Damages for data security breaches
Warren v DSG Retail (High Court) [2021]
Data controllers and data processors face unprecedented financial liabilities for data security breaches both from fines imposed by regulators and potential damages claims from data subjects whose data is the subject of unauthorised access. Damages claims are particularly worrying because of the sheer number of potential claimants. This case is one of the first to consider in detail the basis and extent of such damages claims.
Facts:
Mr Warren was one of a number of customers of DSG (the owner of Currys and PC World) whose personal data was the subject of a cyber-attack in an incident that spanned a nine-month period from July 2017 to April 2018. The personal data involved included the names, addresses, telephone numbers, dates of birth and email addresses of approximately 14 million data subjects who were customers of DSG.
Mr Warren brought a claim against DSG alleging:
He sought damages of £5,000 in respect of the distress caused to him as a result of his personal data being compromised during the cyber-attack. Mr Warren argued that DSG had intentionally and recklessly left his personal data exposed to a real risk of intrusion, or that its conduct was tantamount to publication of the data. Mr Warren relied on the findings in a monetary penalty notice (MPN) that the Information Commissioner issued in January 2020 in respect of the cyber-attack. DSG was fined £500,000 for a serious contravention of the seventh data protection principle (DPP7), which requires companies to have appropriate technical and organisational security measures in place in respect of personal data. DSG is appealing the MPN, and the parties had agreed before the hearing that the claim under the Data Protection Act 1998 (DPA 1998) would be stayed pending the conclusion of the MPN appeal.
DSG applied for the remaining claims (except for the DPA 1998 claim) to be struck out.
Decision:
The court granted DSG’s application and struck out Mr Warren’s claims for breach of confidence, misuse of private information and negligence. In doing so, it held that:
Neither the breach of confidence nor the misuse of private information cause of action imposes a positive data security duty on holders of information, even in relation to private or confidential information. Rather, such causes of action are concerned with prohibiting [positive] actions on the part of the information holder that are inconsistent with the principles of confidence and privacy.
The wrong here was a [negative] "failure" to take appropriate steps to protect the data which allowed the cyber-attack. Claims for breach of confidence and misuse require positive wrongful conduct on the part of the defendant party, such as actively disclosing data to a third party or making some other unauthorised use of the data, neither of which DSG had done. While misuse may include unintentional use, it still requires a “use”, which has to be a positive action. The court drew comparison to a scenario in which a burglar enters a home through an open window, which the homeowner had carelessly left open, and steals some bank statements. Characterising the failure to lock the window as “publication” of the bank statements was wholly artificial. As a result, the court was not persuaded that DSG’s conduct was tantamount to publication and called the claim an unconvincing attempt to shoehorn the facts of the data breach into the tort of misuse of private information.
With regard to the negligence claim, the court held that there is established Court of Appeal authority that where duties under the DPA 1998 or other applicable data protection legislation apply, there is no place for a duplicative action in negligence (Smeaton v Equifax Ltd [2013]). Further, the nature of the claimed loss, one purely for distress and anxiety without direct financial loss, does not constitute damage sufficient to found a tortious cause of action.
The court also rejected Mr Warren’s efforts to distinguish his case from the facts of Wm Morrison Supermarkets plc v Various Claimants, where the Court of Appeal held that the actions of the wrongdoer employee in that case could not found direct liability on Morrisons, other than in relation to DPP7. In Morrisons, the employee was the wrongful actor. Similarly, in the present case, it was not DSG that disclosed the personal data, but the cyber-attacker.
Points to Note:
- Data controllers and data processors will welcome confirmation that the basis on which claims of this nature can be brought has been significantly narrowed.
- The fact that a duty of confidence does not impose a positive data security duty on the recipient of information underlines why confidentiality undertakings and contracts generally include positive obligations to take reasonable care to safeguard data. Quite why Mr Warren’s claim was not framed as a pure breach of contract claim (on the basis perhaps of an implied obligation / expectation that the retailer would take reasonable care of the data provided) is not entirely clear.
- However, that is not the end of the story. The outcome of DSG’s appeal against the MPN will be eagerly awaited and, depending upon how that goes, the final element of Mr Warren’s claim may be resurrected. DSG’s appeal is scheduled for November 2021, so the judgment in relation to that element could be several months away.
- Whilst mere ‘distress’ may not be a sufficient basis for a claim in negligence, the DPA has been interpreted by the courts as allowing compensation on such a basis.
- Part of the judgment may also have a significant impact on the commercial viability of such claims in future. The general principle is that the winning party in litigation is awarded a proportion of their legal costs from the losing party. This is important given that such claims, whilst numerous, are, individually, small in value (as was the case here). For that reason, any potential liability of the claimant for legal costs should they lose is often covered by so-called ‘After the Event’ (‘ATE’) insurance. The premiums for such insurance will often be greater than the damages being claimed. Therefore, being able to recover the cost of the premium if your action is successful is crucial. The rules governing civil litigation and the award of legal costs in England are complex but, crucially, whilst ATE premiums can be recovered in respect of proceedings for "misuse of private information" or "breach of confidence involving publication to the general public", they are not recoverable for claims for breach of statutory duty related to the GDPR or the Data Protection Act 2018. More generally, claimants may find that claims of this nature are allocated to the so-called ‘small claims track’, where recovery of legal costs is not permitted. This may further impact upon the economic viability of such claims in the future.