A Brit who tried to sue Dixons Carphone over the 2018 hack of 10 million customers’ details, including 5.9 million payment cards, has had his case booted out of the High Court.
Not only was Cardix owner DSG Retail Ltd almost completely successful in its application to strike out Darren Warren’s case against it, the one count Dixons didn’t succeed on saw the case relegated to the county court because of its low value.
Warren wanted to sue the retailer over a digital break-in that saw nearly 6,000 point-of-sale terminals infected with malware. DSG discovered the data-slurping malware almost a year after it was planted, prompting a £500,000 fine from the Information Commissioner’s Office.
He was caught up in that, he told the court, and wanted £5,000 in damages from DSG for “distress” after his personal data was obtained by criminals.
In total 5,646,417 payment cards were exposed to the crooks who compromised DSG, including 5,529,349 chip-and-PIN cards that showed the primary account number and expiry date. Names, addresses, phone numbers, email addresses, dates of birth, and more were also exposed.
It must have come as a surprise to Warren, therefore, when Mr Justice Saini ruled: “If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a ‘misuse of private information’ by me.”
Warren’s legal team had argued that DSG was liable for two civil wrongs: misuse of private information (MPI) and breach of confidence (BOC). Failing to properly secure its servers against intrusion was enough to see the company fined for breaching the Data Protection Act 1998 – but cut little ice with the High Court.
Branding the case against DSG “unconvincing,” the judge ruled that Warren’s arguments that MPI and BOC applied to the retailer simply wouldn’t work. BOC, he said in his written ruling, meant an “obligation not to disclose confidential information.” This is different from merely being crap at security: BOC requires the defendant to actively disclose the confidential thing to a third party. As Mr Justice Saini said: “Here, it was not DSG that disclosed the Claimant’s personal data, or misused it, but the criminal third-party hackers.”
MPI wouldn’t fit the legal bill either, in the judge’s words:
Warren’s case had the potential, if the judge accepted it, to create a new method for aggrieved people to sue companies that suffered breaches which exposed their data. Mr Justice Saini wasn’t prepared to do that, however, saying: “In my judgment, there is no room (nor indeed any need identified) to construct a concurrent duty in negligence when there exists a bespoke statutory regime for determining the liability of data controllers. That regime provides for relief of precisely the same nature as is claimed in negligence in this claim.”
Warren’s case was struck out except for one claim for breach of statutory duty under the seventh data protection principle, which says data ought to be protected against “unauthorised or unlawful processing.” That claim will be transferred to the county court. ®