In an important decision for data controllers and processors who are the victims of cyber-attacks, the High Court has struck out claims for breach of confidence, misuse of private information and negligence based on data loss resulting from such an event.
Of further significance is the implication of this judgment for a claimant's ability to recover their ATE insurance premium, which casts considerable doubt on the future commercial viability of claims based on 'external attacker' data breaches.
The defendant in the case, the retail operator of Currys PC World and Dixons (DSG), was the victim of an external cyber-attack in which the perpetrators accessed DSG's 'point of sale' computer system and along with it the personal data of many customers, affecting at least 14 million people.
The claimant had been a customer of DSG and claimed that as a result of the cyber-attack his personal data (name, address, phone number, date of birth and email address) had been compromised. Consequently, the claimant brought claims for breach of confidence, misuse of private information, negligence and breach of the Data Protection Act 1998.
However, the High Court roundly rejected all but one of the claimant's causes of action, striking out his claims for (i) breach of confidence and misuse of private information, as they both require positive wrongful conduct on the part of the defendant, and do not encompass a data security duty; and (ii) negligence, as there is no duty of care in negligence in respect of conduct covered by the data protection legislation. The claimant was left with only a claim under data protection legislation (a claim which is stayed pending the outcome of DSG's appeal of the ICO's monetary penalty against DSG).
The judgment also has an important impact on a claimant's ability to recover their 'after the event' (ATE) insurance premiums, which can often exceed the value of the damages sought in the underlying claim. In general terms, ATE insurance premiums are not recoverable in civil litigation, but a carve-out exists for 'publication and privacy proceedings' (PPPs), which include claims for misuse of private information and breach of confidence. Data breach claimants routinely include claims of this nature alongside their principal cause of action under data protection legislation in order to recover their ATE premium if their claim succeeds. However, in the light of this decision, the commercial viability of bringing data breach claims of this kind is severely undermined: those claimants will no longer have claims falling within the PPPs carve-out and as such they are unable to recoup their ATE premium even if successful; and their damages for the data breach may not cover, let alone exceed in a meaningful way, the value of their ATE premium. This judgment may, therefore, significantly stifle the flow of data breach claims based on external cyber-attacks or similar where there has been no positive action on the part of the defendant.