21 September 2021
Disputes Quick Read – 33 of 78 Insights
Disputes Quick Read: High Court rules that failure to provide adequate data security is not a positive act
In Darren Warren v DSG Retail Limited earlier this year, the High Court struck out misuse of private information, breach of confidence and negligence claims, ruling that failure to provide adequate data security is not a positive act that can form the basis of such claims.
Background
DSG Retail Limited was the victim of a malware hack between 2017 and 2018 on 5,930 point of sale terminals. These terminals stored customer data, which the hackers compromised. The ICO investigated the attack and decided that DSG, as data controller, breached the seventh data protection principle (DPP7) – ie it failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of data. The ICO issued a monetary penalty, which is currently under appeal to the FTT.
Darren Warren was a victim of the hack and discovered that the hackers had stolen his personal information. This included his name, address, phone number, date of birth and email address. Mr Warren claimed damages of £5,000 for distress via claims for:
- breach of confidence (BoC)
- misuse of private information (MPI)
- negligence, and
- breach of the Data Protection Act (under the 1998 Act).
In response, DSG applied under CPR 24 and CPR 3.4(2) for summary judgment/strike out of the first three claims. DSG argued that these claims had no realistic prospect of success based on the facts and were untenable as a matter of law.
The decision
The court noted that, when ruling on strike out applications, it assumes the primary facts alleged are true. This means that the court should not strike out a claim unless it's certain that the statements of case disclose no reasonable grounds for bringing the claim.
Mr Warren had argued that:
- DSG intentionally and recklessly left his private information exposed to a real risk of intrusion from the world at large.
- By failing to keep the data safe, DSG's actions were "tantamount to publication".
- DSG's failure to implement basic security measures to protect information meant that it had effectively published Mr Warren's data to the third-party hacker.
Justice Saini disagreed and struck out the first three claims. He said that:
- the law of BoC and MPI was for "prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy".
- A positive action of the holder of the information would require something like publication or disclosure of information. A "misuse" or "use" or an "interference" with Article 8 rights requires a positive act, which was not the case here.
- DSG had not carried out a positive act, and DSG (itself the victim of the cyberattack) was not accused of any positive conduct. There was no suggestion that DSG facilitated the cyberattack.
- While DSG failed to keep Mr Warren's data safe, he could not advance claims for BoC and MPI on this basis, because these claims don't impose a data security duty on DSG.
The court also struck out Mr Warren's negligence claim. Justice Saini couldn't see the logic of imposing a common law duty of care when a statutory regime (ie the Data Protection Act 1998) was already in place, through which DSG owed duties to Mr Warren as the data controller. Warren had only claimed "distress", but a state of anxiety produced by a negligent act or omission – but which falls short of a clinically recognisable psychiatric illness – is not enough damage to complete a tortious cause of action.
Only Mr Warren's claim for breach of the Data Protection Act 1998 remained, which the court stayed pending the FTT case's outcome.
Key takeaways
- This case makes an interesting distinction between a hacker and the data controller they hack. In Tchenguiz v Imerman [2011] Fam 116 and PML v Persons Unknown [2018] EWHC 838 (QB), the court held that a hacker who breaks into a computer system and steals information is bound by a duty of confidence. Here, the company that allegedly failed to keep data safe was not bound by this same duty.
- Data controllers that have suffered cyberattacks but have not committed a positive act regarding the stolen information have less to fear from any subsequent data privacy claims. Only very brave claimants will proceed with BoC, MPI, and negligence claims, together with a data security claim, for fear of failing to resist a summary judgment/strike out application and ending up paying the cost.
- The other outcome of this application saw this claim transferred to the small claims track of the County Court. That is a bad place for claimants to litigate because of the poor costs recovery, even if successful, and capped costs, which would affect the amount of damages they keep.
- Turning to reputational damage, while CPR 53 PD B permits claimants to apply for and obtain a statement in open court if they wish to accept a Part 36 offer or other offer of settlement regarding a list of media law claims, data protection is not included in this list. Therefore, if BoC and MPI claims fall outside civil data breach claims, a successful claimant can't publicise a win via a statement in open court.
Find out more
To discuss the issues raised in this article in more detail, please reach out to a member of our Disputes & Investigation team.
In this series
Failure to prevent fraud – a new offence?
14 August 2023
by Multiple authors
Supreme Court rules that APP fraud victims cannot rely on Quincecare Duty
4 August 2023
by Multiple authors
The Law Commission's Consultation Process on the Arbitration Act 1996 – taking stock
21 July 2023
What does the latest decision of the CAT in the Mastercard/Visa proceedings mean for class actions?
10 July 2023
Disputes Quick Read: ClientEarth refused permission to pursue directors of Shell
1 June 2023
by Multiple authors
Disputes Quick Read – developments in the fixed costs regime
3 May 2023
by James Bryden
Disputes Quick Read: Service by email – are the rules any clearer?
20 April 2023
by James Bryden
Disputes Quick Read - What do practitioners think about making alternative dispute resolution (ADR) compulsory?
8 March 2023
Disputes Quick Read: What are the litigation trends for 2023?
2 March 2023
Disputes Quick Read: further guidance on witness statement preparation rules
14 February 2023
Disputes Quick Read: A cautionary tale – settlement agreement (un)wittingly releases all claims for fraud
13 February 2023
Disputes Quick Read: Why the UK should join the Hague Judgments Convention 2019
8 February 2023
Disputes Quick Read: extensive information orders granted against crypto exchanges following hack
19 January 2023
Disputes Quick Read: A new approach to giving evidence? WhatsApp with that?
3 October 2022
Disputes Quick Read: Ethereum Merge - what legal issues arise?
