High Court Judgment narrows the Claimant’s route to a successful data breach claim

| Author: Secretariat | Filed under: General News
High Court Judgment narrows the Claimant’s route to a successful data breach claim

Warren -v- DSG Retail Limited[1]

The recent judgment handed down by the High Court in this case is important for the corporate victims of cyber-attacks and their insurers. The Court dismissed claims for compensation for distress for Misuse of Private Information, Breach of Confidence and Negligence causes of action arising out of a common type of data breach by a national retailer relating to customer payment details.


The claim was brought against DSG Retail which owns the Currys PC World and Dixons Travel brands. Between 24 July 2017 and 25 April 2018, DSG was the victim of a complex cyber-attack carried out by sophisticated criminals. The attackers infiltrated DSG’s systems and installed malware which was running on 5,930 point of sale terminals at the stores, which allowed the attackers to access the personal data of many of DSG’s customers.

As a result of the security breach, the Information Commissioner’s Office (ICO) investigated the cyber-attack and decided that DSG breached the seventh data protection principle (DPP7) under the Data Protection Act 1998[2]. DPP7 requires “appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data”. The ICO concluded that “there were a number of distinct and fundamental inadequacies in the security arrangements for DSG’s systems…[including]…multiple, systemic and serious“ security failures. The ICO issued a Monetary Penalty Notice in the amount of £500,000 (the maximum fine available at that time) which is subject to an appeal to be heard later this year.

The Claimant had purchased goods from Currys PC World and claimed that his name, address, phone number, date of birth and email address were compromised in the attack. The Claimant could not point to any specific financial loss but brought a claim against DSG for the alleged distress and anxiety he suffered arising from the data breach limited to £5,000.00[3]. Such claims are being increasingly generated by claims management companies seeking to tap into a new revenue stream and looking to replace their PPI cash cow. The Claimant relied on the following causes of action:

  • Breach of Confidence (“BoC”);
  • Misuse of Private Information (“MPI”);
  • Breach of the Data Protection Act 1998 (“DPA”); and
  • Common law negligence.

DSG applied for summary judgment and an order striking out each of these claims, other than the claim for breach of statutory duty arising out of alleged breach of DPP7. DSG argued that the BoC, MPI and negligence claims had no realistic prospect of success based on the facts.


The Court dismissed all the Claimant’s claims save as regards the claim for breach of statutory duty in relation to DPP7 which will proceed to trial.

The judge held that neither the BoC nor MPI causes of action imposed a positive data security duty on DSG i.e. to take positive action to protect a customer’s data. To succeed, the BoC and MPI causes of action required a positive misuse of the confidential data by DSG. However, DSG had not disclosed or misused the Claimant’s personal data; rather, the criminal third-party hackers had.

The Judge rejected the Claimant’s argument that DSG’s failure to protect the data constituted a positive action, describing the argument as an “unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI.” He stated that a ‘misuse’ requires a ‘use’, which is a positive action and added that “If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a misuse of private information by me”.

In respect of the negligence claim, the Judge held that there was neither need nor warrant to impose a duty of care in negligence where the statutory duties under the Data Protection Act 1998 already operated. The Judge held that “a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action”.


Whilst the quantum claimed in this case was small, circa £5,000, these types of claims have recently been on the increase. The Court’s judgement has thankfully materially narrowed the basis on which such cyber-related claims for data breach can be brought.

Most importantly on a practical level, the BoC and MPI causes of action are one of the few remaining litigation claims where a Claimant can recover his/her ATE premium from the Defendant. This ATE premium recovery potential was an important part to the claimant farm business model developing around these types of low value data breach claims both (i) protecting the Claimant from any adverse costs order and (ii) materially increasing the Defendant’s overall costs exposure. With this part of the business model now unavailable to Claimants, we may see a material reduction in these types of low value but attritional claims and certainly such low value claims will need to be brought in the County Court going forward.

Source:  Lexology

Working with the Law Society

The ABI is the only association in this industry to be recognised by the Law Society of England and Wales, and included in the Law Society of Scotland's approved Supplier Scheme.

The highest independent professional bodies for solicitors put their trust in us. We’re confident you can do the same.

The ABI other partners also recognise the value of affiliation to the principal professional body in the investigation and litigation support sector:

COURTSDESK SEARCHER is an on-demand search for court cases, or parties involved in court cases, in England and Wales and the Republic of Ireland.

Scotland Law Society logo
Professional Indemnity Insurance
Thank you, your message has been sent.
A member of our team will be in touch shortly.