High Court strikes out claims for compensation for distress for misuse of private information, breach of confidence and negligence
Warren v DSG Retail Ltd  EWHC 2168 (QB)
Can misuse of private information, breach of confidence and the tort of negligence be asserted as causes of action in a claim for a data breach arising from a cyber-attack?
The key takeaway
A claim against a business concerning data breaches arising from a third-party cyber-attack should be considered under the relevant data protection legislation, not as a claim for misuse of private information, breach of confidence and the tort of negligence.
The case concerns an individual claim (for approximately £5,000) brought against Dixons Carphone (DSG). In 2018, DSG was the victim of a cyber-attack in which the attackers accessed the personal data of many of DSG’s customers.
The ICO investigated the incident and found that DSG had breached Data Protection Principle 7 under the Data Protection Act 1998, which requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data (the ICO Decision). A £500,000 Monetary Penalty Notice (MPN) was also issued against DSG. Both the ICO Decision and the MPN were appealed by DSG.
The claimant, who had purchased goods from Currys PC World, subsequently brought a civil claim against DSG claiming that his personal information, including his address, phone number and date of birth, had been compromised in the attack and that he had suffered distress as a result. The claimant alleged breach of confidence, misuse of private information, breaches of the Data Protection Act 1998 and negligence, and sought damages from DSG of up to £5,000 for distress suffered. DSG applied to the court for summary judgment and/or an order striking out all of the claims except the claim for alleged breach of statutory duty.
The High Court struck out the claims, save for the claim for breach of statutory duty.
Breach of confidence and misuse of private information
A successful claim for breach of confidence and misuse of private information would require a form of positive wrongful action on the part of DSG, for example, disclosing the private information in question to a third party without permission. Whilst highlighting that DSG were the victims of a cyber-attack, the judge remarked that “both [claims] are concerned with prohibiting actions by the holder of information which are consistent with the obligation of confidence/privacy”. Neither cause of action, however, imposed a duty of data security on DSG.
On the negligence claim, there was no need under English law to impose a duty of care where the statutory duties applied (in this case, those under the Data Protection Act 1998). Imposing a duty owed generally to those affected by a data breach would potentially give rise to an indeterminate liability to an undetermined class, which would serve no purpose given the obligations imposed under the Act. Even if a duty of care had been established, the claimant had failed to outline the loss suffered properly, and the suffering of “distress” did not constitute damage sufficient to successfully plead a tortious cause of action. This claim was also struck out.
Why is this important?
The High Court’s decision sets clear boundaries for the claims that can be brought in relation to a third-party cyber-attack. It has established that claims attempting to “dress up” such data breaches as breach of confidence / misuse of information torts, or alleging negligence where no separate duty of care is established, will not be accepted.
Claimants in these types of disputes often obtain “After the Event” (ATE) insurance to provide costs protection. ATE premiums are not generally recoverable from the defendant, although there is an exception for “publication and privacy proceedings” (which include claims for “misuse of private information” and “breach of confidence involving publication to the public”, but not data protection claims). This judgment should therefore prevent claimants seeking to recover ATE premiums for claims which are properly data protection claims.