Thomas Rudkin of Farrer & Co writes:
There is a developing line of cases in England & Wales where those who have been subject to a ransomware attack take action against the hackers through the civil courts. The question is why bother and what is the best way to go about this if that is what the victim decides to do.
From the subsection on how the court proceedings work, he writes:
Upon receipt of an anonymous ransom demand, the company (the claimant) will apply urgently to the court seeking an interim injunction. The legal basis for the claim will invariably be breach of confidence. The requirements for such an action are that the information has the necessary quality of confidence, the circumstances give rise to an obligation of confidence and there is actual or threatened unauthorised use of the information. These requirements will almost always be met in a ransomware (or other cyber blackmail) scenario, where there has been unauthorised access to a company’s systems and to their proprietary information. Notably, the affected organisation will not be basing their claim on breach of data protection legislation or misuse of private information, since such claims are the domain of individuals only.
Continue reading this article on Farrer & Co.