will likely occur simultaneously with no specified order. Chambers will need to investigate; address legal and regulatory requirements; and manage the public response to the attack. These actions will overlap. The incident response team will need an overarching plan.
In a perfect world, the source of the breach will be quickly identified, and this can be relayed to the Information Commissioner’s Office (ICO), and to the wider public in a clear press statement. However, it is certainly not guaranteed that the source of the breach will be known within 72 hours, which is the statutory time limit to notify the ICO of the breach. Further, if the breach is a ransomware attack, then a notification will need to be sent out before data is leaked (assuming that chambers is not going to pay the ransom).
Regardless of the time it takes to identify the source of the breach, the aim of the investigation is to demonstrate clear, remedial action. Investigations are not to attribute blame; rather, to ensure that the breach is not repeated. The investigation should result in clear procedures and practices which will then be disseminated throughout chambers; potentially with associated training. This will certainly not be completed within 72 hours.
Practical steps following a personal data breach and the considerations before notifying the ICO have been discussed in a previous Counsel article (see ‘Handling a data breach’, May 2021). However, the actions of 4 New Square illustrate that other legal recourse is available in response. Chambers must also be alive to becoming the subject of litigation. The Data Protection Act 2018 provides a statutory recourse for those affected by a personal data breach, and tortious liability may also arise. Seeking advice from external agencies is not limited to technical aspects. Chambers will, no doubt, have a plethora of talented tenants able to opine on negligence but that may not be sufficient to properly advise on the specific breach in the circumstances of the particular cyberattack.
The practical effect of Mr Justice Nicklin’s default judgment was negligible because the attackers were never likely to abide by the order:
‘The Defendant must by 4pm on 27 September 2021 deliver up to the Claimants’ solicitors and/or delete the Information in his possession, custody or control.’
There have been occasions when hackers have provided data to the original controllers, through a third-party intermediary, but these instances are rare and are often accompanied by a press statement from an ‘ethical hacker’ condemning the poor security of the data controllers. From a PR standpoint this can be more devastating than losing the personal data.
The primary benefit from the order is the message that this sends to clients and the public. Like a robust investigation which identifies the source of the breach, by seeking injunctive relief, these steps reassure the public that chambers is continuing (ie business as usual), that this freak occurrence will not happen again, and that personal data may actually be safer than at any other chambers.
Managing the public response should not be limited to a single grand gesture, or even communicating the steps that need to be undertaken (ie convening the incident response team; securing systems and ensuring business continuity; investigating; and notifying the ICO). Negative commentary on social media causes reputational damage more quickly than ever before, and preventing negative tweets is practically very difficult. Rather, chambers must be ready to respond. The days of ‘battening down the hatches’ and keeping everything behind closed doors are gone. Chambers will need to monitor social media, send out a proactive message against negative comments, and welcome opportunities to allay concerns.
The Bar Council’s IT Panel produces a raft of guidance each year in an attempt to promote best practice and to try to reduce the vulnerabilities which attackers may exploit. The guidance is designed to be practical and accessible, but chambers have a responsibility to plan their response to a potential breach.
On 15 September 2021, Mr Justice Nicklin issued a final injunction against the ‘person or persons unknown’ responsible for the ransomware attack against 4 New Square. The High Court granted default judgment against the defendants who had failed to engage with proceedings following an interim injunction issued by Mrs Justice Steyn in June 2021:
‘The Defendant has not engaged with the proceedings and have not filed an Acknowledgement of Service or Defence. Little has changed since the hearing before Steyn J on 28 June 2021. Having considered the most recent witness statement, I am satisfied that the Claimants are entitled to default judgment.’
Seeking interlocutory relief following a cyberattack is certainly not a new concept. The first edition of Cyber Security Law and Practice (Lexis Nexis, 2017) highlighted injunctive relief as a response to an external cyber security breach and commented on the guidance of Mr Justice Hildyard in Allfiled UK Ltd v Eltis [2015] EWHC 1300 (Ch). However, injunctions are a useful tool especially when, as in this case, the High Court permits effective service to an email address which can be obtained through communication regarding any potential ransom.
If chambers is subject to a cyberattack, there are a number of practical steps which should be undertaken in addition to obtaining an injunction.
If your first question is: ‘What is an incident response team?’ then your chambers is not fully prepared to respond to a cyberattack. An incident response team consists of pertinent individuals with sufficient technical knowledge and authority to recognise the extent of the problem and to engage external assistance if required. The size of the team will depend upon the chambers’ constitution, IT budget and particular resources available. A small (but potentially agile) team could be the head of chambers and a representative from the IT managers running the network. Alternatively, it may include the management committee, IT committee, a group from technical support, and various HR professionals. Crucially, a response plan must be in place so that chambers can act swiftly following an attack.
