As the regulatory and legislative landscape in cybersecurity develops at pace, so too do the potential financial implications for organisations that fall victim to data breaches caused by cyber-attacks. In such cases, it has become increasingly common for affected individuals to seek compensation from the impacted organisations. As we have discussed in previous briefings, affected individuals and the law firms representing them are increasingly pursuing such claims on a collective basis (either as opt-in group litigation claims or opt-out representative actions). We also continue to see claims brought on an individual basis.
These claims often rely on multiple causes of action: most obviously breach of data protection law, but also misuse of private information (MPI), breach of confidence (BoC) and/or negligence. One reason for adding MPI and BoC claims is that they are among the few categories of case in which "After The Event" (ATE) insurance premiums remain recoverable from a defendant if the claim succeeds.[1]
However, the recent decision in Warren v DSG Retail Limited EWHC 2168 (QB) makes it highly unlikely that claims arising from third-party cyber-attacks can proceed on any basis other than breach of data protection law. That cuts off the viability of ATE insurance for such claims, and without the backstop of insurance cover for legal costs claimants are less likely to bring them.
DSG is a well-known retailer, operating the household-name brands Currys PC World and Dixons Travel. Between 2017 and 2018, DSG's systems were hacked by sophisticated attackers who installed malware on nearly 6,000 point-of-sale terminals in stores and accessed the personal data of many DSG customers, including names, addresses, phone numbers, dates of birth and email addresses. The claimant, Darren Lee Warren, was a Currys PC World customer who claimed that his personal data was compromised during the attack. He brought a claim against DSG on an individual (not collective) basis on four grounds: breach of the data security principle in the Data Protection Act 1998 (DPA 1998),[2] MPI, BoC and negligence. The attack, it should be noted, had already attracted what was then (prior to GDPR) the maximum fine the Information Commissioner could issue.
DSG applied for summary judgment and/or strike-out of all the claims except the data protection claim; in other words, DSG asked the Court to dismiss those claims. The Court granted DSG's application, holding that neither MPI nor BoC imposes a data security duty on the holder of information, even where that information is private or confidential. Rather, these types of claim require some kind of positive act, such as disclosing the information to a third party.
DSG was the victim of a criminal third-party attack and had not itself disseminated the claimant's personal information. Mr Warren argued that DSG's failure to keep the data secure and to prevent the attack was "tantamount to publication". The court was not persuaded and cited a number of authorities for the principle that privacy and confidentiality claims require a positive act and cannot be founded purely on a failure to keep data secure.
The negligence claim was also dismissed, on the basis that (i) there was neither a need nor a justification for imposing a common law duty of care on a data controller such as DSG when statutory duties under data protection legislation already exist, and (ii) Mr Warren had not pleaded a complete cause of action in negligence. All claims except the data protection claim were therefore dismissed.
The long-term impact of Warren v DSG remains to be seen, but we expect it to reduce the number of compensation claims following cyber-attacks, as claimants and their lawyers may consider them too risky to pursue without insurance backing. In addition, organisations facing claims pleaded on multiple causes of action now have a ready means, backed by this case, to push back immediately on the MPI, BoC and negligence claims as unfounded.
Of course, this does not detract from the ongoing legal obligations on organisations to keep personal data secure. While DSG was fined £500,000 by the ICO (the maximum under the DPA 1998), the fines available under the current regime (the UK General Data Protection Regulation and the DPA 2018) are considerably higher: up to 4 per cent of annual worldwide turnover or £17.5 million, whichever is higher. The ICO has already flexed its muscles in some high-profile cases, and there is evidence of some astronomical fines in other jurisdictions (albeit involving Big Tech failures in a non-cyber-attack context). The viability of collective actions in data breach cases remains an issue of considerable uncertainty, but one which still has the potential to affect organisations severely.
[1] ATE insurance covers the legal costs and expenses involved in litigation.
[2] The events in question took place before the General Data Protection Regulation and the Data Protection Act 2018 came into force.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, September 2021