On July 30, 2021, the UK High Court handed down its judgment in the case of Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), determining that the claimant could not seek damages on the basis of misuse of personal information, breach of confidence or common law negligence following a data breach.
In 2018, DSG Retail Limited (“DSG”) experienced a cyber attack in which hackers infiltrated DSG’s systems and installed malware that ran on point of sale terminals in DSG stores. As a result of the breach, DSG was fined £500,000 by the UK Information Commissioner’s Office for violating the seventh data protection principle (“DPP7”) under the Data Protection Act 1998 (“DPA”) (i.e., the requirement to implement appropriate security measures). That fine is under appeal.
In the case at hand, the claimant, Darren Lee Warren, brought a claim for damages against DSG, based on distress suffered as a result of the breach of his personal data, which included his name, address, phone number, date of birth and email address. In his claim, Warren relied on theories of breach of confidence (“BoC”), misuse of private information (“MPI”), breach of the DPA and common law negligence.
DSG sought to have the BoC, MPI and common law negligence claims dismissed on the basis that they had no realistic prospect of success. DSG challenged the BoC and MPI claims, contending that neither could stem from a failure to keep data secure because both causes of action require a positive wrongful act on the part of the defendant (whereas, in this case, the breach resulted from an external attack). With respect to the negligence claim, DSG argued that, where duties under the DPA apply, the same action cannot be brought in negligence. In addition, DSG argued that negligence required pleading of a recoverable loss, which was not present in this instance.
While the claimant conceded that the BoC claim was untenable, he argued the validity of the MPI claim, stating that he had provided DSG his data with the reasonable expectation it would remain private and that DSG’s failure to protect that data through basic security measures was tantamount to publication of the data. On the negligence claim, the claimant argued that, although the duty of care under negligence “informs” the judicial approach under DPP7, the two duties are separate and the claim under the DPA therefore did not preclude a negligence claim.
The judge disagreed, stating that neither BoC nor MPI imposed a data security duty on the holders of information but instead prohibited actions by the holder that are inconsistent with the obligations of confidence and privacy. The argument that DSG’s failures constituted a positive action was rejected, with the judge describing it as an “unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI.” With respect to negligence, the judge relied on Court of Appeal precedent in holding that there was no common law duty of care, due to the already applicable statutory duty under the DPA. Further, the judge determined that “a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action,” whereas the DPA does allow compensation for distress resulting from a controller’s breach of DPP7; therefore, the claimant had failed to allege any relevant loss under a negligence action.
Ultimately, the judge dismissed the BoC, MPI and negligence claims, while the claim based on breach of DPP7 has been stayed pending a final determination of DSG’s appeal against the ICO fine.