Dentons US LLP

04/23/2024 | News release | Distributed by Public on 04/23/2024 04:18

Acting against unknown hackers: a groundbreaking Australian data breach case

April 23, 2024

In a landmark decision that underscores the evolving landscape of cybersecurity law in Australia, the Supreme Court of New South Wales judgment of HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71 establishes that Australian courts may order injunctive relief to restrain unknown hackers from dealing in stolen data.

Key points

  • In an Australian first, the Supreme Court of New South Wales has granted injunctive relief to restrain unknown hackers from using stolen data.

  • The decision outlines the factors to consider when seeking legal redress to protect confidential data.

  • While the practical effect of an injunction obtained against cyber-criminals may be limited, obtaining such an injunction may prevent further harm by restraining online platforms and other third parties who have been made aware of the injunction from accessing or further publishing confidential stolen data.

Alert content

In a landmark decision that underscores the evolving landscape of cybersecurity law, the Supreme Court of New South Wales in Australia has recently delivered judgment in HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71 - a case which followed a data breach at one of Australia's national law firms. The judgment establishes that Australian courts may order injunctive relief to restrain unknown hackers and other third parties from dealing with stolen data. In this article, we give an overview of the factors to consider when seeking such relief.

Background

On 26 April 2023, HWL Ebsworth Lawyers (HWLE), a national Australian law firm, received an email from unknown computer hackers. The hackers claimed to be from the notorious group "ALPHV" (also known as "Blackcat") and to have stolen HWLE's confidential data, including sensitive client records and information such as legal advice provided to Australian government entities; personally identifiable information (PII); government information, including data relating to national security and law enforcement matters; and corporate information, including client, contract, and project information.[1] HWLE publicly confirmed that the hackers had accessed and transferred at least two million files comprising at least 3.5 terabytes of data from HWLE's private servers. HWLE could not itself identify the hackers, but evidence suggested they were located outside of Australia. Critically, the data comprised confidential client information, posing a severe threat to both the firm's integrity and its clients' businesses. The hackers threatened to publish the files unless HWLE paid them a ransom - rumoured to be at least US$4 million in bitcoin.

HWLE refused to pay the ransom. The hackers made some of HWLE's files available on the dark web. HWLE responded by filing a summons and interlocutory orders on 9 June 2023 in the Supreme Court of New South Wales, seeking urgent relief against "those persons who carried out or participated in the unauthorised exfiltration of computer files from the plaintiff's file storage systems".

Legal proceedings

On 12 June 2023, Hammerschlag CJ in the Supreme Court of New South Wales granted interlocutory orders to restrain the hackers. HWLE sent the orders to the hackers and by 27 June 2023, the sample cache of HWLE data could no longer be located on the dark web. Unsurprisingly, the defendants failed to appear in the proceedings and HWLE filed a motion for default judgment (to dispose of the action without a trial) and sought a permanent injunction.

On 12 February 2024, Slattery J delivered judgment and granted a permanent injunction restraining the hackers (as unknown persons) from dealing with the stolen data by prohibiting them from placing it on the internet, transmitting or publishing it, using it for any purpose, or facilitating its publication.

A key benefit of the injunction relates to third parties who have been notified of or made aware of the orders - they will also be restrained from accessing, using or publishing the exfiltrated data in breach of the orders, thus reducing further dissemination of the stolen data. In practice this also prevents HWLE's own clients from accessing the exfiltrated data to identify which of their records are leaked and assess their level of exposure (although the orders did provide a mechanism for HWLE's consent to be sought for this to occur).

The decision is a milestone in the Australian legal landscape as it demonstrates:

  • that an equity court has jurisdiction to make orders restraining foreign defendants from dealing with stolen data;
  • the efforts that must be taken to bring the matter to the attention of the defendants (all reasonable efforts);
  • that a plaintiff must do what is reasonable to differentiate the members of the class of defendants from the "whole world" by reference to clearly identifiable acts;
  • that a plaintiff must be able to identify with specificity the stolen information in question, although there is no requirement to individually itemise documents where that would be an oppressive obligation; and
  • that evidence of theft of confidential data coupled with attempted extortion may be sufficient evidence for a court to grant injunctive relief.

Our take

This case highlights the potential benefits of taking legal steps as part of the arsenal when responding to cyber theft. The judgment demonstrates that Australian courts are willing to grant injunctive relief restraining unknown foreign actors from dealing with stolen data and that injunctions of this nature can be practically useful to assist in limiting the dissemination of stolen data (and so minimising harm to the victims) by enabling a plaintiff to inform online platforms and other third parties (such as media organisations) of the orders, where they might access or publish material that frustrates the effectiveness of the orders. In other words, it may help limit the damage done.

We expect that this case will lead other companies affected by a ransomware incident in the future to consider seeking similar injunctive relief.

In our view, the cost and utility of obtaining such an injunction need to be balanced against the benefits and the risk of additional media publicity that could result.

Relevant considerations for companies in such circumstances following a breach should include:

  1. whether the ransomware incident is already publicly known or being widely publicised (seeking such an injunction could otherwise result in increased media awareness and reporting and an injunction will not be available when the stolen data has lost its confidential character);
  2. how seeking an injunction may be viewed, including whether viewed positively as the affected entity taking steps to protect the affected individuals from further harm;[2]
  3. the legal effectiveness of the injunction, including the practical steps required to serve copies of the orders on third parties to ensure that they are made aware of the restrictions imposed by the court's orders; and
  4. whether seeking an injunction to protect stolen confidential information is a necessary step if the victim of cyber theft wishes to maintain any claim of confidentiality in any data exfiltrated as part of a breach incident.[3]

What should you do as a result?

This judgment is a first in Australian cybersecurity law, providing a roadmap for businesses to seek legal redress for cyber theft. As cybercrime continues to evolve, this case serves as a reminder of the critical role of the legal system in protecting confidential information and maintaining the integrity of the digital landscape. As cyber-attacks are increasing in prevalence, we expect to see more examples of injunctions being used to restrain the unlawful use of exfiltrated data stolen as part of a ransomware attack.

Companies should consider updating their data breach response plans to include a consideration of potential legal redress by way of injunction or other interlocutory orders - whether to mitigate the potential harm to the business or data subjects or whether to consider such steps as part of the post-incident media strategy.

Please contact Dentons' privacy and cyber experts if you require assistance with any data breach or data breach response planning.

  1. HWL Ebsworth Cyber Security Incident National Office of Cyber Security | Lessons Learned Review February 2024 published by Australia's National Office of Cyber Security (NOCS) at https://www.homeaffairs.gov.au/reports-and-pubs/PDFs/nocs-hwl-ebsworth-lessons-learned-report.pdf
  2. See, for example, the comments in the Lessons Learned Review published by the National Office of Cyber Security (NOCS) (available at https://www.homeaffairs.gov.au/reports-and-pubs/PDFs/nocs-hwl-ebsworth-lessons-learned-report.pdf) in relation to the injunction obtained by HWLE.
  3. See Glencore International AG v Federal Commissioner of Taxation (2019) 265 CLR 646, suggesting that a claim would need to be made in equity for a breach of confidence to restrain publication of documents stolen as part of a cyber incident.