High Court judgment limits claims after cyber-crimes
A recent judgment from the High Court in Warren v DSG Retail Ltd EWHC 2168 (QB) has narrowed the criteria for a successful data breach claim following a cyber-attack; news which is no doubt welcome for those businesses which are already suffering significant losses as victims of cyber-crime.
The value of personal data – both in monetary and non-monetary terms – is quickly becoming clear to both individuals and companies in equal measure, as more individuals are pursuing their rights under the (now UK-) General Data Protection Regulation and the Data Protection Act 2018.
A data breach can occur in a variety of ways, including as a result of a cyber-attack. When data has been taken, destroyed or held to ransom by a cyber-criminal, the affected data subjects have been bringing claims for damages for the loss suffered following such an attack in the same way as they would if the breach had resulted from actions taken by the data controller.
The question that has arisen is whether, when the data controller is itself a victim, the data subjects can pursue damages under the same heads of claim.
DSG Retail Ltd (DSG) (a consumer electronics retail company which operates Dixons Travel and Currys PC World) was targeted in a cyber-attack between July 2017 and April 2018. The cyber-criminals infiltrated DSG systems and installed malware on thousands of store terminals. This malware was used to access the personal data of 14 million DSG customers.
In the aftermath of the attack, DSG had reported the matter to the Information Commissioner’s Office (ICO) as per its obligations. The ICO investigated the incident and found that DSG was in breach of the seventh Data Protection Principle (DPP7). DPP7 requires “appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data”. When ruling on the investigation, the ICO identified that DSG had been made aware of deficiencies in its security from as far back as four years before the attack, but had not remedied them. The ICO duly issued a Monetary Penalty Notice against DSG in the sum of £500,000. This decision is currently being appealed and is due to be heard by the First Tier Tribunal in November 2021.
Mr Darren Lee Warren (Mr Warren) was one of the customers whose data was affected in the attack. When Mr Warren was notified about the breach, he brought claims against DSG for breach of data protection law, breach of confidence, misuse of personal information and negligence. He was claiming damages in the sum of £5,000.
DSG made an application for the court to strike out the claims for breach of confidence, misuse of personal information and negligence. It said that these claims had no realistic prospect of success and were not tenable from a legal perspective.
Their case was that breach of confidence and misuse of private information need ‘positive wrongful conduct’ on the part of the defendant, and that does not include a data security duty. In addition, there is no duty of care in negligence with regard to conduct that is covered by data protection legislation.
In arguments, Counsel for Mr Warren conceded that the breach of confidence claim was not tenable and should not have been pleaded. However, they maintained that the claim for misuse of private information and negligence should proceed. Mr Warren’s Counsel submitted that the misuse of personal information claim held water because, by its nature, the information lost in the breach was private – Mr Warren’s full name, address, email, telephone number and date of birth; all the elements needed to commit identity fraud.
Mr Warren’s Counsel continued that when Mr Warren had provided this information to DSG, he had a reasonable expectation that they would take adequate steps to ensure it was protected and kept private. However, because of the known deficiencies in their system, DSG had “intentionally and recklessly” left his private information exposed. He said that this meant there was, in effect, publication to the hacker by DSG’s failure to implement basic security measures.
The Judge made several significant remarks about the case and implications for future claims attempting to use the same approach. He identified that the ‘wrong’ of which DSG was accused was the ‘failure’ which allowed the cyber-criminal to access the personal data; there was no allegation that DSG carried out any positive conduct which comprised a breach or a misuse for the purposes of a breach of confidence or a misuse of information claim. Indeed, DSG itself was the victim of a cyber-attack and there was no claim made by Mr Warren that DSG had in any way purposely facilitated or invited the attack.
The Judge quoted a precedent case regarding breach of confidence to confirm that the law of confidence imposes “a negative obligation not to disclose confidential information.” As there was no positive act of disclosure carried out by DSG, and failure to implement security could not be considered an alternative ‘positive act’, the Judge could not find that there had been any breach of confidence (though he noted that, by this point in the proceedings, the breach of confidence claim was no longer being maintained but had not formally been discontinued, therefore judgment was passed).
Regarding the claim for misuse of private information, the Judge acknowledged that ‘misuse’ may be unintentional. However, it does require a ‘use’ in order to qualify as having been ‘mis-used’. The characterisation by Mr Warren’s Counsel that the cyber-attack had been ‘tantamount to publication’ due to DSG’s security failures was described as ‘wholly artificial’ and the Judge was not persuaded.
The Judge also considered the recent case of Morrisons and disagreed that it was distinguishable, again, on the basis that it was not DSG which disclosed or misused Mr Warren’s data, but the cyber-criminals.
It was concluded that the claims in breach of confidence and misuse of private information were ill-founded and were duly struck out.
The Judge then considered the claim for negligence. Considering the requirements to establish a duty of care (which must be present for there to be negligence) it was determined that there was no duty of care in this matter; data protection legislation clearly sets out the liability of data controllers and so to find that there was an additional duty would be to duplicate those responsibilities. Further, the distress being claimed by Mr Warren for the alleged negligence fell short of the damage sufficient to complete this type of claim, therefore the claim for negligence was struck out also.
The court concluded that DSG’s application was successful. All Mr Warren’s claims were dismissed and/or struck out except the claim for breach of statutory duty in relation to DPP7.
The trial of the matter will be heard after the First Tier Tribunal appeal of the ICO’s Monetary Penalty Notice. Therefore, it is possible that the Court will find that even the claim for damages under the DPA 1998 will not be successful.
*It must be noted that this cyber-attack took place before the commencement of the Data Protection Act 2018 and the (now UK-) General Data Protection Regulation; therefore, the outcome will be based on the Data Protection Act 1998, which is no longer in force. That being said, the decision set out above regarding the strike out of claims is anticipated to set a precedent which will be followed under current legislation, though the final judgment of the trial itself (based on the old DPA) may not be so reliable.*
The significant effect of the case is that where a data breach was caused by a cyber-attack, damages recoverable by affected data subjects will be limited to compensation under breach of data protection legislation.
In a final note, there is potentially more good news for data controllers to come out of this
The claimants bringing these types of claims are often relying on After the Event (ATE) insurance premiums to fund their litigation. However, ATE policies expressly exclude data protection claims. Therefore, claimants may find themselves unable to avail themselves of this avenue of funding.
The courts are unlikely to permit relatively straightforward claims to be commenced and proceed through the High Court Media and Communications List. Instead, it would be reasonable to anticipate that claims of this nature, where there are no complex arguments to be had, will be handled in local County Courts on the Small Claims Track, where recoverable costs are extremely limited. Therefore, data controllers will avoid having to pay significant costs to claimants’ solicitors in addition to payment of damages.