High Court provides clarity on causes of action in ‘external attacker’ cases

  • United Kingdom
  • Privacy, data protection and cybersecurity



The UK’s High Court has confirmed that a “use” (or “positive action”) is required in order for the torts of breach of confidence and misuse of private information to be actionable in an “external, criminal third-party attacker” context.

This development will be welcomed by organisations facing cybersecurity threats, which continue to grow in sophistication, frequency and coverage, because it: (1) is a signal to claimant firms to reconsider citing extraneous causes of action in claims for compensation where data protection rights have been infringed; and (2) may serve to dissuade claimants from bringing proceedings in the first place due to growing uncertainty around the recoverability of ATE premiums.


The High Court recently handed down its judgment in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB). The claim arose following a data breach at DSG Retail Ltd (“DSG”) when it suffered a complex cyber-attack in 2017-2018. The claimant sought to bring an action against DSG in breach of confidence (“BOC”), misuse of private information (“MPI”), breach of the Data Protection Act 1998 (“DPA”) and in the alternative, common law negligence.

The Court struck out the claims for BOC and MPI, concluding that these were ill-founded as those causes of action did not impose a data security duty on DSG. The Court also found that the claim in negligence failed, as damages for negligence are not established unless and until damage has been suffered by the claimant.

The Court allowed the claim for breach of the DPA in relation to Data Protection Principle 7 (“DPP7”), which requires DSG to take “appropriate technical and organisational measures” against “unauthorised or unlawful processing, accidental loss or destruction of, or damage to, personal data”. The claim is currently stayed pending the outcome of DSG’s appeal to the First-tier Tribunal in relation to the £500,000 monetary penalty notice issued by the Information Commissioner’s Office (“ICO”). The penalty was issued under the old DPA regime, as the cyber-attack pre-dated the introduction of the GDPR.


Between July 2017 and April 2018, DSG (operating the ‘Currys PC World’ and ‘Dixons Travel’ brands) was the victim of a complex cyber-security attack carried out by sophisticated and methodical criminals, resulting in DSG’s systems being infiltrated and malware installed on almost 6,000 point of sale terminals. The claimant had purchased goods from Currys PC World and claims that his name, address, phone number, date of birth and email address were compromised (along with many of DSG’s customers’ data).

The ICO investigated the circumstances of the attack and decided that DSG had breached DPP7 and issued a monetary penalty notice in the sum of £500,000. This is subject to an appeal to be heard later this year.

The claimant issued his claim, limited to £5,000, seeking damages for distress, BOC, MPI, breach of the DPA and negligence. DSG applied for summary judgment/strike out on the basis that the claimant’s claims for BOC, MPI and negligence were untenable. DSG did not seek to strike out the claim under the DPA.

The High Court Decision

The Court agreed with DSG’s application and struck out the claimant’s claims for BOC, MPI and negligence.

The Court found that the claim for BOC and MPI did not assist the claimant as a ‘misuse’ requires a ‘use’: that is, a positive action. In referencing Article 8 of the European Convention on Human Rights (the basis for MPI as a tort), the Court explained that there must be an ‘interference’ by DSG – which had not been shown to be the case.

The Court went on to say that the claimant’s argument that DSG’s conduct amounted to “publication” of information to the third-party hacker was “wholly artificial” and an “unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI”.

The claimant’s alternative pleading in negligence was also struck out, with the Court noting two fatal problems:

(1) there is neither need nor warrant to impose a duty of care where the statutory duties under the DPA 1998 operate: Smeaton v Equifax Ltd [2013] 2 All ER 959; and

(2) the nature of the claimed loss is not complete unless and until damage has been suffered by the claimant. A state of anxiety produced by some negligent act or omission, but falling short of a clinically recognisable psychiatric illness, does not constitute damage sufficient to complete a tortious cause of action.

The Court allowed the claim for breach of statutory duty in relation to DPP7, which is currently stayed.


This case provides needed clarity on the causes of action in ‘external attacker’ data breach cases. In concluding his judgment, Mr Justice Saini transferred the matter to the County Court for directions following expiry of the stay, indicating that the High Court is not the suitable Court for this type of litigation.

An ancillary impact of the judgment relates to costs recovery. By way of reminder, after-the-event (“ATE”) insurance premiums are recoverable in “publication and privacy proceedings”. However, claims for breach of data protection legislation are not classed as publication and privacy proceedings, which has led to claims being brought in MPI and BOC to help secure the recovery of ATE premiums. So where the only viable cause of action is under the statutory data protection regime (which is looking increasingly likely given the judgment in Warren v DSG Retail Ltd), ATE premiums will not form part of a successful claimant’s recoverable costs, which may dissuade claimants from pursuing litigation.