If this Transcript is to be reported or published, there is a requirement to ensure that no reporting restriction will be breached. This is particularly important in relation to any case involving a sexual offence, where the victim is guaranteed lifetime anonymity (Sexual Offences (Amendment) Act 1992), or where an order has been made in relation to a young person. |
This Transcript is Crown Copyright. It may not be reproduced in whole or in part other than in accordance with relevant licence or with the express consent of the Authority. All rights are reserved. |
Royal Courts of Justice
Strand
London, WC2A 2LL
Before:
MR JUSTICE CAVANAGH
BETWEEN :
XXX Claimant
- and -
PERSONS UNKNOWN Defendants
ANONYMISATION APPLIES
REPORTING RESTRICTIONS APPLY
__________
MR K WANDOWICZ (instructed by Weightmans LLP) appeared on behalf of the Claimant.
THE DEFENDANTS did not attend and were not represented.
__________
JUDGMENT
MR JUSTICE CAVANAGH:
This is the claimant’s application for summary judgment in relation to a ransomware attack. The claimant obtained a without notice interim injunction from Stacey J on 30 March 2022 restraining the defendants from using or distributing the claimant’s confidential information. Thereafter, the claimant issued a claim for breach of confidence, claiming permanent injunctions and damages. At a further hearing on 12 April 2022 (“the continuation hearing”), Chamberlain J continued the injunction on expanded terms until trial or further order.
Perhaps unsurprisingly, the defendants have not engaged with the proceedings at all despite being aware of them. They did not attend the return date for the interim injunction and have not contested the claim. They have not attended today’s hearing even though notice was given to them in accordance with Chamberlain J’s order via the email addresses that they have been using.
The claimant seeks summary judgment in relation to its claim for a permanent injunction. The claimant recognises that it would be open to it to obtain judgment in default as the defendants have not acknowledged service or filed a defence, but the claimant prefers to seek summary judgment on the merits as this may assist the claimant in having the judgment recognised and enforced in foreign jurisdictions. At this stage, the claimant does not pursue its claim for damages against the defendants as it recognises that this would be pointless unless and until the defendants are identified.
At the without notice hearing, Stacey J made an order for anonymity in favour of the claimant. At the continuation hearing before Chamberlain J, the judge also ordered that the claimant continue to enjoy anonymity and granted the claimant’s application for that hearing to take place in private. However, Chamberlain J ordered that the judgment which he had delivered at the end of the continuation hearing should be published (though anonymised) and this has now taken place. The judgment is at [2022] EWHC 1578 (QB), although it has not yet been published on the National Archives or on BAILII.
The claimant subsequently applied for its claim for summary judgment to be dealt with on the papers. This application was refused by Nicklin J on 10 October 2022.
It follows that there were three matters which it has been necessary for me to determine today. These are: (1) whether the claimant should continue to be anonymised; (2) whether the hearing should take place in private (in whole or in part); and (3) whether summary judgment should be granted on the terms sought by the claimant.
I first heard argument on the first two matters (anonymity and a private hearing) which can conveniently be considered together. I directed that the part of the hearing at which I heard argument on these matters would take place in private because it was necessary in the interests of justice to do so, pursuant to CPR 39.2 (3)(a) and (3)(g). This was on the basis that publicity of this part of the hearing would defeat the object of the hearing and because privacy was necessary in the interests of justice. Anonymity had been ordered at the two previous injunction hearings and it would not be possible for the claimant’s counsel properly to refer to evidence and to make submissions on those matters unless the hearing took place in private. It was necessary to proceed in this way to preserve the position in case I decided that that there should be anonymity and/or that the hearing would take place in private. On the other hand, if I rejected the claimant’s request, no damage would be done to the principle of open justice because the identity of the claimant and the underlying facts would become clear at the open hearing that followed and/or in the text of my judgment.
Having heard argument on these matters, I announced my ruling. This was that the identity of the claimant would continue to be anonymised on the same terms as before and as sought in the draft order provided by the claimant, but that the hearing to deal with the summary judgment application would take place in public, after which I would give a public judgment in which the identity of the claimant would be concealed and anonymised. The public hearing would proceed on the basis that I have already read the confidential evidence and there would be no need to refer specifically to it or to the identity of the claimant during the hearing. I said that if it became clear that this was impractical, we would stop and I would hear further submissions from the claimant. In the event that proved unnecessary.
I stated at the end of the private hearing that I would give my reasons for granting the anonymity application and for refusing a private hearing of the summary judgment application in the judgment that I handed down at the end of the oral hearing. The reasons are set out in this judgment. I should add that counsel for the claimant did not press his application for a private hearing of the summary judgment application.
I reiterate that this is a public judgment, but it is one in which I will make no reference to the identity of the claimant or to anything that would lead third parties to identify the claimant. The final order which follows this judgment contains certain additional safeguards to which I will refer later. Accordingly, I will, first, provide a brief summary of the facts. I will next deal with the applications for anonymity and a private hearing, and I will finally deal with the substantive application for summary judgment.
