Information Law analysis: This judgment concerned several applications in a claim based on alleged mass data breaches. The claimants sought damages from the defendant in the tort of misuse of private information (MOPI) and compensation for breach of statutory duty under the Data Protection Act 1998 (DPA 1998). In allowing the defendant’s application to strike out the MOPI claim, Mr Justice Saini rejected the claimants’ argument that the defendant could be liable for the tort by ‘creating a situation of vulnerability’ whereby the claimants’ data was open to exploitation by criminal third parties. The judge held that, insofar as liability under the MOPI claim was concerned, the relevant conduct in this scenario was the misuse of the claimants’ information by the criminals, not any prior acts or failures of the defendant. This part of Saini J’s judgment effectively precludes a claimant from pleading a cause of action in MOPI in relation to third-party hacking incidents. However, in rejecting the defendant’s application to strike out parts of the claimants’ data protection claim which related to so-called ‘unconfirmed breaches’, Saini J allowed the claimants to proceed on the basis of an inferential case which he acknowledged was ‘not the clearest’. This aspect of the decision suggests that the court may be pre-pared to grant claimants a degree of leniency in pleading data protection cases where they are unable to access the information required to precisely set out the circumstances of an alleged breach, provided they have a tenable inferential case.

What are the practical implications of this case?

It now seems unlikely, if not impossible, for a claimant to plead a cause of action for MOPI in relation to a third-party hacking incident. In Warren v DSG [2021] EWHC 2168 (QB), a Saini J judgment that also dealt with a claim for MOPI in the context of an external data breach, the judge held that the critical component of the tort is a misuse or ‘positive act’ by the defendant. He held that the defendant in that case had committed no such act; indeed, it was itself a victim of the external cyber-attack.

To distinguish their case from the facts in Warren, the claimants in Smith had attempted to characterise the defendant’s failures to adequately secure their data as a series of positive acts which made their personal data available to third parties. Saini J rejected the claimants’ argument that the defendant’s conduct could be construed as a ‘misuse’ of private information for the purposes of the tort. ‘The real complaint he said, is not about misuse by the defendants but about conduct which allowed others to misuse the claimants’ information.’

If there was any lingering doubt after Warren, it is now clear that for a defendant to be found liable in MOPI, the defendant’s ‘positive act’ must be the relevant or material act from which the alleged harm to the claimant flows, not an act or series of acts that enables another party to commit the tort.

By effectively barring a claimant from pleading a cause of action in MOPI in these circumstances, the decision further limits the commercial viability of mass data breach claims. The attraction to claimants of pleading a cause of action in MOPI in a data breach case is, in part, that ATE insurance premiums are potentially recoverable in MOPI claims, but not for breaches of the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) regime that has now replaced the DPA 1998. By effectively barring a claim for MOPI in mass data breach scenarios, Smith means that claimants in these circumstances will only now be able to recover compensation under data protection law and such awards tend to be relatively low.

What was the background?

The claim related to two data breaches in 2014 and 2015 and further ‘unconfirmed’ breaches. The defendant is a telecoms company based in the UK.

The claimants, all of whom purported to have been actual or prospective customers of the defendant and/or relatives of such persons, submitted that unknown criminals obtained their personal data from the defendant’s IT systems and then used this data to defraud them.

The claimants were divided into three groups. Group 1 consisted of 16 individuals who claimed to be affected by the 2014 breach. Group 2 consisted of 56 individuals who said that they were affected by the ‘unconfirmed’ breaches. Group 3 consisted of 313 claimants who argued that they had had their personal details put online as a result of the 2015 breach.

In relation to the 2014 and 2015 breaches, the claimants argued that the defendants had failed to adequately protect their data and, in some cases, had been aware of ongoing criminal wrongdoing in relation to the exploitation of their data.

The second group of claimants sought to rely on ‘unconfirmed breaches’. These claimants contended that they had been ‘scammed by criminals who (as a matter of obvious inference) were using data held by the defendant and which must have been subject of a data breach’.

In relation to the 2014 and 2015 breaches, the claimants sought damages for MOPI and compensation under the DPA 1998. In relation to the ‘unconfirmed breaches’ the claimants only sought compensation under the DPA 1998.

The defendant applied to strike out and/or dismiss the MOPI claim on a summary basis because, in line with Warren, ‘a failure to apply security measures cannot in principle amount to the tort of misuse of private information’. In addition, the defendant also sought to strike out references in the Particulars of Claim to the ‘unconfirmed breaches’ because the defendant had ‘not pleaded facts sufficient to establish a cause of action’.

Concurrently, the claimants applied for permission to amend their Particulars in light of the decision in Warren and, pursuant to CPR 18, made an application for further information in relation to the unconfirmed breaches.

What did the court decide?

Saini J struck out the MOPI claim. Following his own decision in Warren, he agreed with the defendants that the fact that it ‘did things which enabled access to information by an unauthorised person’ did not amount to ‘the defendant itself misusing the information within the tort’. However, although Saini J reaffirmed his decision in Warren, he departed from the language that he used to characterise the issues in that case. In Warren, the defendant’s liability was understood to turn on whether it had performed a positive act capable of being described as a ‘misuse’. In Smith, Saini J described the distinction between positive acts and omissions as largely a ‘distinction of form and not substance’. Instead, he suggested that the court should concern itself with a different question: ‘Was the conduct complained of by the claimant a misuse by the defendant of the information?’ Looked at in this way, the claimants’ attempt to rely on the defendant’s positive actions which enabled the third parties to access to the claimants’ data was impermissible. The claim as pleaded, according to the judge, was ‘a negligence action masquerading as a claim for MOPI’.

As regards the ‘unconfirmed breaches’ the judge rejected the Defendant’s strike out application and instead gave a direction for the claimants to amend their pleading. While acknowledging that the claimants’ case was not the clearest, Saini J considered that they had provided sufficient particulars prior to disclosure to ‘set out the essential elements’ of their case. Following Arcadia Group Ltd v Visa [2014] EWHC 3561 (Comm), a competition law case, the judge accepted that as a matter of general principle, the court should be reluctant to strike out a claim where, by the nature of the tort itself, the claimant cannot know the precise means by which it occurred until after disclosure. In Smith, only the defendant could have the required knowledge of its internal IT systems to know whether and how a data breach occurred. In such circumstances, it was ‘unattractive’ for a defendant ‘who holds all the cards’ to seek to strike out a ‘tenable inferential case’. However, the court made a direction that the claimants must amend their pleading to more clearly reflect the case as the court understood it.

 

This article was first published on Lexis® PSL on 6 June 2022 and is reproduced with permission and thanks.