The digital age has ushered in new frontiers, bringing with it an uptick in cybersecurity breaches. When faced with such incidents, the affected parties often turn to the judiciary to help manage and mitigate the damage. However, securing an injunction against unidentified individuals (“against persons unknown” or, in an American context, a “John Doe” injunction) in cases where sensitive data has been illegally disseminated poses significant challenges. This is especially apparent when the compromised data has already been broadly circulated, which was seen in the well-documented case of George Hotz, also known as Geohot, who found himself at legal odds with Sony after hacking the PlayStation 3 (PS3).
Hotz, a talented hacker, bypassed the PS3’s security systems and released the exploit code online. Sony’s response was to seek legal recourse against Hotz, resulting in a court order that not only restrained him from further disclosures but also demanded the seemingly impossible task of recalling the widely disseminated code.
However, a recent Australian case involving a large law firm presents a different perspective on the matter. The firm, victim of a cyberattack allegedly perpetrated by a Russian-linked criminal gang known as BlackCat, or AlphV, secured an injunction from the Supreme Court of NSW. The injunction prevents the hackers from disclosing stolen information, believed to be extensive and sensitive, pertaining to the firm’s clients and staff, as well as financial details.
This injunction not only seeks to restrict the hackers but also has the secondary effect of preventing media from reporting any details derived from the stolen data. The ruling was issued on June 12, with orders preventing the hackers from publishing any more stolen data online, promoting links to it, or using it for any purpose other than obtaining legal advice. Furthermore, the attackers were ordered to remove the data immediately.
While on the surface, this appears to be a proactive step, the challenges faced in the Geohot PS3 case prompt us to consider the practical implications of such injunctions:
1. Permanence of Digital Information
Once released, digital information is nearly impossible to control. Unlike physical goods, digital data can be duplicated, distributed, and stored in countless locations without degradation, making it difficult to govern.
2. Anonymity and Jurisdictional Hurdles
Culprits of cybersecurity breaches often operate under anonymity or pseudonyms and might reside outside the jurisdiction of the issuing court. This presents substantial difficulties in enforcing injunctions.
3. The Streisand Effect
Attempts to suppress information can inadvertently lead to heightened interest, leading to broader distribution of the sensitive data, as was seen in the Geohot case.
4. Limited Scope of Relief
Injunctions typically offer specific relief. In the context of a data leak, this might involve restraining the offender from releasing further information or, as in Hotz’s case, attempting to recall released information. However, such measures provide little comfort when the leaked data has already been widely disseminated.
While the HWL Ebsworth injunction may serve as a deterrent to some, especially within media circles, the ability to enforce it against anonymous hackers, particularly those operating from foreign territories, and to control the spread of already leaked data may be limited.
Adopting a comprehensive approach to cybersecurity is paramount. Emphasis should be placed on preventive measures such as strong encryption of data at rest (stored data), in transit and in use, together with multi-factor authentication. Once a breach has occurred, swift action should be taken for containment, damage control, and reinforcing the cybersecurity infrastructure.
Our traditional legal framework continues to adapt to the unique challenges posed by the digital world, often out of necessity, and will certainly be an area which sees rapid change over the coming years.