Threat of follow-on civil claims against companies suffering cyberattack dampened by recent court judgment
22 September 2021
Cyber incidents have a serious regulatory and reputational impact, and increasingly form the subject of follow-on civil litigation. Such civil claims may be less financially attractive for claimants as a result of this case, in which the High Court struck out certain claims against a company that had been the victim of a cyberattack, seeking civil damages for breach of confidence, misuse of private information and negligence. This limited the claimant’s cause of action to a breach of data protection laws. Claimants cannot recover ATE insurance premiums for claims for breach of statutory duty, thus making these types of follow-on claims less financially attractive: Warren v DSG Retail Ltd  EWHC 2168.
Cyberattack and resultant regulatory action
The defendant is a well-known retailer. In 2017/2018, it fell victim to a criminal cyberattack, resulting in the installation of malware on point of sale terminals in its stores. This malware gave third party attackers access to customers’ personal data. Following an investigation, the Information Commissioner determined that the defendant had breached the seventh data protection principle (DPP7), which requires “appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data”. In January 2020, the defendant was issued with a GBP500,000 monetary penalty notice (the Notice) (then the maximum amount, and currently subject to appeal).
Nature of attempted follow-on civil claims
The individual claimant (the claimant) had purchased goods from one of the defendant’s stores. He claimed that his personal information (name, address, phone number, date of birth and email address) was compromised in the attack, and claimed GBP5,000 in damages for distress suffered.
Alongside the claim for breach of statutory duty under the Data Protection Act 1998 (DPA 1998) (which was allowed to proceed), the claimant alleged three broader causes of action: (i) breach of confidence; (ii) misuse of private information; and (iii) common law negligence. The defendant argued that these three causes of action had no reasonable prospect of success and sought strike-out or summary judgment.
No general data security duty found
The claimant’s case on the three causes of action was unsuccessful.
Breach of confidence/misuse of private information: The claimant was unable to show that the defendant itself took any positive wrongful action. There was no suggestion that the defendant purposely facilitated the attack, even if the Notice issued by the Information Commissioner described failings in its data systems and controls.
The action for breach of confidence imposes a negative obligation not to disclose confidential information; similarly, the tort of misuse of private information imposes an obligation not to positively misuse information. They do not give rise to a general duty to keep data secure.
As such, a failure to keep data sufficiently secure from unauthorised third party access (ie an omission) was not considered at law to be a sufficiently positive act to amount to a breach of confidence or misuse of private information.
Common law negligence: The negligence claim was similarly unsuccessful, on two grounds. First, there was no duty of care: there was no need to construct a concurrent duty of care in negligence where there was a bespoke statutory regime determining the liability of data controllers (ie the DPA 1998). Second, the nature of the claimed loss was distress only – while this could form the basis of a claim for breach of statutory duty under the DPA, it was not sufficient personal injury to base a claim in negligence.
Accordingly, all three causes of action were struck out.
Breach of statutory duty claim remains available
The claimant’s claim for breach of statutory duty arising from the alleged breach of DPP7 was not disputed and was allowed to proceed. However, it was stayed pending determination of the appeal against the Information Commissioner’s Notice.
Implications for future litigation
The decision significantly limits the legal causes of action available to claimants where a data controller company suffers an external cyberattack. Such claims are an increasing issue for businesses and public authorities, as the increase in criminal cyber-activity continues, and the value of each individual claim post-attack generally far outweighs associated litigation costs.
Typically, there is significant strategic advantage to claimants bringing these now-dismissed causes of action as part of efforts to recover from a company subject to a data breach, as an ATE insurance premium is recoverable for such privacy-based causes of action. However, if the only remaining cause of action is for breach of statutory duty, ATE premiums will not form part of a successful claimant’s recoverable costs. This may dissuade claimants from pursuing low-value litigation in the event of a data breach through external attacks.
As ever, however, there will likely be attempts in future litigation to limit the application of this case. This could include attempts to re-characterise a lack of care for data security into some sort of de facto positive act, and limit the findings in the case to circumstances where the data breach arises from third party/external actions (rather than internally facilitated data breaches).