English High Court Judgment Narrows The Scope of Data Breach Claims

Compensation claims for data breaches have become increasingly common in the UK, and are often issued in the High Court (Media and Communications List). However, the High Court’s recent judgment in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) may signal a reversal of that trend. At the very least, unless reversed on appeal, the decision will substantially reduce the scope of many such claims.

Background

Between July 2017 and April 2018, DSG Retail Ltd (“DSG”) was the victim of a cyber-attack, whereby an unauthorised third party installed malware on its systems and accessed the personal data of many of its customers. In January 2020, having investigated the attack, the Information Commissioner fined DSG £500,000 for breach of the Data Protection Act 1998 (the “DPA”).

Mr Warren brought a claim in the High Court against DSG. He alleged that his personal data (name, date of birth, address, telephone number and email) had been compromised in the attack, causing him to suffer distress, for which he sought damages of £5,000. In addition to breach of the DPA, his pleaded causes of action included breach of confidence and misuse of private information (together the “Privacy Claims”), as well as common law negligence. 

DSG applied for summary judgment and/or an order striking out each of Mr Warren’s claims, apart from the claim under the DPA. 

Decision

The application succeeded. Regarding the Privacy Claims, Mr Justice Saini held that both causes of action require positive conduct on the part of the data controller; they do not impose a data security duty. Mr Warren had not pleaded any such positive conduct, which was “unsurprising, given that DSG was the victim of the cyber-attack”. It followed that the Privacy Claims had no realistic prospect of success.

As for the negligence claim, the Judge considered that this had “two fatal problems”. First, given the bespoke statutory regime for determining the liability of data controllers in the form of the DPA (and now the UK GDPR), there was no need nor justification for constructing a concurrent duty of care in negligence. Secondly, Mr Warren had no actionable loss in circumstances where he had suffered neither pecuniary loss nor psychiatric harm amounting to personal injury.

Commercial consequences

Claimants in data breach litigation typically protect their costs exposure through After the Event (“ATE”) insurance policies, the premiums on which can be considerable and often exceed the damages claimed. While ATE premiums are generally not recoverable from defendants following the Jackson reforms (and are not recoverable for claims for breach of data protection legislation), they remain recoverable for breach of confidence and misuse of information claims. 

Following the High Court’s judgment, it will be harder to bring such claims, as there will often be no demonstrable positive act by the data controller. As a result, many claimants will be unable to recover ATE premiums, and will have to weigh up their costs exposure against potential damages in the usual way. At the same time, ATE policies may become more difficult to obtain and/or premiums may increase, as insurers recognise the growing possibility of privacy claims being struck out.

Moreover, to the extent that low-value data breach claims are limited to breaches of the statutory regime, and no longer include privacy or negligence claims, they are more likely to be allocated to the small claims track, where recovery of legal costs is not possible.

Consequently, data breach claims arising out of cyber-attacks may become uneconomical for many individual claimants. The extent to which this reduces the volume of such claims, and/or leads to them increasingly being brought as higher-value group litigation (so that they can be issued in the High Court and the cost of ATE policies shared between a large number of claimants) remains to be seen, but the landscape is changing.