The High Court in Warren v DSG Retail Limited  EWHC 2168 (QB) has struck out several claims which had been issued against DSG Retail Limited (DSG), following a publicised cyberattack on the retailer in 2017-18 (the claimant claims to have been an affected customer). The decision will be welcome news for organisations defending low-value claims by individuals following data-security incidents.
Between July 2017 and April 2018, DSG, which owns and operates Currys PC World and Dixons Travel, was the victim of a cyberattack by an unknown criminal third party. The attack resulted in the loss of personal data belonging to some of its customers.
Following an investigation into the data incident, the Information Commissioner's Office (ICO) held that DSG had failed to abide by the seventh data protection principle, that is, it had failed to take appropriate technical and organisational measures to protect the personal data. DSG was fined £500,000 by the ICO, which DSG has appealed. The appeal is scheduled to be heard later this year.
Claim against DSG
The claimant was among the customers who claimed to have been affected by the data incident and alleged that his name, address, phone number, date of birth and email address had been compromised. He issued a claim against DSG seeking damages limited to £5,000 in respect of alleged distress he claimed to have suffered as a result of the data incident. His claims were framed as actions for breach of confidence, misuse of private information, common law negligence and breach of the Data Protection Act (DPA) 1998, which was the data protection statute applicable at the time of the data incident.
DSG applied for summary judgment and/or to strike out all of the claims, except for the claim alleging breach of the DPA 1998. It did so on the basis that the breach of confidence, misuse of private information and common law negligence claims had no basis in law and/or had no reasonable prospect of success.
The High Court's decision
DSG's application for strike out and/or summary judgment was successful on all grounds and the claim was transferred to the County Court.
Breach of confidence and misuse of private information
In relation to the breach of confidence and misuse of private information claims, the judge, Mr Justice Saini, confirmed that neither of these causes of action imposes a ''data security duty'' upon the data controller, and each cause of action (to succeed) requires the defendant to carry out some positive wrongful action (which was absent here, as this was a cyberattack by a third party).
The judge held that: ''neither [breach of confidence claims] nor [misuse of private information claims] impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy [emphasis added].''
The judge observed that: ''a ‘misuse’ may include unintentional use, but it still requires a ‘use’: that is, a positive action… If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a “misuse of private information” by me. Recharacterizing my failure to lock the window as “publication” of the statements is wholly artificial. It is an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI [misuse of private information].''
The claimant had also advanced a common law negligence claim against DSG as a result of the Data Incident, alleging that he had suffered distress and anxiety upon learning of the Data Incident. The judge considered that there were ''two fatal problems with the negligence claim.''
First, the Court of Appeal previously has confirmed that there is no need to impose a duty of care where a statutory duty already arises under the DPA 1998, and that this reasoning (although not binding in the present circumstances) was applicable to the present claim. The judge therefore concluded that no common law duty of care existed in the circumstances.
Secondly, the judge observed that a cause of action for damages in negligence requires that damage is actually suffered by the claimant. Significantly, the judge concluded that: ''a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action. [emphasis added].''
All three claims forming the subject of the summary judgment and strike-out application (breach of confidence, misuse of private information and negligence) were therefore struck out, with the remaining data protection claim transferred to the County Court and stayed, pending a decision in DSG's appeal in relation to the ICO decision.
There has been a growing trend of individuals seeking compensation and issuing low-value claims alleging distress and other damage against organisations that suffer cyberattacks and other data security incidents. Such claims are often driven by law firms operating on a "no win no fee" basis, backed by insurance to cover the other side's costs if they lose. The legal costs in such claims tend to far exceed any damages claimed and recovered upon success (typically, amounts claimed for minor data breaches vary between £1,500 and £5,000, although likely awards are often even lower).
It is common in such claims for claimant lawyers to adopt the "kitchen sink" approach of adding in claims for breach of confidence, misuse of private information and common law negligence even though they add very little to claims for unlawful data processing. The main motivation for including these claims appears to be so that they can claim recovery of the ATE (after the event) insurance premium if successful. (ATE insurance provides cover for the legal costs of pursuing or defending a claim and is taken out after the claim has arisen.)
The recovery of ATE premiums was abolished in civil litigation by s.44 of the Legal Aid, Sentencing and Punishment of Offenders Act 2012, but an exception was maintained in relation to "publication and privacy proceedings", which were defined as including claims for "(a) defamation, (b) malicious falsehood, (c) breach of confidence involving publication to the general public, (d) misuse of private information or (e) harassment, where the defendant is a news publisher." No mention was made of data protection claims, even where these claims are against media publishers. Claimant lawyers have therefore attempted to characterise data protection claims as "misuse of private information" claims, even when there is no publication element involved.
This judgment brings welcome and timely confirmation that non-data protection claims cannot be pursued where the data security incident is perpetrated by a third party, as opposed to a positive act of publication by the defendant. This means that the ATE insurance premiums in these cases would not be recoverable from the defendant even upon success of the remaining unlawful data processing claim. This considerably weakens the viability of such claims for claimant law firms, because it is those firms, rather than their clients, who are typically liable to pay the insurance premium, which can run into many thousands of pounds.
The decision of the judge to transfer the case to the County Court is also interesting. Recovery of costs in the County Court is usually severely limited. Again, this means that claimant law firms intent on racking up costs in the hope of recovering in excess of 70% of them may need to think again as to the viability of "funding" such claims through conditional fee agreements.
Does this mean there is an "access to justice" issue? We are awaiting a Supreme Court decision as to where the "minimum threshold" of damage lies as to when individuals affected by a data breach are entitled to seek compensation. In the meantime, some law firms chasing low-value data protection claims may need to reassess their business models.