This case arises from data breaches that occurred in 2014 and 2015 for which TalkTalk had been fined by the Information Commissioner’s Office (“ICO”). The Claimants, both actual and potential customers of TalkTalk, alleged that TalkTalk had taken insufficient security measures to protect their personal data, enabling unknown criminal third parties to access and use their personal data for fraudulent purposes.

In bringing their MPI claim, the Claimants’ filed a last minute amendment to their claim in an attempt to distinguish their facts from Warren by asserting that TalkTalk’s security failures were themselves ‘acts’, rather than omissions. However, Saini J rejected the arguments as form over substance, by a ‘clever pleader’. Saini J instead focussed on whether the alleged conduct amounted to a misuse of the private information by TalkTalk, and found that it did not.

The decision also provides further welcomed news by defendants and their insurers, given claimants often seek recovery of After the Event Insurance (“ATE”) premia in data breach claims. The premia usually exceeds the damages sought. The usual rule is that they are irrecoverable in DPA/GDPR claims but recoverable in MPI and Breach of Confidence claims. The decision in Smith, which struck out the MPI claims, further confirms that claimants cannot recover ATE premia in cyber-attack and third-party misuse cases.

Background

The Defendant is a telecoms company based in the UK. The claim related to two data breaches in 2014 and 2015 and further ‘unconfirmed’ breaches. The Claimants, all of whom purported to have been actual or prospective customers of the Defendant, submitted that unknown criminals obtained their personal data from the Defendant’s IT systems and then used this data to defraud / scam them.

The Claimants were divided into three groups:

• Group 1 consisted of 16 individuals who claimed to be affected by the 2014 breach. The facts of the 2014 breach were summarised by Saini J as “dishonest employees of a third-party service providers were, due to the conduct of the Defendant in system design and access, able to obtain unauthorised access to the Claimant’s private information”. In 2017, the ICO issued a Monetary Penalty Notice (“MPN”) for £100,000;

• Group 2 consisted of 56 individuals who said that they were affected by the ‘unconfirmed’ breaches. The claimants allege that they have been victims of scamming and could have been affected by the 2014 breach, 2015 breach and/or some other ‘unconfirmed breach’; and

• Group 3 consisted of 313 claimants who argued that they had had their personal details put online as a result of the 2015 breach (and/or other breaches of the Defendant’s IT infrastructure and systems) for a number of years and allege that their data remains available online. The 2015 breach was an external cyber-attack, where the claimants allege that it occurred due to TalkTalk’s failure to put in place adequate measures to secure its IT infrastructure and systems. In 2016, the ICO issued a MPN for £400,000 in relation to the 2015 breach.

In relation to the 2014 and 2015 breaches, the Claimants argued that the Defendants had failed to adequately protect their data and, in some cases, had been aware of ongoing criminal wrongdoing in relation to the exploitation of their data. The Claimants sought damages for Misuse of Private Information; and compensation under the Data Protection Act 1998 (“DPA 1998”). The Breach of Confidence claim was discontinued by the claimants and there was no claim for negligence.

The second group of Claimants sought to rely on ‘unconfirmed breaches’. These Claimants contended that they had been ‘scammed by criminals who (as a matter of obvious inference) were using data held by the Defendant and which must have been subject of a data breach’. In relation to the ‘unconfirmed breaches’ the claimants only sought compensation under the DPA 1998.

Justice Saini heard three contested and connected applications:

1. The Defendant's application to strike out and dismiss: (a) the Claimants' MPI claim, and (b) references in the Particulars of Claim to what were pleaded as ‘unconfirmed breaches’, under CPR 3.4 (2) because the claimant had ‘not pleaded facts sufficient to establish a cause of action’. As regards the MPI claim, the Defendant also brought a parallel application for "reverse" summary judgment pursuant to CPR 24.2. The Defendant relied on Warren for its strike out confirming that ‘a failure to apply security measures cannot in principle amount to the tort of misuse of private information’.
2. The Claimants' application for permission to update the Particulars of Claim considering recent case law on misuse of private information - the decision in Warren; where the court struck out an MPI claim in a data breach claim. There was an issue as to whether Warren was to be distinguished and/or was wrongly decided.
3. The Claimants' application under Part 18 CPR for further information ("the RFI Application"). This application related to what are said by TalkTalk to be fatal deficiencies in the claim concerning the pleading of ‘unconfirmed breaches’.

Judgment

Privacy Claim: Misuse of Private Information

Saini J struck out and dismissed the MPI claim. As originally formulated, the Claimants' case fell foul of Warren because it expressly alleged a breach of a security duty as the basis for the MPI. Despite the Claimants’ last minute amendment to its claim, Saini J confirmed that their re-pleading did not work. Saini J concluded that the Claimants’ claims were in truth “a negligence action masquerading as a claim for MPI”. 

Following his own decision in Warren, Saini J agreed with the Defendant that the fact the Defendant ‘did things which enabled access to information by an unauthorised person’ did not amount to ‘the defendant itself misusing the information within the tort’. Conversely, although Saini J reaffirmed his decision in Warren, he departed from the language that he used to characterise the issues in that case. Saini J avoided to embark on the act/omission distinction and focused instead on whether the alleged conduct amounted to a misuse of the private information by TalkTalk. In his judgment, Saini J held that if the Court should concern itself on the alleged conduct only then the Claimants’ attempts to rely on the Defendant’s positive actions which enabled the third parties to access to the Claimants’ data was inadmissible.

Data Protection Claim: The ‘Unconfirmed Breaches’

There is a further important point to consider in Smith, regarding what were termed, the ‘Unconfirmed Breaches’. It was alleged that the criminals who defrauded, or attempted to defraud, the Unconfirmed Breach Claimants using the Claimants’ personal data had access to, and had exploited, personal data obtained via a 2014 breach and/or a 2015 breach and/or some other unconfirmed breach (a breach of the seventh DPA principle). TalkTalk sought to strike out this aspect of the claim, which was effectively that there must have been an incident at an unspecified point in time.

Saini J agreed with the Claimants and concluded that in a situation where a customer was the victim of an attempted scammer who had details of the customer’s TalkTalk account, it follows that the scammer / criminal had obtained the information from a vulnerability in the Defendant’s systems (and therefore this is a data breach). 

Saini J refused the strike out application and ordered the Claimants to amend their pleading, but dismissed the MPI claim and refused permission to amend it.

The Request for Further Information and Disclosure

TalkTalk opposed the Claimants’ application for further information referring to it as a “fishing expedition”, however, Saini J agreed that the Claimants’ request for information would be adjourned to be heard at a later stage. In relation to disclosure, Saini J rejected the Defendant’s argument that it would be “cumbersome” and did not strike out this claim. Instead Saini J left the disclosure management and any proportionality arguments arising out of it to the case management stage.

Outcome

If there was any doubt post-Warren at to the merits of pleading MPI in data breach claims, the High Court has now provided further clarity. Saini J confirmed that for a defendant to be found liable in MPI, there must be a ‘positive act’ by the defendant from which the alleged harm to the claimant flows, not an act or series of acts that enables another party to commit the misuse.

It is yet to be seen whether or not the Claimants will Appeal the decision. For now, defendants can take comfort from this further nail in the coffin for MPI claims and the recoverability of ATE premia.