Accidental data breaches: High Court clarifies causes of action


3 mins

Posted on 17 Aug 2021

Accidental data breaches: High Court clarifies causes of action

The High Court has provided important clarification on litigation concerning accidental data breaches (Warren v DSG Retail Limited). 

Background 

A claim was brought against Dixons Carphone (DSG) following a data breach in 2017 – 2018 when external hackers accessed DSG’s systems. The claim was brought by an affected customer who alleged his personal data, including his name, address, phone number, date of birth and email address had been compromised. He claimed against DSG for misuse of private information, breach of confidence, breach of the Data Protection Act 1998 (“DPA 1998”) and negligence.

DSG applied for strike out/summary judgment for all the claims except the claim for breach of the duty to keep data secure under the DPA 1998.

DSG argued the other claims had “no realistic prospect of success,” so should be struck out, because:

  • breach of confidence and misuse of private information claims require a positive wrongful action and do not place a data security duty on the defendant, and
  • there is no duty of care in negligence for a data controller’s conduct where that conduct is covered by the data protection legislation.

DSG’s application succeeded. The Court noted that misuse of private information and breach of confidence claims scrutinise the actions of data controllers to assess whether they are inconsistent with the obligation of confidence and privacy. The Court also noted that while misuse can include unintentional use, it still necessitates ‘use’, which is a positive action. In this case, it was not Dixons that had used the data, but an external hacker. 

ATE Insurance Costs 

Data breach claims are often issued with notice of funding that the claim has After the Event (ATE) insurance, and, if successful, that this premium will be recovered from the Defendant. The High Court held that ATE premiums do not form part of the recoverable costs, where the only viable cause of action is under the data protection legislation.

What does this mean for data breach litigation?

Data breach litigation is a fast-growing area. The judgment appears to significantly limit the types of claim that can be brought for data breaches from external hackers or cyberattacks.

The decision is equally important for those defending data breach claims and those deciding whether to pursue such claims. If ATE premiums cannot be recovered in a successful claim, this must be considered at the outset when deciding what types of claims to bring – if the ATE premium is more expensive than the likely damages, it would be cost prohibitive, but without ATE insurance a claimant would be exposed to an adverse cost award. 

Key Contacts

Piers Leigh-Pollitt

Piers advises a mixture of corporates and individuals on a wide range of HR/employment law matters and data protection issues (mainly from an HR perspective). Piers is also the firm’s internal compliance officer and handles all regulatory and internal compliance matters. He also heads up the firm's Data Privacy team and holds the Practitioner Certificate in Data Protection (GDPR).

  • Partner & Compliance Officer for Legal Practice
  • T: +44 (0)118 951 6761
  • Email me

View profile

Mike Hibberd

Mike is an employment and data privacy law expert advising both organisations and senior individuals on a wide range of human resources and related issues.

  • Legal Director
  • T: +44 (0)118 951 6765
  • Email me

View profile

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.

Back to top