A High Court ruling on a low-value data breach claim may stop claimants recovering after-the-event (ATE) insurance premiums in cases involving cyber-attacks, information law specialists have argued.
As a result, Mr Justice Saini’s decision could stem the number of claims brought by people based on security breaches, which is fast-growing area of legal practice.
Warren v DSG Retail  EWHC 2168 (QB) concerned a complex cyber-attack carried out on the retailer operating Currys PC World and Dixons Travel, which allowed the attackers to access the personal data of many of DSG’s customers.
The Information Commissioner fined the company £500,000 for breaching the seventh data protection principle (DPP7). DSG’s appeal against this will be heard later this year by the First-tier Tribunal.
Mr Warren, one of DSG’s customers, claimed £5,000 damages for distress caused by the data breach, relying on breach of confidence (BoC), misuse of private information (MPI), common law negligence and breach of the Data Protection Act 1998.
ATE premiums can still be recovered for publication and privacy proceedings – which include BoC and MPI – and it has become common practice for data protection claimants to also bring claims under these heads so they can recover their premium if the claim succeeds.
The premium can often be significantly more than the relatively small amount claimed in many data breach cases. Further, claims involving BoC must be commenced in the High Court
According to Pinsent Masons, which acted for DSG, one firm issued nearly 150 claims in the first half of 2021 alone.
DSG sought summary judgment and/or to strike out all of Mr Warren’s claims, apart from the one for breach of statutory duty arising from a breach of DPP7, which has been stayed pending appeal.
Finding for DSG, Saini J said the claim essentially sought to articulate some form of data security data – ie, that DSG failed to provide sufficient security for the claimant’s data.
“In my judgment, neither BoC nor MPI impose a data security duty on the holders of information (even if private or confidential).
“Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy.
“Counsel for the claimant submitted that applying the wrong of MPI on the present facts would be a ‘development of the law’. In my judgment, such a development is precluded by an array of authority.”
The judge said ‘misuse’ required a ‘use’ – a positive action by DSG, which there was not. The claim was “an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI”.
Saini J also struck out Mr Warren’s claim in negligence, saying there was “no room (nor indeed any need identified) to construct a concurrent duty in negligence when there exists a bespoke statutory regime for determining the liability of data controllers”.
David Barker, the partner at Pinsent Masons acting for DSG, said: “This decision is a positive development for those defending data security breach claims as it means that it will no longer be possible to contend that ATE premiums are recoverable from unsuccessful defendants in such cases.
“The need to pay an (irrecoverable) ATE premium – the cost of which can be substantial in comparison with the amount sought by the claimant – is likely to mean a substantial reduction in such cases in future.”
Writing on the 4 Pump Court website, barrister Rebecca Keating agreed that the ruling cast doubt on the recoverability of ATE premiums, adding that it may affect allocation as well.
“If a claim under breach of confidence/misuse of private information is no longer viable, a claimant seeking recovery of a low amount of damages for breach of statutory duty under the Data Protection Act 1998/2018 or the General Data Protection Regulation may struggle to avoid allocation to the small claims track, where recovery of costs is not possible.”
Mr Warren was represented by Pure Legal Costs. Operations director Amanda Ashton said the case was “still ongoing”.
She went on: “Part of the claim for breach of confidence was struck out because the judge ruled there was no breach of confidence in this particular case due to the data leak being caused by a malicious hacking event.
“The pleadings were wrong in relation to the claim for negligence and the court acknowledged that permission to amend the pleadings would likely be granted.
“This case does not have any wide-ranging effect on other cases and the primary cause of action, that for breach of DPP7 is continuing and will be heard following DSG’s appeal against the Information Commissioner’s monetary penalty notice, which is due to be heard in November.”
Jon Else, a director at specialist data breach law firm Hayes Connor, described the decision as “disappointing” but said he was already in discussions with an ATE provider to design a product that would be “fit for purpose”, with the cost of the premium coming out of the damages.
“It narrows the field but it but won’t stop claims coming,” he said. “It will just narrow down the heads of loss we’re pleading in the particulars.”
Kingsley Hayes, head of data breach at Keller Lenkner UK, said the court had provided a “fact-specific” view of misuse of private information that related to a breach that occurred pre-GDPR and the DPA 2018, and “does not appear to account for all of the relevant authorities” in that area.
He said there was “nothing in this judgment” that would lead his firm to view cases involving security breaches as economically unviable .