A recent decision from the High Court of Justice in England (Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)) tackles the tricky issue of who is liable when a company gets hacked by an attacker and personal information is exposed – is it the attacker who is liable? Or the company?
The Dilemma
Privacy torts often have a requirement of some degree of intentionality. For instance, in Canada, the Ontario Court of Appeal's decision in Jones v. Tsige (2012), 2012 ONCA 32 (CanLII), which imported the tort of intrusion upon seclusion into Ontario law, held that establishing the tort requires proof of the following (emphasis added to the intentionality requirement):
a. The defendants’ conduct must be intentional, which can include recklessness;
b. The defendants must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and
c. A reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.
A claimant is rarely in a position to sue the actual attacker (assuming the attacker can even be identified, which is usually impossible) and so will claim instead against the attacked organization, usually on the theory that the organization's failure to protect the personal information was sufficiently reckless to satisfy the intentionality requirement.
Similar arguments have been made in respect of employees who deliberately misuse an organization’s personal information – though these claims often include allegations of vicarious liability.
The law in Canada is evolving in this area, and the number of claims seeking to attach liability to organizations is on the rise.
Facts
The Defendant, DSG, is a UK retailer. In 2017/2018 it was the victim of a cyberattack in which malware was installed on almost 6,000 point-of-sale terminals at its stores. In the course of the attack, the attackers accessed the personal data of many of the Defendant's customers.
The Claimant, Warren, had made a purchase from the Defendant and claimed that his name, address, phone number, date of birth and email address were therefore compromised in the attack. He brought a claim for damages of £5,000.00. The damages were not claimed for any personal injury; they were claimed for the distress the Claimant alleged he suffered as a result of his personal data being compromised and lost.
The causes of action relied upon were breach of confidence, misuse of private information, breach of the Data Protection Act 1998, and common law negligence.
The Defendant sought summary judgment and/or an order striking out each of these claims (apart from the claim for breach of statutory duty arising out of alleged breach of the Data Protection Act).
Positions of the Parties
As regards both the misuse of private information and breach of confidence claims, the Defendant argued that both causes of action require the defendant to have taken some positive wrongful action in relation to the information in question (typically, disclosing it to a third party or making some other unauthorised use of it). The Defendant noted that it did not itself take any such positive wrongful action.
The Claimant conceded the breach of confidence point, but maintained that the misuse of private information and negligence claims had a real prospect of success. The Claimant argued that in providing his personal information to the Defendant, he had a reasonable expectation that his information would be adequately protected and, thereby, kept private. It was argued that misuse of private information encompasses not only the disclosure or publication of information, but also privacy 'intrusion' and the means by which the information is obtained.
The Claimant argued that the Defendant had intentionally and recklessly left the Claimant's private information exposed to a real risk of intrusion, which was "tantamount to publication" to the world at large. Put another way, the Claimant's case, properly understood, was said to be a publication case: the Defendant's failure to implement basic security measures to protect his information meant that there was, in effect, publication to the third-party hacker.
Decision
Breach of confidence
Although the breach of confidence claim was no longer maintained, the Court nonetheless addressed the issue for completeness.
The Court found that the Claimant's claims were all based on the cyber-attack, and that the wrong alleged was thus a 'failure' which allowed the attacker to access the personal data. The Court noted that despite the manner in which the Claimant sought to recharacterize the case, it was clear that the Claimant did not allege any positive conduct by the Defendant said to comprise a breach or a misuse for the purposes of either breach of confidence or misuse of private information.
Rather, noted the Court, the Claimant’s claim was that the Defendant failed in alleged duties to provide sufficient security for the Claimant’s data. The Court found that this, in essence, is the articulation of some form of data security duty. The Court commented: “In my judgment, neither breach of confidence nor misuse of personal information impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy.”
Misuse of private information
Framing the case as misuse of private information did not assist the Claimant either: that tort, like breach of confidence, imposes an obligation not to misuse private information, rather than a duty to keep it secure. The Court accepted that a 'misuse' may include unintentional use, but it nonetheless still requires a 'use', that is, a positive action. The Court went on to say:
I have not overlooked the Claimant’s argument that the conduct of DSG was “tantamount to publication”. Although it was attractively presented, I do not find it persuasive. If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a “misuse of private information” by me. Recharacterizing my failure to lock the window as “publication” of the statements is wholly artificial. It is an unconvincing attempt to shoehorn the facts of the data breach into the tort of misuse of personal information.
The Court adopted the reasoning in Various Claimants v Wm Morrison Supermarkets plc [2019] QB 772. In that case a rogue employee copied personal data of Morrisons' employees and later disclosed it online. The claimants, individuals whose data had been disclosed online, sued Morrisons for breach of confidence and misuse of private information. The Court of Appeal held that the actions of the rogue employee could not found direct liability on Morrisons. The employee was the wrongful actor, and (save for the data security duty imposed by the Data Protection Act) any such causes of action were good only against him.
The Court therefore accepted the Defendant's submission that the Claimant's claims in breach of confidence and misuse of private information were ill-founded with no realistic prospect of success, and both claims were struck out.
Implications for businesses
While not binding in Canada, the decision in this case signals the potential for similar developments in Canada. The law in Canada is currently unclear in respect of both (a) damages available for mental distress alone, and (b) the liability of a business for the bad acts of a threat actor. As businesses have the deeper pockets, they will continue to be the target of such litigation, at least until there is definitive law otherwise.
Businesses can develop internal processes which make such claims more difficult to succeed. For instance, robust, documented controls that align with industry standards and/or recognized international standards will make it harder for claimants to prevail on any claim that is premised on recklessness as a proxy for intentionality.
In the ransomware context, where attackers are often primarily interested in locking up a company's IT systems and data and then extorting money to unlock them, there is the possibility that the attackers did not actually exfiltrate the data; from their perspective, locking up the systems and data may be enough. This cannot be assumed, however: many ransomware operators now also steal data before encrypting it so that they can threaten to publish it. Where a company can offer compelling forensic evidence that there has been no such exfiltration, a claimant is less likely to prevail on damages claimed for mental distress alone.
For more information about Dentons' data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, data mapping and gap analysis, and training in respect of personal information.