Graeme Smith and other claimant groups (the Claimants) issued proceedings against TalkTalk Telecom Group plc in relation to alleged mass data breaches, seeking compensation under the Data Protection Act 1998 and in the tort of misuse of private information.

TalkTalk applied to strike out the Claimants’ claim for misuse of private information.

The Claimants alleged that TalkTalk had granted employees of a third-party service provider uncontrolled access to its IT systems and/or database, which they exploited by accessing the personal data and private information of up to 21,000 TalkTalk customers. The Claimants said that this was a result of TalkTalk’s conduct in system design and access and had caused customers’ personal data to be used in an “industrial-scale” fraud network in India in 2014. Fake call centres were set up where “employees” used the data to call customers and emulate a TalkTalk employee to convince victims to install a computer virus that permitted access to their online banking.

The Claimants referred to the ICO’s investigation in October 2014 which found, inter alia, that TalkTalk had breached the seventh data protection principle by failing to put in place appropriate technical and organisational measures against unauthorised and unlawful processing of customers’ personal data contained on a web-based platform that it had designed and to which it had given the third-party employees access.

The Claimants also pleaded a further mass data breach that occurred as a result of an external cyber-attack on TalkTalk’s systems in 2015. The Claimants said that TalkTalk had allowed this to occur because of its failure to put adequate measures in place to secure its IT estate. The central argument was that TalkTalk had provided access to an underlying database by publishing certain webpages using outdated software that contained a known vulnerability, which had enabled hackers to obtain customers’ personal data.

Again, the ICO investigated and found, inter alia, that TalkTalk had breached the seventh data protection principle by failing to put in place appropriate technical and organisational measures to ensure that a third party could not access data by performing an “SQL Injection” cyberattack.

In terms of the misuse of private information claim, the Claimants argued that TalkTalk’s conduct in respect of both the 2014 breach allegations and the 2015 cyber-attack had the effect of “enabling third parties to access the Claimants’ private information in breach of the Claimants’ reasonable expectation of privacy in respect of such information”. They also said that TalkTalk knew that third parties were recurrently accessing its customers’ private information. Mr Justice Saini said that the allegation of “enabling” access was key to deciding the application.

Saini J also noted that a claimant suing for misuse of personal information must plead the following:

1. the information said to be private;
2. the facts said to give rise to that reasonable expectation of privacy in respect of that information;
3. what the defendant has done (or threatens to do) which is said to amount of misuse of the information, i.e. the specific conduct said to amount to a misuse by the defendant;
4. why the claimant’s right to privacy takes precedence over any rights the defendant may have to use the information in the manner said by the claimant to be a misuse; and
5. detriment and relief sought.

The main issue in this case concerned element (iii) and whether the conduct complained of amounted to a misuse of the information by TalkTalk.

TalkTalk argued that the claim was defective because it proceeded on the mistaken basis that an alleged failure to apply appropriate security measures to private information amounted to a tortious misuse of that information; and, consistently with the principles identified in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), a failure to apply security measures cannot in principle amount to the tort of misuse. Saini J agreed, finding that the Claimants’ pleaded claim was a negligence action masquerading as a claim for misuse of private information:

1. although the Claimants alleged that TalkTalk had taken positive steps that had resulted in their personal data being vulnerable to unauthorised access by third parties, those steps could not constitute the “misuse” which caused the damage alleged in the claim; the “misuse” was the obtaining and use of information by fraudsters;
2. the Claimants’ case was focused on what TalkTalk allegedly did not do or did defectively in system design, as opposed to identifying an actual misuse by TalkTalk;
3. in relation to the 2014 breach, the Claimants’ case was essentially that TalkTalk had created a negligent portal which an authorised third party’s dishonest employees were able to exploit for unauthorised purposes; this was a claim that the systems put in place failed to ensure adequate security for the information; and
4. the same was true of the 2015 breach, which came down to an allegation that TalkTalk had negligently published webpages which, via a vulnerability which was known or should have been known, enabled criminal hackers to access the information.

In short, Saini J said, creating a situation of vulnerability (and thus enabling a fraud) was not a misuse of information within the tort. The emphasis on “enabling” misuse by others underlined that this was not a proper claim of misuse of information by TalkTalk.

As for the allegations that TalkTalk knew that its systems were being exploited by criminals, Saini J said that such conduct might give rise to liability under the DPA, but it did not amount to TalkTalk misusing the Claimants’ information within the tort of misuse of private information. The person “misusing” was still the criminal hacker. The issue of TalkTalk allowing others to misuse the Claimants’ information was a matter for data protection law under the DPA.

Accordingly, the claim in misuse of private information was struck out. The claim under the DPA was permitted to continue. (Graeme Smith and Others v TalkTalk Telecom Group Plc [2022] EWHC 1311 (QB) (27 May 2022) — to read the judgment in full, click here).