Since last year, Warren has proved a thorn in the side of those bringing claims arising out of external cyber-attacks – appearing, at least, to bar such Claimants from relying on the torts of negligence and misuse of private information (MPI), as well as breach of confidence. That appearance was confirmed to be reality by Saini J in Graeme Smith & ors v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB). Avid readers of Panopticon will observe that it was Saini J who also decided Warren, thus confirming the position in Smith (not the South African cricketer), in the face of attempts by the Claimants initially to suggest that Warren was wrongly decided; diluted subsequently to seek to distinguish it on the facts. Saini J’s confirmation of the position post-Warren (and explaining that he had given consideration to the case of Swinney v Chief Constable of Northumbria Police Force [1997] QB 464) is important, as it makes the law clear, following HHJ Pearce’s decision in Collins & Ors v Ticketmaster UK Limited [2022] Costs LR 123. In Collins, the Court had not decided the point, but did permit an amendment to plead MPI in a data breach case despite Warren – although he “could not say that the claim went beyond that which was arguable”. HHJ Pearce permitted the amendment in Collins where the claimants had argued that Warren could be distinguished and did not apply to cases where the defendant had taken a deliberate decision to conduct its business in a manner that did not comply with the relevant industry standard – as opposed to ‘pure’ omission cases. The clarity now provided by Saini J is welcome, given the importance of the feasibility of MPI claims in this field to claimants potentially being able to recover ATE premia (the conventional wisdom being that they are irrecoverable in DPA/GDPR claims).
There are two salient messages to be drawn from Smith. Both require an understanding of the nature of the data incidents which form the basis of the claim. These are threefold:
- The 2014 Breach, the Claimants’ case summarised by the Judge as “dishonest employees of a third-party service providers were, due to the conduct of the Defendant in system design and access, able to obtain unauthorised access to the Claimant’s private information”.
- The 2015 Breach – a classic external cyber-attack, pleaded by the Claimants as having occurred because of TalkTalk’s failure to put in place adequate measures to secure its IT estate.
- The ‘Unconfirmed Breaches’ – breaches which the Claimants infer could have occurred because they were the subjects of scamming after the 2015 Breach, meaning that the Claimants cannot determine if the scamming was as a result of the 2014 Breach, the 2015 Breach and/or some other ‘unconfirmed’ breach.
As presaged above, the first key takeaway is that Saini J’s decision to strike out the Claimants’ MPI claim is in line with Warren. This is important, if not novel – making clear that Warren remains good law in the case of third-party attacks. The Claimants clearly made a good show of seeking to distinguish Warren on the facts, or at least to try and ground their arguments in what they saw as a distinction drawn by Saini J in Warren between a defendant’s ‘failure’ and their ‘positive conduct’ said to comprise a breach (Warren at [21]).
In Smith, however, Saini J eschewed the act/omission distinction and focused instead on whether the alleged conduct amounted to a misuse by TalkTalk. The Judge noted the “clever pleader” who had recast the Claimants’ case in terms of ‘acts’ by TalkTalk, rather than alleged failures. That, though, was a matter of presentation, not substance. Saini J set out at [48] his conclusion that the Claimants’ claim was in truth “a negligence action masquerading as a claim for MPI”. He reasserted his conclusion from Warren that, in claims of this nature, the relevant conduct is not a misuse of private information by the defendant, but rather of the criminal third-party actors: “creating a situation of vulnerability…is simply not a misuse of information within the tort”: [49].
So much, so orthodox. Indeed, TalkTalk sits within a longer line of authorities which are consistent on the point, including Morrisons, as well as, more recently, Stadler v Currys Group Ltd [2022] EWHC 160 (QB) and Underwood & Underwood v Bounty UK Ltd & Anor [2022] EWHC 888 (QB) – the latter in particular being of note, given that the judgment was given by Nicklin J, the Judge in Charge of the Media and Communications List.
The second takeaway from Smith is arguably the more interesting and raises strategic questions for both claimants and defendants to future actions. This concerns the claim for breach of data protection legislation that was alleged on the basis of what was described in the Particulars of Claim as so-called ‘Unconfirmed Breaches’, which claim TalkTalk sought to strike out. The Claimants’ case on the Unconfirmed Breaches was said by the Claimants’ counsel at the hearing to be based on two inferences: (1) if their data (as used by scammers) was not obtained in the 2014 or 2015 Breaches, it may have been some other unlawful accessing of TalkTalk’s systems; and (2) absent some form of system failure by TalkTalk, their personal data would not have been accessible.
Saini J recognised that the Claimants’ case on this latter aspect had not been clearly pleaded, but nevertheless refused to strike out these claims. Instead, he permitted this aspect of the case to proceed, on the proviso that the Claimants amend their pleading to set out their case clearly, as the Court had understood it. Saini J appeared to place some reliance on the fact that this is a category of case in which, by its nature, a claimant may not know the nature of any tort that may have occurred until after disclosure. At this stage, therefore, the Judge considered that the Claimants could properly mount an inferential case that, where their TalkTalk account data had been used by a scammer, “the scammer had obtained that information from a vulnerability in [TalkTalk’s] systems (and thus a data breach)”, thus rendering TalkTalk liable under the GDPR.
It is this aspect of the reasoning which is likely to be the most controversial. Saini J was careful not to overlook the submission that “the fact that there has been an incident affecting an individual’s personal data does not per se mean that the Defendant is legally liable in respect of that incident” [75]. However, he then goes on to conclude that, although the Claimants’ pleading could be “better expressed”, it appeared to “rely on the breach of [the] seventh principle by way of inference…”. There is an immediate question as to whether such a highly permissive attitude of the Court to permitting Claimants to plead, and take to trial, allegations of breach of the security principle is legally tenable, particularly given that it leaves in place a claim that appears to be highly speculative, and reliant upon little more than the (presumed to be true) fact that their personal data has ended up in the hands of an unauthorised third party. It is difficult to identify any pleaded fact from which the Claimants could establish that the scammers had obtained the data specifically as a result of some unlawful conduct by the Defendant. In respect of the alleged ‘Unconfirmed Breaches’, this is not even the case where Claimants can point to a specific incident or event and plead an inferential case that it must have involved a breach of data protection legislation. Rather, the claim is broadly that there must have been an incident at some unspecified point in time; and that incident entailed a breach of the legislation – without a pleading of why or how, and all the while ignoring the fact that the Claimants have themselves asserted in their pleading that their data was obtained in the 2014 and/or 2015 incidents.
This raises obvious practical questions regarding the scope of the claim and how a defendant is expected to give disclosure against such a plea. That explains TalkTalk’s attempts to resist an RFI made by the Claimants as a “fishing expedition” – although that issue has been adjourned to another day. The Judge took a similar approach to the issue of disclosure – rejecting the argument that the cumbersome nature of the disclosure exercise that would be entailed bore any impact on the question of strike-out: “Disclosure management and proportionality considerations are for case management in due course” [74].
The permissive approach taken by the Court does appear to mark a new departure in the approach to pleading data breach claims. Quite how far the Court has gone, or will go, perhaps remains to be seen. Saini J pointed out that the Claimants in TalkTalk “believe that access [to their records] was either the 2014 or 2015 incidents, but they are seeking to cover other bases”. Whether the Court will be so permissive if Claimants are not merely ‘covering other bases’, but founding their entire claim on speculation of this nature will be a question for another day.
Anya Proops QC and Zac Sammour act for the Defendant, TalkTalk Telecom Group plc, instructed by Mason Hayes Solicitors.
Daniel Isenberg