International litigation over cross-border hacking and downloading of confidential information

In the recent case Ashton Investments Limited v OJSC Russian Aluminium, the English High Court had to rule on whether proceedings could continue in England against foreign defendants accused of hacking from offshore into a London-based server.

Ashton Investments Limited (Ashton) is an English company with a computer system in its offices in London. It provided consultancy services to Ansol, a Channel Islands company. Ansol had entered into a series of commercial arrangements with a state-owned aluminium producer in Tajikstan which resulted in litigation into which OJSC Russian Aluminium (Rusal), the world's third largest aluminium producer, was joined as a party.

In January 2006, during a routine security scan on Ashton's server, Ashton detected the existence on its computer system of "spyware". The spyware programme was designed to be installed surreptitiously, often by an innocent looking email sent from a remote computer, to create a log of everything typed on the computer, and to transmit information secretly to the person who had installed the software. Investigations revealed that there had been various attempts to gain unauthorised access to the system from internet addresses registered to the defendant Rusal. Numerous successful attempts had also been made from other internet addresses in Austria and Moscow. Ashton and Ansol inferred that Rusal was behind all these attempts, and that it had managed to obtain secret information about the litigation in which Ansol and Rusal were involved.

Ashton and Ansol issued proceedings against four Russian parties - Rusal, Rusal Management Co, Rusal's Chairman (Mr Deripaska) and its CEO (Mr Bulygin), alleging unauthorised access by one or more of the defendants to confidential and privileged information on Ashton's computer system. The first cause of action was for breach of confidence. The claimants also sought damages for unlawful interference with their business and intent to injure by unlawful means; damages for conspiracy by unlawful means; and an injunction.

The Russian defendants denied that they or anyone acting on their behalf ever sought to gain access to Ashton's server. Their evidence was to the effect that the attempted access shown to have been from their internet address could not have been from either of the two Rusal computers which were authenticated for use at that address (both of which were shown not to have been in use at the relevant times), and had most likely resulted from Media Access Control numbers, which controlled access from those computers to Rusal's wireless connection to the internet, being cloned and used by third parties. The defendants applied for an order that the English court had no jurisdiction to try the proceedings, or alternatively that it should not exercise any such jurisdiction; and further contended that Russia was the appropriate forum for the resolution of the dispute.

The High Court (Queen's Bench Division, Commercial Court) concluded that there was a good arguable case against Rusal and Rusal Management Co., and held that the proceedings against those parties could continue in England; but that there was insufficient evidence to show that there was a serious issue to be tried against Mr Deripaska and Mr Bulygin.

Much of the argument concerned the application of the English rules of procedure for service of proceedings out of the jurisdiction, and forum conveniens arguments over whether England was the appropriate forum for the resolution of the dispute. Importantly the court held that:

1. Although the attack emanated from Russia, relevant acts were committed within the English jurisdiction, in that the hacking occurred where the server was located and accessed in London.

2. The digitally stored confidential information which was the subject matter of the claim was "property" - in the form of intellectual property – which was located within the jurisdiction.

3. Significant damage also occurred in England where the confidential and privileged information was viewed and downloaded, even though it had been transmitted almost simultaneously to Russia.

On these grounds the court concluded that the English procedural rules permitting service out of the jurisdiction had been satisfied. The court also observed that if an injunction were to be sought to restrain the defendants from interfering with Ashton's server that would be a claim for an injunction ordering the defendants to refrain from doing an act within the jurisdiction, which would also enable service of the proceeding to be made out of the jurisdiction.

Similar issues would arise in New Zealand if such a claim were brought here as a result of hacking into a New Zealand computer system and downloading of information from offshore. Rule 219 of the New Zealand High Court Rules permits proceedings issued in New Zealand to be served out of New Zealand on a foreign defendant where any act in respect of which damages are claimed occurred in New Zealand (i.e. hacking into a server located in New Zealand); or where the subject-matter of the proceeding is property situated in New Zealand (i.e. confidential information or other intellectual property contained in digital form on a server in New Zealand); or where it is sought to restrain the performance of any act in New Zealand (i.e. further hacking into a server located in New Zealand).

As in the Ashton case, a defendant in New Zealand proceedings who has been served overseas can challenge the jurisdiction of the New Zealand court on the grounds that the claim does not fall within the rules entitling proceedings to be served overseas; or on the ground that there is no serious issue to be tried; or on the ground that New Zealand is not forum conveniens.

Need more information?

For more information on breach of confidence, hacking, and related intellectual property and IT issues, please call Alan Ringwood on 64 9 916 8925 or Garry Williams on 64 9 916 8661.