On 30 July 2021, Saini J handed down judgment on the Defendant’s strike-out application in Warren v DSG Retail Limited [2021] EWHC 2168 (QB). His decision addresses the viability (or, more properly, the lack thereof) of breach of confidence (BoC) and misuse of private information (MPI) claims against data controllers who have suffered cyber attacks and, in so doing, provides much-needed clarity on the recoverability of ATE adverse costs insurance premiums in such claims.

First, a quick recap. Following the Jackson reforms, the recoverability of success fees and ATE premiums was significantly curtailed in an attempt to curb what was perceived to be a growing litigation culture.  One exception to this broad reform was made for the purposes of “publication and privacy proceedings”, i.e. claims in defamation, malicious falsehood, MPI, BoC and harassment.  In April 2019 the scope of this exception was reduced: success fees ceased to be recoverable in publication and privacy proceedings under CFAs entered into from that point onwards. To date, however, the exception remains in relation to the recoverability of ATE premiums in publication and privacy proceedings. 

Claims for breach of data protection legislation are not publication and privacy proceedings. It has therefore become common practice for claimants to bring claims in MPI and BoC alongside claims for breach of data protection legislation with a view to recovering an ATE premium if the claim is successful. This has ramifications for the commercial dynamics of such cases, where the amount claimed is often small in comparison to the cost of the ATE premium. In addition, claims involving BoC must be commenced in the High Court, which has led to the Media and Communications List becoming heavily populated with these low-value claims. One firm had issued close to 150 such claims in the first half of 2021 alone.

In his claim, Mr Warren seeks to recover damages for distress caused following a cyber incident. His claim advanced various causes of action, including BoC, MPI, negligence and breach of various DPA 1998 provisions including DPP7 (i.e. the data security duty which is found at Article 5(1)(f) of GDPR). DSG applied for strike-out and/or summary judgment of all causes of action other than that under DPP7.

Finding for DSG, Saini J struck out Mr Warren’s claims in both BoC and MPI, finding that both causes of action require some form of “positive conduct” by a Defendant and that this is lacking in a cyber-attack scenario. In reaching this conclusion, the judge adopted the reasoning of Langstaff J in Morrisons [2019] QB 722 that Morrisons could not be directly liable in BoC or MPI where the acts alleged to amount to a breach/misuse were carried out by a third party. In Morrisons the third party was an employee who had gone rogue. By analogy, where third party hackers access, disclose or misuse an individual’s data it is they that are properly liable in BoC and MPI and not the data controller in question. As Saini J states, BoC and MPI do not impose a data security duty on data controllers, and there is no need for the law to be extended in that way given that such a duty already exists under data protection legislation.

Saini J also struck out Mr Warren’s claim in negligence, applying the principle established in Smeaton v Equifax [2013] 2 All ER 959 that there is no need to impose a tortious duty of care on a data controller where a bespoke statutory regime for determining their liability already exists.  

Saini J’s findings mean that Mr Warren’s claim is now limited to a claim for breach of DPP7 only, Mr Warren having conceded that the other breaches of the DPA 1998 that had been alleged should be withdrawn. The case was stayed pending DSG’s FTT appeal with the remaining claim being transferred to the County Court on the expiry of the stay.

This decision is a positive development for those defending data security breach claims as it means that it will no longer be possible to contend that ATE premiums are recoverable from unsuccessful defendants in such cases.  The need to pay an (irrecoverable) ATE premium – the cost of which can be substantial in comparison with the amount sought by the claimant – is likely to mean a substantial reduction in such cases in future.

David Barker (Partner) and Caroline Henzell (Associate) are members of the TMT Disputes Team at Pinsent Masons LLP and acted for DSG in this case, instructing Antony White QC of Matrix Chambers and Rupert Paines of 11 KBW.