The judgment handed down by the High Court in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) gives data controllers some much-needed clarity on the appropriate causes of action for breaches resulting from cyber attacks and accidental data breaches, and on the recoverability of After the Event (ATE) premiums. The curtailment of available heads of claim, and the resulting uncertainty around the availability of ATE cover, is likely to force claimant firms to consider the viability of their clients' claims more carefully before issuing proceedings.

What was the case about?

The defendant, Dixons Carphone (DSG), was the victim of a cyber attack from 2017 to 2018, in which the attackers penetrated DSG's systems and accessed the personal data of many of DSG's customers. The claimant, Mr Warren, brought a claim against DSG, relying on four causes of action:

  1. Misuse of private information.
  2. Breach of confidence.
  3. Breach of the Data Protection Act 1998.
  4. Negligence.

DSG argued that the claims of misuse of private information, breach of confidence and negligence had no realistic prospect of success, and applied for summary judgment and/or an order to strike out each cause of action except for the breach of the data security duty under the Data Protection Act 1998.

DSG argued that:

  • Misuse of private information and breach of confidence require positive wrongful conduct by the defendant and do not confer a data security duty (i.e. a duty to provide sufficient security for the claimant's data) upon the defendant.
  • There is no duty of care in negligence for data controllers' conduct where it is covered by data protection legislation.

What did the court say?

The High Court granted DSG's application. Mr Justice Saini held that misuse of private information and breach of confidence are concerned with prohibiting actions by the data controller which are inconsistent with the obligation of confidence and privacy. Saini J accepted that a 'misuse' may include unintentional use, but it still requires a 'use', i.e. a positive action. Regarding the duty of care in negligence, the court applied the principle established in Smeaton v Equifax plc [2013] 2 All E.R. 959, that there is no need to impose a further tortious duty of care where a bespoke statutory regime already exists.

What does this mean for data controllers?

This decision provides welcome clarity on the causes of action that can properly be brought in cases concerning cyber attacks. In terms of what this means in practice for organisations:

  1. Increased pressure on claimants to demonstrate improper use before pursuing claims for misuse of private information, breach of confidence and claims in negligence for data protection/cyber claims. Claimant law firms typically rely upon multiple heads of claim to bolster their client's claim. Although the facts of these cases tend to be simple, and the sums sought relatively low, the costs of defending these claims can be significant. Saini J's articulation of the applicability of the common law torts of misuse of private information and breach of confidence is also highly relevant for cases involving an accidental data breach. If there has not been a 'use' of the data concerned, then these heads of claim are unlikely to be appropriate.

  2. Greater uncertainty around claimants' ability to recover ATE insurance premiums in data protection/cyber claims. Claimant law firms often persuade their clients to take out ATE insurance and will in turn try to recover the ATE premium from the defendant as part of their claim. ATE premiums may be recoverable for misuse of private information and certain types of breach of confidence claims but are not recoverable for breaches of the GDPR, which is often the core cause of action at the heart of a claim. This judgment therefore casts considerable doubt on whether claimants can seek to recover ATE premiums from defendants in claims resulting from a cyber attack. If the ATE premiums cannot be recovered, this may deter some from issuing claims.

The High Court's decision is part of a rapidly developing body of case law (see also our recent analysis of Lloyd v Google LLC), which is helping to delineate the bounds of data privacy compensation claims. At Womble Bond Dickinson our international team of data privacy lawyers have significant experience of strategically defending and pursuing data privacy claims, as well as advising clients on the UK's data protection regime and transatlantic privacy issues.

Attributed to Simon Lellouche, Trainee Solicitor.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.