The claimant has been represented before me by Mr Kajetan Wandowicz of counsel, as it was before Stacey J and Chamberlain J. I am very grateful to Mr Wandowicz for his conspicuously clear and helpful submissions, both oral and in writing.
The Facts
I will gratefully adopt the summary of facts that was set out by Chamberlain J in his judgment at the end of the continuation hearing. I should make clear that the facts and matters referred to are supported by the evidence that has been placed before the court by the claimant. This evidence was set out in two confidential witness statements from the claimant’s managing director and in five witness statements from two partners in the solicitors instructed by the claimant, Messrs. Weightmans. Some of these statements were open and some were confidential. The exhibits to the witness statements include the emails that were sent by the defendants in which the threats and demands for money were made. The defendants have not filed any evidence to contradict this evidence. Mr Justice Chamberlain summarised the evidence at [1]-[4] of his judgment as follows:
...on 24 March [the claimant] received a ransom note saying that cyber attackers had downloaded to their servers the claimant’s databases, FTP server, and file server and that they had encrypted files from the claimant’s computers making them inaccessible to the claimant. The attackers provided two email addresses and said that they would regard any failure to contact them as a refusal to negotiate.
On 26 March, the attackers demanded a ransom of US$6.8 million in exchange for decryption and non-disclosure of the downloaded information.
At about 3.00 p.m. on 28 March 2022, the attackers provided to a firm instructed by the claimant proof that they did, indeed, have the files or some of the files they claimed to have hacked.
At 14.26 on 29 March, the claimant’s instructed consultants received an ultimatum indicating that the attackers would post information on their platform and start uploading information which they had downloaded from the claimant’s servers. At that point, the claimant immediately instructed solicitors to make an application without notice. The application came before Stacey J at about 1.00 a.m. on 30 March 2022. Stacey J granted a without notice injunction prohibiting the attackers from using or disclosing the data they took during the attack. The order contained confidentiality provisions and a permission for alternative service on the two email addresses provided by the attackers in their ransom demand. That order was provided by the court in sealed form at 10.51 on 30 March and was thereafter served on the attackers at the email addresses indicated in the order. About two hours later, an email was received from the same email address in defiant terms. I have read the terms of that email and I accept that it shows, as submitted by Mr Wandowicz for the claimant, that the attackers have, indeed, received a copy of the order. The order provided within it for a return date which was today and so it can be safely assumed that those who have perpetrated the cyberattack I have mentioned have received notice of today’s hearing. No further response from the attackers has been received since then.”
The claimant has not been contacted by the defendants since Chamberlain J gave judgment on 12 April 2022.
In the reasons for refusing the claimant’s application for determination of the summary judgment application on the papers Nicklin J said:
“The Claimant sought an Order that the Application be dealt with without a hearing. The judgment of Chamberlain J was given in private. As far as I can tell, all hearings have been conducted in private. I have directed a hearing which, unless exceptionally the Judge is satisfied that it should be in private, will be held in Open Court. If, exceptionally, the Judge is satisfied that it is necessary to hold the Hearing in private, then s/he will give a public judgment (in suitable terms) explaining the order that has been made and the reasons....
At the Hearing, the Court will need to be satisfied that the anonymity order should be continued. Not every data-hacking/cyberattack case justifies anonymity – and several similar claims have been brought without anonymity. The Claimant will need to inform the Court as to the extent to which it has disclosed the cyberattack to third parties and demonstrate that an anonymity order is justified as necessary.”
The claimant has provided a response to the last sentence of Nicklin J’s reasons in the form of the third witness statement of Mr Anthony Rance, a partner at Weightmans, dated 19 October 2022. Mr Rance has provided the court with the following relevant evidence:
The nature of the information which has been stolen by the defendants from the claimant
Mr Rance said that the claimant has been able to carry out a detailed analysis of the files and folders of information which was stolen by the defendants. That analysis has allowed the claimant to identify with precision the contents of those files and folders and, in turn, information that is (a) security sensitive, (b) commercially sensitive and (c) personally identifiable. The majority falls into categories (a) and (b) and to a much lesser extent category (c). He said that much of the information in (a) and (b) is security sensitive, highly classified and protected by the Official Secrets Act 1989.
The nature of the business undertaken by the claimant and why anonymity is important to it
Mr Rance said:
“The Claimant is a multi-discipline company providing technology-led solutions for security-sensitive and highly classified projects of national significance. Its clients require the utmost discretion, secrecy, and protection from external threats.”
Mr Rance further said:
“However, the Claimant believes (and I believe, and consider it to be common sense) that there would be a very significant risk of this changing if the name of the Claimant became public. This is because the nature of the projects in which the Claimant is engaged means that its client data would be of interest to several categories of persons with potentially malicious intent, including hostile nation states, organised criminal groups and terrorist organisations. The Claimant is a well-known company in its industry and it works for well-known clients. If it became known that the information which has been compromised is the Claimant’s, that could well lead to positive efforts at finding that information by such persons or organisations. That in turn would not only promote the Defendants’ criminal endeavours but also allows other third parties to access and exploit the information in question.”
