
    Cyber-attacks are ever growing in number, scope and sophistication, and with large organisations increasingly reliant on third-party service providers for critical services such as cloud computing, the litigation and regulatory risk arising from cyber-attacks and resultant data loss is now a mainstay of any corporate risk management agenda.

    The precise contours of the litigation risk are, however, not yet well-defined. In that context, a recent decision by the High Court that struck out claims for compensation for distress for breach of confidence, misuse of private information (MPI) and common law negligence, following a cyber-attack and loss of data (Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)) will be welcomed by many.

    The decision is significant in that it effectively narrows the types of claims that can be brought following a data breach. It also makes it less likely that claimants will be able to recover After the Event (ATE) insurance premiums for data breach claims, thereby reducing the economic viability of bringing such claims for many.

    The cyber-attack

    In 2018, DSG Retail Ltd (DSG) was the victim of a cyber-attack which saw hackers infiltrate its systems and gain access to the personal data of many of its customers.

    The Information Commissioner’s Office (ICO) investigated the cyber-attack and fined DSG £500,000 for breaching the seventh data protection principle (DPP7) of the Data Protection Act 1998 (DPA 1998), which requires data controllers to implement “appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data”. This fine is currently under appeal.

    Separately, Darren Lee Warren (the Claimant), a customer of DSG, brought a claim for damages against DSG, based on distress suffered as a result of the breach of his personal data. Mr Warren was seeking damages of only £5,000 and relied on claims of breach of confidence, MPI, breach of the DPA 1998 and common law negligence.

    The decision

    Ultimately, Mr Justice Saini dismissed the breach of confidence, MPI and negligence claims. He allowed the claim for breach of the DPA 1998; however, this claim is currently stayed pending the outcome of DSG’s appeal.

    Breach of confidence and misuse of private information

    DSG argued that the breach of confidence and MPI claims should be dismissed because, in order to be successful, both claims would require DSG to have taken a positive wrongful act in relation to the information in question (as opposed to falling victim to external, criminal hackers).

    The Judge agreed and struck out the claims. He pointed out that the claimant clearly did not allege any positive conduct by DSG said to comprise a breach or a misuse for the purposes of either breach of confidence or MPI. Importantly, the Court also confirmed that neither obligations of confidence nor any obligations not to misuse private information impose any positive data security duty on DSG. Instead, they prohibit actions that are inconsistent with the obligations of confidence and privacy. The Court also disagreed with the claimant's argument that DSG's alleged failings were "tantamount to publication", and thereby constituted a positive action. Accordingly, the claims for breach of confidence and MPI were dismissed.

    Common law negligence

    DSG argued that there were "two fatal problems" with the claimant's negligence claim:

    1. where duties under the DPA 1998 apply, the same action cannot be brought in negligence; and

    2. a negligence claim requires there to have been a recoverable loss, which was not present here.

    Again, the Judge agreed and dismissed the negligence claim, holding that there was no common law duty of care because the statutory duty under the DPA 1998 was already applicable. He also determined that Mr Warren had not suffered any pecuniary loss and that "a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action." Therefore, Mr Warren had failed to establish any relevant loss for a negligence claim.

    Implications of this decision

    As noted above, the contours of the litigation risk from data breach claims have not yet been well-defined. Many claims are brought following data breaches on the basis of generalised allegations of MPI, breach of confidence and common law negligence. This decision is therefore welcome.

    The decision may also impact on the recoverability of ATE premiums. Claims arising out of data breaches are often supported by ATE insurance. Successful claimants cannot usually recover these premiums in civil litigation, but there is an exception to this general rule for "publication and privacy proceedings" (which includes claims for breach of confidence and MPI, but not claims for breach of the DPA 1998). Therefore, by bringing claims for breach of confidence and MPI, claimants have historically been able to take advantage of this exception and recover the ATE premium from the defendant(s).

    Given that this decision is likely to limit a claimant's ability to successfully bring claims for breach of confidence and MPI, where the data breach was caused by a third party, it seems unlikely that claimants will be able to recover the ATE premiums in these cases. In turn, the uncertainty around the recoverability of ATE premiums may force potential litigants to carefully consider the economic viability of their claims and lead to a reduction in the number of data breach claims brought.

    While significant, this is not likely to be the most significant decision of 2021 relating to data breach claims. That accolade will almost certainly go to the Supreme Court decision in Lloyd v Google. As we mentioned in our Top 10 Commercial Disputes Trends for 2021, the Supreme Court will determine in Lloyd v Google whether claims for "pure" loss of control of data may proceed on an opt-out basis as a representative action under CPR r19.6 – and, indeed, whether "loss of control of data" is itself a valid basis for a claim. Whichever way the Supreme Court goes, the ramifications of the decision will be significant, particularly in the fast-evolving litigation landscape of data breach claims. Watch this space.

    Authors: Catrin Southgate, Solicitor, Tim West, Senior Associate

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.