One of the latest businesses to be plunged into the Orwellian nightmare of a cyber-attack is Capita, the vast outsourcing group. Given that Capita employs around 50,000 people in the UK and holds public sector contracts worth £6.5bn, the potential consequences of the breach could have been catastrophic and far-reaching. It is certainly no surprise that media commentary has been highly critical of Capita’s response. The Sunday Times revealed information that had been uploaded by the hackers on to the dark web, raising questions about the scale of the breach (which Capita is yet to confirm). But even those businesses that are meticulously prompt and transparent about a hack are rarely credited for it or considered victims of wrongdoing.

Dominic Crossley

Andrew Willan

Law firms are increasingly familiar targets of hackers. The consequences of being targeted are illustrated by the experience of Ince, which was the victim of a cyber-attack in March 2022. The hackers stole personal data, threatened Ince with publication if the law firm did not agree to pay a ransom and are also said to have disrupted access to its systems. The cost to Ince has been estimated in the region of £5m and was a significant contributor to the financial woes that saw the firm enter into administration before being acquired by Axiom DWFM.

Global cybercrime costs are predicted to grow by 15% year on year, reaching an annual cost of $10.5tn by 2025, up from $3tn in 2015. It can take years for the full scale of the damage to become known, but the costs of a cyber incident will often encompass lost data, disruption to business, revenue losses from system downtime, stolen intellectual property, notification costs and potentially significant and long-lasting reputational damage. This is putting to one side the payment of ransoms to the hackers.

Capita

The process of notifying a cyber-breach to regulators, clients and customers can be a complex affair that stands to impact significantly on a company’s reputation. Aside from the obligation placed upon organisations to notify the Information Commissioner’s Office within 72 hours of becoming aware of the breach (where it is likely to pose a risk to data subjects’ rights), and the need to consider further notifications to industry regulators, the extent and nature of any notification to clients and customers warrants very careful consideration. The reality is that, as soon as an external third party is notified of the breach, the organisation’s reputational profile will be firmly engaged.

While reporting an incident to law enforcement is not obligatory, the cybersecurity division of GCHQ, the National Cyber Security Centre, offers confidential real-time threat analysis and technical guidance which may prove invaluable in the early stages of an attack.

Even after securing cyber insurance and ensuring that proper cybersecurity measures are in place, law firms remain highly vulnerable to cyber-attacks. Ince, like the barristers’ chambers 4 New Square which suffered a similar attack in 2021, secured an injunction to prevent the hackers (or any publisher served with the order) publishing or communicating the stolen information, including their and their clients’ data. The effectiveness of an injunction often comes down to the speed with which it can be obtained and served. Clearly it did not prevent enormous losses for Ince.

But hacking is not only deployed for ransomware purposes. Some of the most eye-catching litigation of the past decade has involved attempts to establish a finding that hacking has taken place, either as the wrongdoing at the centre of the claim (such as the phone hacking claims against News Group and Mirror Group), or as having been deployed during a dispute for the purposes of advancing one party’s position (such as the claim by Azima against Ras Al Khaimah, which, while originally unsuccessful in its attempts to attribute responsibility to the defendant, is now set for a high-profile re-trial next year in light of the latest Court of Appeal decision in this ongoing litigation).

Those litigating against totalitarian states, individuals close to the centre of power or others with enormous resources at their disposal need to be alive to the risk this poses to their cybersecurity posture. The pre-eminent researchers at Citizen Lab, whose evidence helped expose NSO’s Pegasus iPhone spyware, have concluded that a new Israeli firm is enabling infection of iPhones, this time via iCloud calendar invitations. The targets are not notified of the invitations because the spyware utilises historic calendar events, so no ‘click’ or other positive step is even required to enable infection. While victims may be oblivious to the attack at the time, similar breaches of phone operating systems have eventually been detected by the likes of Apple, who have shown themselves willing to notify victims, including political figures.

The increasing sophistication and availability of technology will make hacking easier, more effective and more difficult to prove. The English courts have a well-earned reputation for exposing and assisting the prevention of fraud, as notably illustrated by the flexibility and development of the Norwich Pharmacal jurisdiction. It will often be impossible to identify the ultimate hacker or fraudster, particularly where sophisticated criminal enterprises are involved. But in certain cases, for example where the suspicion is that hacking is being deployed as an adjunct to litigation, the English courts can enable the gathering of invaluable information that will assist victims of hacking to identify wrongdoers and hold them to account. It is only by heightening the threat of exposing the hackers that lawyers, regulators and law enforcement agencies will get a grip on this insidious industry.

Dominic Crossley and Andrew Willan are partners in the privacy and media team at Payne Hicks Beach