Authors

Michael Yates

Partner

Edward Spencer

Senior Counsel

Matthew Caskie

Lawyer

21 September 2021

Disputes Quick Read – 42 / 87 insights

Disputes Quick Read: High Court rules that failure to provide adequate data security is not a positive act

  • Quick read

In Darren Warren v DSG Retail Limited earlier this year, the High Court struck out misuse of private information, breach of confidence and negligence claims, ruling that failure to provide adequate data security is not a positive act that can form the basis of such claims. 

Background

DSG Retail Limited was the victim of a malware hack between 2017 and 2018 on 5,930 point of sale terminals. These terminals stored customer data, which the hackers compromised. The ICO investigated the attack and decided that DSG, as data controller, breached the seventh data protection principle (DPP7) – ie it failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of data. The ICO issued a monetary penalty, which is currently under appeal to the FTT. 

Darren Warren was a victim of the hack and discovered that the hackers had stolen his personal information. This included his name, address, phone number, date of birth and email address. Mr Warren claimed damages of £5,000 for distress via claims for:

  • breach of confidence (BoC)  
  • misuse of private information (MPI)
  • negligence, and 
  • breach of the Data Protection Act (under the 1998 Act). 

In response, DSG applied under CPR 24 and CPR 3.4(2) for summary judgment/strike out of the first three claims. DSG argued that these claims had no realistic prospect of success based on the facts and were untenable as a matter of law. 

The decision

The court noted that, when ruling on strike out applications, it assumes the primary facts alleged are true. This means that the court should not strike out a claim unless it's certain that the statements of case disclose no reasonable grounds for bringing the claim.

Mr Warren had argued that: 

  • DSG intentionally and recklessly left his private information exposed to a real risk of intrusion from the world at large.
  • By failing to keep the data safe, DSG's actions were "tantamount to publication". 
  • DSG's failure to implement basic security measures to protect information meant that it had effectively published Mr Warren's data to the third-party hacker. 

Justice Saini disagreed and struck out the first three claims. He said that:

  • The law of BoC and MPI was for "prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy".
  • A positive action of the holder of the information would require something like publication or disclosure of information. A "misuse" or "use" or an "interference" with Article 8 rights requires a positive act, which was not the case here.
  • DSG had not carried out a positive act, and DSG (itself the victim of the cyberattack) was not accused of any positive conduct. There was no suggestion that DSG facilitated the cyberattack. 
  • While DSG failed to keep Mr Warren's data safe, he could not advance claims for BoC and MPI on this basis, because these claims don't impose a data security duty on DSG.

The court also struck out Mr Warren's negligence claim. Justice Saini couldn't see the logic of imposing a common law duty of care when a statutory regime (ie the Data Protection Act 1998) was already in place, through which DSG owed duties to Mr Warren as the data controller. Mr Warren had only claimed "distress", but a state of anxiety produced by a negligent act or omission that falls short of a clinically recognisable psychiatric illness is not enough damage to complete a tortious cause of action.

Only Mr Warren's claim for breach of the Data Protection Act 1998 remained, which the court stayed pending the FTT case's outcome. 

Key takeaways

  • This case makes an interesting distinction between a hacker and the data controller they hack. In Tchenguiz v Imerman [2011] Fam 116 and PML v Persons Unknown [2018] EWHC 838 (QB), the court held that a hacker who breaks into a computer system and steals information is bound by a duty of confidence. Here, the company that allegedly failed to keep data safe was not bound by this same duty. 
  • Data controllers that have suffered cyberattacks but have not committed a positive act regarding the stolen information have less to fear from any subsequent data privacy claims. Only very brave claimants will proceed with BoC, MPI, and negligence claims, together with a data security claim, for fear of failing to resist a summary judgment/strike out application and ending up paying the cost. 
  • The other outcome of this application saw this claim transferred to the small claims track of the County Court. That is a bad place for claimants to litigate because of the poor costs recovery, even if successful, and capped costs, which would affect the amount of damages they keep. 
  • Turning to reputational damage, while CPR 53 PD B permits claimants to apply for and obtain a statement in open court if they wish to accept a Part 36 offer or other offer of settlement regarding a list of media law claims, data protection is not included in this list. Therefore, if BoC and MPI claims fall outside civil data breach claims, a successful claimant can't publicise a win via a statement in open court.

Find out more

To discuss the issues raised in this article in more detail, please reach out to a member of our Disputes & Investigation team.