The defendants’ modus operandi
As to the defendants’ modus operandi, Mr Rance said:
“The Defendants operate their own platform on the so-called ‘Dark Web’ (a part of the internet inaccessible from normal web browsers) where they post details of victims and information they have stolen, including links purporting to allow access to that stolen information, sometimes for free but more often for a price. I am aware based on intelligence and having seen evidence of that website, that the Defendants have a history of attacking and blackmailing other organisations.”
The extent to which the claimant has informed others of the ransomware attack
Mr Rance said that the claimant has contacted those of its clients and client organisations which have a shared interest in category (a) and (b) information. Given the security-sensitive and classified nature of this information, awareness at an individual level has been restricted to those who have the appropriate level of clearance. There are fifteen organisations in total, with an estimated five individuals at each one cleared at the appropriate level. Senior personnel at the National Cyber Security Centre (including the director and deputy director of incident management) are also aware and have worked closely with the incident response team, as have senior officers at the National Crime Agency.
The claimant has also made its staff aware of the attack as well as certain employees of clients, client organisations and independent contractors who are security cleared to work on sites connected with category (a) and (b) information and whose contact details comprise the category (c) information. All these individuals have been notified on strictly confidential terms. Mr Rance said that he has no reason to believe that any of them has publicised that information. Indeed, it would be surprising if they were to do so since it is in their own interests that there is no publication. Many of them are also bound by the 1989 Act.
Moreover, given the nature of the category (c) information, the claimant has also been obliged to notify the Information Commissioner’s Office under the General Data Protection Regulation, albeit subject to permitted restrictions and an exemption from disclosure under the Freedom of Information Act in the interests of national security. The Information Commissioner’s Office has since closed its investigation. The only other persons aware of the incident are the claimant’s professional advisers, including the incident response team, albeit, once again, on strictly confidential terms.
The extent to which the ransomware attack has become known to third parties by other means
In relation to the extent to which others have been informed of the ransomware attack, Mr Rance said:
“I should explain that after the uploading of the Claimant’s stolen information on the Defendant’s Dark Web platform, a small number of Twitter users …. did make social media posts which drew attention to it. My firm took immediate steps to address this, seeking to notify Twitter, as well as several of the Twitter users themselves (or at least the ones we could identify) of the terms of the interim injunctions granted by the Court. This proved to be very effective. On 24 April 2022, following my firm’s correspondence with Twitter, I was notified by Twitter that the offending tweets had been removed.
Dark web monitoring was also undertaken by the Incident Response Team to check if the Claimant’s information had appeared on any other platforms but it had not (and I understand that remains the position).”
Anonymity and the question whether the summary judgment hearing should take place in private
The correct approach of courts to derogations from the principle of open justice has helpfully been set out recently by Nicklin J in Various Claimants v The Independent Parliamentary Standards Authority [2021] EWHC 2020 (QB) at [15], [26] and [33]-[41]. These passages are worth setting out in their entirety. Mr Justice Nicklin said as follows:
As I explained in my reasons for granting the Order, the Claimants’ Application sought several derogations from the principles of open justice, including reporting restrictions and that notice of the Application should therefore be given to the media. As the Claimants’ Application does not seek relief against an identifiable respondent, s.12(2) of the Human Rights Act 1998 does not apply, and there is no obligation to notify media organisations. Nevertheless, when reporting restrictions are sought, such media organisations are entitled to be heard as a matter of fairness: A v BBC [2015] AC 588 [66]-[67]. Sometimes, it is impracticable to give notice to media organisations before the order is made, in which case the Court will stand ready to hear an application to vary or discharge any order that has been made. Nevertheless, a party applying for reporting restrictions should consider carefully whether notice should nevertheless be given of the application to the media. Ultimately, as here, the Court may decide that advance notice should be given, and make directions accordingly.
..........
More fundamentally, however, where an application is made for an injunction or similar order to restrict use or publication of information, the Court must retain ultimate control over the information that is provided to third parties to enable them to decide whether they wish to make representations in relation to an application. In some cases, the name of the party or the information sought to be protected may be so sensitive that the Court would not permit or require it to be provided to third parties. A good recent example of that would be the names of the applicants in In re Winch [2021] EWHC 1328 (QB). In the particular circumstances of that case, there would be no question of the Court requiring or directing provision of the names of the applicants to third party media organisations. That would be the very, highly sensitive information that the applicants were seeking to protect. Its provision would simply not be necessary for an assessment by the media organisation whether it wished to make submissions in relation to the application.
..........
CPR 39.2(4) provides:
‘The Court must order that the identity of any party or witness shall not be disclosed if, and only if, it considers non-disclosure necessary to secure the proper administration of justice and in order to protect the interests of that party or witness.’
