In Warren v DSG Retail Limited, an individual who alleged that his personal data was compromised in a cyber-attack on a company brought various claims against that company, seeking compensation for distress.
The English High Court struck out several of the claims – those for breach of confidence (BoC), misuse of private information (MPI) and common-law negligence – and the claimant was left to proceed with only a claim for breaches of the Data Protection Act 1998 (DPA).
The decision will have a significant impact on how claims arising out of data breaches are pleaded in the future.
Another effect of the case may be to deter some low-value claims from being issued in the first place because of increased risks to claimants regarding legal costs.
Between July 2017 and April 2018, DSG Retail Limited (DSG) was the victim of a methodical and sophisticated malware attack.
The threat actor infiltrated DSG’s security systems, enabling it to access the personal data of certain DSG customers.
An Information Commissioner’s Office (ICO) investigation found that DSG had breached the seventh data protection principle (DPP7), which requires 'appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data'. DSG is appealing the ICO’s monetary penalty notice.
The claimant (a former customer of DSG) claimed that his personal information (name, address, telephone number, date of birth and email address) was compromised in the malware attack and he instructed lawyers to bring civil proceedings against DSG for 'damages in respect of the distress he suffered as a result of his personal data being compromised and lost'.
The claimant’s claims were founded in:
- the tort of BoC;
- the tort of MPI;
- common-law negligence; and
- breach of the DPA.
DSG applied for summary judgment or an order striking out all of the claims, save for the claim for breach of the DPA.
DSG argued that:
- The BoC and MPI claims have 'no realistic prospect of success on the basis of the uncontroversial facts and/or are not tenable as a matter of law', as they both require a ‘use’ or ‘positive wrongful action’ in relation to the claimant's information on the part of DSG (ie disclosing it to a third party or making some other unauthorised use of it); and
- The negligence claim should fail because:
  - 'there is neither need nor warrant to impose a duty of care in negligence on DSG where the statutory duties under the DPA 1998 operate'; and
  - the claimant has failed to plead any recoverable loss.
Mr Justice Saini granted DSG’s application and struck out the claimant’s claim for BoC, MPI and negligence.
BoC and MPI
Mr Justice Saini agreed with DSG that a ‘use’ of the personal data or ‘positive wrongful action’ was required on the part of DSG:
'[Neither BoC nor MPI] impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy… [A] ‘misuse’ may include unintentional use, but it still requires a ‘use’: that is, a positive action'.
Clearly, in this case, there was no ‘use’ or ‘positive wrongful action’ on the part of DSG. DSG did not take any active steps; instead, the personal data was stolen from DSG.
'[I]n my judgment, the wrong is thus said to have been a 'failure' which allowed the Attacker to access the personal data. Despite the way in which Counsel for the claimant has attractively sought to recharacterize her client's case, it is clear that the Claimant does not allege any positive conduct by DSG said to comprise a breach or a misuse for the purposes of either BoC or MPI. That is unsurprising, given that DSG was the victim of the cyber-attack. There can be no suggestion that DSG purposefully facilitated the Attack, and that is not pleaded in the claim. In any event, there is no evidence to that effect, and it is contrary to common sense.'
The claimant’s claim in negligence was also struck out. Mr Justice Saini stated at paragraphs 34 and 40-42 of the judgment:
- '[T]he Court of Appeal has held that there is neither need nor warrant to impose such a duty of care where the statutory duties under the Data Protection Act 1998 operate'; and
- 'A cause of action in tort for recovery of damages for negligence is not complete unless and until damage has been suffered by the claimant. Some damage, some harm, or some injury must have been caused by the negligence in order to complete the claimant's cause of action. However, a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action… The Claimant does not allege personal injury, but only distress… Accordingly, even if the Claimant had an arguable case on duty of care, the Claimant has suffered no loss'.
Mr Justice Saini allowed the claim for breach of statutory duty in relation to DPP7, which is currently stayed pending the appeal of the ICO’s monetary penalty notice.
Until now, it has been common to see claims brought in negligence and for BoC and MPI against organisations that have suffered data breaches. However, the Warren v DSG Retail Limited judgment restricts the range of claims that can be brought in future in respect of data breaches.
The court’s reasoning is logical: a statutory remedy already exists for this kind of wrong, and there is little value in creating parallel common law remedies. Actions such as MPI were clearly developed to deal with a different kind of privacy infringement to data breaches – something that is readily apparent from a review of the cases involving the media/publishing, which make up the majority of MPI actions.
The High Court’s judgment may also deter individuals from pursuing claims via conditional fee agreements ('no-win, no-fee') or damages-based agreements. These claims are often covered by after-the-event (ATE) insurance. If the only action available to individuals is under the statutory data protection regime (and not common-law privacy actions), ATE premiums are unlikely to be recoverable from a defendant. This is because claims under the statutory data protection regime do not fall into the category of 'publication and privacy proceedings', unlike BoC and MPI claims. (Since 1 April 2013, ATE insurance premiums have not been recoverable from the other side unless the policy either was taken out before that date or relates to one of the excepted cases, which include publication and privacy proceedings.)
Another effect of these claims no longer being classified as 'publication and privacy proceedings' is that low-value claims are more likely to be allocated to the small claims court, where it is harder for claimants to recover costs. Together, these effects may well deter some would-be claimants from issuing proceedings because they entail additional costs risks.
Whether or not you view Warren v DSG Retail Limited as a welcome addition to the case law relating to data breaches, the judgment underlines how embryonic and limited that body of case law is. Given the continuing prevalence of cyber-attacks globally, more jurisprudence will surely follow.
Here, it was not DSG that disclosed the Claimant's personal data, or misused it, but the criminal third-party hackers. [Warren v DSG Retail Ltd  EWHC 2168 (QB), para.31]