Narrowing the Scope of Data Breach Claims? – Warren v DSG Retail Ltd
Over the past few years, there has been an increasing number of claims against businesses and public bodies for distress caused by data breaches. The pattern is, by now, a familiar one. A claimant will make a claim for breach of data protection legislation, seeking damages at a relatively low value for the distress and anxiety they say has been caused by the data breach. This claim will be accompanied by claims for one or more of: misuse of private information, breach of confidence and negligence. Added on to the damages claimed will be the legal costs of the claimant’s lawyers, together with the after-the-event (“ATE”) insurance premium for the policy the claimant will have procured to bring a privacy claim. As a result, the defendant is faced with a difficult decision – pay over the odds for a claim where the claimant has suffered no financial loss, or fight litigation with the risk of mounting costs on both sides if the decision goes against them.
Following a cyber-attack in 2017 and 2018, this is the situation that faced DSG Retail Limited (“DSG”), and which has led to an important judgment for these data breach claims, Warren v DSG Retail Ltd EWHC 2168 (QB).
DSG had been the victim of a criminal cyber-attack, whereby the attackers accessed personal data such as names, addresses, telephone numbers, dates of birth and email addresses of many of its customers. Mr. Warren claimed to be one such customer. The attackers had breached DSG’s security systems on in-store terminals, allowing them to access data on DSG’s system.
Mr. Warren brought his claim against DSG in the High Court seeking £5,000 in damages for distress, alleging that DSG was liable for (1) breach of the Data Protection Act 1998 (the “DPA”), (2) breach of confidence, (3) misuse of private information, and (4) negligence. DSG sought to strike out or obtain summary judgment dismissing the latter three claims.
DSG sought to have the misuse of private information and breach of confidence claims struck out/summarily dismissed because, it said, these causes of action required the defendant to have committed a positive, wrongful act in disclosing or otherwise misusing the data. As DSG had been the victim of a cyber-attack, it had not taken any positive action on which a claim could be founded. The Court agreed. Whilst it was alleged that DSG had failed to take appropriate security measures to protect the data, this did not equate to positive conduct which would constitute a breach of confidence or misuse of private information. The court confirmed that these claims do not impose data security requirements but are primarily concerned with prohibiting activity by the data controller which is inconsistent with the concepts of confidence and privacy. To put it another way, whilst a ‘misuse’ of private information may be unintentional, it still requires there to be a ‘use’. Paraphrasing the judge’s example, if you carelessly leave your window open and a burglar enters and steals your child’s bank statements, it would make little sense to describe this as a misuse of private information by you.
Accordingly, the breach of confidence and misuse of private information claims were bound to fail and were struck out. The negligence claim was also dismissed. First, applying existing Court of Appeal authority, the Court found that there was no need to impose a duty of care in circumstances where the DPA already imposed statutory duties. It was, therefore, not fair, just or reasonable to impose such a duty of care to found a negligence claim. Additionally, unlike the ability under the DPA to claim damages for distress, claims in negligence require some damage or harm to have been suffered. Anxiety falling short of recognized psychiatric illness was not sufficient damage. As a result, Mr. Warren had suffered no loss which he was entitled to recover by way of a negligence claim.
Implications of the Decision
As a result of the Court’s ruling, only Mr. Warren’s claim for breach of the DPA will be allowed to proceed. The claim has also been transferred from the High Court down to the County Court, where it is currently stayed pending the outcome of DSG’s appeal against the Monetary Penalty Notice imposed on it by the Information Commissioner in respect of the cyber-attack.
Given that the value of damages claimed will likely remain the same, one may well ask the significance of this decision. DSG remains ‘on the hook’ for the same loss as before. However, it is the wider implications of this case where this decision has real significance.
Claimants bringing data breach claims will typically have taken out ATE policies to protect them against any adverse costs. They then seek to claim the premium on those policies back from the defendant. This will provide a substantial increase on the sums sought from the defendant, usually well in excess of the amount claimed. An ATE premium is not generally recoverable from an opposing party in litigation, but there is an exception to this for publication and privacy proceedings. This includes claims for misuse of private information or breach of confidence, but, importantly, does not include data protection claims. As a result, it now appears unlikely that Mr. Warren will be able to recover any ATE premium from DSG, even if his claim is ultimately successful. Given the usual level of ATE premiums, an inability to claim these sums back from the defendant at the conclusion of proceedings is likely to make many claims uneconomical for claimants to bring in the manner we have typically seen.
This decision has a significant, potentially chilling, impact on the numbers of these types of claims being brought. If claimants have to fund their own ATE premium, which will take up the majority of or even outstrip the damages claimed, they may well be dissuaded from bringing claims for distress alone, particularly given the growing willingness of the judiciary to transfer these low value claims down to the County Court where cost recovery is more limited. This will be a welcome development for corporates frustrated by what they see as a growing cottage industry in minor data breach claims.
However, whilst this decision adds useful clarity in this developing area, questions are left open:
First, while the need for a positive act is now clear for misuse of private information and breach of confidence claims, it is not yet clear whether, with some further thought, claimants will be able to find a sufficient positive act on which to hang their hat, to maintain their claims.
Moreover, this decision will only influence the position where the potential defendant has been the subject of an attack by a third party bad actor. Other circumstances, such as the accidental minor data breach of an email copied to the wrong person, or the wrong address on an envelope, are not materially affected by this judgment.
Data breach claims of the type considered in this case have been an increasing issue for businesses and public bodies, with the value in dispute far outweighed by the cost of each side in dealing with them. This often forces settlement at an early stage, even for unmeritorious claims. In restricting the manner in which these types of claims must be brought, the Court has set an important precedent which will have much wider-ranging implications than such a small case would have you believe. Only time will tell if it truly does cause a tactical rethink for both those claiming damages for a breach of their data rights and those seeking to defend such claims made against them.