What’s this all about?
Compensation claims for data breaches are becoming ever more common, especially where the breach resulted from a cyber-attack. Such claims continue to turn into litigation, even where the sums demanded are modest. Claimants frequently try to characterise their claims creatively, so that they are not based solely on infringements of data protection law. In the recent case of Warren v DSG Retail Ltd the High Court in England & Wales appears to have narrowed the scope for bringing such claims. This article briefly looks at the ruling and its implications.
What’s the background to the case?
DSG, the retailer behind the Currys PC World and Dixons Travel brands, suffered a cyber-attack between 2017 and 2018. The attackers infiltrated DSG’s systems and installed malware that ran on 5,930 point-of-sale terminals in its stores. In the course of the attack they accessed the personal data of many of DSG’s customers.
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), investigated and concluded that DSG had breached the data security requirements of the pre-GDPR data protection regime. In 2020 the ICO imposed a fine of £500,000, which remains subject to appeal. There is some background on the ICO investigation and fine here https://www.corderycompliance.com/pc-world-owner-fined-after-data-breach/.
Mr. Darren Lee Warren had purchased goods from Currys PC World and claimed that personal data concerning him had been compromised in the cyber-attack, namely his name, address, phone number, date of birth and email address. He said that this information could render him susceptible to identity fraud. Mr. Warren brought proceedings against DSG for damages of £5,000 in respect of the distress he claimed to have suffered as a result of his personal data being compromised and lost. His causes of action were:
- Misuse of Private Information;
- Breach of Confidence;
- Negligence; and,
- Various data protection law breaches, including one concerning data security requirements.
DSG applied for summary judgment (a ruling without a full trial, available where a claim or defence has no real prospect of success and there is no other compelling reason for a trial) and/or a strike-out order (available where there are no reasonable grounds for bringing or defending a claim) in respect of each of these claims, apart from the data security claim under data protection law (pleaded as a breach of statutory duty). Just before the hearing Mr. Warren undertook to discontinue his claims in respect of the other alleged breaches of data protection law.
What did the court decide?
The arguments and ruling were as follows:
- Misuse of Private Information & Breach of Confidence:
- DSG argued that: (a) Mr. Warren’s claim was for distress damages arising out of a cyber-attack on DSG, in which an external, criminal third-party attacker obtained access to personal data by breaching DSG’s security systems; (b) consequently, the alleged breach was a failure to keep the data secure from unauthorised third-party access; (c) such an allegation does not amount in law to an allegation of either Breach of Confidence or Misuse of Private Information; and (d) both of those causes of action require the defendant to have taken some positive wrongful action in relation to the information in question, which DSG said it had not taken;
- Mr. Warren argued that: (a) the proposition that “misuse” requires a positive action was not supported by case-law; and (b) in any event DSG had intentionally and recklessly left his private information exposed to a real risk of intrusion, which was “tantamount to publication” to the world at large, i.e. to the third-party attacker;
- The judge held that: (a) the wrong alleged was a “failure” which allowed the third-party attacker to access the personal data, and there was no allegation of positive conduct by DSG said to amount to a breach or a misuse for the purposes of either Breach of Confidence or Misuse of Private Information; (b) Mr. Warren’s claim was in substance that DSG had failed in alleged duties to provide sufficient security for his data; (c) neither Breach of Confidence nor Misuse of Private Information imposes a data security duty on the holder of private or confidential information; (d) those causes of action are instead concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence or privacy, Breach of Confidence being essentially about unauthorised use or unauthorised disclosure of confidential information, so that a duty of confidence is different from a duty of care in relation to data security; (e) as regards the “tantamount to publication” argument, the judge was not convinced and stated that ‘If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a “misuse of private information” by me. Recharacterizing my failure to lock the window as ‘publication’ of the statements is wholly artificial. It is an unconvincing attempt to shoehorn the facts of the data breach into the tort of [Misuse of Private Information]’; and (f) the judge also rejected Mr. Warren’s attempt to distinguish his case from the Morrisons Supermarkets judgment (see here https://www.corderycompliance.com/uk-court-of-appeal-ruling-in-morrisons-vicarious-liability-case/), in which the court held that Morrisons was not directly liable for Breach of Confidence or Misuse of Private Information by reason of a wrongdoer employee disclosing its employees’ data;
- Negligence:
- DSG argued that where the statutory duties under the applicable data protection legislation apply, a negligence claim is unnecessary and merely duplicative;
- Warren argued that: (a) the negligence claim would add substantively to the case; and, (b) as regards the alleged distress: “[t]he distress and anxiety has been exacerbated due to the sensitive personal nature of the data that was unlawfully processed by [DSG] and accessed by an unauthorised third party. Following the data breach [he] immediately became distressed and concerned for the safety of his personal data. As a result, he changed all of his passwords on his online accounts. [He] is concerned that his personal data can be used by a third party in an attempt to clone his identity and he is anxious about giving his details out to stores when shopping. [He] is also very reluctant to conduct further business with [DSG] following the data breach”;
- The judge ruled that: (a) there is no duty of care in negligence where the statutory duties under the applicable data protection legislation operate – “[i]mposing a duty owed generally to those affected by a data breach would potentially give rise to an indeterminate liability to an indetermined class”; and (b) “a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action”, so that even if Mr. Warren had an arguable case on duty of care he had not suffered any actionable loss.
