Stemming the tide of data breach litigation: Warren v DSG and practical advice

18th October 2021

Why is this case of interest to UK businesses?

The threat of a data breach and ensuing litigation is today, unfortunately, ever-present on the corporate risk agenda.  Individuals are more aware of their data rights than ever before and the tide of litigation has been fuelled by claims management companies who have made it their business to encourage individuals affected by a data breach to take action.

Many such claims for breach of UK data protection legislation, breach of confidence, misuse of private information and negligence are of a relatively low value but, as they are often backed by ‘no win, no fee’-type agreements and After the Event (ATE) insurance against adverse costs orders, there is little to stop claimants pursuing even spurious or unmeritorious claims.  That can result in increased management time being spent dealing with data breach fallout and an increased risk of additional reputational damage for defendant organisations.  Plus, of course, large numbers of low settlements can make for high value data breach loss over all (as has been demonstrated by a number of recent high profile class actions).

Walker Morris recently published practical advice about how organisations can proactively protect themselves against the risk of data breach litigation.  In this briefing, Commercial Dispute Resolution and data breach litigation specialists Gwendoline Davies offers advice arising from the case of Darren Lee Warren v DSG Retail Ltd [1], published towards the end of the summer, which should hopefully assist in stemming the flow of data breach claims brought by individuals against businesses.  The case should also enable organisations to be more robust in their defensive strategies.

What advice arises?

While it is not absolutely a nail in the coffin for all data breach claims [2], the Warren v DSG case confirms:

• Going forward, the courts will take a narrow view of data breach claims advanced on the basis of breach of confidence, misuse of private information and negligence.
• For a claim in breach of confidence and/or misuse of private information to succeed, a claimant will now be required to establish some positive action on the part of the defendant company which has caused or significantly contributed to the data breach or is inconsistent with confidence or privacy. In many cases that will be difficult to plead and/or prove.
• It will be difficult for a claimant to succeed with a claim in negligence because:
  • No concurrent duty of care in negligence exists where an organisation is already under statutory data duties; and
  • A negligence claim requires recoverable loss. The claimant here had not suffered any pecuniary loss.  Compensation for anxiety/distress does not suffice.
• ATE insurance generally underpins, and makes financially worthwhile, pursuing a low value claim on a ‘no win, no fee’ arrangement. ATE premiums (which can be high) are only recoverable in the case of certain limited causes of action, of which breach of confidence and misuse of private information claims are two.  If breach of confidence and misuse of private information are unavailable to a claimant for the reasons set out above, then it is unlikely to be financially viable for them to pursue a claim at all.
• We may therefore begin to see fewer data breach claims brought by individuals. Where an individual does bring a data breach claim in breach of confidence, misuse of private information or negligence, it should be more viable for organisations to defend their position robustly.
• Warren v DSG may, however, prompt an increase in collective data breach actions, which may be more economically viable for groups of ‘same interest’ claimants.
• The Supreme Court’s decision in the Lloyd v Google [3] litigation (pending) is awaited with interest as it should confirm whether such collective actions can be brought on an ‘opt out’ basis, and whether distress-only damages are recoverable in data breach claims. Walker Morris will monitor and report on developments.

This case, along with recent comments from Oliver Dowden (Secretary of State for Digital, Culture, Media and Sport of the United Kingdom) in which he confirmed that the Government intends to diverge from key parts of the General Data Protection Regulation with a view to allowing data to be used more flexibly (in certain circumstances), could signal a general shift towards more of a balanced approach to protecting people’s privacy without unnecessarily stifling businesses.

How we can help

Walker Morris’ Commercial Dispute Resolution lawyers are highly experienced in resolving and defending data breach claims. This expertise, when combined with our specialist Regulatory & Compliance team’s comprehensive understanding of the regulatory background, ensures that an informed and robust strategy can be adopted.

As well as helping you to respond quickly and effectively if and when a data breach occurs and any claim is threatened, our specialist solicitors can help you to refine your pre-emptive risk management strategies, whether that be carrying out health checks in respect of policies and procedures with a view to mitigating against claims of this nature, training staff and/or keeping you up to date with the legal and regulatory matrix.

If you would like to discuss any of the issues covered in this or our earlier briefings, please do not hesitate to contact Gwendoline Davies who will be very happy to help.

[1] [2021] EWHC 2168 (QB)

[2] as the case does not impact an individual’s ability to pursue a cause of action which derives from statute (UK data protection legislation/GDPR)

[3] see our earlier article