High Court Judgment narrows the Claimant’s route to a successful data breach claim

September 2021
Stephen Reilly and Andrew Jones

Warren -v- DSG Retail Limited[1]

The recent judgment handed down by the High Court in this case is important for the corporate victims of cyber-attacks and their insurers. The Court dismissed claims for compensation for distress for Misuse of Private Information, Breach of Confidence and Negligence causes of action arising out of a common type of data breach by a national retailer relating to customer payment details.

Background

The claim was brought against DSG Retail which owns the Currys PC World and Dixons Travel brands. Between 24 July 2017 and 25 April 2018, DSG was the victim of a complex cyber-attack carried out by sophisticated criminals. The attackers infiltrated DSG’s systems and installed malware which was running on 5,930 point of sale terminals at the stores, which allowed the attackers to access the personal data of many of DSG’s customers.

As a result of the security breach, the Information Commissioner’s Office (ICO) investigated the cyber-attack and decided that DSG had breached the seventh data protection principle (DPP7) under the Data Protection Act 1998[2]. DPP7 requires “appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data”. The ICO concluded that “there were a number of distinct and fundamental inadequacies in the security arrangements for DSG’s systems…[including]…multiple, systemic and serious security failures”. The ICO issued a Monetary Penalty Notice in the amount of £500,000 (the maximum fine available at that time), which is subject to an appeal to be heard later this year.

The Claimant had purchased goods from Currys PC World and claimed that his name, address, phone number, date of birth and email address were compromised in the attack. The Claimant could not point to any specific financial loss but brought a claim against DSG, limited to £5,000.00[3], for the distress and anxiety he alleged he had suffered as a result of the data breach. Such claims are increasingly being generated by claims management companies seeking to tap into a new revenue stream to replace their PPI cash cow. The Claimant relied on the following causes of action:

  • Breach of Confidence (“BoC”);
  • Misuse of Private Information (“MPI”);
  • Breach of the Data Protection Act 1998 (“DPA”); and
  • Common law negligence.

DSG applied for summary judgment and an order striking out each of these claims, other than the claim for breach of statutory duty arising out of alleged breach of DPP7. DSG argued that the BoC, MPI and negligence claims had no realistic prospect of success based on the facts.

Judgment

The Court dismissed all the Claimant’s claims save as regards the claim for breach of statutory duty in relation to DPP7 which will proceed to trial.

The Judge held that neither the BoC nor the MPI cause of action imposed a positive data security duty on DSG, i.e. a duty to take positive action to protect a customer’s data. To succeed, the BoC and MPI causes of action required a positive misuse of the confidential data by DSG. However, DSG had not disclosed or misused the Claimant’s personal data; the criminal third-party hackers had.

The Judge rejected the Claimant’s argument that DSG’s failure to protect the data constituted a positive action, describing the argument as an “unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI.” He stated that a ‘misuse’ requires a ‘use’, which is a positive action and added that “If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a misuse of private information by me”.

In respect of the negligence claim, the Judge held that there was neither need nor warrant to impose a duty of care in negligence where the statutory duties under the Data Protection Act 1998 already operated. The Judge held that “a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action”.

Comment

Whilst the quantum claimed in this case was small, circa £5,000, these types of claims have recently been on the increase. The Court’s judgment has materially narrowed the basis on which such cyber-related claims for data breach can be brought.

Most importantly on a practical level, the BoC and MPI causes of action are among the few remaining litigation claims in which a Claimant can recover his or her ATE premium from the Defendant. This ATE premium recovery potential was an important part of the claimant farm business model developing around these types of low value data breach claims, both (i) protecting the Claimant from any adverse costs order and (ii) materially increasing the Defendant’s overall costs exposure. With this part of the business model now unavailable to Claimants, we may see a material reduction in these types of low value but attritional claims, and such low value claims will certainly need to be brought in the County Court going forward.

[1] 27.7.21 – Warren -v- DSG Retail Limited [2021] EWHC 2168 (QB)

[2] In force at the relevant time, since superseded by the Data Protection Act 2018. The underlying events pre-dated the implementation of the GDPR in May 2018.

[3] Despite the low claim value, breach of confidence claims must be commenced in the High Court Media and Communications List.