CPR 39.2 contains several provisions that reflect the fundamental rule of the common law that proceedings must be heard in public, subject to certain specified classes of exceptions: XXX v Camden LBC [2020] 4 WLR 165 [17].
Orders that a party to a civil claim be anonymised in the proceedings and reporting restrictions prohibiting his/her identification are derogations from the principle of open justice. The principles to be applied are clearly set out in Practice Guidance (Interim Non-Disclosure Orders)...under the heading ‘Open Justice’:
‘[9] Open justice is a fundamental principle. The general rule is that hearings are carried out in, and judgments and orders are, public: see article 6.1 of the Convention, CPR r.39.2 and Scott v Scott [1913] 1913 AC 417. This applies to applications for interim non-disclosure orders: Micallef v Malta (2009) 50 EHHR 920 at [75]; Donald v Ntuli (Guardian News & Media Ltd intervening) [2011] 1 WLR 294 [50].
[10] Derogations from the general principle can only be justified in exceptional circumstances, when they are strictly necessary as measures to secure the proper administration of justice. They are wholly exceptional: R v Chief Registrar of Friendly Societies, Ex p New Cross Building Society 1984] QB 227, 235; Donald v Ntuli [52]-[53]. Derogations should, where justified, be no more than strictly necessary to achieve their purpose.
[11] The grant of derogations is not a question of discretion. It is a matter of obligation and the court is under a duty to either grant the derogation or refuse it when it has applied the relevant test: M v W [2010] EWHC 2457 (QB) [34].
[12] There is no general exception to open justice where privacy or confidentiality is in issue. Applications will only be heard in private if and to the extent that the court is satisfied that by nothing short of the exclusion of the public can justice be done. Exclusions must be no more than the minimum strictly necessary to ensure justice is done and parties are expected to consider before applying for such an exclusion whether something short of exclusion can meet their concerns, as will normally be the case: Ambrosiadou v Coward [2011] EMLR 419 [50]-[54]. Anonymity will only be granted where it is strictly necessary, and then only to that extent.
[13] The burden of establishing any derogation from the general principle lies on the person seeking it. It must be established by clear and cogent evidence: Scott v Scott [1913] AC 417, 438-439, 463, 477; Lord Browne of Madingley v Associated Newspapers Ltd [2008] QB 103 [2]-[3]; Secretary of State for the Home Department v AP (No. 2) [2010] 1 WLR 1652; Gray v W [2010] EWHC 2367 (QB) [6]-[8]: and JIH v News Group Newspapers Ltd (Practice Note) [2011] 1 WLR 1645 [21].
[14] When considering the imposition of any derogation from open justice, the court will have regard to the respective and sometimes competing Convention rights of the parties as well as the general public interest in open justice and in the public reporting of court proceedings. It will also adopt procedures which seek to ensure that any ultimate vindication of article 8 of the Convention, where that is engaged, is not undermined by the way in which the court has processed an interim application. On the other hand, the principle of open justice requires that any restrictions are the least that can be imposed consistent with the protection to which the party relying on their article 8 Convention right is entitled. The proper approach is set out in JIH.’
In JIH v News Group Newspapers Ltd [21] the Court of Appeal summarised the principles as follows:
(1) The general rule is that the names of the parties to an action are included in orders and judgments of the court.
(2) There is no general exception for cases where private matters are in issue.
(3) An order for anonymity or any other order restraining the publication of the normally reportable details of a case is a derogation from the principle of open justice and an interference with the article 10 rights of the public at large.
(4) Accordingly, where the court is asked to make any such order, it should only do so after closely scrutinising the application, and considering whether a degree of restraint on publication is necessary, and, if it is, whether there is any less restrictive or more acceptable alternative than that which is sought.
(5) Where the court is asked to restrain the publication of the names of the parties and/or the subject matter of the claim, on the ground that such restraint is necessary under article 8, the question is whether there is sufficient general, public interest in publishing a report of the proceedings which identifies a party and/or the normally reportable details to justify any resulting curtailment of his right and his family’s right to respect for their private and family life.
(6) On any such application, no special treatment should be accorded to public figures or celebrities: in principle, they are entitled to the same protection as others, no more and no less.
(7) An order for anonymity or for reporting restrictions should not be made simply because the parties consent: parties cannot waive the rights of the public.
(8) An anonymity order or any other order restraining publication made by a judge at an interlocutory stage of an injunction application does not last for the duration of the proceedings but must be reviewed at the return date.
(9) Whether or not an anonymity order or an order restraining publication of normally reportable details is made, then, at least where a judgment is or would normally be given, a publicly available judgment should normally be given, and a copy of the consequential court order should also be publicly available, although some editing of the judgment or order may be necessary.
(10) Notice of any hearing should be given to the defendant unless there is a good reason not to do so, in which case the court should be told of the absence of notice and the reason for it, and should be satisfied that the reason is a good one.
