- Accueil
- Actualités et public…
- Publications
- High Court rules tha…
- Sur cette page
21 septembre 2021
Disputes Quick Read – 58 de 103 Publications
Disputes Quick Read: High Court rules that failure to provide adequate data security is not a positive act
- Quick read
In Darren Warren v DSG Retail Limited earlier this year, the High Court struck out misuse of private information, breach of confidence and negligence claims, ruling that failure to provide adequate data security is not a positive act that can form the basis of such claims.
Background
DSG Retail Limited was the victim of a malware hack between 2017 and 2018 on 5,930 point of sale terminals. These terminals stored customer data, which the hackers compromised. The ICO investigated the attack and decided that DSG, as data controller, breached the seventh data protection principle (DPP7) – ie it failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of data. The ICO issued a monetary penalty, which is currently under appeal to the FTT.
Darren Warren was a victim of the hack and discovered that the hackers had stolen his personal information. This included his name, address, phone number, date of birth and email address. Mr Warren claimed damages of £5,000 for distress via claims for:
- breach of confidence (BoC)
- misuse of private information (MPI)
- negligence, and
- breach of the Data Protection Act (under the 1998 Act).
In response, DSG applied under CPR 24 and CPR 3.4(2) for summary judgment/strike out of the first three claims. DSG argued that these claims had no realistic prospect of success based on the facts and were untenable as a matter of law.
The decision
The court noted that, when ruling on strike out applications, it assumes the primary facts alleged are true. This means that the court should not strike out a claim unless it's certain that the statements of case disclose no reasonable grounds for bringing the claim.
Mr Warren had argued that:
- DSG intentionally and recklessly left his private information exposed to a real risk of intrusion from the world at large.
- By failing to keep the data safe, DSG's actions were "tantamount to publication".
- DSG's failure to implement basic security measures to protect information meant that it had effectively published Mr Warren's data to the third-party hacker.
Justice Saini disagreed and struck out the first three claims. He said that:
- the law of BoC and MPI was for "prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy".
- A positive action of the holder of the information would require something like publication or disclosure of information. A "misuse" or "use" or an "interference" with Article 8 rights requires a positive act, which was not the case here.
- DSG had not carried out a positive act, and DSG (itself the victim of the cyberattack) was not accused of any positive conduct. There was no suggestion that DSG facilitated the cyberattack.
- While DSG failed to keep Mr Warren's data safe, he could not advance claims for BoC and MPI on this basis, because these claims don't impose a data security duty on DSG.
The court also struck out Mr Warren's negligence claim. Justice Saini couldn't see the logic of imposing a common law duty of care when a statutory regime (ie the Data Protection Act 1998) was already in place, through which DSG owed duties to Mr Warren as the data controller. Warren had only claimed "distress", but a state of anxiety produced by a negligent act or omission – but which falls short of a clinically recognisable psychiatric illness – is not enough damage to complete a tortious cause of action.
Only Mr Warren's claim for breach of the Data Protection Act 1998 remained, which the court stayed pending the FTT case's outcome.
Key takeaways
- This case makes an interesting distinction between a hacker and the data controller they hack. In Tchenguiz v Imerman [2011] Fam 116 and PML v Persons Unknown [2018] EWHC 838 (QB), the court held that a hacker who breaks into a computer system and steals information is bound by a duty of confidence. Here, the company that allegedly failed to keep data safe was not bound by this same duty.
- Data controllers that have suffered cyberattacks but have not committed a positive act regarding the stolen information have less to fear from any subsequent data privacy claims. Only very brave claimants will proceed with BoC, MPI, and negligence claims, together with a data security claim, for fear of failing to resist a summary judgment/strike out application and ending up paying the cost.
- The other outcome of this application saw this claim transferred to the small claims track of the County Court. That is a bad place for claimants to litigate because of the poor costs recovery, even if successful, and capped costs, which would affect the amount of damages they keep.
- Turning to reputational damage, while CPR 53 PD B permits claimants to apply for and obtain a statement in open court if they wish to accept a Part 36 offer or other offer of settlement regarding a list of media law claims, data protection is not included in this list. Therefore, if BoC and MPI claims fall outside civil data breach claims, a successful claimant can't publicise a win via a statement in open court.
Find out more
To discuss the issues raised in this article in more detail, please reach out to a member of our Disputes & Investigation team.
Dans cette série
Opening the doors: how the January 2026 pilot will transform access to court documents
21 octobre 2025
par plusieurs auteurs
Collective actions impacting big tech - Ireland set to test the boundaries in ICCL v Microsoft
11 juin 2025
par Ryan Ferry, Edwina Kelly
Wirral Council v Indivior plc: Court of Appeal upholds strike out of opt-in representative action securities claim
30 janvier 2025
par Katie Chandler
What are the litigation trends in 2025?
