Warren v DSG Retail Limited
In a recent High Court decision that will be welcomed by data controllers and processors, the courts have reduced the number of legal claims that can be brought for damages following data breaches due to a cyber-attack.
The judge struck out claims based on breach of confidence, misuse of private information and negligence and henceforth claimants will only be able to seek damages for breach of the relevant data protection rules.
The Claimant was seeking damages of £5,000 against Dixons Carphone (DSG). In 2018, DSG was the subject of a cyber-attack whereby its systems were accessed by an unauthorised hacker. The hacker succeeded in installing malware on over 5,000 point of sale terminals, accessing personal data of approximately 14 million data subjects and around 5 million card payment details.
As the data breaches took place between July 2017 and April 2018, the ICO investigation and fine was carried out under the old 1998 Data Protection Act, which resulted in the maximum fine of £500,000 levied against DSG. Inadequate security arrangements included:
- inadequate software patching;
- lack of a local firewall;
- lack of network segregation;
- lack of routine security testing.
High Court’s decision
Despite the serious data security lapses by DSG, the judge held that the breach of copyright and misuse of private information claims could not be argued as there needed to be some “positive conduct” by DSG, whereas in practice there had merely been a failure to act following the cyber-attack. In essence, the court decided that there had been no disclosure or misuse of personal data by DSG, as that was solely caused by the third party hacker.
In addition, neither cause of action imposed a separate data security duty on DSG, as this only arose under the data protection legislation. In addition, the claimant could not bring a separate claim in negligence as there was no need to impose a duty of care given the clear statutory duties under the DPA and insufficient loss had been suffered: the distress caused was not felt to be sufficiently serious to allow a negligence claim.
The decision will be welcomed by organisations who hold and process large amounts of personal data: whilst they will still need to justify their personal data security under the DPA, they will not be subject to claims based on breach of confidence, misuse of private information or negligence. The number of claims is likely to fall.
Unless this judgement is reversed, data subjects affected by cyber-attacks will in future only be able to pursue damages as a result of a breach of the data protection legislation. Consequently, if it is no longer possible to bring claims based upon misuse of private information or breach of confidence, there will be a serious threat to recovering “after the event” (ATE) insurance as it is permitted to recover ATE premiums in relation to publication in privacy proceedings (which includes misuse of private information or breach of confidence), but not in relation to data protection claims.
In addition, it will now be more likely that this type of low value data breach case will be seen as relatively straightforward and so allocated to the courts’ small claims track, where recovery of legal costs is not possible – this could well mean that many victims of personal data loss will feel that they cannot afford to take legal action at all to claim damages. As a result, this decision will be seen by many as unfortunate in that it could lead to less enforcement of the DPA rules through damages claims.
How Moore Barlow can help
We have teams of specialists covering every aspect of commercial law. Our expertise covers commercial contracts, IT and telecommunications, IP, copyright, outsourcing, regulatory advice, data protection and GDPR, franchising and licensing.
Whatever your business sector, our expert teams can provide you with dedicated support.