High Court narrows the scope of data breach claims – welcome news for corporates

England and Wales

On Friday 30 July the High Court handed down an important judgment for businesses at risk of litigation following accidental data breaches. This is an increasingly prevalent issue. In March this year, the Government reported that nearly 40% of UK businesses suffered a cyber security breach or cyber-attack in the preceding 12 months.[1] These incidents can have regulatory and reputational impact, and – increasingly – they lead to litigation, with claimant firms specifically targeting companies that have suffered data breaches. 

The decision in Warren v DSG Retail Ltd [2021] EWHC 2168 brings some welcome cheer; its practical impact is that for most accidental data breaches, claimants will only be able to rely on claims under data protection legislation. To date, in claims following a data breach, claimants have typically asserted claims for misuse of personal information (“MPI”), breach of confidence (“BoC”) and negligence – all in addition to breach of data protection law. Importantly, claimant law firms assert that they can recover premiums for after-the-event insurance (“ATE”) from the defendants for “publication and privacy proceedings”. 

In summary and unless reversed on appeal, this decision narrows the legal basis for bringing claims against defendants – only claims for breach of data protection law remain viable – and litigation funding may become more difficult to obtain as ATE premiums will not be recoverable from defendants.

Background

Following a cyber-attack on Dixons Carphone (“DSG”) that exposed the data of the Claimant (alongside at least 14 million others), he brought concurrent claims for data protection breaches, BoC, MPI and negligence. The damages claimed were £5,000.

These claims followed the monetary penalty notice that the Information Commissioner (“IC”) had issued against DSG in January 2020 (the “MPN”). Under the MPN, the IC fined DSG £500,000 on the basis of a breach of DPP7[2] (DPP7 under the previous data protection regime was the requirement to have appropriate technical and organisational measures in respect of personal data). In the MPN, the IC concluded that DSG’s culpability was “striking” and that it had knowledge of some deficiencies from 2014 and others from around mid-2017, but that they were not remedied. The IC fine was subject to appeal, and the parties accepted that the data protection claim and any other claims surviving the strike out application would be heard following the conclusion of that appeal.

DSG applied to strike out the claims for BoC, MPI and negligence on the basis that they had no realistic prospect of success and/or were not tenable as a matter of law. While the Claimant conceded that the BoC claim should not have been pleaded, he maintained that the MPI claim was proper because the information that was the subject of the breach was prima facie private (being his full name, contact address, email address, telephone number and date of birth), and its exposure therefore rendered him susceptible to identity fraud. Since the BoC claim had not been formally discontinued, the Judge (Mr Justice Saini) considered both the BoC and the MPI claims.

Breach of confidence and misuse of private information

DSG submitted that “misuse” in the context of an MPI claim requires a positive action, but the Claimant alleged that due to the deficiencies in DSG’s systems DSG had intentionally and recklessly left the Claimant’s private information exposed in a way that was “tantamount to publication” to the world at large.

Based on the Claimant’s pleadings, the Judge concluded that the relevant wrong for the BoC and MPI claims was said to have been a failure to provide sufficient security for the Claimant’s data, which allowed the attacker to access the personal data, and that the Claimant did not allege any positive conduct by DSG constituting a breach for BoC or a misuse for MPI.

The Judge found that neither BoC nor MPI impose a data security duty on holders of private or confidential information, but that those claims are about prohibiting actions that are inconsistent with confidence or privacy.

For BoC, this was supported by the authorities, which all turn on unauthorised use or unauthorised disclosure of confidential information. The Judge also relied on leading texts that distinguished a duty of confidence from a duty of care in relation to data security, including Toulson & Phipps, which states (emphasis added): “[duty of confidence] is an obligation of conscience, which requires the recipient not to misuse the information or documents. [A data security duty of care] is a duty of a different character and…will arise only if there is a special relationship between the parties giving rise to a duty of care under the law of negligence.”

As for MPI, the Judge found that a ‘misuse’ requires a ‘use’, which is a positive action. Relying on Article 8 ECHR (as the basis for MPI claims) the Judge held that MPI requires an “interference” by the defendant which is unjustified. The Judge was not persuaded that DSG’s conduct was “tantamount to publication” and called it an “unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI”.

The Judge also rejected the Claimant’s attempt to distinguish his case from the facts of Various Claimants v WM Morrisons Supermarkets plc [2019] QB 772, where the Court held that Morrisons were not directly liable for BoC or MPI by reason of its wrongdoer employee disclosing its employees’ data.

Negligence

The Judge also accepted DSG’s submissions that there were “two fatal problems” with the Claimant’s negligence claim.

First, the Judge applied the Court of Appeal’s reasoning in Smeaton v Equifax Ltd [2013] 2 All ER 959, where it found that there is no duty of care where statutory duties under the DPA 1998 operate. The reasons given were that imposing such a duty would potentially give rise to an “indeterminate liability to an indetermined class”, that imposing such a duty would be “otiose” given the obligations imposed by the DPA, and that there was no need for a concurrent duty in negligence given the statutory regime.

Second, the Judge also sided with DSG on the nature of the claimed loss. The Claimant had claimed “distress and anxiety” as a result of the negligence. The Judge found that anxiety falling short of a clinically recognisable psychiatric illness did not constitute damage sufficient to complete a tortious cause of action (although on this point it appears that the Judge intended to refer to an action in negligence, given that MPI is also a tort and it is well established that one can claim for “distress” alone in MPI).

On the basis of the Judge’s reasoning, the strike out application therefore succeeded and the Claimant is left with a claim for breach of DPP7.

Comment

This claim only sought £5,000, and so in isolation it might be assumed that this is not a significant judgment. In fact, the decision could have a broad impact. Companies are increasingly facing threatened and actual litigation following data breaches. The claims may be individual, in small groups or brought as large group/class actions. This judgment could significantly affect these types of claims by narrowing the basis on which they can be brought. To date, BoC, MPI and negligence have almost always been claimed alongside data protection breaches, with the BoC and MPI claims being vital additions for the recoverability of ATE premiums. In this case, the Claimant did not plead that the defendant had taken any positive act, and this was fatal to the BoC and MPI claims. In the future, claimants may try to plead that companies that have suffered data breaches somehow undertook one or more positive acts, but this is likely to be challenging. If claimants are unable to devise creative ways of pleading data breaches as a positive act then, subject to any appeal, future data breach claims are likely to be brought only for breach of data protection law, and not for BoC and MPI.

[2] Under the Data Protection Act 1998, which applied given that the breach had occurred between July 2017 and April 2018, i.e. before the GDPR and the DPA 2018 came into force.