The High Court has provided welcome clarity on the scope of liability for companies which have suffered a cyber-attack, in a ruling with major implications for ATE insurance in data protection claims.

Background

Data breach litigation is a fast growing area and companies which are unfortunate enough to suffer a cyber-attack often find themselves facing multiple claims from individuals whose data has been affected.

The GDPR imposes a range of obligations on data controllers. If data controllers breach these obligations, data subjects can bring a claim for breach of statutory duty to recover damages for distress suffered as a result of the breach (subject to a triviality threshold). However, in addition to claims for breach of statutory duty, claimants frequently plead claims in misuse of private information and breach of confidence.

That is often because, unlike in most civil claims, the premiums for after-the-event (ATE) insurance policies (which covers potential liability for an opponent's legal costs) can be recovered from the opponent in "publication and privacy proceedings". This includes claims in defamation, misuse of private information, breach of confidence and harassment, but not claims under data protection legislation. Claimants therefore typically plead claims in privacy and/or breach of confidence, as well as in data protection, in part so they can claim the cost of their ATE premiums from the defendant, if they win.

The High Court has now ruled that when it comes to claims following cyber-attacks, this approach is not appropriate.

The claim

This claim arose out of a serious cyber-attack suffered by DSG in 2017-2018. The claimant's data was affected and he brought a claim for damages limited to £5,000, to compensate for distress suffered. As well as breach of the Data Protection Act 1998 (DPA), he pleaded misuse of private information, breach of confidence and common law negligence.

The High Court struck out all the claims except for the claim under the DPA. Applying established principles recently set out in cases such as Morrisons and Smeaton v Equifax, the Court held that a company which is the victim of a cyber-attack has not "misused" the claimant's data. Rather, any unlawful misuse or disclosure is by the attacker, not the company. Equally, data controllers have no duty to protect individuals' data from the actions of third parties, beyond their duties under data protection legislation. There was no need to construct an additional common law duty in negligence when a bespoke statutory regime governing the liability of data controllers already existed.

The only claim which had any prospect of success was therefore the claim under the DPA. That claim was transferred to the County Court for disposal there.

Comment

This judgment will be welcomed by data controllers, who will already be mindful of the ever-growing threat posed by malicious cyber-attacks. The Court has made clear that claimants who wish to seek redress following a cyber-attack can only do so through a claim for breach of data protection legislation, and should not plead a raft of other causes of action at the same time. This will greatly simplify such claims, most of which are now likely to be dealt with in the County Court. Crucially, any ATE premiums will not be recoverable.

The vast majority of claims arising out of cyber-attacks are very low value. With claimants no longer able to seek recovery of ATE premiums, they will be faced with a dilemma – pay for an insurance policy which will often cost more than the compensation they are hoping to recover, or take on the risk of issuing proceedings with no protection against an adverse costs award.

The full judgment is here: Warren v DSG Retail Limited [2021] EWHC 2168 (QB)