In a judgment handed down on 30 July 2021, Mr Justice Saini considered a number of important issues in data protection/privacy claims. The judgment related to a claim brought by Darren Warren against DSG Retail Ltd (“DSG” - the owner of Curry’s and Dixons Travel). DSG had been the victim of a complex cyber-attack between July 2017 and April 2018. The Information Commissioner had investigated and concluded that DSG had breached the Seventh Data Protection Principle (relating to the security of data) and had fined DSG £500,000. However, that decision is the subject of an appeal.
Mr Warren had purchased goods from Curry’s and claimed that his name, address, phone number, date of birth and email address had been compromised in the cyber-attack. He brought a claim, limited to £5,000 in damages, for breach of confidence, misuse of private information, breach of the Data Protection Act 1998 (“the DPA 1998”) and common law negligence.
DSG applied for summary judgment on all of these heads of claim apart from a data protection claim relating to the Seventh Data Protection Principle (which essentially provides that data must be kept securely). The claimant abandoned his other claims (which were not specified in the judgment) in relation to other alleged breaches of data protection principles.
The Judge concluded that the ‘wrong’ that formed the basis of the claim was a failure which allowed the attacker to access Mr Warren’s personal data. The Judge said “It is clear that the Claimant does not allege any positive conduct by DSG said to comprise a breach or misuse for the purpose of either [breach of confidence or misuse of private information]. That is unsurprising, given that DSG was the victim of the cyber-attack. There can be no suggestion that DSG purposefully facilitated the Attack, and that is not pleaded in the claim. In any event, there is no evidence to that effect, and it is contrary to common sense.
Rather, the Claimant’s claim is that the DSG [sic] failed in alleged duties to provide sufficient security for the claimant’s data. That is, in essence, the articulation of some form of data security duty. In my judgment, neither [breach of confidence nor misuse of private information] impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy. Counsel for the Claimant submitted that applying the wrong of [misuse of private information] on the present facts would be a “development of the law”. In my judgment, such a development is precluded by an array of authority”.
The Judge said that misuse could include an unintentional use but still required a “use” (i.e. a positive action). The Judge drew on the decision in Various Claimants v William Morrison Supermarkets plc  QB 772 (which related to the use of data by a rogue employee for whom Morrison’s were held not to be vicariously liable) in which the Court had held that Morrison’s had not breached the data protection principles as the acts said to have broken the principles were those of a third party and not Morrison’s. The Court had also found that Morrison’s did not have direct liability for breach of confidence or misuse of private information as it was not Morrison’s that had disclosed or misused the information concerned.
The Judge in Warren also agreed with DSG’s submissions that there were two fatal problems with the negligence claim. Firstly, the Court of Appeal in Smeaton v Equifax Ltd  2 All ER 959 had said that there was no need to impose a duty of care where the statutory duties under the DPA 1998 operated. The Judge concluded that, as had been the view of the Court of Appeal in Smeaton, imposing a duty would potentially give rise to an indeterminate liability to an indeterminate class; that doing so would be otiose given the obligations imposed by the DPA 1998; and that there was no room (nor any need) to construct a concurrent duty of negligence where there was already a bespoke statutory regime for determining the liability of data controllers. The Judge said that proximity was not created by the existence of a customer relationship and that it would not be fair, just or reasonable to impose such a duty. Secondly, a cause of action in tort for damages for negligence required damage to have been suffered by the claimant. The Judge said that “…. a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action”.
The Judge transferred the remainder of the claim to the County Court for directions pending the outcome of the appeal in relation to the claim relating to the alleged breach of the Seventh Data Protection Principle.
This is a very sensible and helpful judgment. We frequently see claims for relatively straightforward breaches of data protection legislation framed as claims for misuse of private information, breach of confidence, negligence and breach of the claimant’s human rights. This seems to be an effort on the part of the claimant’s lawyers to paint a picture of such claims being extremely complex. This, in turn, is used to justify very high claimant solicitors’ costs and to support arguments that these claims are suitable only for the multi-track and should be issued in the High Court when, in fact, they are often straightforward.
This judgment has a number of important potential consequences:
1. Whilst this specific claim related to a cyber attack and not the accidental disclosure of information, it is very helpful in all claims where a third party stole, disclosed or accessed data. It now seems clear that in claims involving cyber attacks, claims for breach of confidence and misuse of private information will fail.
2. The fact that claims for breach of confidence and misuse of private information are likely to fail has additional consequences. Claimants who pursue such claims can usually recover any After The Event (“ATE”) insurance premium. As a result, claimants in data breach claims frequently take out (or threaten to take out) ATE cover. If they are unable (as would appear to be the case following this judgment) to recover any ATE premiums from the defendant (because their claims for breach of confidence and/or misuse of private information fail) they are unlikely to take out such cover. There is every prospect that claimants without ATE cover will show far less enthusiasm for pursuing claims (especially weaker claims) and/or that the fact that they do not have such cover will make them take a far more realistic approach towards quantum than is the case where they feel that they have no exposure to the defendant’s costs. Although such claims might still be pursued in the small claims court, where a successful defendant will not be able to recover any substantive costs, this will have the benefit that claimant solicitors will not be able to recover substantive costs either.
3. The judgment makes it clear that claims for negligence in all types of data breach claim should fail.
4. The fact that the Judge transferred the balance of the claim to the County Court further reinforces our longstanding view that claims like this should not (contrary to the arguments put forward by claimants’ solicitors) be pursued in the High Court and/or the multi-track.
In the circumstances, this is a very helpful judgment for all businesses facing data breach claims and their insurers, particularly those insurers who specialise in providing cyber insurance.