22 janvier 2025
par plusieurs auteurs
Changes to the privilege rules between companies and shareholders
6 décembre 2024
Victory for energy companies/defeat for the environment?
14 novembre 2024
par Tim Strong, Kate Hamblin
Failure to prevent fraud offence to come into force in September 2025
14 novembre 2024
par Emma Allen
Essex Cricket Club charged by Cricket Regulator
30 octobre 2024
par plusieurs auteurs
UK introduces mandatory reimbursement rules to combat APP fraud
15 octobre 2024
par Emma Allen, Andrew Spencer
Notice of Claim: What constitutes 'reasonable detail'?
5 juillet 2024
par Stuart Broom, Tom Charnley
New SFO Director announces bold plans to tackle fraud
21 mars 2024
par Emma Allen, Amy Cheng
What are the litigation trends for 2024?
1 février 2024
par Katie Chandler, Emma Allen
ClientEarth v FCA: Challenging Regulator Decisions
12 février 2024
par Tim Strong, Nicole Baldev
First of its kind judicial guidance on the use of AI in the courts
14 décembre 2023
Witness familiarisation - does it affect the court's assessment of witness credibility?
13 décembre 2023
CAT to hear the first application for a collective settlement approval order
17 octobre 2023
par Katie Chandler
Supreme Court rules that APP fraud victims cannot rely on Quincecare Duty
4 août 2023
par plusieurs auteurs
The Law Commission's Consultation Process on the Arbitration Act 1996 – taking stock
21 juillet 2023
What does the latest decision of the CAT in the Mastercard/Visa proceedings mean for class actions?
10 juillet 2023
par Katie Chandler
Disputes Quick Read: ClientEarth refused permission to pursue directors of Shell
1 juin 2023
par plusieurs auteurs
Disputes Quick Read – developments in the fixed costs regime
3 mai 2023
par James Bryden
Disputes Quick Read: Service by email – are the rules any clearer?
20 avril 2023
par James Bryden
Disputes Quick Read: Breaking the north/south divide?
5 avril 2023
par Tom Charnley
Disputes Quick Read - What do practitioners think about making alternative dispute resolution (ADR) compulsory?
8 mars 2023
Disputes Quick Read: What are the litigation trends for 2023?
2 mars 2023
par Katie Chandler, Emma Allen
Disputes Quick Read: further guidance on witness statement preparation rules
14 février 2023
Disputes Quick Read: A cautionary tale – settlement agreement (un)wittingly releases all claims for fraud
13 février 2023
Disputes Quick Read: Why the UK should join the Hague Judgments Convention 2019
8 février 2023
par Jessie Prynne
Disputes Quick Read: extensive information orders granted against crypto exchanges following hack
19 janvier 2023
par Georgina Jones
Disputes Quick Read: A new approach to giving evidence? WhatsApp with that?
3 octobre 2022
par Gemma Broughall
Disputes Quick Read: Ethereum Merge - what legal issues arise?
22 septembre 2022
par Emma Allen
Disputes Quick Read: New obligations on cryptobusinesses to report under the UK sanctions regime
9 août 2022
par Nick Maday
Disputes Quick Read: Disclosure - What information can be redacted?
25 juillet 2022
Disputes Quick Read: what claims exist when a smart contract is breached?
6 juillet 2022
par Emma Allen
Disputes Quick Read: New gateway for serving Norwich Pharmacal Orders and Bankers Trust orders out of the jurisdiction
Welcome news for those pursuing fraud claims in the English Courts
28 juillet 2022
par Emma Allen
Disputes Quick Read: Defining the duty - the limits of the responsibility assumed by professionals
27 juillet 2022
par Stuart Broom
Disputes Quick Read: Climate change litigation – successful challenge to government's Net Zero Strategy
29 juillet 2022
par Jess Thomas, Lucy Waddicor
Disputes Quick Read: Judicial Review and Courts Act 2022 – now in force
17 juin 2022
par Stephanie High
Disputes Quick Read: an important reminder of the duty to disclose electronic documents in native format
13 juin 2022
Disputes Quick Read: ENRC prevails in claim against former solicitor
26 mai 2022
Disputes Quick Read: Climate change litigation update – McGaughey v Universities Superannuation Scheme Limited
31 mai 2022
par plusieurs auteurs
Don't lose your keys: Bitcoin developers do not have a duty to assist owners in recovering lost cryptocurrency
4 avril 2022
par Emma Allen
Disputes Quick Read: The new witness statement preparation rules – a year on
5 avril 2022
par Stephanie High
Disputes Quick Read: ClientEarth v Shell – climate change litigation shifts focus to UK companies
31 mars 2022
par plusieurs auteurs
Disputes Quick Read: High Court rules that failure to provide adequate data security is not a positive act
21 septembre 2021
par Matthew Caskie
Disputes Quick Read: Key changes to the Disclosure Pilot Scheme
13 septembre 2021
Disputes Quick Read: Judicial Review and Courts Bill – unpacking the UK government's proposed amendments
6 septembre 2021
par Stephanie High
Disputes Quick Read: Will litigants be compelled to participate in alternative dispute resolution?
