Tech companies may face increased pressure to hand over customer data in the fight against cyber criminals

By Sarah Ellington

The English court has granted orders against the operators of bulletin boards and P2P networks to disclose individual account details and IP addresses under its powers to order third-party disclosure where there is obvious evidence of wrongdoing. 

Historically, these powers have been used more in relation to copyright infringement than tracing cybercriminals, but this could now change, with news that police will encourage the use of civil enforcement powers to track cybercriminals and obtain compensation for victims.

City of London police admit they are overwhelmed by the growth of cybercrime, announcing a new Pilot Scheme where the civil justice system will be used in conjunction with police resources. Cooperation between police and solicitors representing the victims under the Pilot Scheme may mean that victims have access to information already gathered by the police which they might otherwise not have access to or which may take some time to assemble. 

English civil courts have wide-ranging powers to order third-party disclosure against those holding  information that allows tracking of wrongdoers and their assets, such as banks, or companies holding relevant data (for example, IP addresses for sites used to trade bitcoin). Disclosing parties are often "gagged" under these orders, making it contempt of court to reveal the existence of the order. 

These so-called "Norwich Pharmacal" orders have also been granted against third parties outside of England, although there is some controversy over whether the English court can give permission to serve the order and associated claim form outside of England, especially if provision of the data requested may be contrary to local law and/or there may be some other way of obtaining the information sought. 

Companies within England receiving such orders should ensure prompt compliance to avoid contempt of court proceedings.  Those outside England should obtain local law advice regarding compliance, but also consider the position of any English subsidiaries or branch companies who may potentially access the data remotely and arguably be forced to comply with the order, depending on how it is worded.

Cybersecurity is a key topic at the DLA Piper European Technology Summit in London on September 28. Register for your place to hear what the experts see as the challenges and opportunities, and to have your say.

And you can follow the conversation ahead of the event with the Twitter hashtag #dlapipertech16