Data breach litigation – What now for claims management companies?
In this claim, DSG Retail Limited (“DSG”), which operates the likes of ‘Currys PC World’ and ‘Dixons Travel’ brands, suffered a third party cyber-security attack which compromised around 14 million customer records. This included the Claimant, Darren Lee Warren (“Mr Warren”). As a result of the breach the Information Commissioner’s Office (“ICO”) issued a fine of £500,000 against DSG, which is currently being appealed.
Mr Warren has also sought to recover damages in the sum of £5,000 from DSG for breach of confidence, misuse of private information, common law negligence, and breaches of various provisions of the Data Protection Act 1998 (“DPA 1998”) including the seventh principle under the DPA 1998 which requires controllers to take “appropriate technical and organisational measures… against unauthorised or unlawful processing of data”. The matters in question occurred before the Data Protection Act 2018 and the General Data Protection Regulation (“GDPR”) were in force.
DSG successfully applied for summary judgment and/or an order striking out each of the claims apart from claim relating to the seventh data protection principle.
The High Court summarily struck out Mr Warren’s claims for breach of confidence and misuse of private information on the basis that there had to have been some “positive wrongful action” to be taken by DSG for these claims to arise, and there was no positive wrongful action in circumstances where DSG was the victim of an attack and had not purposefully facilitated the data breach.
The Court held that the actions for breach of confidence and misuse of private information do not impose any data security obligations upon DSG. The Court drew upon the case Various Claimants v WM Morrison Supermarkets plc  QB 772, judgment concerning a data breach in which the court held that the supermarket could not be directly liable in breach of confidence or misuse of private information where the acts amounted to a breach or misuse were carried out by a third party. The judge was not persuaded by Mr Warren’s arguments that DSG’s conduct was “tantamount to publication” and responded to this claim as an “unconvincing attempt to shoehorn the facts of the data breach into the tort of misuse of private information”.
The judge adopted the reasoning in the Morrison’s case, stating that “here it was not DSG that disclosed the Claimant’s personal data, or misused it, but the criminal third-party hackers”. Accordingly, it follows that where a company is the target of a cyber-attack by third party hackers allowing them to gain access to an individual’s data, disclose and misuse it, it would be the third party that is liable in breach of confidence and misuse of private information, not the data controller itself.
For the common law negligence claim, there was also no such duty and the judge applied the principle established in Smeaton v Equifax  2 ALL ER 959 that there was no need to impose a tortious duty of care on a data controller, where statutory duties under the DPA 1998 already operate. The legislative framework serves to protect personal data and the ICO is its watchdog.
Furthermore, the Court held that a state of anxiety which falls short of clinically recognised psychiatric harm i.e. distress did not constitute actionable damage to complete a tortious cause of action in negligence.
The High Court judge also transferred the proceedings to the County Court given the low value of the claim.
Whilst it is by no means the end of data breach litigation, this decision will have important implications, in particular clarifying the relevant causes of action in this scenario and undermining the business model of CMCs using ATE insurance to offset their cost risk.
The transfer of the claim to the County Court reinforces that the High Court is not appropriate for low-value data breach claims.
This decision will be a welcome relief for defendants in data breach claims issued by CMCs for several reasons:
1 - The recovery of costs for claims of this value are limited in the County Court; and
2 - Where the only arguable cause of action is under data protection legislation, CMCs will be prevented from recovering “after the event” (“ATE”) premiums as part of their costs from unsuccessful defendants.
Although this is a positive result for defendants, there remain some unanswered questions which will need to be determined by further Court decisions:
- What sort of “positive wrongful act” may justify a privacy, breach of confidence or common law negligence claim i.e. will they only be protected in the event of a cyber-attack?
- The ongoing uncertainty around the appropriate valuation of claims.
- The need for further clarity on whether distress only damages are recoverable for breaches of the UK GDPR.
We may now see a change in focus from CMCs to bringing collective, rather than individual, actions. The decision is likely to deter CMCs from adopting the “the kitchen sink” approach when it comes to pleading data breach claims. We expect that claimants will attempt to argue their data security was compromised by a positive act where they have suffered a hack but we do not expect Courts to be convinced by this. However, until the eagerly awaited Supreme Court decision in Lloyd v Google is handed down, we do not expect the decision in Warren v DSG will deter CMCs yet.
The remaining data protection claim will now be considered in the County Court upon the conclusion of DSG’s appeal in the First-Tier Tribunal in November 2021 against the fine imposed by the ICO.