Accidental data breaches: High Court clarifies causes of action
The High Court has provided important clarification on litigation concerning accidental data breaches (Warren v DSG Retail Limited).
A claim was brought against Dixons Carphone (DSG) following a data breach in 2017 – 2018 when external hackers accessed DSG’s systems. The claim was brought by an affected customer who alleged that his personal data, including his name, address, phone number, date of birth and email address, had been compromised. He claimed against DSG for misuse of private information, breach of confidence, breach of the Data Protection Act 1998 (“DPA 1998”) and negligence.
DSG applied for strike out/summary judgment for all the claims except the claim for breach of the duty to keep data secure under the DPA 1998.
DSG argued the other claims had “no realistic prospect of success,” so should be struck out, because:
- breach of confidence and misuse of private information claims require a positive wrongful action and do not place a data security duty on the defendant, and
- there is no duty of care in negligence for a data controller’s conduct where that conduct is covered by the data protection legislation.
DSG’s application succeeded. The Court noted that misuse of private information and breach of confidence claims scrutinise the actions of data controllers to assess whether they are inconsistent with the obligation of confidence and privacy. The Court also noted that while misuse can include unintentional use, it still necessitates ‘use’, which is a positive action. In this case, it was not Dixons that had used the data, but an external hacker.
ATE Insurance Costs
Data breach claims are often issued with a notice of funding stating that the claim has After the Event (ATE) insurance and that, if the claim succeeds, the premium will be recovered from the Defendant. The High Court held that ATE premiums do not form part of the recoverable costs where the only viable cause of action is under the data protection legislation.
What does this mean for data breach litigation?
Data breach litigation is a fast-growing area. The judgment appears to significantly limit the types of claim that can be brought for data breaches from external hackers or cyberattacks.
The decision is equally important for those defending data breach claims and those deciding whether to pursue such claims. If ATE premiums cannot be recovered in a successful claim, this must be considered at the outset when deciding what types of claims to bring. If the ATE premium is more expensive than the likely damages, the claim would be cost prohibitive, but without ATE insurance a claimant would be exposed to an adverse costs award.