Damages for data security breaches

Warren v DSG Retail (High Court) [2021]

Data controllers and data processors face unprecedented financial liabilities for data security breaches both from fines imposed by regulators and potential damages claims from data subjects whose data is the subject of unauthorised access. Damages claims are particularly worrying because of the sheer number of potential claimants. This case is one of the first to consider in detail the basis and extent of such damages claims.

Facts:

Mr Warren was one of a number of customers of DSG (the owner of Currys and PC World) whose personal data was the subject of a cyber-attack in an incident that spanned a nine-month period from July 2017 to April 2018. The personal data involved included the names, addresses, telephone numbers, dates of birth and email addresses of approximately 14 million data subjects who were customers of DSG.

Mr Warren brought a claim against DSG alleging:

  • Breach of the Data Protection Act 1998 (DPA 1998), the relevant statute in force at the time of the cyber-attack.
  • Breach of confidence.
  • Misuse of private information.
  • Negligence.

He sought damages of £5,000 in respect of the distress caused to him as a result of his personal data being compromised during the cyber-attack. Mr Warren argued that DSG had intentionally and recklessly left his personal data exposed to a real risk of intrusion, or that its conduct was tantamount to publication of the data. Mr Warren relied on the findings in a monetary penalty notice (MPN) that the Information Commissioner issued in January 2020 in respect of the cyber-attack. DSG was fined £500,000 for a serious contravention of the seventh data protection principle (DPP7), which requires companies to have appropriate technical and organisational security measures in place in respect of personal data. DSG is appealing the MPN, and the parties had agreed before the hearing that the DPA 1998 claim would be stayed pending the conclusion of the MPN appeal.

DSG applied for the remaining claims (that is, all claims except the DPA 1998 claim) to be struck out.

Decision:

The court granted DSG’s application and struck out Mr Warren’s claims for breach of confidence, misuse of private information and negligence. In doing so, it held that:

Neither the breach of confidence nor the misuse of private information right of action imposes a positive data security duty on holders of information, even in relation to private or confidential information. Rather, those rights of action are concerned with prohibiting [positive] actions on the part of the information holder that are inconsistent with the principles of confidence and privacy.

The wrong here was a [negative] "failure" to take appropriate steps to protect the data, which allowed the cyber-attack to occur. Claims for breach of confidence and misuse require positive wrongful conduct on the part of the defendant, such as actively disclosing data to a third party or making some other unauthorised use of the data, neither of which DSG had done. While misuse may include unintentional use, it still requires a “use”, which has to be a positive action. The court drew a comparison with a scenario in which a burglar enters a home through a window that the homeowner carelessly left open and steals some bank statements: characterising the failure to lock the window as “publication” of the bank statements would be wholly artificial. As a result, the court was not persuaded that DSG’s conduct was tantamount to publication and called the claim an unconvincing attempt to shoehorn the facts of the data breach into the tort of misuse of private information.

With regard to the negligence claim, the court held, first, that there is established Court of Appeal authority that where duties under the DPA 1998 or other applicable data protection legislation apply, there is no place for a duplicative action in negligence (Smeaton v Equifax Ltd [2013]). Second, the nature of the claimed loss, being purely for distress and anxiety without any direct financial loss, does not constitute damage sufficient to found a tortious cause of action.

The court also rejected Mr Warren’s efforts to distinguish his case from the facts of Wm Morrison Supermarkets plc v Various Claimants, where the Court of Appeal held that the actions of the wrongdoer employee in that case could not found direct liability on Morrisons, other than in relation to DPP7. In Morrison, the employee was the wrongful actor. Similarly, in the present case, it was not DSG that disclosed the personal data, but the cyber-attacker.

Points to Note:
