Experience – Cybersecurity and cybercrime

Selected experience

  • [Incident handling, ransomware, game development] We represented one of Poland’s largest developers of Triple-A video games, which fell victim to a sophisticated ransomware attack that compromised the company’s confidential and sensitive business information, including the source code of its latest games and employees’ personal data. We represented the client in criminal proceedings related to the incident and advised the prosecutor’s office on investigative measures and contacts with foreign law enforcement agencies. We also coordinated legal actions in other jurisdictions (both civil and criminal) to take down stolen content hosted by various internet service providers.
  • [Incident handling, ransomware, physical security] We advised a global provider of security and access control solutions following a ransomware cyber-attack. We assisted in assessing and mitigating the impact of the cyber-attack on the group’s Polish subsidiary. We advised on the inventory of data potentially affected by the breach and the appropriate remedial measures. We reviewed contracts with customers potentially affected by the incident and analysed the subsidiary’s potential exposure to compensation claims. We coordinated the process of notifying the relevant authorities of the potential breach, including aspects of personal data and confidential information.
  • [Litigation support, business email compromise, banking] We represented a Danish shipowner that fell victim to a business email compromise (BEC) fraud. We represented the client in criminal proceedings, where we were able to secure early release of a significant portion of the stolen funds from the account used by the criminals. However, the rest of the funds had been moved out of Poland and the EU in a series of transfers and ATM withdrawals. Since the criminal investigation failed to identify the perpetrators, our client filed a claim against the international bank that had opened the accounts used to remove the funds. We pursued a civil case against the bank, where we argued that the bank was responsible for the client’s losses because it had contributed by failing to comply with its anti-money laundering obligations, particularly know-your-customer procedures and suspicious activity monitoring and reporting. It was the first case of its kind heard in the Polish courts.
  • [Litigation support, cryptocurrency exchange collapse] We represented clients of Poland’s oldest cryptocurrency exchange in proceedings against its administrator to recover funds after the exchange’s website was unexpectedly shut down and deposits were suspected to have been lost because of a cybersecurity incident. We also represented the victims in criminal proceedings led by the newly established cybercrime division in the prosecutor’s office. The case was groundbreaking, as it was the first case involving the issue of liability for the loss of cryptocurrency by a cryptocurrency exchange operator and the first known case of a Polish court granting interim relief involving a cryptocurrency wallet.
  • [Regulatory advice, NIS1, healthcare] We conducted a comprehensive audit at a province-run hospital in southwestern Poland, including compliance with the GDPR and other data protection regulations, as well as compliance with the National Cybersecurity System Act (shortly after the audit was launched, the Minister of Health issued a decision recognising the hospital as the operator of a vital service). In the course of six months, we analysed over 25,000 pages of documentation and conducted visits and interviews with about 20 of the hospital’s administrators and staff.
  • [Regulatory advice, DORA, FinTech] We assist a Polish FinTech company developing integrated solutions for factoring, purchase finance and online lending in achieving DORA compliance. We are involved in all stages of the implementation project (applicability verification, gap analysis and rollout). We are pursuing the project in cooperation with an information security service provider responsible for technical aspects such as incident simulation and red team analysis.
  • [Regulatory advice, combating online child sexual abuse] We advised a Polish developer of mobile video games on potential child sexual abuse incidents in the chat features of its games. We assisted the client in developing guidelines for assessing the seriousness of incidents, especially involving minors, and the proper response. We advised on Polish laws regarding mandatory reporting of online child sexual abuse and data protection implications. We also coordinated a study for the client on laws concerning monitoring and mandatory reporting of online child sexual abuse incidents in other key jurisdictions.
  • [Regulatory advice, NIS2, industrial products manufacturing] We advised an Austrian manufacturer of industrial products regarding compliance with the NIS2 Directive. We assessed the applicability of proposed Polish regulations implementing the directive to the group’s Polish subsidiary, as well as expected differences between the obligations under the directive and the Polish implementing act.
  • [Contract advice, supply chain, food producer] We advised a Polish food producer and distributor in negotiating a contract with an external service provider, including a data security assessment and optimisation audit. We negotiated amendments to the contract to ensure appropriate standards for managing cybersecurity risks during the audit, including supply chain risk management and robust reporting mechanisms in the event of any incidents involving disclosure of data to the service provider during the audit.
  • [Contract advice, supply chain, broadband internet] We advised a provider of satellite broadband internet services in connection with a service interruption caused by a cyber incident which the EU authorities later attributed to Russian-backed hackers. Early on the morning of 24 February 2022, the Ka-SAT satellite (used by the client to deliver B2C and B2B services in Poland and other European countries) was the subject of a cyber-attack which caused permanent damage to individual users’ modems. Our advice involved the client’s potential liability as an internet service provider for the service interruption and damage to the modems, the possibility of invoking force majeure as a defence against claims, and potential reporting of the incident to the Polish authorities, particularly the telecom regulator.