Narrowing the scope of cyber-attack claims

Given the recent spate of cyber-attacks impacting every sector, from education and legal to manufacturing and pharmaceutical, when typically data is stolen, deleted or encrypted to extort a ransom, a recent ruling offers some hope for data controllers, worried about the fallout from such an attack.

The High-Court recently handed down its ruling in the case of Warren v DSG Retail Limited [2021] EWHC 2168 (QB), one which will undoubtedly have far reaching implications for data subjects who are considering bringing a claim against a data controller following a third-party cyber-attack.

For a period of nine months, starting in July 2017, DSG Retail Ltd (DSG), which operates the ‘Currys PC World’ and “Dixons Travel” brands, suffered a sophisticated cyber-attack. Criminals were able to infiltrate DSG’s systems and install malware across almost 6000 in-store point of sale terminals, which gave them access to the personal data of approximately 14 million customers.

The attack made personal data including customers’ names, addresses, phone numbers, date of birth and email addresses, potentially accessible to the attackers, resulting in the Information Commissioner’s Office (ICO) investigating this serious breach.

The ICO decided that DSG had breached the seventh data protection principle (DPP7), which requires “appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data”.

The Commissioner issued a Monetary Penalty Notice (MPN) for £500,000 in January 2020, although at the time of writing, this remains subject to an appeal, which will be heard later in 2021 before the First Tier Tribunal.

The claimant, Darren Lee Warren, had purchased goods from Currys PC World while the point of sale terminals were compromised and claimed that some of his personal data was stolen in the attack, resulting in him bringing a civil claim against DSG for:

  • Breach of statutory duty;
  • Breach of confidence;
  • Misuse of private information; and
  • Negligence.

Mr Warren sought £5,000 in damages for the distress he claimed he had suffered due to his personal data having been compromised in the cyber-attack. However, he did not bring any claim for financial loss or personal injury as a result.

The defendant DSG, applied for summary judgment or an order striking out the claims, with the exception of the claim for breach of statutory duty under the Data Protection Act 1998 (Article 5(1)(f) of the UK GDPR). This requires organisations to have appropriate technical and organisational measures in place to protect the data they hold, from unauthorised or unlawful processing or accidental loss, destruction or damage.

When organisations take cyber security seriously

In examining the facts of the case, the court found in favour of the Defendant DSG, for the following reasons:

(i) Claims for breach of confidence and misuse of private information do not “…impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy.”

(ii) A claim for misuse of private information requires a ‘use’. The court clarified that this would require a positive action on the part of the defendant and, where this is not the case, such a claim cannot succeed; and

(iii) The claim for negligence was unsuccessful for two reasons, namely, there was neither a “need nor warrant to impose such a duty of care where the statutory duties under the DPA 1998 operate” and where a claimant brings a cause of action in tort in order to recover damages for negligence, damage must have been suffered by the claimant. However, it was deemed that “a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action”.

In recent years, there has been an increase in the number of claims being brought by data subjects like Mr Warren for distress and in many cases, these claimants seek to claim for their after-the-event insurance (ATE) premiums.

As this is not recoverable in data protection claims but can be recovered in ‘privacy proceedings’, claimants have sought to circumvent this difficulty by re-framing their claims as claims for misuse of private information and breach of confidence.

In light of this important judgment, claimants whose data has been compromised due to a cyber-attack, will have to consider whether ATE insurance would be economically viable if the cost of such a premium is not recoverable, particularly given the cost of the claim is frequently greater than the damages awarded to the claimant should they be successful.

Additionally, whether such a broadly based claim should be brought at all, will require some consideration as, in the words of the presiding Judge, Mr Justice Saini, it may merely be seen as an “unconvincing attempt to shoehorn the facts of the data breach into the tort of [Misuse of Private Information]”.