Skadden litigation and international arbitration duo on the support that English law can offer hacking victims

There is no doubt that email hacking poses a very real threat both to individuals and to corporations. The recent case of Bassam Alghanim v Steven McIntyre & Ors [2011] is a useful reminder of the ease with which email hacking can occur, but also the steps that a hacking victim can take to uncover the unlawful activity and secure relief.

In August 2009, a routine Google search by one of the claimant's employees identified a file transfer protocol (FTP) website that contained a large number of private and confidential emails (arranged in PDF batches), which had been stolen from two of the claimant's private AOL email accounts. The specific emails that had been targeted were those that included legal advice from the claimant's lawyers regarding ongoing disputes (among other things), confidential information relating to the claimant's personal finances and confidential medical information.

The process of uncovering precisely what had happened required close co-operation between the claimant's lawyers and an IT forensics firm. On the basis of the stolen email batches discovered on the FTP site (and additional batches found in the Google cache for the site), we obtained a third-party disclosure order for disclosure of the site's data logs against the English Internet Service Provider (ISP) responsible for hosting the FTP site. In addition, with the claimant's consent, AOL provided the access logs for both email accounts. A forensic review of this material identified a number of IP addresses in the UK, which, in turn, led to further third-party disclosure orders against additional English ISPs to reveal who was behind those IP addresses.

computer-hackingWithin a matter of weeks the IT firm had tracked the timeline for each batch of stolen emails, starting from the time the emails were unlawfully accessed up until the time that they were downloaded from the FTP site and viewed. As a result, it was possible to pinpoint which IP addresses were involved and responsible for each step of the hacking scheme.

Responsibility for the hacking and uploading was ultimately traced back to certain individuals and companies in England, and the forensic evidence was sufficiently clear (as was the risk that relevant evidence might be destroyed) that the court agreed to grant search and seizure orders in relation to three separate properties (two commercial and one domestic).

As the details of the story were gradually pieced together, the full scale of the hacking operation became clear. The passwords to the claimant's email accounts had been obtained in July 2008 through the services of a group based in China called (remarkably) 'The Invisible Hacking Group' (a fee of £265 had been paid for each password). Between July 2008 and August 2009, approximately 20 pages of stolen emails had been posted to the FTP site every two to three days. The site had been deliberately set up so as to ensure that it would not appear on any Google searches; in fact, the only reason why the site was discovered in August 2009 was because the defendants had accidentally activated the Google Analytics function in the site's control panel.

The evidence also indicated that the hacking scheme had been done on the instructions of the claimant's nephew acting on behalf of the claimant's brother, Kutayba Alghanim (with whom the claimant was involved in a dispute). Indeed, as Mr Justice Smith concluded, "the evidence shows that the whole operation was done at the behest of the Kutayba camp… who orchestrated the campaign and I do not accept that there is any realistic possibility of them establishing, on the material before me, that they were innocent as to the modus operandi of the people who got the emails on their behalf. One cannot see this material, read it and use it and have any credible belief that it is being obtained honestly".

The claim itself comprised three causes of action: breach of confidence, unlawful means conspiracy and infringement of copyright (in respect of the emails authored by the claimant and those authored on his behalf). On the facts, there was little doubt that the claim for breach of confidence fell squarely within the approach taken by the Court of Appeal in Imerman v Tchenguiz [2010]. Namely, that it is a breach of confidence for a person intentionally to obtain another person's information secretly and without authorisation, knowing that he reasonably expected it to be private, and, without that other person's authority, to examine or copy a document the contents of which were or ought to have been appreciated by the person who obtained it to be confidential to that other person.

The significance of the additional claim for copyright infringement was twofold: (i) the privilege against self-incrimination does not apply to proceedings for "infringement of rights pertaining to any intellectual property" (section 72 of the Senior Courts Act 1981); and (ii) the Courts have discretion to award additional damages for flagrancy (section 97(2) of the Copyright, Designs and Patents Act 1988).

In conclusion, if suspicious email activity is discovered, there are effective steps and remedies that are available under English law and the courts will fully support the victim with mechanisms and processes to detect who is responsible, preserve evidence and secure relief. In terms of relief, the Alghanim case is also an important reminder that in these types of claims it may be possible to quantify damages not on the usual compensatory measure, but on the basis of the defendant's gain; the claimant may ultimately elect for an account of the defendant's profits in lieu of compensatory damages.

Bruce Macaulay (pictured) is a partner and Ben Lasserson an associate at Skadden Arps Slate Meagher & Flom.