FAQ Received Since the High Court Hearing on 13 March 2023

What are the costs implications of the Court Order?

The Claimants have been ordered to pay 50% of the PFEW's costs of the application. These costs will either need to be agreed between PFEW and Keller Postman on behalf of the Claimants, or, if agreement cannot be reached, determined by the Court.

In any event the Claimants have been ordered to pay £50,000 of PFEW's costs by 14 April 2023.

Will my claim be taken forward in the litigation?

The litigation will now proceed through a "lead claimant" process. PFEW will agree with Keller Postman a small number of lead claims that will proceed in the litigation and the identity of those lead claimants. Any one of Keller Postman's clients could proceed as a lead claimant in the litigation.

Where a Claimant is chosen to be a "lead claim" they will be required to proceed through the litigation process through to trial. This will include: being an active part of the litigation process; providing disclosure on the relevant issues; providing evidence to the Court; and being cross examined at trial. The lead claimants will be selected by both parties in collaboration with each other. The number of lead claimants has not yet been decided.

Will the lead claimants be anonymous?

Any Claimant will have the ability to apply to the Court for an order that they be anonymised. No such application was made at the recent court hearing. The PFEW has made clear that it will not oppose any application for anonymity which complies with the procedural rules for such applications and meets the strict legal test required for such an order.

What happens if my claim is not a "lead claim"?

Only the lead claims will proceed through the litigation process in the first instance. All other claims will be stayed (i.e. paused) until the lead claims have reached a final determination.

How long will the lead claims take to get to trial?

The Court has set a timetable until March 2024. If the proceedings are not delayed further, the Court will then consider the procedural timetable further at a hearing, including fixing a date for trial. The trial may not be listed until 2025.

Once the lead cases have been resolved, will the rest of the cases proceed in the High Court?

If one of more of the lead cases are found to be viable and other cases follow, the PFEW is likely to seek an order from the Court that any further cases be transferred to the County Court where procedures are less complex and expensive.

What steps did PFEW take to notify retired officers of the Data Incidents?

PFEW's website and social media communications regarding the incidents were issued publicly, and were accessible to current and retired members, as well as any other interested party.

In addition, on 23 March 2019 communications regarding the incidents were provided to the National Association of Retired Police Officers ("NARPO"), together with a list of FAQs. PFEW understands that copies of these communications were in turn forwarded to NARPO's Branch Secretaries for them to share with local members directly, and to NARPO’s National Executive Committee. NARPO used these communications to produce an update for its members, which it published on its central website (which can be accessed here).

FAQs Surrounding The Claim, It's Impact On Members and Associated Themes

What is ransomware?

Ransomware is a type of malware, which is malicious software that is designed to block access to a computer system unless a ransom is paid. Attackers have been utilising such malicious software to prevent businesses from accessing business-critical data. Even if businesses do pay the ransom, there is no guarantee that the attackers will provide the decryption key required to access the data.

Some ransom attackers seek to obtain personal data in order to add leverage to their ransom demands.

There is no evidence that this was the case with the 2019 cyber incidents PFEW suffered. In fact, the evidence indicated that this was not the motive of the attackers.

Law enforcement does not encourage or endorse the payment of ransoms and this position is supported by the UK's Information Commissioner's Office.

PFEW did not pay a ransom in either attack. 

What was the impact on member data?

Leading cyber forensic experts have confirmed that there is no evidence that any personal data was taken during the cyber incidents.

During the incidents, the attackers had the theoretical ability to access:

• As part of the first incident, the National Membership Database, the Hotel Booking Database and the Claims Management Database.
• As part of the second incident, local Branch Databases.

During the incidents, PFEW could not access the above databases for a period of time. PFEW's email system was also down.

How did we communicate the cyber incidents to members?

PFEW did everything it reasonably could to notify members of the cyber incidents, as quickly as possible. Keller Postman allege that PFEW failed to notify members of the cyber incidents and that this is a breach of the relevant data protection law. This is not correct.

Communicating the issue was not simple. PFEW's desire to communicate with members had to be balanced against the ongoing criminal investigation. The incidents were complex and it was necessary to investigate them carefully so that we could provide accurate information to members. It was also a considerable logistical operation, which had to be conducted carefully in collaboration with the National Police Chiefs Council (NPCC), the 43 separate branches of PFEW and local police forces.

PFEW's communications included the following:

1. On 21 March 2019, a statement regarding the first cyber incident was issued publicly on PFEW’s website;
2. On 21 March 2019, communications in relation to the first cyber incident were published on multiple social media platforms, including via PFEW’s Twitter account;
3. On 22 March 2019, a second statement regarding the second cyber incident was issued publicly on PFEW's website, together with a list of FAQs;
4. Between 22 March 2019 and 5 April 2019, a dedicated helpline was set up which could be used by any member that had queries regarding the cyber incidents;
5. On 23 March 2019, communications were provided to The National Association of Retired Police Officers, together with a list of FAQs; and
6. In the April/May 2019 edition of POLICE magazine, a communication was published prominently. This edition was made available via our website and in hard copy at all local branches.
7. In addition, local branches also communicated the fact of the cyber incidents separately.

Why did PFEW oppose the anonymity order?

Keller Postman recently, and on behalf of its clients, applied for a blanket anonymity order to keep the identity of members bringing the claims secret. This application was made without PFEW being allowed to make any representations on its position in advance. The normal position is that English proceedings are conducted 'in public', in the interests of open justice. 

We noted that the order obtained was based on witness evidence that included a number of false statements concerning the personal circumstances of certain members. We raised this with Keller Postman and they voluntarily corrected their application and sought an amended order.

An amended order has now been made by the court such that members will be named in any action they bring against PFEW but their home addresses will be kept confidential.

PFEW would not object to any individual member who applied for anonymity on a sound legal basis, as is consistent with our wider approach to supporting anonymity in appropriate cases.

How long do members have to bring individual legal claims against PFEW?

PFEW will continue to consider individual claims from members who consider themselves to have suffered genuine distress as a result of the cyber incidents. If, after raising their proposed claim with PFEW, members feel strongly about issuing a legal claim, they are able to do so up until March 2025 if the claim is based on data protection law.