Privacy injunctions: the judicial response to cyber ransom demands

September 30, 2021 | Gerald D. Chipeur

Ransom demands from cyber terrorists have become an epidemic for businesses in Canada. As we have reported in previous articles, both for-profit and not-for profit businesses have been impacted. Governments and charities have not been spared from the destruction and threatened destruction of hackers engaged in extortion.

The blackmail has many forms, including:

  1. Ransomware that denies access to business data and demands payment in return for a key;
  2. Theft of business records, followed by ransom demands to ensure the information is not published on the internet;
  3. Malicious and false allegations of criminality against legitimate businesses, with offers to refrain from publication on the internet in return for a ransom payment.

There is now legal precedent for businesses, charities and governments to strike back and prevent cyber terrorists from completing their extortion through publication on the internet.

On September 20, 2021, Mr. Justice Pepperall of the English High Court of Justice, Queen’s Bench Division, issued a judgment [2021] EWHC 2529 (QB) (the “Judgment”), granting an injunction to prohibit the publication of false and defamatory allegations of fraudulent conduct that blackmailers threatened to publish. The injunction was unique in three respects:

  1. It was granted without notice to the Defendants, after a hearing held in private;
  2. The names of the Claimants and Defendants were not disclosed and remained anonymous in the Judgment;
  3. Freedom of expression was restricted prior to trial in light of the blackmail threats of the Defendants.

The extortion attempt addressed by Mr. Justice Pepperall was described as follows in the first paragraph of the Judgment:

On 21 July 2021, the directors of the AAA plc became aware that unknown persons purporting to be investors in the company had published a website accusing AAA together with various associated companies (BBB Limited, CCC Limited, DDD plc and EEE Limited) of fraud. The purported investors had also placed a paid advertisement with Google thereby causing their website to be prominently displayed upon any Google search for AAA. In addition, they created other social media accounts on which similar claims of fraud were made. On the same day, AAA instructed an American cyber investigator, Mr. X, to investigate these matters. He was able to make contact with the people behind these events who promptly demanded payment for taking down the website, closing the social media accounts and desisting from the same conduct in respect of BBB, CCC, DDD and EEE.

The evidence presented ex parte to Mr. Justice Pepperall included documentary exhibits, a certified recording of a conversation with one of the alleged blackmailers and a sworn witness statement.

Based upon the evidence before Mr. Justice Pepperall, he found that:

  1. There was compelling evidence of blackmail and that the perpetrators threatened and intended to make further demands with menaces against the Claimants;
  2. Disclosure of the identity of the Claimants would defeat the very purpose of the injunction application in that it would put in the public domain the potentially defamatory allegations of fraudulent conduct that the perpetrators threatened to publish;
  3. The allegations of blackmail warranted a private hearing at the “without notice stage” in order to secure the proper administration of justice.

Justice Pepperall found, as well, that “If notice were given, there is a real risk that such threat might be carried out in an attempt to deprive this application of any practical utility.”

Mr. Justice Pepperall relied upon a 2017 decision from his court, LJY v. Persons Unkown, [2017] EWHC 3230 (QB),  to justify his reasoning at paragraph 25.2 of the Judgment:

“Generally, the court has taken the view that blackmail represents a misuse of free speech rights. Such conduct will considerably reduce the weight attached to free speech, and correspondingly increase the weight of the arguments in favour of restraint. The court recognises the need to ensure that it does not encourage or help blackmailers, or deter victims of blackmail from seeking justice before the court. All these points are well-recognised … It can properly be said that the grant of a privacy injunction to block a blackmail serves the additional legitimate aim of preventing crime.”

In addition to the 2017 and 2021 precedents, the Court of Queen’s Bench of Alberta has granted to the author, on more than one occasion, injunctions prohibiting the publication of defamatory allegations or private client data.

The courts in Canada will work with businesses, charities and governments to effectively address ransomware attacks and provide the means to prevent cyber terrorists from carrying out their menacing threats.

Disclaimer

This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.