High Court Limits Scope of Claims for Data Breach

If you run a business that handles personal data of customers, and you are worried about the risk of claims if your company suffers a cyber-attack or some other accidental loss of data, you may take some comfort from the recent High Court judgement of Warren v. DSG Retail Ltd.

DSG Retail Ltd, which owns Currys PC World, suffered a major cyber-attack in 2017/18. Malware was installed on the company’s systems and the personal data of several million people was potentially accessed. The company was subsequently fined £500,000 by the Information Commissioner’s Office and that decision is currently being appealed.

Meanwhile, Mr. Warren, one of those whose data may have been accessed, brought a claim against DSG for £5000, for breach of confidence, misuse of private information, breach of the Data Protection Act 1998 and negligence.

The High Court dismissed all these claims except for breach of the DPA in relation to data protection principle 7 and that claim is on hold pending the outcome of DSG’s appeal against its fine by the ICO.

The judge said that neither a claim for breach of confidence nor a claim for misuse of private information imposes a data security duty on the holder of the information, even if the information is private or confidential. Rather, both are concerned with prohibiting actions by the holder of the information that are inconsistent with the obligation of confidence/privacy. Also, “while ‘misuse’ may include unintentional use, it still requires a ‘use’: that is, a positive action.” That was not the case here.

Similarly, a claim for damages for negligence can only succeed if the claimant has suffered some loss or damage. A state of anxiety produced by some negligent act or omission which falls short of causing a recognisable illness does not constitute damage that would allow such a claim to proceed.

For the thousands of companies handling personal data, this pragmatic judgement can only be helpful, even if it does not exempt them from claims under the Data Protection Act. And the decision may deter organised group/class actions against larger companies following a cyber breach.