Data breach litigation: a tap on the brakes or the end of the road for claimant firms?

The recent Warren v DSG decision may significantly limit the recent wave of data breach litigation by claimant firms. The High Court summarily dismissed claims for breach of confidence, misuse of private information and negligence.

Introduction

Last week, the High Court handed down judgment in Darren Lee Warren v DSG Retail Limited [2021] EWHC 2168 (QB), a decision that may significantly limit the recent wave of data breach litigation by claimant firms.

The claims follow a now familiar trajectory. A business suffers a data breach involving the personal data of its customers. Consumer-focussed claimant firms then seek to sign up affected customers, issuing multiple claims for damages for breach of the UK GDPR, breach of confidence, misuse of private information and negligence backed by conditional fee agreements and After the Event (“ATE”) insurance.

Leveraging the perceived complexity of data claims, the lack of clear authority regarding quantum and the cost exposure created by ATE premiums in publication and privacy proceedings, claimant firms have created a business model fuelled by out-of-court settlements.

In Warren v DSG, the High Court summarily dismissed the claimant’s claims for breach of confidence, misuse of private information and negligence, leaving only the UK GDPR claim. Not only will this considerably simplify the defence of similar claims, it makes it increasingly unlikely that claimant firms will be able to recover ATE premiums in similar cases. This is because the recovery of ATE premiums was entirely dependent on the existence of a privacy claim, being one of the few classes of claim where ATE premiums are still recoverable.

Case overview

Currys PC World (“DSG”) suffered an external attack resulting in the compromise of c. 10 million customer records. The ICO subsequently issued a monetary penalty notice of £500,000, the highest possible at the time (although DSG’s appeal against this penalty is pending).

The claimant, an individual customer, sought £5,000 for breach of the Data Protection Act 1998 (the “DPA”) (as the incident took place before the coming into force of the UK GDPR), breach of confidence, misuse of private information and negligence.

Whilst the parties agreed to stay proceedings relating to the breach of the DPA pending DSG’s appeal against the monetary penalty notice (due to be heard in November 2021), DSG applied for summary judgment on the remaining claims.

Reasoning

The High Court summarily dismissed the non-DPA claims on the basis that: a) all of the causes of action required some positive wrongful action to be taken (for example, deliberate disclosure of personal data, or wrongful use); and b) there was no positive wrongful action in circumstances where DSG was the passive victim of an attack and had not purposefully facilitated the data breach.

The court held that the actions for breach of confidence and misuse of private information do not impose any form of data security duty on DSG. For the negligence claim, there was also no such duty. Further, the court found that a state of anxiety which falls short of clinically recognised psychiatric harm is not sufficient damage to found a claim in negligence.

Commentary

Implications 

Whilst unsurprising, this is a welcome and timely decision for organisations responding to data breaches.

Although the decision does not mean the end of follow-on litigation following data breaches, it will have a number of important implications for data litigation. In particular, it will:

  • considerably narrow the issues in dispute, rightly (in the authors’ view) focusing such disputes on the key question of whether the incident in question involved breaches of the UK GDPR; and
  • undermine the business model of claimant firms which have been bringing multiple individual claims using ATE insurance to offset their cost risk and to pressure defendant companies into settlements well above the level the claimants would be likely to recover if the matters went to court.

Unanswered questions

However, there are still a number of important legal questions that need to be resolved before the legal liability position in this area becomes clearer:

  • Collective actions: Whilst bringing multiple individual claims is one approach to data breach litigation, it may be that this decision simply shifts the focus of claimant firms towards bringing collective, rather than individual, actions. In particular, practitioners are eagerly awaiting the Supreme Court’s decision in Lloyd (Respondent) v Google LLC (Appellant) UKSC 2019/0213, which will clarify both whether ‘distress only’ damages are recoverable for breaches of the UK GDPR and whether such claims can form the basis of same-interest collective claims. If the Supreme Court allows ‘opt out’ collective actions of this sort, it is likely to have a seismic effect on litigation in this area (see our commentary on Lloyd v Google here), but increased group litigation in this area is likely in any event.
  • Quantum: There is also considerable uncertainty regarding the quantum available. Whilst rare cases involve serious harm, the majority of data breach claims involve individuals who have experienced real but comparatively minor distress and inconvenience as a result of an incident. Cases such as R. (on the application of M) v Chief Constable of Sussex [2021] EWCA Civ 42 (£500 damages for a relatively serious breach involving details of a subject’s sex life) suggest that the damages recoverable by individuals affected by data breaches are likely to be quite modest. However, claimant firms routinely suggest to their clients that damages of £5,000 to £10,000 may be recoverable and judicial guidance is urgently needed in this area. Similarly, there is some suggestion (see TLT v Secretary for Home Department [2016] EWHC 2217 (QB)) that there may be a de minimis threshold for harm in cases of this sort but where this threshold may lie remains unsettled.
  • Causation: The decision also leaves open the question of what sort of “positive wrongful act” may justify a privacy, breach of confidence or negligence claim. In DSG the court provided limited guidance, relying on the fact that it was not pleaded that DSG had purposefully facilitated the hack and the premise that it would also be “contrary to common sense” for it to have done so (para. 21). However, there are still a number of data breaches which arguably arise from positive acts (for example, sending personal data to unauthorised recipients). Further, a number of positive acts in the chain of causation leading to a breach arguably have a causative effect on an incident (for example, misconfiguration by an agent or employee or a decision to deprioritise patching or penetration testing in favour of other corporate priorities). The ICO recently found, for example, that the transgender charity Mermaids had “a negligent approach” towards data protection, with inadequate policies and a lack of staff training. The result was that discussions between a private email group became publicly available via an internet search engine. It remains to be seen whether actions of this sort would be enough to found privacy, breach of confidence and negligence claims. The decision also has less impact on other emerging areas of consumer litigation, such as litigation around the use of cookies.

To discuss this or any similar issues, please contact Matthew MacLachlan.

Disclaimer

This information is for educational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. © Shoosmiths LLP 2024.