2 août 2021
Disputes Quick Read: Freezing injunctions – maximum custodial sentence imposed for breach
21 juillet 2021
Disputes Quick Read: The online future of civil justice – the end of the legal profession or the end of legal drudgery?
15 juillet 2021
par Jess Thomas
Disputes Quick Read: Will the courts change forever post-COVID?
26 mai 2021
par David de Ferrars
Disputes Quick Read: One Blackfriars administrators cleared of misfeasance
5 mai 2021
par Stephen O'Grady
Disputes Quick Read: Not your prerogative – the Independent Review of Administrative Law reports its recommendations on judicial review
21 avril 2021
par Stephanie High
Disputes Quick Read: Amendments to the Disclosure Pilot Scheme – a step in the right direction
31 mars 2021
Disputes Quick Read: UK Supreme Court rules on the territorial extent of the SFO's powers
26 février 2021
par Tim Strong
Disputes Quick Read: No dropping anchor – parent company liability for environmental claims
24 février 2021
Disputes Quick Read: What lawyers need to know about new witness statement preparation rules
20 janvier 2021
par Stephanie High
Disputes Quick Read: Should you still choose the English courts to have jurisdiction in your international contracts after Brexit?
12 janvier 2021
par Tim Strong
Disputes Quick Read: Privilege lost in the EU post-Brexit (with exceptions)
23 novembre 2020
Disputes Quick Read: Law on interest applicable to US dollar awards reaffirmed
16 octobre 2020
Disputes Quick Read: Care required when drafting SPA claim notices
23 septembre 2020
par Stuart Broom
Disputes Quick Read: Why the modernised LCIA rules are a welcome update
7 octobre 2020
par Nick Storrs
Disputes quick read: Mandatory changes to Statements of Truth
18 mai 2020
par Katie Chandler
Disputes Quick Read: COVID-19 and supply chain disruption – key issues
9 avril 2020
par plusieurs auteurs
Disputes Quick Read: High Court orders parties to explore options for 5-week remote trial
15 avril 2020
Disputes Quick Read: Tomlin Orders – ensuring the confidentiality of settlement terms
27 avril 2020
Disputes Quick Read: UK's OFSI fines Standard Chartered Bank £20 million for sanctions breaches
21 avril 2020
par Stephanie High
Disputes Quick Read: A different approach to witness evidence
11 mars 2020
par James Bryden
Disputes Quick Read: Coronavirus - a growth in virtual courts?
17 mars 2020
par Stuart Broom
Disputes quick read: climate change activism by litigation
26 février 2020
par Tim Strong, Andrew Howell
Disputes Quick Read: Commercial Court's arbitral power shift
21 février 2020
par Andrew Howell
Disputes Quick Read: Court stays evictions during COVID-19 – is this lawful?
2 juin 2020
par Georgina Jones
Disputes Quick Read: Will the civil justice system change forever post COVID-19?
16 juin 2020
par Georgina Jones
Disputes Quick Read: Privilege waiver warning
2 juillet 2020
par Tim Strong, Georgina Jones
Disputes Quick Read: Retailers reign supreme in Visa and Mastercard proceedings
9 juillet 2020
Disputes Quick Read: The contra proferentem rule reconsidered?
21 juillet 2020
Disputes Quick Read: Scope of duty and the SAAMCo counterfactual following Manchester Building Society
3 décembre 2021
Disputes Quick Read: Facilitating transactions in cryptoassets - Lord Leggatt and the point of commercial law
24 novembre 2021
par Stuart Broom
Disputes Quick Read: Privy Council clarifies the law on freezing injunctions in aid of foreign proceedings
8 octobre 2021
par Katie Chandler
Disputes Quick Read: Climate change litigation – what's the latest?
10 janvier 2022
par Tim Strong, Jess Thomas
Disputes Quick Read: Court decisions on the Disclosure Pilot Scheme – the 2021 roundup
20 janvier 2022
par Natalia Faekova
Disputes Quick Read: Climate change litigation update
8 mars 2022
par Jess Thomas, Lucy Waddicor
Disputes Quick Read: Assumption of responsibility - tax schemes and investors
22 mars 2022
par Stuart Broom
Disputes Quick Read: Dealing in crypto? Be careful what you call it
7 avril 2022
par Emma Allen, Georgina Jones