The authorities make clear, therefore, that derogations from open justice can be justified as necessary on two principal grounds: maintenance of the administration of justice and harm to other legitimate interests: R (Rai) v Crown Court at Winchester [2021] EWHC 339 (Admin) [39].
In the first category fall cases -- such as claims for breach of confidence -- which, unless some derogation is made from the principles of open justice, the Court would, by its process, effectively destroy that which the claimant is seeking to protect. Depending upon the particular facts, the Court may need either to anonymise the party/parties, or (if the parties are named) withhold the private/confidential information from proceedings in open court and in any public judgment: see discussion in Khan v Khan [2018] EWHC 241 (QB) [81]-[93].
Save in that limited category of case, the names of the parties to litigation are important matters that should be available to the public and the media. Any interference with the public nature of court proceedings is to be avoided unless justice requires it: R v Legal Aid Board, ex parte Kaim Todner (A Firm) [1999] QB 966, 978g. No doubt there will be many litigants in the courts who would prefer that their names, addresses and details of their affairs were not made public in the course of proceedings. In Kaim Todner, Lord Woolf MR explained (p.978):
‘It is not unreasonable to regard the person who initiates the proceedings as having accepted the normal incidence of the public nature of court proceedings. If you are a defendant you may have an interest equal to that of the plaintiff in the outcome of the proceedings but you have not chosen to initiate court proceedings which are normally conducted in public. A witness who has no interest in the proceedings has the strongest claim to be protected by the court if he or she will be prejudiced by publicity, since the courts and parties may depend on their cooperation. In general, however, parties and witnesses have to accept the embarrassment and damage to their reputation and the possible consequential loss which can be inherent in being involved in litigation. The protection to which they are entitled is normally provided by a judgment delivered in public which will refute unfounded allegations. Any other approach would result in wholly unacceptable inroads on the general rule...
There can however be situations where a party or witness can reasonably require protection. In prosecutions for rape and blackmail, it is well established that the victim can be entitled to protection. Outside the well-established cases where anonymity is provided, the reasonableness of the claim for protection is important. Although the foundation of the exceptions is the need to avoid frustrating the ability of courts to do justice, a party cannot be allowed to achieve anonymity by insisting upon it as a condition for being involved in the proceedings irrespective of whether the demand is reasonable. There must be some objective foundation for the claim which is being made.’
The same point was made by Lord Sumption in Khuja v Times Newspapers Ltd [2019] AC 161:
‘[29] In those most of the recent decisions of this court the question has arisen whether the open justice principle may be satisfied without adversely affecting the claimant’s Convention rights by permitting proceedings in court to be reported but without disclosing his name. The test which has been applied in answering it is whether the public interest served by publishing the facts extended to publishing the name. In practice, where the court is satisfied that there is a real public interest in publication, that interest has generally extended to publication of the name. This is because the anonymised reporting of issues of legitimate public concern are less likely to interest the public and therefore to provoke discussion. As Lord Steyn observed in In re S [2005] 1 AC 593 [34]:
‘...from a newspaper’s point of view a report of sensational trial without revealing the identity of the defendant would be a very much disembodied trial. If the newspapers choose not to contest such an injunction, they are less likely to give prominence to reports of the trial. Certainly, readers will be less interested and editors will act accordingly. Informed debate about criminal justice will suffer.’
“What is in a name?”, Lord Rodger memorably asked In re Guardian News and Media Ltd before answering his own question, at [63]... The public interest in the administration of justice may be sufficiently served as far as lawyers are concerned by a discussion which focusses on the issues and ignores the personalities, but ([57]):
‘...The target audience of the press is likely to be different and to have a different interest in proceedings which will not be satisfied by an anonymised version of the judgment. In the general run of cases there is nothing to stop the press from supplying the more full-blooded account which their readers want.’
cf. In re BBC; In re Attorney General’s Reference (No.3 of 1999) [2010] 1 AC 145 [25]-[26] (Lord Hope of Craighead) and [56], [66] (Lord Brown of Eaton-under-Heywood).
[30] None of this means that if there is a sufficient public interest in reporting the proceedings there must be necessarily be a sufficient public interest in identifying the individual involved. The identity of those involved may be wholly marginal to the public interest engaged. Thus Lord Reed JSC remarked of the Scottish case Devine v Secretary of State for Scotland (unreported, 22 January 1993), in which soldiers who had been deployed to end a prison siege were allowed to give evidence from behind a screen, that “their appearance and identities were of such peripheral, if any, relevance to the judicial process that it would have been disproportionate to require their disclosure”: A v BBC [39]. In other cases, the identity of the person involved may be more central to the point of public interest but outweighed by the public interest in the administration of justice. This was why publication of the name was prohibited in A v BBC. Another example in a rather different context is R (C) v Secretary of State for Justice (Media Lawyers Association intervening) [2016] 1 WLR 444, a difficult case involving the disclosure via judicial proceedings of highly personal clinical data concerning psychiatric patients serving sentences of imprisonment, which would have undermined confidential clinical relationships and thereby reduced the efficacy of the system for judicial oversight of the Home Secretary’s decisions.’