The court therefore struck out the Breach of Confidence, Misuse of Private Information and Negligence claims. The claim for breach of the statutory data security duty under data protection law remains, and the case continues on that aspect alone (it is to be transferred to the County Court), but only after the appeal against the ICO fine has been concluded (currently listed for a November 2021 hearing).
What are the key takeaways?
The key takeaway from this case is that the ruling potentially reduces the scope of compensation litigation risk for businesses following a data security breach, in particular for “kitchen-sink” claims in which Breach of Confidence, Misuse of Private Information and Negligence are all thrown in alongside the data protection claim. Instead, claimants are likely to be confined to claims for infringement of data protection legislation. It remains conceivable, however, that on the right facts an individual could argue that a business committed positive wrongful acts in the course of a data security breach which give rise to a claim in Breach of Confidence and/or Misuse of Private Information.
The other takeaways concern the preparations you might make in case you face a claim for compensation for a data protection infringement. These may include the following:
- Make staff aware (including through training) that compensation claims can be brought not only where there has been malicious external activity such as a cyber-attack but also where staff have been careless internally, e.g. by losing computer hardware. Also ensure that the Board is aware of compensation claim risks;
- Be ready to respond to claims promptly. We are seeing far more claims across our desk, especially after a data breach or for alleged cookie law breaches. Not all of these claims have merit. Make sure you have access to lawyers who are experienced in these types of case to help you sort the wheat from the chaff;
- Set up and undertake regular compliance reviews in order to identify, rectify and prevent issues that could involve a compensation claim;
- Check the liability provisions in vendor agreements and revise them where appropriate, and, check in a given situation if you might be a joint data controller and, if so, clearly set out your responsibilities including as regards compensation claims;
- Check your insurance – consider whether policies provide the necessary cover for the full range of potential civil claims under data protection legislation;
- Consider setting up an ex gratia compensation scheme for cases that merit compensation, which can be deployed quickly; and,
- In an internal investigation of a data security breach, where appropriate, ensure that legal professional privilege applies.
For more information
We have written about data compensation claims here https://www.corderycompliance.com/data-protection-breaches-and-compensation-litigation-issues-for-consideration/ and about the EU class-action claims rules here https://www.corderycompliance.com/eu-class-action-faqs/.
We have written about the UK Morrison’s vicarious liability case here https://www.corderycompliance.com/uk-court-of-appeal-ruling-in-morrisons-vicarious-liability-case/ and the UK Data Protection Representative liability limitation case here https://www.corderycompliance.com/dpr-liability-limits-ruling/.
We have written about ransomware issues here https://www.corderycompliance.com/ransomware-pay-or-not/ and here https://www.corderycompliance.com/client-alert-ransomware-covid19-and-upgrading-defences/ and made a video here https://www.corderycompliance.com/cordery-head-to-head-don-smith-ransomware/.
Cordery’s GDPR Navigator subscription service is an expansive set of resources and a community of peers helping companies deal with GDPR and related issues. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
We report about data protection issues here https://www.corderycompliance.com/category/data-protection-privacy/.
We report about compliance issues here https://www.corderycompliance.com/news/.
The Warren v DSG Retail Ltd High Court judgement can be found here https://bit.ly/3fPyaV8 and the ICO’s decision fining DSG can be found here https://ico.org.uk/action-weve-taken/enforcement/dsg-retail-ltd/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785