Rely on the most comprehensive, up-to-date legal content designed and curated by lawyers for lawyers
Work faster and smarter to improve your drafting productivity without increasing risk
Accelerate the creation and use of high quality and trusted legal documents and forms
Streamline how you manage your legal business with proven tools and processes
Manage risk and compliance in your organisation to reduce your risk profile
Stay up to date and informed with insights from our trusted experts, news and information sources
Access the best content in the industry, effortlessly — confident that your news is trustworthy and up to date.
Find up-to-date guidance on points of law and then easily pull up sources to support your advice with Lexis PSL
Check out our straightforward definitions of common legal terms.
Our trusted tax intelligence solutions, highly-regarded exam training and education materials help guide and tutor Tax professionals
Access our unrivalled global news content, business information and analytics solutions
Insurance, risk and compliance intelligence using big data, proprietary linking and advanced analytics.
A leading provider of software platforms for professional services firms
In-depth analysis, commentary and practical information to help you protect your business
LexisNexis Blogs shed light on topics affecting the legal profession and the issues you're facing
Legal professionals trust us to help navigate change. Find out how we help ensure they exceed expectations
Lex Chat is a LexisNexis current affairs podcast sharing insights on topics for the legal profession
Discuss the latest legal developments, ask questions, and share best practice with other LexisPSL subscribers
PML v Person(s) Unknown (responsible for demanding money from the claimant on 27 February 2018)  EWHC 838 (QB)
The case demonstrates the value to victims of hacks or data breaches in swiftly applying to the courts for injunctions. Not only was the court willing to make a range of orders against an anonymous hacker—including that he identify himself on penalty of a finding of contempt of court—but the claimant was also able to use the orders granted against the defendant to swiftly have its data removed or rendered inaccessible from websites on which it was posted. Website hosts, even if based overseas, tend to react favourably when presented with a court order demonstrating that information on their servers is confidential and the product of malicious hacking.
The judgment also shows that victims of blackmail threats to publish confidential or sensitive information should not be held back from seeking relief by a fear of publicity. The court was alert to the need to adapt its procedures so as not to discourage blackmail victims from seeking justice, such that the hearings were held in private, the claimant anonymised (or pseudonymised), and the court file sealed.
Following this judgment, it is likely to become the norm to seek a self-identification or ‘Spartacus’ order whenever a non-disclosure order is sought against a unknown defendant, Nicklin J making clear that such orders may well be justified where a claimant has satisfied section 12(3) of the Human Rights Act 1998 (HRA 1998) as otherwise, remedies are unlikely to be effective.
The claimant was a UK company which received an email from the defendant stating that the company’s servers had been hacked, and all the data copied. The defendant attached sample documents and provided a link to a password-protected ‘cache website’ containing a copy of the data. He stated that he would delete the data if the company paid him £300,000 (via Bitcoin) within two weeks, but if it did not pay then he would make the data public. The email also stated that any contact with the police would similarly lead to the claimant’s information being published. The claimant investigated and found that it had indeed been the victim of a hack, with a very large quantity of its data being copied.
The claimant immediately reported the matter to the police. It also communicated with the defendant, requesting extensions of the deadline and further assurances. The defendant engaged, although he raised his price and threatened to look for buyers. He did, however, offer to accept payment in instalments.
The claimant then applied, without notice, for an interim non-disclosure order, and for an order for delivery up and/or destruction of the stolen data.
At the first hearing, Bryan J, sitting in private, granted the injunction for a three-week period. He anonymised the claimant, on the basis that it was a victim of blackmail, and restricted access to the court file. He was satisfied that the requirements of HRA 1998, s 12(2) and (3), were met. The blackmail element and the risk of publication if the defendant were notified of the application constituted compelling reasons why he had not been so notified.
The judge permitted the order to be served by email, as the only method available. The defendant replied defiantly, and then again to state that he had removed the password protection from the cache website, such that it was publicly accessible. He also stated that he would email the claimant’s customers the following Monday.
Separately, however, the claimant had identified the company hosting the cache website, and had obtained from the court of the relevant jurisdiction an order for it to block access to the cache website, with which it complied.
The defendant emailed the claimant to state that he had set up another website hosting the documents, and that he was looking for buyers for the data. The claimant identified companies hosting websites containing the data, including postings on a financial forum, all of which blocked access to or removed them following service of Bryan J’s order.
Thereafter the defendant made further threats of publication, although he did reduce his asking price to £100,000.
On the return date, Nicklin J continued the injunction. The defendant had continued to threaten to publish the information unless paid a large sum of money—indeed, the postings on the forum appeared to be by him, and thus in direct breach of the order.
The court was satisfied that the claimant was likely to establish that the circumstances in which the defendant came to be in possession of the relevant information—by hacking—imposed an obligation of confidence on him (Imerman v Tchenguiz  EWCA Civ 908,  1 All ER 555). The defendant had not suggested there was any public interest which might justify such publication. HRA 1998, s 12(3), was therefore satisfied. The defendant’s failure to deliver up or delete the stolen data was a breach of the order and further supported its continuation.
Because the defendant was seeking to blackmail the claimant, and it was necessary to hear submissions as to the defendant’s activities and the data that was stolen, the court heard the application in private, anonymised the claimant, and sealed the court file.
Nicklin J also made an order that the defendant identify himself (the ‘self-identification’ or ‘Spartacus’ order), noting that such an order was necessary if any remedies against the defendant were to be effective.
Given the possibility that the defendant was resident abroad, the judge also granted the claimant permission to serve out of the jurisdiction. The detriment the claimant would suffer would be within the jurisdiction, and the threatened publications would include publication within the jurisdiction, such that both limbs of CPR PD 6B, para 3.1(21) were satisfied.
Interviewed by Robert Matthews.
Free trials are only available to individuals based in the UK
* denotes a required field
0330 161 1234