Where a party to the litigation (or a witness) seeks an anonymity order (and reporting restrictions) on the grounds that identifying him/her will interfere with his/her Convention rights, then the Court will have to assess the engaged rights: see RXG v Ministry of Justice [2020] QB 703 [25] and XXX v Camden LBC [20]-[21]. Under the CPR, the name and address of a party must be provided in the Claim Form...and, once an Acknowledgment of Service has been filed, the claim has been listed for a hearing or judgment has been entered, the Claim Form will be available for public inspection: CPR 5.4C (1) and (4). In any assessment of the Article 10 right reflected in open justice, the Courts will attach due weight to the default position that, without an anonymity order, the name and address of the party or witness will be available to be reported as part of the proceedings: R (Rai) v Crown Court at Winchester [47]-[48].
Media reports of proceedings may have an adverse impact on the rights and interests of others, but, ordinarily ‘the collateral impact that this process has on those affected is part of the price to be paid for open justice and the freedom of the press to report fairly and accurately on judicial proceedings held in public’: Khuja [34(2)].”
Although this guidance was given in a case that was dealing with an interim order rather than a final order, it is relevant to the present case. Indeed, it may well be the case that the requirements of open justice are all the greater when the court is considering making a final order which may bring the litigation to an end. As the guidance makes clear, anonymity will only be granted where it is strictly necessary, and then only to that extent. It is an exceptional course of action. The burden of establishing any derogation from the general principle lies on the person seeking it. It must be established by clear and cogent evidence. The application must be closely scrutinised and the court must consider whether the interests of the party applying for it can be met by a less drastic order. It is not sufficient in order to justify an order which restricts open justice that the party seeking it is concerned about the embarrassment, inconvenience and potential adverse financial consequences which may flow from being involved in litigation.
Anonymity Order
Applying these principles to the present case, the mere fact that a business would be likely to suffer negative commercial and reputational consequences if it becomes public knowledge that their computer systems have been broken into and have been the subject of a ransomware attack is not automatically a sufficient reason to make orders that have the effect of keeping secret the name of a claimant. This applies even though the claimant business in a case such as this is the victim of blackmail. It may be appropriate for the name of the claimant business to be made public and there are several examples in which this has happened. These include Clarkson plc v Persons Unknown [2018] EWHC 417 (QB) and Ince Group plc v Persons Unknown [2022] EWHC 808 (QB). It is right, as Mr Wandowicz says, that these are cases in which the claimant had not sought anonymity. In many such cases however, where such a data breach consists of a large customer list, the prospective claimant will have no alternative but to make the breach public in such a way that no purpose would be served by an anonymity order. The court must bear in mind the need to avoid advancing the unlawful purpose of the blackmailers. However, it may be that the publication of the name of the victim will not advance the unlawful purpose of the defendants, especially if it is not accompanied by disclosure of the information which has been stolen. There must be something in particular which justifies anonymity or any other derogation to the principle of open justice.
Mr Wandowicz drew my attention to the cases of ZAM v CFW & TFW [2013] EWHC 662 (QB) and LJY v Persons Unknown [2017] EWHC 3230. These, too, were cases of blackmail but of a different type of blackmail from the type with which the present case is concerned. The ZAM and LJY cases were cases of “traditional” blackmail in which allegations were made of sexual misconduct (in ZAM) or criminal conduct (in LJY) which the blackmailer was threatening to disclose unless payment was made. (Another example is NPV v QEL [2018] EWHC 703 (QB)). That is different from the present case in which there is no suggestion that the claimant company has been involved in improper conduct of any kind. There is another type of case, such as In re Winch [2021] EWHC 1328 (QB) in which anonymity is justified because there is strong and credible evidence that the personal safety of a party, or of third parties, would be at risk if their identity was disclosed. Again, this is different from the present case.
I have carefully considered whether the circumstances of the present case are such as to justify the preservation of the claimant’s anonymity. Mr Wandowicz has submitted that there are no competing considerations of truth and public interest to justify the removal of anonymity because there is no suggestion that the stolen information discloses misconduct by the claimant or by others; and no suggestion could possibly be made that the defendants have been acting in the public interest. That is true so far as it goes, but, as the case law makes clear, there remains the extremely important public interest consideration of open justice which must be taken into account.
