A recent decision made in the High Court may significantly limit data breach litigation by claimant firms.
When a business suffers a data breach involving the personal data of its customers, claimant firms seek to sign up affected customers, issuing multiple claims for damages. Such claims are often for breach of the UK GDPR, breach of confidence, misuse of private information and negligence backed by confidential fee arrangements and After the Event (“ATE) insurance. Due to the perceived complexity of data claims and cost exposure created by ATE premiums, claimant firms have opted to create their own business model fuelled by out-of-court settlements.
In the case of Warren v DSG, the defendants – Currys PC World (“DSG”) – suffered an external attack which resulted in the compromise of c. 10 million customer records, and a £500,000 fine by the UK Information Commissioner’s Office for violating the seventh data protection principle under the Data Protection Act 1998 (“DPA”) by not implementing appropriate security measures.
The claimant is one of these customers, who sought £5,000 for breach of the DPA (now replaced by the UK GDPR), breach of confidence, misuse of private information and negligence. Following claims for breach of confidence, misuse of private information and negligence being dismissed, the claimants were left with only a UK GDPR claim.
Such claims were dismissed for the following reasons: (1) all of the causes of action required some positive wrongful action to be taken, and there was no positive wrongful action in such circumstances as DSG was the passive victim of an attack, thus had not intentionally facilitated the data breach; (2) such actions do not impose any form of duty on DSG; and (3) there was no clinically recognised psychiatric harm in order to find a claim in negligence.
The decision in Warren v DSG will have now considerably simplify the defence of similar claims, as well as making it increasingly difficult for claimant firms to recover ATE premiums in such cases due to the lack of a privacy claim, undermining the business model of claimant firms.
The judgement can be read here: https://www.bailii.org/ew/cases/EWHC/QB/2021/2168.html
 Darren Lee Warren v DSG Retail Limited  EWHC 2168 (QB)