Authors

Michael Yates, Senior counsel

Edward Spencer, Senior counsel

Matthew Caskie, Associate

21 September 2021

Disputes Quick Read: High Court rules that failure to provide adequate data security is not a positive act

In Darren Warren v DSG Retail Limited earlier this year, the High Court struck out misuse of private information, breach of confidence and negligence claims, ruling that failure to provide adequate data security is not a positive act that can form the basis of such claims. 

Background

DSG Retail Limited was the victim of a malware hack between 2017 and 2018 on 5,930 point of sale terminals. These terminals stored customer data, which the hackers compromised. The ICO investigated the attack and decided that DSG, as data controller, breached the seventh data protection principle (DPP7) – ie it failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of data. The ICO issued a monetary penalty, which is currently under appeal to the FTT. 

Darren Warren was a victim of the hack and discovered that the hackers had stolen his personal information. This included his name, address, phone number, date of birth and email address. Mr Warren claimed damages of £5,000 for distress via claims for:

  • breach of confidence (BoC)
  • misuse of private information (MPI)
  • negligence, and
  • breach of the Data Protection Act (under the 1998 Act).

In response, DSG applied under CPR 24 and CPR 3.4(2) for summary judgment/strike out of the first three claims. DSG argued that these claims had no realistic prospect of success based on the facts and were untenable as a matter of law. 

The decision

The court noted that, when ruling on strike out applications, it assumes the primary facts alleged are true. This means that the court should not strike out a claim unless it's certain that the statements of case disclose no reasonable grounds for bringing the claim.

Mr Warren had argued that: 

  • DSG intentionally and recklessly left his private information exposed to a real risk of intrusion from the world at large.
  • By failing to keep the data safe, DSG's actions were "tantamount to publication". 
  • DSG's failure to implement basic security measures to protect information meant that it had effectively published Mr Warren's data to the third-party hacker. 

Justice Saini disagreed and struck out the first three claims. He said that:

  • The law of BoC and MPI exists for "prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy".
  • A positive action by the holder of the information would require something like publication or disclosure of that information. A "misuse" or "use" of, or an "interference" with, Article 8 rights requires a positive act, which was not the case here.
  • DSG had not carried out a positive act, and DSG (itself the victim of the cyberattack) was not accused of any positive conduct. There was no suggestion that DSG facilitated the cyberattack.
  • While DSG failed to keep Mr Warren's data safe, he could not advance claims for BoC and MPI on this basis, because these causes of action do not impose a data security duty on DSG.

The court also struck out Mr Warren's negligence claim. Justice Saini could not see the logic of imposing a common law duty of care when a statutory regime (ie the Data Protection Act 1998) was already in place, through which DSG, as data controller, owed duties to Mr Warren. Mr Warren had only claimed "distress", and a state of anxiety produced by a negligent act or omission, which falls short of a clinically recognisable psychiatric illness, is not sufficient damage to complete a tortious cause of action.

Only Mr Warren's claim for breach of the Data Protection Act 1998 remained, which the court stayed pending the FTT case's outcome. 

Key takeaways

  • This case makes an interesting distinction between a hacker and the data controller they hack. In Tchenguiz v Imerman [2011] Fam 116 and PML v Persons Unknown [2018] EWHC 838 (QB), the court held that a hacker who breaks into a computer system and steals information is bound by a duty of confidence. Here, the company that allegedly failed to keep data safe was not bound by that same duty.
  • Data controllers that have suffered cyberattacks but have not committed a positive act regarding the stolen information have less to fear from subsequent data privacy claims. Only very brave claimants will proceed with BoC, MPI and negligence claims alongside a data security claim, given the risk of failing to resist a summary judgment/strike out application and ending up paying the costs.
  • The other outcome of this application saw the claim transferred to the small claims track of the County Court. That is a bad place for claimants to litigate because of the poor costs recovery, even if successful, and capped costs, which reduce the amount of damages they keep.
  • Turning to reputational damage, while CPR 53 PD B permits claimants to apply for and obtain a statement in open court if they wish to accept a Part 36 offer or other offer of settlement in respect of a list of media law claims, data protection is not included in this list. Therefore, if BoC and MPI claims fall outside civil data breach claims, a successful claimant cannot publicise a win via a statement in open court.

Find out more

To discuss the issues raised in this article in more detail, please reach out to a member of our Disputes & Investigation team.