I have decided that the circumstances are such as to justify anonymity. The particular feature that justifies the continuation of the anonymity order in the present case is the nature of the work that is carried out by the claimant and the risk that if the identity of the claimant is disclosed, this will prompt third parties with malign intent to seek to make contact with the blackmailers and/or to locate the stolen information on the ‘Dark Web’. It is established on the evidence that the work of the claimant is security-sensitive and, indeed, much of it is covered by the Official Secrets Act 1989. As Mr Rance makes clear in his statement, there is a real danger, if the claimant’s identity is made known, that malicious persons, including hostile nation states, organised criminal groups and terrorist organisations, will exploit this information by seeking the material that has been stolen in the ransomware attack. The nature and modus operandi of the defendants is such that they are unlikely to be scrupulous about those to whom they are prepared to provide the material. It follows that a very great deal of harm may be done if the identity of the claimant is disclosed.
It follows also that, in the particular circumstances of this case, the identification of the claimant by the court would advance the objective of the defendants by giving rise to the very harm to the claimant and others that is the subject of the defendants’ activities and threats. It would, as Mr Wandowicz put it, make the court the instrument of the harm that the defendants seek to impose upon the claimant. It may be that not every piece of information that has been obtained by the defendants is of such a nature that its disclosure would harm the claimant’s business or would result in security problems, but I am satisfied that this will apply to a substantial number of the documents that have been accessed.
I have given anxious thought to the requirement that any application for anonymity must be supported by clear and cogent evidence. It is fair to say that much of the information provided by Mr Rance in his third witness statement about the security sensitive nature of the stolen information is general and high level in nature. However, this is understandable because if he were to go into details, he would thereby jeopardise the very secrecy that he is seeking to protect. Mr Rance is a solicitor and an officer of the court and there is no reason why I should not take what he says as being truthful. In my judgment, I have been provided with sufficiently clear and cogent evidence to justify continuing with the anonymity order in the form of Mr Rance’s third statement.
Moreover, in oral argument in the private part of the hearing before me, Mr Wandowicz was able to draw my attention to further material in the confidential statements which provided additional detail to support what was said in Mr Rance’s third statement. It is also relevant that the identity of the victim of this ransomware attack is not yet significantly in the public domain. It is true that it has been shared with a substantial number of employees, contractors and clients. However, everyone in these categories with whom the information has been shared are persons with whom the claimant was obliged to share information of the data breach and who are bound by an obligation of confidentiality themselves, which there is every reason to think they will respect. The same applies to the public authorities (the National Cyber Security Centre, the National Crime Agency and the Information Commissioner), which have, rightly, been informed by the claimant of the breach. The claimant has retained very experienced and reputable specialist consultants to monitor the internet and social media for any references to the data breach and take steps speedily to delete any such references.
In these circumstances, it is not the position that the fact of the breach and the identity of the claimant have already been disseminated so widely that an anonymity order would serve no purpose. The draft order also makes provision that disclosure of information, including the claimant’s identity, will not be unlawful if it comes into the public domain in England and Wales as a result of publication in the national media other than as a result of breach of this order or of a breach of confidence or privacy. I am also satisfied that the continuation of the anonymity order is consistent with the European Convention of Human Rights and, in particular, with Article 6.
A Public or Private Hearing
As I have already said, I have held the hearing in private to decide upon the extent to which the principle of open justice would be restricted, if any. However, I have decided that it would be an unnecessary restriction upon that principle to order that the hearing of the application for summary judgment itself should be heard in private. I have reached this conclusion for the following reasons:
As already said, any derogation from open justice must be justified by necessity and must go no further than necessary.
The interests of the claimant are sufficiently protected by the continuation of the anonymity order and also by the provisions of the draft order. These include an order for non-publication of the confidential schedules which identify the confidential evidence which has been provided to the court and an order to the effect that pleadings, witness statements and other filings will not be provided to any other person unless the court grants permission after an application is made.
As I have read the confidential evidence, it should be, and was, possible for submissions to be made without the need to refer in open court to anything that would give a clue to the claimant’s identity. I have stated that if it had unexpectedly become necessary to do so during the course of hearing, then I was prepared to listen to any application that the claimant might wish to make at the time.
I am hereby handing down a public judgment, as Chamberlain J did in April 2022. There is no reason or there was no reason to think that anything that would be disclosed during the course of the public hearing of significance would not be mentioned in this judgment or would not have been mentioned in Chamberlain J’s judgment.
As I have said, in light of my indications in relation to the anonymity order, Mr Wandowicz did not press his application for the summary judgment hearing to take place in open court.
Accordingly, I proceeded to hear argument in open court on the summary judgment application.
The Summary Judgment Application
I have no doubt that I should grant summary judgment in the terms sought. This is essentially for the reasons that were advanced by Mr Wandowicz on behalf of the claimant. The particulars of claim in the claim form allege two causes of action: breach of confidence and intimidation. Intimidation is not pursued. The claimant seeks summary judgment on the breach of confidence claim and relief in the form of a permanent injunction. Pursuant to CPR r.24.2, the court may give summary judgment for the claimant on the whole of claim or on a particular issue, if: (a) it considers that the defendant has no real prospect of successfully defending the claim or issue; and (b) there is no other compelling reason why the case or issue should be disposed of at a trial.
