A recent High Court ruling on a claim for breach of data protection legislation may lead to an overall reduction in data breach claims. The ruling in the case of Warren v DSG Retail may hinder future claimants’ abilities to recover the costs of After the Event insurance premiums following claims for cyber-attacks. The case is also likely to have an impact on allocation and costs recovery. The outcome of this case has left some claimant solicitors concerned that they will be unable to continue to run these types of claims due to the financial risks involved.
Warren v DSG Retail  EWHC 2168 (QB)
DSG Retail, which operates Currys PC World and Dixons Travel, was subject to a complex cyber-attack between July 2017 and April 2018, in which attackers gained access to its customers’ personal data. By notice on 07/01/2020, the company was fined £500,000.00 by the Information Commissioner for its breach of DPP7, which requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data”, in relation to its computer system and organisational measures. An appeal is due to be heard later this year.
A number of claims have since been brought against DSG Retail under the Data Protection Act 1998 (DPA 1998).
The claimant, Warren, commenced a claim for an alleged breach of data protection principles, negligence, misuse of private information (MPI) and breach of confidence (BoC).
Damages were sought only in respect of distress, and no claim was made for financial loss or personal injury following the cyber-attack.
The Defendant made an application for summary judgment and/or for the Court to strike out all claims apart from the breach of statutory data protection principles claim. In considering the Defendant’s application, Mr Justice Saini stated the following:
“in my judgment… it is clear that the Claimant does not allege any positive conduct by DSG said to comprise a breach or a misuse for the purposes of either BoC or MPI… In my judgment neither BoC nor MPI impose a data security duty on the holders of information. I accept that a misuse may include intentional use, but it still requires a ‘use’; that is a positive action.”
The Claimants sought to argue that a failure to protect the data was “tantamount to publication”. Mr Justice Saini did not find that persuasive, using the following analogy:
“If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a ‘misuse of private information’ by me. Recharacterising my failure to lock the window as a ‘publication’ of the statements is wholly artificial. It is an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI”
“In my judgment, neither [breach of confidence nor misuse of private information] impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy. Counsel for the Claimant submitted that applying the wrong of [misuse of private information] on the present facts would be a “development of the law”. In my judgment, such a development is precluded by an array of authority.”
Regarding the negligence claim, he stated:
“[t]here is neither need nor warrant to impose such a duty of care where the statutory duties under the DPA 1998 operate” and … “[a] cause of action in tort for recovery of damages for negligence is not complete unless and until damage has been suffered by the claimant. Some damage, some harm, or some injury must have been caused by the negligence in order to complete the claimant’s cause of action. However, a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action.”
Mr Justice Saini therefore dismissed the claims for breach of confidence, misuse of private information and negligence. The breach of statutory data protection principles claim was transferred for directions at the County Court.
The impact of Warren v DSG on future data breach claims
Following the ruling in this case, there have been concerns amongst claimant solicitors in this area of law that many causes of action, other than breaches of statutory data protection principles, will be struck out by the High Court.
The significant costs consequences following the failure of these types of claims may lead to a curtailment in future data breach claims.
David Barker from Pinsent Masons, acting for DSG Retail, stated:
“The need to pay an (irrecoverable) ATE premium – the cost of which can be substantial in comparison with the amount sought by the claimant – is likely to mean a substantial reduction in such cases in future.”
Barrister Rebecca Keating discussed the potential costs impacts for claimants in these types of cases, stating the following:
“If a claim under breach of confidence/misuse of private information is no longer viable, a claimant seeking recovery of a low amount of damages for breach of statutory duty under the Data Protection Act 1998/2018 or the General Data Protection Regulation may struggle to avoid allocation to the small claims track, where recovery of costs is not possible.”
Costs Lawyer Victoria Morrison-Hughes considers that the limited availability of ATE providers and products in this (data breach) market, together with the level of premiums charged before this decision, made it prohibitive to most litigants, and that this decision is only likely to restrict that marketplace even further. The requirement for a claimant to then demonstrate a “clinically recognisable psychiatric illness”, coupled with the risk that these cases could be allocated to the Small Claims Track, means it could become unviable for legal practitioners to take on these types of claims. It is of course worth noting that the value of the case is merely one factor in determining the correct track [CPR 26.8]. Is this yet another blow to the Jackson utopia where the real effect is restricting access to justice?
It is worth noting, however, that this case is due to be appealed, so the full impact of the case is yet to be known.
How can Recovery First assist?
Recovery First can assist firms wishing to exit specific areas of law. You may decide to exit the market of data breach claims.
We offer a positive solution to any law firm by helping them exit any legal market whilst remaining solvent, maintaining cash flow, and ensuring they get the most out of their files.
As well as assisting firms who are going through restructuring, we also assist many firms who are going through the formal insolvency process. We work alongside the insolvency team to come up with the right plan tailored to meet the needs of each specific firm.
Whatever the reason, Recovery First will ensure the most positive and profitable outcome is achieved. An additional benefit is that the firm’s clients not only get a seamless transfer, but are also matched with a firm specialised in their particular needs. The unique scheme offered by Recovery First is suitable for law firms and professional advisors, including restructuring and insolvency solicitors, insolvency practitioners and accountants. Our team manage the transfer of files from start to finish, placing case files with an approved law firm so as to protect the integrity of the client’s case.
We will provide you with all the advice and support you need, and we guarantee 100% confidentiality for all clients. If you would like to find out more about Recovery First’s process, feel free to get in touch today via email (email@example.com), telephone (0845 056 1258) or contact Sally Dunscombe at firstname.lastname@example.org or 07774 205 870.