Not so long ago, following the Court of Appeal’s judgment in the seminal case of Lloyd v Google LLC  EWCA Civ 1599, commentators and media outlets predicted an era where organisations would be submerged in a rising tide of US-style ‘class-action’ data breach claims.
On the contrary, 2021 has given us three recent cases which have decisively reshaped the likely future landscape of these claims. They are:
- Darren Lee Warren v DSG Retail Limited  EWHC 2168 (QB)
- Alan Rolfe & Ors v Veale Wasborough Vizards LLP  EWHC 2809 (QB)
- Lloyd v Google LLC  UKSC 50
In the first instalment of our data protection claims series, our data protection lawyers will be discussing case one: Darren Lee Warren v DSG Retail Limited  EWHC 2168 (QB).
The background facts:
The cyberattack which hit DSG Retail (known for operating the Currys PC World and Dixons Travel brands) between 24 July 2017 and 25 April 2018 resulted in the infiltration of DSG’s systems, including over 5,000 point of sale terminals, by cybercriminals. The Information Commissioner’s Office (ICO) investigated the incident and found DSG Retail’s data security to be insufficient, issuing a Monetary Penalty Notice (MPN) in the amount of £500,000 (the maximum penalty that could be imposed at the time, as the incident had occurred before the GDPR came into force).
Mr Warren, who had purchased goods from Currys PC World, had his personal data compromised in the incident. He brought a claim for £5,000 for his distress against DSG Retail, raising a number of potential causes of action, including:
- Breach of confidence (BoC)
- Misuse of private information (MoPI)
- Breach of the Data Protection Act 1998 (DPA 1998)
- The common law doctrine of negligence
In July of this year, the High Court considered a summary judgment and/or strike out application brought by DSG Retail in respect of Mr Warren’s claims, save for the claim arising out of the alleged breach of the data security duty (DPP7) under the DPA 1998. DSG Retail argued the BoC, MoPI and negligence claims had no realistic prospects of success and/or were not tenable as a matter of law.
The negligence claim can be dealt with shortly, as there is no tenable claim where there is a specific statutory regime available to the Claimant (as in this case, the DPA 1998 regime). The judgment of the High Court on the BoC and MoPI claims is more interesting.
Mr Justice Saini, handing down the judgment, agreed with DSG Retail. There was no dispute that Mr Warren’s claims all arose from the cyberattack itself. The ‘wrong’ which is said to have happened to the Claimant was a failure of security, allowing the cybercriminals to access his personal data. However, it was not alleged that this failure was a positive act by the Defendant, DSG Retail – which, as the Judge would go on to say, is necessary to found a claim in either BoC or MoPI.
The Judge clarified that neither BoC nor MoPI imposes a data security duty on the holders of information. By contrast, both causes of action are concerned with prohibiting actions by the holder of information that are inconsistent with the obligations of confidence or privacy, respectively. Whilst a ‘misuse’ could include an unintentional use, it would still require a positive action in order for either of these causes of action to be made out.
Finally, the Judge noted that the Claimants in the case of Various Claimants v Wm Morrison Supermarkets plc  QB 772 had attempted a very similar argument in that case, but the High Court had held that it was the positive actions of the wrongful actor (the aggrieved employee in that case, who had misappropriated the data), not those of Morrisons that could found a claim in BoC or MoPI – after all, it had not been Morrisons who disclosed the information, nor misused it.
The effect of this judgment is to narrow the potential causes of action that are available to Claimants in a case where an organisation has suffered from a cyberattack.
This means that in future a claim against the data controller for this sort of attack could only be brought under the new United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). Such a claim would include an alleged breach of Article 32 UK GDPR, which is structurally similar to the data security duty under the DPA 1998, therefore the cases under the ‘old law’ remain informative.
Although the High Court has not yet determined the question of whether or not DSG Retail breached the data security duty (DPP7), the Claimant may face an uphill struggle. He will need to show that DSG Retail failed to implement measures that ensured a level of security appropriate to the nature of the data to be protected and the harm that might result from a data breach, having regard to both the state of technological development and the cost of implementing those measures at the time.
Whilst it assists the Claimant that the ICO has issued an MPN setting out DSG Retail’s failures, it is not determinative or binding on the High Court. It is worth remembering that the Claimants in the Morrisons case failed to make out any breach by the supermarket chain of DPP7 (save for a minor breach), in spite of the facts in that case involving their internal data security measures and access to data by their own employee, over which they potentially had a greater degree of available control. Here, by contrast, it does not appear to be contested that DSG Retail suffered from a sophisticated external attacker, and they only need to show that their level of security was appropriate in the specific context to protect the Claimant’s data, not to have anticipated and fended off a complex cyberattack.
Finally, even if the Claimant is successful in making out their claim, it is worth noting that the awards of damages for ‘distress’ under the DPA 1998 have a tendency to be far lower than those damages which have been awarded historically in MoPI claims. This will be welcome news for organisations that are ‘totting up’ the total potential costs and exposure to claims following on from a cyberattack.