Clifford Chance

The English High Court has confirmed that claims for breach of confidence (BOC), misuse of private information (MOPI), and negligence in relation to data breaches in a cyber incident will fail, unless the defendant has taken some positive wrongful action in relation to that information.

The Court's decision should provide corporate victims of cyber-attacks with some comfort in relation to their liability to customers for these types of breaches. Further, as we discuss below, the judgment impacts the claimants ability to fund such claims.

Nevertheless, there remains a wider question about whether or not there may be a future route to establish liability under data protection legislation in relation to cyber incidents – an option which will largely depend on the upcoming decision of the Supreme Court in Lloyd v Google.

Background

Between 24 July 2017 and 25 April 2018, UK retailer DSG Retail Limited ("DSG"), which operates the 'Currys PC World' and 'Dixons Travel' brands, was the victim of a cyber incident, during which the attackers accessed the personal data of DSG's customers. Following an investigation into the incident, the Information Commissioner issued DSG with a Monetary Penalty Notice (MPN) in the amount of £500,000 for breach of the seventh data protection principle ("DPP7"). The MPN is subject to an appeal which will be heard later this year before the First Tier Tribunal.

The Claimant alleged that certain personal information – his name, address, phone number, date of birth and email address – was compromised in the attack, and brought claims for BOC, MOPI, breach of the Data Protection Act 1998 ("DPA") and negligence. He sought damages in the amount of £5,000 in respect of distress suffered as a result of his personal data being compromised and lost.

DSG sought a summary judgment to dismiss the BOC, MOPI and negligence claims (but not the breach of the DPA claim). The Court had to consider whether the Claimant had no real prospect of succeeding on the BOC and MOPI claims.

Decision

The Court agreed with DSG and dismissed those claims.

The Court made it clear that for a claim for BOC or MOPI to succeed, there must be some positive wrongful action in relation to the Claimant's information: BoC imposes "a negative obligation not to disclose confidential information" (Sports Direct v Rangers at [26]); while MOPI imposes an obligation "not to misuse private information", the term "misuse" requiring a positive action (Warren at [26] – [27]). In addition, the Court compared the present case to Various v Morrison Supermarkets, where a wrongdoer employee had copied the personal data of Morrisons' employees and later disclosed it online – in that case, the court had held that Morrisons was not liable for BOC or MOPI because that act had been committed by a third party (the employee). Likewise, here, it was not DSG that had disclosed the Claimant's personal data or misused it, but the third-party cyber attackers ([30] – [31]).

In relation to the negligence claim, the court found that no duty of care was owed by DSG to the Claimant. The Court applied the principles in Smeaton v Equifax, where the Court of Appeal held that there is no need to impose a duty of care where the statutory duties under the DPA 1998 operate. As a result, the negligence claim failed.

What does this mean for cyber-attack defendants?

The case confirms that the English Courts will be unlikely to find a corporate victim of a cyber incident liable for BOC or MOPI, unless that entity took a positive wrongful action in relation to that information. This has provided helpful clarification on the limits of possible BOC and MOPI claims in a cyber-attack context. For more information on the potential different claims that firms may face following a data breach, please refer to our briefing, Data Collective Actions: The Costs of Losing Control.

More broadly, the Court's decision also makes it clear (following the rationale established in Various v Morrison Supermarkets) that a company may avoid liability for BOC or MOPI if the disclosure or misuse of information is by a third party – whether that third party is an employee or a hacker.

Nevertheless, both the present case and Various v Morrison Supermarkets confirm that in circumstances where personal data held by a company is compromised by a third party, the company in question may still be liable under the data protection principles (namely, DPP7).

Civil liabilities of defendants under data protection legislation are expected to be further clarified when The Supreme Court hands down its judgment following the appeal from the Court of Appeal decision in Lloyd v Google.  In particular, the Supreme Court is expected to opine on whether loss of control of data alone, without the need to identify specific financial loss and/or distress, gives rise to a claim in damages under the DPA.

A further point that will interest potential defendant organisations relates to the funding of cases of this kind.  Many cases are funded using "After the Event" insurance, and successful claimants would recover the success fees (payable to their lawyers) from unsuccessful defendants. That position changed in 2019 for all cases other than "publication and privacy proceedings". Those proceedings include proceedings for MOPI, or BOC where there has been publication to the general public, but the definition does not include data protection claims.  If a claimant can only rely on data protection claims in this type of case, they will become much more difficult to fund and are unlikely to be attractive to claimants or their lawyers.

For more information on data litigation from a defendant perspective, please refer to our briefing, Data Litigation: A Toolkit for Defendants, which sets out the key defences to civil claims arising out of data breaches.