Any breach must be contained. With a ransomware attack, the corrupted areas will need to be isolated, and then the network restored from back-ups. This is clearly a technical matter rather than a legal or regulatory consideration; however, chambers must be confident in the advice received. If the extent of the breach is not properly identified, or other systems have been compromised, then the initial attack will be quickly followed by subsequent breaches. Back-ups are also incredibly important. Chambers’ systems must be backed-up regularly. Data redundancy (where the same data is held in separate places) can also protect chambers’ assets but does have a cost: both financial and in terms of slowing down systems.
While convening the incident response team will be the first step, and securing and restoring chambers’ systems will be the second, the remaining actions following a cyberattack will likely occur simultaneously with no specified order. Chambers will need to investigate; address legal and regulatory requirements; and manage the public response to the attack. These actions will overlap. The incident response team will need an overarching plan.
In a perfect world, the source of the breach will be quickly identified, and this can be relayed to the Information Commissioner’s Office (ICO), and to the wider public in a clear press statement. However, it is certainly not guaranteed that the source of the breach will be known within 72 hours, which is the statutory time limit to notify the ICO of the breach. Further, if the breach is a ransomware attack, then a notification will need to be sent out before data is leaked (assuming that chambers is not going to pay the ransom).
Regardless of the time it takes to identify the source of the breach, the aim of the investigation is to demonstrate clear, remedial action. Investigations are not to attribute blame; rather, to ensure that the breach is not repeated. The investigation should result in clear procedures and practices which will then be disseminated throughout chambers; potentially with associated training. This will certainly not be completed within 72 hours.
Practical steps following a personal data breach and the considerations before notifying the ICO have been discussed in a previous Counsel article (see ‘Handling a data breach’, May 2021). However, the actions of 4 New Square illustrate that other legal recourse is available in response. Chambers must also be alive to becoming the subject of litigation. The Data Protection Act 2018 provides a statutory recourse for those affected by a personal data breach, and tortious liability may also arise. Seeking advice from external agencies is not limited to technical aspects. Chambers will, no doubt, have a plethora of talented tenants able to opine on negligence but that may not be sufficient to properly advise on the specific breach in the circumstances of the particular cyberattack.
The practical effect of Mr Justice Nicklin’s default judgment was negligible because the attackers were never likely to abide by the order:
‘The Defendant must by 4pm on 27 September 2021 deliver up to the Claimants’ solicitors and/or delete the Information in his possession, custody or control.’
There have been occasions when hackers have provided data to the original controllers, through a third-party intermediary, but these instances are rare and are often accompanied by a press statement from an ‘ethical hacker’ condemning the poor security of the data controllers. From a PR standpoint this can be more devastating than losing the personal data.
The primary benefit from the order is the message that this sends to clients and the public. Like a robust investigation which identifies the source of the breach, by seeking injunctive relief, these steps reassure the public that chambers is continuing (ie business as usual), that this freak occurrence will not happen again, and that personal data may actually be safer than at any other chambers.
Managing the public response should not be limited to a single grand gesture, or even communicating the steps that need to be undertaken (ie convening the incident response team; securing systems and ensuring business continuity; investigating; and notifying the ICO). Negative commentary on social media causes reputational damage more quickly than ever before, and preventing negative tweets is practically very difficult. Rather, chambers must be ready to respond. The days of ‘battening down the hatches’ and keeping everything behind closed doors are gone. Chambers will need to monitor social media, send out a proactive message against negative comments, and welcome opportunities to allay concerns.
The Bar Council’s IT Panel produces a raft of guidance each year in an attempt to promote best practice and to try to reduce the vulnerabilities which attackers may exploit. The guidance is designed to be practical and accessible, but chambers have a responsibility to plan their response to a potential breach.
Sam Townend KC explains the Bar Council’s efforts towards ensuring a bright future for the profession
Giovanni D’Avola explores the issue of over-citation of unreported cases and the ‘added value’ elements of a law report
Louise Crush explores the key points and opportunities for tax efficiency
Westgate Wealth Management Ltd is a Partner Practice of FTSE 100 company St. James’s Place – one of the top UK Wealth Management firms. We offer a holistic service of distinct quality, integrity, and excellence with the aim to build a professional and valuable relationship with our clients, helping to provide them with security now, prosperity in the future and the highest standard of service in all of our dealings.
Is now the time to review your financial position, having reached a career milestone? asks Louise Crush
If you were to host a dinner party with 10 guests, and you asked them to explain what financial planning is and how it differs to financial advice, you’d receive 10 different answers. The variety of answers highlights the ongoing need to clarify and promote the value of financial planning.
Most of us like to think we would risk our career in order to meet our ethical obligations, so why have so many lawyers failed to hold the line? asks Flora Page
If your current practice environment is bringing you down, seek a new one. However daunting the change, it will be worth it, says Anon Barrister
Creating advocacy opportunities for juniors is now the expectation but not always easy to put into effect. Tom Mitcheson KC distils developing best practice from the Patents Court initiative already bearing fruit
Sam Townend KC explains the Bar Council’s efforts towards ensuring a bright future for the profession
National courts are now running the bulk of the world’s war crimes cases and corporate prosecutions are part of this growing trend, reports Chris Stephen
