The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

No Misuse of Private Information or Breach of Confidence in a Cyber Attack

5 August 2021

Warren v DSG Retail Limited [2021] EWHC 2168 (QB)

Saini J heard a strike out application by DSG, the company which operates Currys PC World and Dixons Travel. The point of sale computer system at Currys PC World had been the subject of a large scale malware attack in 2017 and 2018. This allowed the attackers to gain access to the personal data of many DSG customers, including the claimant who had previously made a purchase from the company. The pleaded claim was predicated on DSG’s alleged failures to put in place proper IT security systems and measures.

Mr Warren made his claim under the Seventh Principle of the Data Protection Act 1998 (appropriate technical and organisational measures), in negligence, and as a misuse of private (MPI) information and in breach of confidence (BoC). DSG sought strike out of all claims except for the DPA claim.

The Court held that the BoC and MPI claims were not properly arguable. Both causes of action required a positive act on the part the defendant. These facts were likened to a home owner who left their window unlocked, creating the potential for a burglar to enter their home. That was not positive conduct causing the breach or misuse. DSG was a victim of the cyber attack. BoC and MPI do not impose a data security duty.

The negligence claim too was struck out, there being no duty of care. The customer relationship did not create proximity, and it was not fair, just or reasonable to impose a duty. Saini J held that Finally, even if the Claimant had an arguable case on duty of care, he had suffered no loss.

One final point arises from this judgment. The case has been transferred from the High Court to the County Court. This will be of note to solicitors, with many low value data protection cases of late being issued in the High Court.

Further reading

Warren v DSG Retail Limited

The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.

Visit the Information Law, Data Protection and AI area

Search The Data Brief

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Title Type CV Email

Remove All


Click here to share this shortlist.
(It will expire after 30 days.)