‘How did you get in here?’ - What rights do you have against third parties when your IT staff go rogue?

The recent High Court case of Media Entertainment NV v Karyagdyyev and another [2020] EWHC 1138 (QB) is interesting, particularly for tech companies, as it involves the often feared and always undesirable headache – what rights do you have against third parties when your IT staff, without your authorisation, disclose confidential IT passwords to those third parties who then access confidential information on your network?

Media Entertainment, the claimant who operated an online gambling business, recently faced this situation. Its IT system administrator, without authorisation, disclosed confidential password details to the defendants, Sapar Karyagdyyev and Alfonso Gonzales Garcia, who unsurprisingly accessed Media Entertainment’s IT systems and confidential information stored therein. Media Entertainment sought damages and injunctions. There was no dispute that the information was confidential. Karyagdyyev and Garcia sought to strike out the claims for damages and injunctions on the basis that:

1) they did not know that the use or retention of the confidential information was not authorised by Media Entertainment (i.e. that the IT system administrator did not have the requisite authority to grant access); and

2) in any event, Media Entertainment did not plead such knowledge in their particulars of claim.

Master Dagnall differentiated between the claims for damages and injunctions and concluded that:

● Damages required Karyagdyyev and Garcia to have committed an ‘actionable wrong’. It was therefore necessary for Karyagdyyev and Garcia to have had sufficient knowledge that they lacked authorisation from Media Entertainment to act as they did. It was also necessary for such knowledge, and the facts upon which it was based or to be inferred, to be properly pleaded. As Media Entertainment had failed to do so, the damages claim was struck out.

● Injunctions did not require an ‘actionable wrong’ because the objective of the injunctions was to protect rights in and to confidential information. Therefore, as knowledge did not need to exist or be pleaded when the injunctions were sought, the application to strike out Media Entertainment’s claims for injunctions was refused.

We will wait to see if Media Entertainment amends its particulars of claim to include the knowledge of Karyagdyyev and Garcia so as to justify its claim for damages. In the meantime, the ruling is a cautionary reminder that when considering misuse of confidential information claims it is important to consider the relevance of knowledge and properly plead it in damages cases. For clarity, companies should also make it expressly clear in their IT policies that passwords relating to, and information held on, IT systems are confidential, and should not be shared without requisite authorisation.