A High Court judge’s decision on a security breach claim could prevent policyholders from claiming after-the-event (ATE) insurance coverage for cyber attacks, which could result in a drop in the number of people making claims, cyber security law specialists have suggested.
Justice Pushpinder Saini has dismissed claims for distress damages made by Darren Lee Warren against DSG Retail Limited arising from the breach of his personal data.
Court documents showed that Warren sought £5,000 in compensation for the “distress and anxiety” he suffered resulting from the retailer’s “breach of confidence (BoC), misuse of private information (MPI), breach of the Data Protection Act 1998, and common law negligence.”
Saini struck out all claims except for breach of data protection, which DSG has appealed and which will be heard later this year by the First-tier Tribunal. The Information Commissioner has fined DSG £500,000 for breaching the seventh data protection principle (DPP7).
“In my judgment, neither BoC nor MPI impose a data security duty on the holders of information (even if private or confidential),” Saini wrote. “Both are concerned with prohibiting actions by the holder of information, which are inconsistent with the obligation of confidence/privacy.”
“Counsel for the claimant submitted that applying the wrong of MPI on the present facts would be a ‘development of the law.’ In my judgment, such a development is precluded by an array of authority,” he added.
Saini added that misuse requires positive action, which he noted there was not.
“[The claim] is an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI,” he stated.
With regards to the negligence claim, Saini wrote that there was “no room (nor indeed any need identified) to construct a concurrent duty in negligence when there exists a bespoke statutory regime for determining the liability of data controllers.”
In an interview with Legal Futures, Pinsent Mason partner David Barker, who represented DGS, described the decision as a “positive development” for companies defending data breach claims.
“It means that it will no longer be possible to contend that ATE premiums are recoverable from unsuccessful defendants in such cases,” he said. “The need to pay an (irrecoverable) ATE premium – the cost of which can be substantial in comparison with the amount sought by the claimant – is likely to mean a substantial reduction in such cases in future.”
Rebecca Keating, barrister at 4 Pump Court, agreed and added that the ruling might also impact allocation.
“If a claim under breach of confidence/misuse of private information is no longer viable, a claimant seeking recovery of a low amount of damages for breach of statutory duty under the Data Protection Act 1998/2018 or the General Data Protection Regulation may struggle to avoid allocation to the small claims track, where recovery of costs is not possible,” she wrote in her analysis of the decision.