Data breach claims: New High Court Ruling

The right of an individual to pursue a civil claim for compensation in circumstances where their personal data has been infringed either by loss, theft, unlawful disclosure or even accidental deletion has been a developing area of law ever since the General Data Protection Regulation (GDPR) came into force in May 2018.

But it seems that compensation lawyers have been including the ‘kitchen sink’ when it comes to beefing up their clients’ claims.

Not anymore. In its judgment in Warren v DSG Retail Limited [2021] EWHC 2168 (QB), the High Court has made clear that in cases where an individual’s personal data has been stolen by third party criminal hackers, their claim should exclude claims of misuse of private information and breach of confidence in the absence of any positive action on the part of the organisation whose security systems have been breached. Put simply, unless the individual can prove that the organisation processing their data in some way deliberately or negligently disclosed their personal information, their claim should be limited to a claim for statutory breach of the GDPR and Data Protection Act 2018.

On first consideration this seems a bitter blow for innocent victims of personal data breaches. The good news, however, is that each individual data breach is fact specific and there will be many occasions when an organisation will have fallen foul of its obligations to protect an individual’s personal information, thus allowing the individual to bring multiple claims against the defaulting business.

For further information on bringing or defending personal data breach claims, including advice on recoverable compensation awards, cyber insurance claims and supply chain litigation please contact Clive Mackintosh on [email protected].