Failure to prevent a cyber attack is not negligence, breach of confidence or misuse of private information

17 August 2021

Notices of a potential data breach have become facts of life. For companies sending those notices, so have lengthy letters threatening a variety of damages claims as a result.

Robust responses will become more common following the High Court’s recent judgment in Warren v DSG Retail, which struck out various claims relating to a cyber attack on Currys and Dixons (DSG) in 2017/18. 

Mr Warren brought a claim for distress damages under the Data Protection Act (DPA) which was suspended pending the outcome of an appeal by DSG against a £500,000 ICO fine for inadequate security measures.

However, as is now common practice, Mr Warren also claimed the same distress damages for breach of confidence, misuse of private information, and negligence.

The High Court struck out those additional claims, confirming that:

  • breach of confidence and misuse of private information must involve a positive action by the offender – DSG’s failure to prevent an attack by someone else is insufficient;
  • DSG owed no data security duty of care to Mr Warren beyond the statutory duties imposed by the DPA; and
  • Mr Warren’s anxiety about identity theft does not constitute damage recoverable in negligence.

The judgment makes bringing data breach claims significantly riskier for claimants and their representatives in two key respects.

First, DPA-only claims are more straightforward, making them harder to justify bringing in the High Court (a common claimant tactic to maximise adverse publicity and defence costs for a defendant). Mr Warren’s claim was transferred down to the County Court following the judgment.

Second, DPA-only claims carry a significantly higher costs risk for claimants and claimant firms. Unlike in the High Court, costs are generally irrecoverable on small claims in the County Court. And even if a claim sticks in the High Court, DPA-only claims without misuse of private information or breach of confidence do not allow even a successful claimant to recover the (often high) costs of insuring against adverse costs awards at the outset of the claim.

Claimant firms will inevitably attempt to distinguish their cases from Mr Warren’s and continue to send aggressive pre-action letters seeking to force a settlement. However, the judgment ought to provide them with pause for thought before commencing a Court claim.

For companies, although a helpful precedent, the decision does not negate the risk of civil claims arising from data breaches entirely. Mr Warren’s DPA breach claim remains, as will the appetite of claimant firms to explore collective actions for data breaches (see our recent update on the pending judgment in Lloyd v Google here). Companies therefore need to continue to keep information security a top priority and to implement governance and procedures to enable them to respond swiftly to breaches and mitigate losses to data subjects.

If a burglar enters my home through an open window (carelessly left open by me) and steals my son's bank statements, it makes little sense to describe this as a "misuse of private information" by me. Recharacterizing my failure to lock the window as "publication" of the statements is wholly artificial. It is an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI.