20 August, 2021
The High Court have recently handed down a judgment in the case of Warren v DSG retail who operate as Dixons. The claim arose after they suffered a cyberattack where hackers obtained the personal information of thousands of customers, one of whom was Mr Warren. He brought a claim against them after the ICO (Information Commissioner Office) fined Dixons £500,000 for failing to have appropriate technical and organisational measures to protect personal data in accordance with Principle 7 of the Data Protection Act 1998 and Article 5(1)(f) GDPR (General Data Protection Regulations) DSG are appealing this.
Mr Warren's claimed up to £5,000 for breach of confidence, misuse of private information, breach of statutory duty, and negligence. DSG asked the court to strike out all his claims. The court agreed, with the exception that his GDPR claim could continue. That part of the claim has been postponed pending the outcome of DSG's appeal against the ICO fine.
The court concluded that for the claim for breach of confidence and misuse of private information would require some positive wrongful action on the part of DSG. The court found they were the victims of a cyberattack and had not breached any duty of confidence or misused private information. The law was concerned with prohibiting actions by the holder of such information and did not impose a data security duty even if it was private or confidential.
The negligence claim failed because under English law there is no duty of care where the statutory duties operate i.e. the data protection regulations. The court noted there were no details of any losses set out in the claim, which are required to make a claim in negligence.
In practical terms claims arising from cyberattacks are likely to be of limited value and only sustainable where there has been a failure to take appropriate technical and organisational measures to protect the personal data. Proving that can be difficult without expert evidence. The best hope, as in Mr Warrens case, is a finding from the ICO that appropriate measures had not been taken. Even then any losses sustained may have limited value and legal costs may not be recoverable.
This case does not however undermine claims where personal and sensitive data is released by accident or delivered to the wrong address by post hand or e-mail. There are many instances where personal medical records, financial information and other sensitive information has been sent out in error. These claims are still viable and can be run on a "No Win, No Fee" basis.
Although the Warren case does not directly deal with costs and After the Event insurance, commentators are suggesting it raises some important issues concerning the recovery of Insurance premiums. As a general rule, the loser is usually ordered to pay some or all of the winner's costs. To protect their position a claimant can insure against this risk with a After the Event Insurance policy (ATE Insurance).
The premium for this is recoverable in civil claims involving "publication and privacy proceedings" which include proceedings for "misuse of private information", or "breach of confidence involving publication to the general public" It does not cover claims for breach of statutory under the GDPR or Data Protection Act 2018. Whilst it is correct to say Mr Warren can probably no longer recover any insurance premium because he is now only left with a data breach claim, that would not apply in a case where personal sensitive information is sent out by mistake. Such an incident is likely to involve a breach of confidence or misuse of private information, where costs and any insurance premium are likely to be recoverable.
If you have been the victim of a data breach involving sensitive personal information being sent to the wrong place or released by mistake you are likely to have claim. Here at Forbes solicitors, we can advise on whether you may have a case. We act on a No win no fee basis.
For more information contact John Bennett in our Data Breach Claims department via email or phone on 01254 872111. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
Learn more about our Data Breach Claims department here