Skip to content

Impactful High Court judgment on damages related to cyberattacks

On 30 July 2021, the UK High Court handed down a helpful judgment clarifying the causes of action likely to be available (or otherwise) to claimants in cases where a data breach occurs through “external” attacks.

A low value claim on a range of actions

In this particular case, Warren v DSG Retail Ltd [2021] EWHC 2168 (QB),  Mr Warren brought a damages claim of GBP 5,000 against DSG (the retailer) for his distress following loss of personal data through the DSG cyberattack, which happened between July 2017 and April 2018 (more details can be found on the UK Information Commissioner’s Office’s (ICO) website here). 

Mr Warren claimed that the compromise of his personal data (including name, address, phone number, date of birth and email address) when cyber-attackers penetrated the DSG systems amounted to a breach of confidence, misuse of private information, breach of the Data Protection Act 1998, and negligence.

DSG applied for summary judgment

DSG, however, applied to have the breach of confidence, misuse of private information and negligence claims struck out (the action for breach of the Data Protection Act 1998 is paused until after DSG’s ongoing appeal to the First Tier Tribunal against the ICO’s monetary penalty notice (as linked above)).

The High Court clarified that breach of confidence, misuse of private information and negligence claims were inappropriate in this context 

Mr Justice Siani found in favour of DSG, concluding that in order to bring a breach of confidence or misuse of private information claim, there had to be a positive action comprising such a breach or misuse. “Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy.” He clarified that, as there was no duty to provide sufficient security for the data under breach of confidence or misuse of private information, a failure to secure information does not constitute a breach of confidence or misuse of private information.

Mr Justice Siani went on to reiterate the position established by the Court of Appeal regarding the negligence claim, that is, there is no reason to impose a duty of care where the statutory duties of the Data Protection Act 1998 operate. More specifically in this case, the Judge considered that there was no room to construct a concurrent duty in negligence where there exists a bespoke statutory regime for determining liability of data controllers. He also noted that in any event, the claimant hadn’t actually shown any recoverable loss and so even if a negligence claim was possible in theory, there was no loss to recover in practice.

Implications for litigation funding

The “Jackson” reforms to civil litigation back in 2012 ended the practice of After The Event (ATE) insurance premiums being recoverable as costs where a conditional fee agreement was in place. These policies are taken out after the event to insure against having to pay the other side’s legal costs if you lose. Successful claimants used to be able to recover from the losing defendant the cost of the insurance premium. The “Jackson” reforms ended this for almost all types of litigation.

Privacy proceedings — defined as proceedings for defamation, malicious falsehood, breach of confidence, misuse of private information, or harassment — are a rare exception. However, if data breaches such as in this case no longer fall within scope of the exception, it casts doubt on the ability of successful claimants to recover their ATE insurance premium and may dissuade some from bringing the claim at all. 


The judgment is available here.


Related blog topics