High Court strikes out claims for breach of confidence, misuse of private information and negligence brought against retailer who had suffered a cyber-attack that had resulted in customer personal data being compromised


For a period of nine months in 2017/18, DSG Retail Ltd, which operates the “Currys PC World” and “Dixons Travel” brands, suffered a complex cyber-attack by sophisticated criminals who infiltrated DSG’s systems and installed malware across in-store point of sale terminals, accessing the personal data of many of DSG’s customers.

The Information Commissioner investigated and decided that DSG had breached the seventh data protection principle (DPP7), which requires “appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data”. She issued a Monetary Penalty Notice (MPN) for £500,000 (which is subject to an appeal to be heard later this year before the First Tier Tribunal).

The claimant, Darren Lee Warren, had purchased goods from Currys PC World and claimed that certain of his personal data was compromised in the attack, namely his name, address, phone number, date of birth and email address. Mr Warren issued proceedings against DSG for damages for distress he had suffered as a result of his personal data being compromised. He relied on breach of confidence, misuse of private information, breach of DPP7 of the Data Protection Act 1998, and common law negligence.

DSG applied for summary judgment and/or an order striking out each of the claims, except the claim for breach of statutory duty.

Mr Justice Saini found that neither breach of confidence nor misuse of private information imposed a data security duty on the holders of information, even if private or confidential. Further, breach of confidence imposed a negative obligation not to disclose confidential information, rather than a positive obligation or duty. Misuse of private information imposed an obligation not to misuse private information. “Misuse” might include unintentional use, but it still required a “use”, i.e., a positive action.

Saini J also referred to Various claimants v WM Morrison Supermarkets plc [2019] QB 772, in which the court found that the actions of the wrongdoer employee could not place direct liability on Morrisons, other than in relation to DPP7.

Saini J held that the claims in breach of confidence and misuse of private information had no realistic prospect of success and should be struck out.

As for negligence, Saini J said that there was no need nor warrant to impose a duty of care where the statutory duties under the DPA 1998 operate:

  1. imposing a duty owed generally to those affected by a data breach would potentially give rise to an indeterminate liability to an indeterminate class;
  2. doing so would be otiose, given the obligations imposed by the DPA; and
  3. there was no room nor need to construct a concurrent duty in negligence when there existed a bespoke statutory regime for determining the liability of data controllers.

Accordingly, Saini J said, there was no duty of care. Proximity was not created by the customer relationship, and it would not be fair, just or reasonable to impose such a duty.

Further, Saini J found, Mr Warren had suffered no loss. A state of anxiety produced by some negligent act or omission that fell short of a clinically recognisable psychiatric illness did not constitute damage sufficient to complete a tortious cause of action.

DSG’s application therefore succeeded, and all claims were dismissed and/or struck out, except for the claim for breach of statutory duty in relation to DPP7. (Darren Lee Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) (30 July 2021)).