Skip to the content

Cyber-attack ruling has significant implications for data protection litigation

A recent High Court decision has significant implications for data protection litigation as the claim for breach of confidence, misuse of private information and negligence was dismissed.

 The ruling in in Warren v DSG Retail Ltd clarified the limited circumstances in which claims by individuals for breach of confidence, misuse of private information and negligence when they are seeking compensation for distress relating to a cyber-security breach where the proposed defendant was itself a victim of a third-party cyber-attack.

The claimant, Mr Warren, purchased goods from DSG and claimed his personal information had been compromised in what was a complex cyber-attack. He brought a claim against DSG as the relevant data controller for damages limited to £5,000, which covered four causes of action: (1) breach of confidence; (2) misuse of private information; (3) common law negligence; and (4) claim for breach of statutory duty under the Data Protection Act 1998. DSG sought summary judgment against and/or an order to strike out claims 1-3.

The judge considered whether the breach of confidence, misuse of private information and common law negligence claims had a “real prospect of success” and concluded that they did not. The judge accepted DSG’s submission that there were two fatal problems with the negligence claim and also struck that out.

Mr Warren’s claim for breach of statutory duty arising from the alleged breach was not disputed and was allowed to proceed.

Data breach claims of the type considered in this case have been an increasing issue for businesses and public bodies. In restricting the manner in which these types of claims must be brought, the Court has established an important precedent.

It is likely to be welcomed by corporate victims of third party cyber-attacks who may then be exposed to claims in respect of compromised personal data as it narrows the potential causes of action under which they could be held liable.

The decision is also notable as the costs implications arising out of the dismissal of the breach of confidence and misuse of private information claims could bring the economic viability of pursuing low-value claims into question.

It is also expected to make it harder to bring free standing/non-statutory cyber-security breach claims in England and Wales where the proposed defendant has not positively caused the breach and has also brought into question how such claims may be funded going forward in relation to “After-the-Event insurance”.

Whilst welcome news to UK businesses, this case shows the emergence of claims relating to data breaches. Although this claim failed further legal actions will be treated on their own merits and allegations of negligence are unlikely to disappear.

W Denis Insurance Brokers can advise on and obtain Data Breach and other “Cyber” related insurance quotations from nearly all insurers in the insurance market. If you would like to discuss this insurance or obtain a competitive quotation, please contact Daniel Moss at or on 0044 (0)113 2439812

Contact Us

Call us today on 0044 (0) 113 243 9812 or arrange a call back to find out how you could benefit from our intelligence-led insurance policies.