Cyber-attacks, data breaches and causes of action

A recent High Court claim was based on a core allegation that the defendant had failed to protect the claimant’s data from a cyber-attack. Peter Wake looks at the lessons to be learned.

In Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), the High Court struck out unnecessary and unfounded causes of action in a low-level data breach claim arising out of a cyber-attack. 

The claim arose out of events between 24 July 2017 and 25 April 2018 when the defendant, the retail operator of ‘Currys PC World’, was the victim of a “complex cyber-attack carried out by sophisticated and methodical criminals” during which the attacker accessed the personal data of numerous customers. The ICO investigated the incident and concluded the defendant was in breach of the seventh data protection principle, namely the requirement for “appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data”.

The claimant was an affected customer. He brought a claim relating to the compromise of his personal data in the form of his name, address, phone number, date of birth and email address. The claim, limited to £5,000 and seeking damages for distress, included allegations of breach of confidence (“BoC”), misuse of private information (“MPI”), breach of the Data Protection Act 1998 (“DPA”, the index events pre-dating DPA 2018/UK GDPR) and negligence. The defendant applied to strike out all the causes of action apart from the claim for breach of statutory duty under the DPA. The application succeeded.

  • The claim was based on a core allegation that the defendant failed to protect the claimant’s data from the attack.
  • Neither BoC nor MPI imposed a “data security duty” of this type; rather, they required positive wrongful conduct.
  • The negligence claim was fatally flawed for two reasons. First, there is a statutory regime for the liability of data controllers and no co-extensive duty. Second, distress was not a form of actionable damage to complete the tort of negligence.

The claim was transferred to the county court for further directions in the DPA claim once the defendant’s appeal of the ICO’s decision had been determined.

Comment

There are a number of pertinent points from this concise judgment:

  • It clarifies the legitimate causes of action that arise in claims flowing from a cyber-attack.
  • Where the only viable cause of action is under the statutory data protection regime, ATE premiums will not form part of recoverable costs.
  • The transfer to the county court for the resolution of the extant low-value claim provides further support for the proposition that the High Court is not the suitable venue for this litigation.

Peter Wake is a partner at Weightmans.