Warren v DSG Retail Ltd – Shifting the Liability Landscape in Post‐Cyberattack Litigation

August.18.2021

Since the General Data Protection Regulations ("GDPR") came into force in 2018, companies in the United Kingdom (UK) that have suffered cybersecurity attacks often face civil claims from individuals whose data has been impacted by that attack, seeking compensation. These claims are often speculative, formulaic, and brought on a "no-win, no-fee" basis. The English High Court recently handed down an important judgment in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) ("Warren") which casts doubt on three of the potential heads of claim typically pleaded in the wake of a cybersecurity breach and which could impact on how these claims are brought, and funded, going forward.

The Facts

In 2017, DSG Retail Ltd ("DSG"), which operates electronics stores Dixons and Carphone Warehouse, suffered a cyberattack resulting in the unauthorised access of personal data. The Information Commissioner's Office ("ICO") investigated the incident and found DSG in breach of Data Protection Principle 7 under the Data Protection Act 1998 ("DPA 1998"), which corresponds to Article 5(1)(f) of the UK General Data Protection Regulations ("UK GDPR") and requires organisations to have in place appropriate technical and organisational measures to protect personal data (the "ICO Decision"). The ICO also issued a Monetary Penalty Notice ("MPN") against DSG for £500,000. DSG is appealing both the ICO Decision and the MPN.

The claimant subsequently brought a civil claim against DSG alleging: (i) breach of confidence; (ii) misuse of private information; (iii) breach of statutory duty; and (iv) negligence and sought damages of £5,000. DSG applied to the court for summary judgment and/or an order striking out each of these claims apart from the claim for breach of statutory duty arising out of alleged breach of statutory duty connected with the ICO Decision.

The Decision

In his judgment, Saini J struck out all claims bar the claim for breach of statutory duty which was allowed to proceed. The rationale for the striking out of the claims for breach of confidence and misuse of private information is of particular significance. Saini J determined that a successful claim for breach of confidence or misuse of private information would require some positive wrongful action in relation to the information in question on the part of the defendant such as disclosing it to a third party or making some other unauthorised use of the relevant data. To the contrary, Saini J emphasised that DSG was the victim of the cyberattack and held that "neither [breach of confidence] nor [misuse of private information] impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy."

The negligence claim was also struck out on the basis that under English law there is neither need nor warrant to impose such a duty of care where the statutory duties (such as those under the DPA 1998) operate. In addition, Saini J noted that there was a complete failure on the part of the claimant to particularise any loss suffered, and a claim of "distress" was not enough in relation to claiming negligence.

The claim for breach was not subject to the application and can continue, although that claim is stayed pending the outcome of DSG's appeal of the ICO's Decision and the MPN.

The Potential Consequences

As noted by Saini J, "it was not DSG that disclosed the Claimant's personal data, or misused it, but the criminal third-party hackers." However, claims like that brought by Mr Warren, are often a corollary where a cyber incident leads to a personal data breach. The court's ruling on the attempt to "shoehorn" data breaches into misuse of private information torts and to pursue negligence claims in the absence of a duty of care and damages below the required threshold (distress versus personal injury, i.e. psychiatric illness) is an important development. It remains to be seen whether the firms which have begun to make a cottage industry from bringing these formulaic claims, which typically include all four of the allegations made in Warren, change their formula to reflect this decision. It will also be interesting to see how this impacts the economic viability of these claims in general (see below).

For organisations faced with defending these claims, the court's approach in Warren demonstrates that many heads of claim which typically feature in post-cybersecurity attack claims will often fail. In addition, as was the case here, the "boilerplate" nature of these claims which often lack specificity on key elements such as causation and loss may get short shrift in court. In short, claims of this nature, can be successfully defended.

It is worth noting that, where the factual background of a claim is not a cybersecurity attack and where there are allegations of systemic, positive acts by the defendant company, the argument successfully pleaded by the Defendant in Warren may not succeed.

The Potential Impact on the "No Win, No Fee" Model

In addition to changing the way in which these types of cases may be argued in the future, the decision in Warren may have a significant impact on the funding model utilised by claimants. In the English court system, 'costs shifting' typically applies, in which the loser in litigation is usually ordered to reimburse (at least a portion of) the winner's costs. A claimant will therefore seek protection against any potential future costs liability in the form After the Event Insurance (the "ATE Insurance").

Due to the peculiarities of English procedural rules, in particular Civil Procedure Rules 48.1 and 48.2, there are some circumstances where the premium for ATE Insurance is recoverable in civil claims. This includes "publication and privacy proceedings" which include proceedings for "misuse of private information", or "breach of confidence involving publication to the general public", but importantly does not include claims for breach of statutory duty related to the GDPR or Data Protection Act 2018.

In the post-Warren landscape this will likely leave potential claimants, who can no longer bring claims which constitute "publication and privacy proceedings", unable to recover the cost of their ATE Insurance premiums. As these premiums often exceed the damages claims for post cybersecurity attack claims, it is hard to see how these kinds of claims will be economically viable going forward.