Data breach litigation decision signals less Warren more peace for victim organisations
15 October 2021
Data breaches have a long tail and organisations can’t hang up their hats once an incident has been remediated and regulatory interactions about said incident concluded. Instead, they have to prepare for the inevitable wave of identikit and (for the most part) low-to-no value claims which follow.
These are commonly brought by personal injury law firms keen to leave their ambulance-chasing days behind and instead focus on data breaches where they seek opportunistically to leverage any adverse regulatory findings for financial gain. If appropriate for any court (which is debatable), these claims are suitable for allocation to the small claims track where there is limited ability to recover costs. But since these claims are really only about the claimant’s legal costs, they are issued in the High Court and brought with After The Event (‘ATE’) insurance which offers the claimant protection against a costs liability if they lose.
The recent case of Warren v DSG EWHC 2168 (QB) is a development which will be welcomed by defendants because it signals that these ATE insurance premiums – which often dwarf the damages claimed – might not be recoverable, at least insofar as attacks by external hackers are concerned. Claimants are unlikely to want to risk bringing a claim without ATE insurance in place, otherwise they’ll be on the hook personally for any adverse costs. As a result, this development is likely to make many of these claims economically unviable and disincentivise many of the claimant firms that bring them on a ‘no win, no fee’ basis.
Mr Warren was a customer of DSG (an electronics retailer with well-known brands) and claimed that his personal data – name, address, phone number, date of birth and email address – had been compromised in a cyberattack some 4 years earlier. He limited his claim to £5k seeking damages for distress as a result of his personal data being lost and compromised. The causes of action he relied on were breach of confidence (‘BoC’), misuse of private information (‘MPI’), breach of the Data Protection Act 1998, and common law negligence.
DSG sought successfully to strike out all causes of action except for the data protection claim which was based on an alleged breach of the Security Principle at DPP7. This requires organisations to have “appropriate technical and organisational measures” in place. In new money, that’s Article 5(1)(f) GDPR.
The BoC and MPI claims are relevant because for some years now claimants have been unable to recover ATE insurance premiums from defendants unless their claims fall within one of the few exceptions. Publication and privacy proceedings are one such exception and include claims for BoC and MPI but, importantly, not claims for breach of statutory duty related to data protection laws. Put another way, without BoC and MPI as causes of action, claimants cannot recover their ATE insurance premiums. So a lot was riding on the strike-out application in Warren.
In relation to BoC and MPI, the Judge, Saini J, held that “neither BoC nor MPI impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy.” He went on helpfully to observe that “a ‘misuse’ may include unintentional use, but it still requires a ‘use’: that is, a positive action”. This led him to conclude that “it was not DSG that disclosed the Claimant’s personal data, or misused it, but the criminal third-party hackers.” As such the MPI and BoC claims were “ill-founded”.
The negligence claim fared no better. There was no need to impose a duty of care given the statutory duties under data protection law; and in any event Mr Warren had suffered no loss (a tortious cause of action requires a clinically recognisable psychiatric illness, unlike data protection law which allows compensation for distress resulting from a breach of, say, the Security Principle).
Defendants will welcome Warren as a positive development. But many will consider that the decision does not go far enough to stop the proliferation of these low-value claims which have inundated the High Court and which are the bane of controllers and processors given the entirely disproportionate costs involved in defending them. Whilst victims of cyberattacks “carried out by sophisticated and methodical criminals” (to use Saini J’s words) will benefit from this judgment, it remains to be seen whether incidents resulting from internal errors (e.g. misdirected emails, misconfigured systems, software bugs etc) will too. Meanwhile, defendants will continue to wait with bated breath for a decision on other defences commonly raised in response to these types of low-value claim which might act as a further deterrent to would-be claimants. Those defences include whether any damages claimed even meet the threshold of seriousness needed to be actionable, especially where the personal data affected are relatively banal. If DSG is defending the data protection claim on that basis (as well as others, no doubt) and succeeds, more Warren will perhaps lead to more peace for victim defendants … eventually.