One of the bigger issues is that ransomware criminals don't just encrypt systems. As many firms have excellent backup systems in place, that may not be particularly effective.
More often now, they download the data held on the system, and the main threat is to publish that.
Following a cyber-attack, there used to be four causes of action:
(1) Breach of Data Protection Legislation;
(2) Misuse of Private Information;
(3) Breach of Confidence; and
(4) Negligence.
However, following Warren v DSG Retail Limited [2021] EWHC 2168 (QB) [1] causes (2) and (3) were removed leaving only (1) and (4) and thus no ATE Insurance, thereby reducing the likelihood of "speculative" claims.
On Saturday, 2 December 2023 at 20:27:25 UTC, Simon Parker wrote:
> On 02/12/2023 16:15, GB wrote:
>> On 02/12/2023 15:55, Simon Parker wrote:
>>> Following a cyber-attack, there used to be four causes of action:
>>> (1) Breach of Data Protection Legislation;
>>> (2) Misuse of Private Information;
>>> (3) Breach of Confidence; and
>>> (4) Negligence.
>>> However, following Warren v DSG Retail Limited [2021] EWHC 2168 (QB)
>>> [1] causes (2) and (3) were removed leaving only (1) and (4) and thus
>>> no ATE Insurance, thereby reducing the likelihood of "speculative"
>>> claims.
>> I find it hard to see why a firm of solicitors that employed a major
>> software supplier is negligent because of failures at the supplier's end?
> In Dreamvar (UK) Ltd v Mishcon de Reya and Mary Monson Solicitors [2018]
> EWCA Civ 1082 [1] a fraudulent seller had obtained certified copies of
> ID documents from a solicitor and used these with a second solicitor
> (Mary Monson Solicitors (MMS)) to sell a house to Dreamvar (UK) Ltd with
> Mishcon de Reya (Mishcon) acting for Dreamvar in the sale. By the time
> the fraud was spotted by the Land Registry, Mishcon had already
> transferred Dreamvar's money to MMS and they in turn had sent it to the
> fraudster who was now "in the wind".
> Paras [187] and [188] of the original judgment (quoted in [110] of the
> linked judgment) said:
> <quote>
> 187. As for MdR's position, it is common ground that it is insured for
> events such as this, and that its insurance cover is sufficient to cover
> in full the loss suffered, should it not be excused from liability. In
> terms of balancing the relative effects or consequences of the breach of
> trust, it is apparent that MdR (with or without insurance) is far better
> able to meet or absorb it than Dreamvar. While, as I have held, it was
> not unreasonable for MdR not to have advised Dreamvar about the risk of
> fraud, or to have sought greater protection for Dreamvar against that
> risk (such as further undertakings), it is also not irrelevant that MdR
> was necessarily far better placed to consider, and as far as possible
> achieve (a matter not in the event tested), greater protection for
> Dreamvar against the risk which in fact occurred. As I have already
> found, Dreamvar has no recourse against MMS, and (it appears) no
> practical likelihood of either tracing or making any recovery from the
> fraudster. As a result, the only practical remedy it has is against MdR.
> 188. For these reasons, I conclude that MdR ought not fairly to be
> excused for the breach of trust, and that I should in any event, in my
> discretion, decline the relief sought. I would however add that if,
> contrary to my conclusions above, MMS were liable to Dreamvar, I would
> have exercised my discretion to relieve MdR of its liability for breach
> of trust to the extent of the liability found against MMS.
> <end quote>
> In [111] of the Court of Appeal judgment, Lord Justice Patten said of
> the sections of the High Court judgment quoted above:
> <begin quote>
> The judge was entitled to take all these factors into account in
> exercising his discretion and in my view his conclusion is
> unimpeachable. But his indication in [188] that he would have excused
> MdR in the event that MMS is also liable to the purchaser for breach of
> trust is, with respect to the judge, difficult to follow. Although such
> a finding of liability gives Dreamvar another means of recovering its
> money, it does not provide MdR with any grounds for being relieved of
> its own liability. The assessment of the reasonableness of its conduct
> and the inequality of position between it and its former client remain
> the same. Mr Halpern QC is right in my view to submit that any
> distribution of liability should be achieved through contribution
> proceedings and not by the exculpation of MdR under s.61.
> <end quote>
> In the ransomware attack both the solicitor and CTS will be insured for
> the losses, the vendors less so.
> I find it unlikely in the extreme that any solicitors involved in this
> case will have advised their clients that there was a risk that
> completion could fail as a result of a cyberattack on their IT supplier,
> CTS, or even that their IT system provision was outsourced to the extent
> that any catastrophic failure at CTS would lead to them being unable to
> complete meaning as in this judgment the client was not made fully aware
> of all the risks they faced.
> Similarly, there is an inequality of position between the vendor and
> their solicitor with the cyberattack as there was in the cited case.
> On that basis, I find the Dreamvar judgment persuasive.
>> That leaves DP legislation. Does that cover failure of a system to
>> function?
> The ICO states: "Loss of access to personal data is as much of a
> personal data breach as a loss of confidentiality." [2]
>> Going back to a bygone age and paper based files, and supposing a firm
>> of solicitors suffered a catastrophic flood or fire, would the firm have
>> been liable to make good their clients' resulting losses?
> Interestingly, a complaint frequently aired in this case is that the
> solicitors were relying only on the IT systems with very few if any
> paper files as backup.
Sounds odd, especially these days when little exists in paper form in the first place. Or is there an expectation that everything ought to be printed off as a "backup"?
On 2 Dec 2023 at 22:52:59 GMT, "David McNeish" <davidmcn@gmail.com> wrote:
> Sounds odd, especially these days when little exists in paper form in the
> first place. Or is there an expectation that everything ought to be printed
> off as a "backup"?
I see no reason why there should not be accessible local backups of the information on the system. Preferably in some form such as snapshots in which the previous hourly backup cannot be overwritten by ransomware.