22 September 2022
by Ben Jones, Emma Allen
Disputes Quick Read: New obligations on cryptobusinesses to report under the UK sanctions regime
9 August 2022
by Nick Maday
Disputes Quick Read: Disclosure - What information can be redacted?
25 July 2022
Disputes Quick Read: what claims exist when a smart contract is breached?
6 July 2022
by Emma Allen
Disputes Quick Read: New gateway for serving Norwich Pharmacal Orders and Bankers Trust orders out of the jurisdiction
Welcome news for those pursuing fraud claims in the English Courts
28 July 2022
Disputes Quick Read: Defining the duty - the limits of the responsibility assumed by professionals
27 July 2022
by Stuart Broom
Disputes Quick Read: Climate change litigation – successful challenge to government's Net Zero Strategy
29 July 2022
Disputes Quick Read: Judicial Review and Courts Act 2022 – now in force
17 June 2022
Disputes Quick Read: an important reminder of the duty to disclose electronic documents in native format
13 June 2022
Disputes Quick Read: ENRC prevails in claim against former solicitor
26 May 2022
Disputes Quick Read: Climate change litigation update – McGaughey v Universities Superannuation Scheme Limited
31 May 2022
by Multiple authors
Don't lose your keys: Bitcoin developers do not have a duty to assist owners in recovering lost cryptocurrency
4 April 2022
Disputes Quick Read: The new witness statement preparation rules – a year on
5 April 2022
Disputes Quick Read: ClientEarth v Shell – climate change litigation shifts focus to UK companies
31 March 2022
by Multiple authors
Disputes Quick Read: High Court rules that failure to provide adequate data security is not a positive act
21 September 2021
by Multiple authors
Disputes Quick Read: Key changes to the Disclosure Pilot Scheme
13 September 2021
Disputes Quick Read: Judicial Review and Courts Bill – unpacking the UK government's proposed amendments
6 September 2021
Disputes Quick Read: Will litigants be compelled to participate in alternative dispute resolution?
2 August 2021
Disputes Quick Read: Freezing injunctions – maximum custodial sentence imposed for breach
21 July 2021
Disputes Quick Read: The online future of civil justice – the end of the legal profession or the end of legal drudgery?
15 July 2021
Disputes Quick Read: Will the courts change forever post-COVID?
26 May 2021
Disputes Quick Read: One Blackfriars administrators cleared of misfeasance
5 May 2021
Disputes Quick Read: Not your prerogative – the Independent Review of Administrative Law reports its recommendations on judicial review
21 April 2021
Disputes Quick Read: Amendments to the Disclosure Pilot Scheme – a step in the right direction
31 March 2021
Disputes Quick Read: UK Supreme Court rules on the territorial extent of the SFO's powers
26 February 2021
Disputes Quick Read: No dropping anchor – parent company liability for environmental claims
24 February 2021
Disputes Quick Read: What lawyers need to know about new witness statement preparation rules
20 January 2021
Disputes Quick Read: Should you still choose the English courts to have jurisdiction in your international contracts after Brexit?
12 January 2021
by Tim Strong
Disputes Quick Read: Privilege lost in the EU post-Brexit (with exceptions)
23 November 2020
Disputes Quick Read: Law on interest applicable to US dollar awards reaffirmed
16 October 2020
Disputes Quick Read: Care required when drafting SPA claim notices
23 September 2020
by Multiple authors
Disputes Quick Read: Why the modernised LCIA rules are a welcome update
7 October 2020
by Nick Storrs
Disputes Quick Read: COVID-19 and supply chain disruption – key issues
9 April 2020
by Multiple authors
Disputes Quick Read: High Court orders parties to explore options for 5-week remote trial
15 April 2020
Disputes Quick Read: Tomlin Orders – ensuring the confidentiality of settlement terms
27 April 2020
by Multiple authors
Disputes Quick Read: UK's OFSI fines Standard Chartered Bank £20 million for sanctions breaches
21 April 2020
Disputes Quick Read: A different approach to witness evidence
11 March 2020
by James Bryden
Disputes Quick Read: Coronavirus - a growth in virtual courts?
17 March 2020
by Stuart Broom
Disputes Quick Read: Embracing remote hearings – the experience to date
26 March 2020
by Multiple authors
Disputes quick read: climate change activism by litigation
26 February 2020
Disputes Quick Read: Commercial Court's arbitral power shift
21 February 2020
Disputes Quick Read: Court stays evictions during COVID-19 – is this lawful?
2 June 2020
Disputes Quick Read: Will the civil justice system change forever post COVID-19?
16 June 2020
Disputes Quick Read: Retailers reign supreme in Visa and Mastercard proceedings
9 July 2020
Disputes Quick Read: The contra proferentem rule reconsidered?
21 July 2020
Disputes Quick Read: Scope of duty and the SAAMCo counterfactual following Manchester Building Society
3 December 2021
Disputes Quick Read: Facilitating transactions in cryptoassets - Lord Leggatt and the point of commercial law
24 November 2021
by Stuart Broom
Disputes Quick Read: Privy Council clarifies the law on freezing injunctions in aid of foreign proceedings
8 October 2021
Disputes Quick Read: Climate change litigation – what's the latest?
10 January 2022
Disputes Quick Read: Court decisions on the Disclosure Pilot Scheme – the 2021 roundup
20 January 2022
Disputes Quick Read: Assumption of responsibility - tax schemes and investors
22 March 2022
Disputes Quick Read: Dealing in crypto? Be careful what you call it
7 April 2022
by Multiple authors
Related Insights
Protecting corporate reputation in the age of volatility – Five things you need to know
by multiple authors
Fake news and how to spot it
Privacy: there's more to it than GDPR
by multiple authors