Lonestar Communications Corp LLC v. Kaye
Lonestar Communications Corporation LLC v. Kaye
[2023] EWHC 421 (Comm)
In the High Court of Justice, Business and Property Courts of England and Wales, Commercial Court (KBD)
Case CL-2018-000648
Before Justice Foxton
Decided on February 17, 2023
Relevancy of the case: Claim for damages suffered due to successful DDoS attacks against the claimant
Statutes and Provisions Involved
- The Human Rights Act 1998 (Section 2)
- The Computer Misuse Act 1990 (Section 3(1), 3A(1), 5)
- The Liberian Telecommunications Act 2007 (Section 76, 77, 80)
- The Liberian Civil Procedure Act 1972 (Section 1.3, 9.3)
- The Liberian General Construction Law 1956 (Section 40)
Relevant Facts of the Case
- The claimant company (“Lonestar”) was a victim of a DDoS attack campaign between October 2015 and February 2017. The company has claimed that the first defendant orchestrated this campaign with assistance from the second and third defendants.
- These DDoS attacks only targeted Lonestar’s data-related work. While it had access to the technical data essential to identify the attacks, it did not retain it.
- The second defendant paid the first defendant to cause damage to Lonestar’s systems. In October alone, for 10 days, the Huawei mitigation system exceeded the capacity of Lonetar’s network and cleaning systems.
- Earlier, in a 2015 DDoS attack, the performance of Lonestar systems did not suffer any harm. In February 2015, the company faced 2 major DDoS attacks.
- On October 31, 2016, the first defendant gained access to the MiraiBot. This led to severe DDoS attacks on Lonestar’s systems, which caused serious damage. In December 2016, due to the continuous attacks, it had to reduce data prices to sustain its business operations.
Prominent Arguments by the Counsels
- The claimant’s counsel:
- Liberian law allows broad claims for “action of damages for wrong” beyond specific torts like negligence or nuisance.
- The foundation for a broad rule against vicarious liability for intentional wrongs was weak. Several Liberian cases held companies liable for employees’ intentional torts, undermining the supposed exemption.
- DDoS attacks impacted the claimant’s revenue, with data revenue suffering more. In late 2016, voice call services experienced a significant revenue impact.
- The fifth defendant’s counsel:
- American and English law principles are not easily adopted into Liberian law. For instance, Liberian law does not allow vicarious liability for employees’ intentional wrongdoing, citing Woodin & Company v. Gibson and Hariss v. Cavalla Rubber cases.
- “Action of damages for the wrong” was only a historical pleading form, not a substantive cause of action. Liberian law recognised only specific torts after 1972.
Opinion of the Bench
- The bench stated that historical sources did not support the idea of a closed list of torts. The 1972 procedural reforms did not restrict the factual circumstances for tort remedies.
- Previous Supreme Court cases continued to treat “action of damages for wrong” as a substantive claim. The weight of authority did not firmly establish a broad exemption from vicarious liability for intentional employee wrongdoing under Liberian law.
- There was a 50% attribution of a $0.40 swing in Data ARPU to DDoS attacks and rejected the 70% attribution proposed.
- The DDoS attacks did not significantly impact Voice ARPU initially and attributed to 50% of the remaining Voice ARPU swing to DDOS Attacks after adjustments.
- The court quantified a total profit loss of $3,602,349. The end dates for subscriber losses were aligned to April 2020, and the ARPU impact was set for September 2019.
Final Decision
- The court awarded the claimant compensation for damage amounting to $3,602,349 for loss of profit, $707,738.36 for unnecessary expenditures, and $170,000 against the second defendant in punitive damages.
- The court also noted that the fifth defendant is entitled to 100% contribution from individual defendants and 50% from Cellcom BVI, the third defendant.
Harmannat Kour, an undergraduate student at the Law School, University of Jammu, Kashish Saxena, an undergraduate student at the National Law University, Jodhpur, and Prachi Chakravarty, an undergraduate student at University Law College, Bangalore University, prepared this case summary during their internship with The Cyber Blog India in May/June 2024.