Important new High Court judgment on data breach litigation

The High Court (Saini J) has today handed down judgment in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) (available here: Warren v DSG judgment). It is pithy and important stuff for data protection litigation, especially as regards accidental data breaches and the recoverability of ATE premiums.

The case concerned a low-value claim brought against Dixons Carphone (‘DSG’) in relation to a 2018 data breach, in which external cyber-attackers had penetrated DSG’s systems. The claim was brought in misuse of private information, breach of confidence, breach of the Data Protection Act 1998, and negligence.

DSG applied to strike out / for summary judgment upon all the causes of action save for breach of the data security duty (DPP7). The DPP7 point is to be shelved pending the outcome of DSG’s appeal to the First-Tier Tribunal against the Information Commissioner’s monetary penalty notice.

DSG argued that the other causes of action should be struck out or summary dismissed because (i) breach of confidence (‘BoC’) and misuse of private information (‘MPI’) require positive wrongful conduct on the part of the Defendant, and do not encompass a data security duty; and (ii) there is no duty of care in negligence in respect of conduct covered by the data protection legislation (Smeaton v Equifax plc [2013] 2 All E.R. 959). That application was granted by Mr Justice Saini, holding that (at [22):

[T]he Claimant’s claim is that the DSG failed in alleged duties to provide sufficient security for the Claimant’s data. That is in essence the articulation of some form of data security duty. In my judgment, neither BoC nor MPI impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy. Counsel for the Claimant submitted that applying the wrong of MPI on the present facts would be a “development of the law”. In my judgment, such a development is precluded by an array of authority.”

As regards MPI, see also this (at [27]):

“I accept that a ‘misuse’ may include unintentional use, but it still requires a ‘use’: that is, a positive action.”

The decision provides welcome clarity on the causes of action that can properly be brought in ‘external attacker’ data breach cases. It is, moreover, of potential wider significance, given the inter-relationship of these causes of action and costs recovery.

Data breach claims (both individual and group) are commonly issued together with notices of funding indicating that the claimant has costs protection by way of After the Event (‘ATE’) insurance, and will seek to recover the ATE premium from the Defendant. The ATE premium often matches or exceeds the damages claimed in the action. But ATE premia are not generally recoverable in civil litigation. There is a carve-out for ‘publication and privacy proceedings’ (‘PPPs’), where ATE premia are recoverable, but the definition of PPPs[1] includes proceedings for ‘misuse of private information’, or ‘breach of confidence involving publication to the general public’, but not data protection claims.

Following this judgment, there must be (as a minimum) considerable doubt as to whether claimants can seek to recover ATE premia from defendants in ‘external attacker’ data breach cases and, if they cannot, as to the economic value of such cases for claimants.

Rupert Paines of 11KBW and Panopticon fame acted for DSG, led by Antony White QC and instructed by David Barker and Caroline Henzell of Pinsent Masons LLP.

[1] See art. 1(2) Legal Aid, Sentencing and Punishment of Offenders Act 2012 (Commencement No. 13) Order 2018 (SI 2018/1287).


Robin Hopkins