A recent High Court ruling on a data breach claim may lead to an overall reduction in the number of data breach claims being prusued. The ruling in the case of Warren v DSG Retail may negatively affect future claimants’ abilities to recover the costs of ATE premiums following data breach claims for cyber attacks. The case is also likely to impact allocation and costs recovery. The outcome of this case has left some legal professionals concerned about the future of these these types of claims due to the financial risks involved in running data breach cases.
Warren v DSG Retail: Case Summary
DSG Retail, which operates Currys PC World and Dixon Travel, were subject to a complex cyber attack between July 2017 and April 2018, in which attackers gained access to their customers’ personal data. The company was fined £500,000.00 by the Information Commissioner for their breach of DPP7; which requires “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data” by notice on 07/01/2020 in relation to their computer system and organisational measures. An appeal is due to be heard later this year.
A number of claims have since been brought against DSG Retail under the Data Protection Act 1998 (DPA 1998).
The claimant ; Warren, commenced an action claim for an alleged breach of data protection principles, negligence, misuse of private information and breach of confidence.
Damages were sought only in respect of distress. No claim was made for financial loss or personal injury following the cyber-attack.
The Defendant made an application for a summary judgment and/ or for the Court to strike out all claims apart from the breach of statutory data protection principles claim. In considering the Defendant’s application
Mr Justice Sani stated the following:
“in my judgment…..it is clear that the Claimant does not allege any positive conduct by DSG said to comprise a breach or a misuse for the purposes of either BoC or MPI……In my judgment neither BoC nor MPR impose a data security duty on the holders of information. I accept that a misuse may include intentional use , but it still requires a ‘use’; that is a positive action.”
The Claimants sought to argue that a failure to protect the data was “tantamount to publication”. Mr Justice Sani did not find that persuasive, using the following analogy:-
“If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a ‘misuse of private information’ by me. Recharacterising my failure to lock the window as a ‘publication’ of the statements is wholly artificial. It is an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI”
“In my judgment, neither [breach of confidence nor misuse of private information] impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy. Counsel for the Claimant submitted that applying the wrong of [misuse of private information] on the present facts would be a “development of the law”. In my judgment, such a development is precluded by an array of authority.”
Regarding the negligence claim, he stated:
“[t]here is neither need nor warrant to impose such a duty of care where the statutory duties under the DPA 1998 operate” and ……“[a] cause of action in tort for recovery of damages for negligence is not complete unless and until damage has been suffered by the claimant. Some damage, some harm, or some injury must have been caused by the negligence in order to complete the claimant’s cause of action. However, a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action.”
Mr Justice Sani therefore dismissed the claims for breach of confidence, misuse of private information and negligence. The breach of statutory data protection principles claim was transferred for directions at the County Court.
The impact of Warren v DSG on future data breach claims
Following the ruling in this case, there have been concerns amongst claimant solicitors that many causes of action, other than breaches of statutory data protection principles, will be dismissed by the High Court.
The significant costs consequences following the failure of these types of claims may lead to a curtailment in future data breach claims.
David Barker from Pinset Masons, acting for DSG Retail stated:
“The need to pay an (irrecoverable) ATE premium – the cost of which can be substantial in comparison with the amount sought by the claimant – is likely to mean a substantial reduction in such cases in future.”
Barrister, Rebecca Keating discussed the potential costs impacts for claimants in these types of cases by stating the following;
“If a claim under breach of confidence/misuse of private information is no longer viable, a claimant seeking recovery of a low amount of damages for breach of statutory duty under the Data Protection Act 1998/2018 or the General Data Protection Regulation may struggle to avoid allocation to the small claims track, where recovery of costs is not possible.”
Costs Lawyer, Victoria Morrison-Hughes considers that the limited availability of ATE providers and products in this (Data breach) market together with the level of premiums charged before this decision made it prohibitive to most litigants and this decision is only likely to restrict that marketplace even further. The requirement for a claimant to then demonstrate a “clinically recognisable psychiatric illness” coupled with the risk that these cases could be allocated to the Small Claims Track means it could become unviable for legal practitioners to take on these types of claims. It is of course worth noting that the value of the case is merely one factor in determining the correct track [CPR 26.8]. Is this yet another blow to the Jackson utopia where the real effect is restricting access to justice?
It is worth noting; however, that this case is due to be appealed so the full impact of the case is yet to be known.
How can R&R Solutions assist?
R&R Solutions can assist firms wishing to exit specific areas of law. You may decide to exit the market of data breach claims.
We offer a positive solution to any law firm by helping them exit any legal market, and ensuring they get the most out of their files.
Whatever the reason for exiting a market, R&R Solutions will ensure the most positive and profitable outcome is achieved. An additional benefit being that the firm’s clients not only get a seamless transfer, but they are also married up with a firm specialised in their particular needs. The unique scheme offered by R&R Solutions is suitable for law firms and professional advisors, including restructuring solicitors, and accountants. Our team manage the transfer of files from start to finish, placing case files with an approved law firm so as to protect the integrity of the client’s case.
We will provide you with all the advice and support you need, and we guarantee 100% confidentiality for all clients. If you would like to find out more about R&R Solution’s process, feel free to get in touch today via email (firstname.lastname@example.org), telephone (0845 056 1258) or contact Sally Dunscombe at email@example.com or 07774 205 870.
Retirement Project - Grant Saw Solicitors LLP
“With our claimant personal injury partner retiring in we decided the time was right to step back from PI work. We reviewed the market options, were disappointed at the discounts being applied by potential buyers of the WIP and were referred to R&R’s offering the full realisation of WIP over time. It has effectively delivered what it “said on the tin” - over the project period we have seen a steady flow of receipts being accounted for to us, allowing us to recover the full value we had built up in the files."
- Mike Clary, Partner
Restructuring Project - Copley Clark
“Having taken a strategic decision to be completely step out of the claimant personal injury sector we were R&R’s first client to step back on a phased basis. R&R customised their offering specifically for us and I am happy to say it has worked a treat. We could focus our own resource on matters where we had a possibility of concluding within our timetable and utilised R&R’s panel firms to continue to work on other matters. Not only have their services allowed us to retain the value we had built in the files, the nature of the services ensured we were able to offer our clients the option of moving to firms with the skill sets required to best service their specific needs. For firms considering restructuring we would have no hesitation recommending R&R Solutions."
- Malcolm Lawrence, Partner
Restructuring Project - Farley Dwek Solicitors
" We had an extremely positive experience working with R&R Solutions after making the strategic decision to move away from an area of law and retune our business model. The process was very straightforward, and we were really pleased with the overall outcome. We would highly recommend the Recovery First model as a practical solution to any law firm wishing to exit a specific sector.”
Jonathan Dwek, Director
Ticking all the boxes for a quick, clean, confident exit from legal markets due to restructuring or retirement.
Contact us now in the strictest confidence
07774 205 870
07887 796 989
106 Kennedy Building
PO Box 632