As Mr Wandowicz submitted, the relevant principles are well known and summarised by the learned editors of the White Book at para.24.2.3, who cite the well-known exposition by Lewison J in EasyAir Ltd v Opal Telecom Ltd [2009] EWHC 339 (Ch). In short, the court must, without conducting a mini-trial, consider whether the defendant has a realistic (as opposed to a fanciful) prospect of defending the claim for breach of confidence, a realistic case being one where there is some degree of conviction rather than being merely arguable. There are three basic elements in an action for breach of confidence. They are: (a) the necessary quality of confidence about the information being protected; (b) circumstances importing an obligation of confidence; and (c) unauthorised use of that information: see Attorney General v Guardian Newspapers Ltd (No.2) [1990] 1 AC 109 HL (p268 A-C) per Lord Griffiths. There is no doubt that blackmail based on computer hacking gives rise to a claim for breach of confidence: e.g. PML v Persons Unknown [2018] EWHC 838 (QB) [13]. Confidence in the information may be lost by publication, but that only happens when the information becomes “so generally accessible that in all the circumstances it cannot be regarded as confidential”: see Guardian Newspapers (p.282C) per Lord Goff.
In the present case, I am fully satisfied on the evidence before me that the stolen information has the necessary quality of confidence about it. It is material which falls into one of the following categories: security sensitive information, commercially sensitive information, or personal information relating to individuals. The information was obtained by computer hacking and, therefore, in circumstances importing an obligation of confidence; and there is no doubt whatsoever that it was, and is, being used in an unauthorised manner. It was taken in order to blackmail the claimant and the claimant plainly did not, and does not, authorise the taking of it by the defendants.
It is equally clear that the stolen information has not lost the necessary quality of confidence. Thankfully, so far at least, very few people are aware of the nature of the leak or where to access the information, if, indeed, it is currently available on the ‘Dark Web’. The tweets that drew attention to the breach have been deleted. The only people to whom the claimant has disclosed the leak are those to whom the claimant had an obligation to make such a disclosure.
In summary, therefore, there is clear and undisputed evidence that the defendants deliberately stole a large amount of data from the claimant and sought to render it unusable in the claimant’s hands with a view to blackmailing the claimant into paying a very large sum of money for the return of the data in a usable format and in return for non-disclosure of the data by the defendants to the general public, or at least to those persons with the ability and the inclination to obtain such data from the ‘Dark Web’. There is no conceivable justification for this course of action. Indeed, it is hard to think of a more egregious form of breach of confidential information.
I should add that Mr Wandowicz very properly drew my attention to s.12 of the Human Rights Act 1998. I am also satisfied that the grant of this relief in the absence of the unknown defendants is not in breach of s.12 of the Human Rights Act. This is an application for final relief, not for interim relief, and so s.12(3) does not apply. Even if I am wrong about that, and as regards s.12(4), I have no doubt that the rights of the claimants and other affected parties outweigh any rights enjoyed by the defendants.
As to the relief that is sought, I agree with Mr Wandowicz that the case for relief in the form of a final injunction is overwhelming. The final injunction in the draft order has two strands. The first is a prohibition on continued misuse of the claimant’s stolen information, and the second is for the return of that information or its destruction upon oath. As Mr Wandowicz said, both are typical relief in this type of case and both are wholly justified by the circumstances of this case.
I am content also that it makes good sense to adjourn the issues of the claimant’s entitlement to damages and for the assessment of costs, with liberty to restore. This, plainly, saves time and expense in circumstances where the quantification of the claimant’s losses would require extensive disclosure, evidence, and, in all likelihood, a trial lasting several days. This would be wholly disproportionate, leading to very great expense and to a waste of judicial time in circumstances where the defendants remain unknown and, therefore, are highly unlikely to be located to pay any damages awarded against them.
As for costs, the costs of the without notice hearing and the return date were reserved. To produce a bill of costs at this time would be a waste of resources and, similarly, to assess them would be a waste of judicial time. It is absolutely clear, however, that the claimants are entitled to the costs of the entirety of these proceedings.
Conclusion
Accordingly, I grant the injunction in the terms sought and direct that this judgment should be published and the order be made public in accordance with and subject to the limitations in the anonymity provisions contained within the order.
L A T E R
I have approved the terms of the draft order that has kindly been drafted for me by Mr Wandowicz. I make clear that the final version of the order does not include any cross-undertakings on the part of the claimant. Those cross-undertakings fall away because this is a final order and so there is no possibility of a subsequent order which might activate an obligation on the part of the claimant to make a payment due under the cross-undertaking.
__________
CERTIFICATE Opus 2 International Limited hereby certifies that the above is an accurate and complete record of the Judgment or part thereof. Transcribed by Opus 2 International Limited Official Court Reporters and Audio Transcribers
5 New Street Square, London, EC4A 3BF
civil@opus2.digital This transcript has been approved by the Judge. |