Data Breach Claims: New High Court Ruling

A briefing note on recent High Court judgment clarifying the causes of action a claimant can rely on in a civil claim for data breach compensation following a cyber attack on a third party organisation processing the claimant's data.

The right of an individual to pursue a civil claim for compensation in circumstances where their personal data has been infringed either by loss, theft, unlawful disclosure or even accidental deletion has been a developing area of law ever since the General Data Protection Regulation (GDPR) came into force in May 2018.

But it seems that compensation lawyers have been including the ‘kitchen sink’ when it comes to beefing up their clients claims.

Not anymore. In its judgment in Warren v DSG Retail Limited [2021] EWHC 2168 (QB), the High Court has made clear that in cases were an individual’s personal data has been stolen by third party criminal hackers, their claim should exclude claims of misuse of private information and breach of confidence in the absence of any positive action on the part of the organisation whose security systems have been breached. Put simply, unless the individual can prove that the organisation processing their data in some way deliberately or negligently disclosed their personal information, their claim should be limited to a claim for statutory breach of the GDPR and Data Protection Act 2018.

GDPR Rep works with businesses of all sizes in assisting with cyber security defence planning  , security breach investigations, incident management, regulatory representation , claims handling and insurance investigations.