Out-Law Analysis
03 Aug 2021, 2:28 pm
Many of the growing number of data protection-related claims being filed against businesses that have fallen victim to cyber attacks are being brought not just under data protection legislation but also in the alternative as claims for breach of confidence or misuse of private information.
A recent ruling should give businesses confidence that they can successfully apply to have those additional causes of action struck out. The case also has wider ramifications in relation to the recoverability of “after the event” (ATE) adverse costs insurance premiums and may therefore affect the commercial viability of such claims for claimants.
Since the Jackson reforms of civil court costs, successful claimants’ ability to recover their lawyers’ success fees and ATE premiums has been significantly curtailed by measures aimed at curbing what was perceived to be a growing litigation culture. One exception to this broad reform was made for the purposes of “publication and privacy proceedings”, i.e. claims in defamation, malicious falsehood, misuse of private information, breach of confidence and harassment. Though the scope of this exception was reduced in April 2019 to exclude success fees from being recoverable in publication and privacy proceedings under conditional fee arrangements entered into from that point onwards, the exception otherwise remains in place in relation to the recoverability of ATE premiums in publication and privacy proceedings.
When a claimant raises claims for breach of data protection legislation, these are not considered to be publication and privacy proceedings. It has therefore become common practice for claimants to bring claims in misuse of private information and breach of confidence alongside claims for breach of data protection legislation with a view to recovering an ATE premium if the claim is successful. This has ramifications for the commercial dynamics of such cases where the amount claimed is often small in comparison to the cost of the ATE premium. In addition, claims involving breach of confidence must be commenced in the High Court, which has led to the Media and Communications List at the court becoming heavily populated with these low value claims. One claims management company issued close to 150 such claims in the first half of 2021 alone.
In his claim, Darren Warren is seeking to recover damages for distress caused following a cyber incident. He advanced his claim under various guises, arguing that there had been breach of confidence, misuse of private information, negligence and breach of various provisions of the Data Protection Act 1998 – including the seventh data protection principle under the Act, which concerns data security (DPP7). DSG Retail Ltd applied to the court for strike-out of all the claims made other than that under DPP7. Although the case was decided by reference to the 1998 Act, the same points will apply to claims under the current UK GDPR regime.
Mr Justice Saini ruled in favour of DSG. The judge struck out Warren’s claims in both breach of confidence and misuse of private information, finding that both causes of action require some form of “positive conduct” by a defendant and that this is lacking in a cyber attack scenario.
In reaching this conclusion, the judge considered case law arising from a 2019 judgment concerning a data breach experienced by Morrisons in which the High Court held that the supermarket could not be directly liable in breach of confidence or misuse of private information where the acts alleged to amount to a breach/misuse were carried out by a third party. In the Morrisons case, the third party was an employee who had gone rogue. By analogy, where third party hackers access, disclose or misuse an individual’s data it is they that are properly liable in breach of confidence and misuse of private information and not the data controller in question. As Mr Justice Saini confirmed, a data security duty does not arise on data controllers under the common law concerning breach of confidence or misuse of private information, and there is no need for the law to be extended in that way given that such a duty already exists under data protection legislation.
Mr Justice Saini also struck out Warren’s claim in negligence, applying the principle established in the case of Smeaton v Equifax in 2013 that there is no need to impose a tortious duty of care on a data controller where a bespoke statutory regime for determining their liability already exists.
The judge’s findings mean that Warren’s claim is now limited to a claim for breach of DPP7 only, Warren having conceded that the other breaches of the DPA 1998 that had been alleged should be withdrawn. The remaining claim will be considered by the County Court but not until after DSG’s appeal against a fine imposed on it by the Information Commissioner’s Office in relation to the incident has been ruled on by the first-tier information rights tribunal.
This decision is a positive development for those defending data breach claims as it means that it will no longer be possible to contend that ATE premiums are recoverable from unsuccessful defendants in such cases. The need to pay an irrecoverable ATE premium – which can be 50% or more of the claimant’s estimated losses in such cases – is likely to mean a substantial reduction in such cases in future.
Co-written by Caroline Henzell of Pinsent Masons.