With society increasingly concerned about data privacy, the spectre arises of claims against businesses for damages caused by cyber-security breaches.
There are no known cases in Hong Kong, yet. But the English case of Warren v DSG Retail Ltd  EWHC 2168 (QB) provides insight into the possible approach of courts to data breach litigation.
In the UK, claimants have brought claims for breach of statutory duty under the (UK) Data Protection Act 1998 (DPA 1998), accompanied by claims for breach of confidence, misuse of private information and the tort of negligence. These low value claims are often supported by no win, no fee arrangements and After the Event (ATE) insurance against adverse costs orders.
Spared any costs consequences, claimants are motivated to bring such claims even if unmeritorious. This Legal Update, however, focuses on the court’s analysis of the merits of the claimant’s claim against businesses subject to cyber-attack, resulting in compromised customer personal data.
The Defendant (DSG), a well-known retailer operating the “Currys PC World” and “Dixons Travel” brands, fell victim to a complex cyber-attack between July 2017 and April 2018. As a result, the attackers accessed personal data of many DSG customers.
The Claimant (Mr Warren), who had purchased goods from DSG, claimed to be one such customer and sought damages of £5,000 in respect of distress. There were four causes of action, namely (i) breach of confidence, (ii) misuse of private information, (iii) common law negligence and (iv) breach of DPA 1998. DSG sought to strike out and/or obtain a summary judgment against the first three claims.
The High Court in England struck out claims (i) to (iii), allowing only claim (iv) under DPA 1998 to proceed.
(i) Breach of Confidence and (ii) Misuse of Private Information
The High Court determined that both causes of action required some positive wrongful actions by DSG (for example, misuse), finding that DSG’s wrong was a “failure” to keep the data secure from unauthorised third-party access – and such failure did not amount to positive conduct, given that DSG was a victim of the cyber-attack.
The Court also confirmed that these two claims do not impose a data security duty on information holders, but are concerned with prohibiting actions by the information holder which are inconsistent with the obligation of confidence and privacy. For these reasons, the Judge struck out Mr Warren’s claims for breach of confidence and misuse of private information.
(iii) Common Law Negligence
The Court found two fatal problems with this cause of action – first determining that it is unnecessary to impose a duty of care when the statutory duties under DPA 1998 operate. Imposing a duty of care in negligence would not be fair, just or reasonable.
Second, the cause of action for damages in negligence is only complete if damage has been suffered. Damage such as mere distress falling short of a clinically recognisable psychiatric illness is insufficient to complete the tortious cause of action. Consequently, the Court opined that this was not a complete cause of action in common law negligence and claim (iii) was struck out.
(iv) Breach of DPA 1998
While this claim was allowed to proceed, it had been stayed pending the outcome of DSG’s appeal against the decision of the Information Commissioner that DSG breached the seventh data protection principle. The Commissioner issued a Monetary Penalty Notice in the amount of £500,000 in this regard.
Businesses can breathe a sigh of relief as the judgment significantly limits potential liabilities for data breaches arising from cyber-attack.
Importantly the decision narrows the scope of causes of action available to claimants with regards to data breach claims. The causes of action based on (i) and (ii) required some positive wrongful actions by DSG, and that would be difficult to establish.
The UK position under Section 13 of DPA 1998 is similar to the position in Hong Kong under the Personal Data (Privacy) Ordinance (PDPO). Section 66(1) of the PDPO provides that an individual who suffers damage in contravention of the PDPO by a data user is entitled to compensation from the data user for that damage. Section 66(2) clarifies that damage referred to in Section 66(1) may include injury to feelings.
Accordingly, we can expect that the reasoning in Warren v DSG Retail Ltd is likely to be applicable and persuasive to the Hong Kong courts in respect of a cause of action based on (iii), namely that it is unnecessary to impose a duty of care when the statutory duties under PDPO operate – and that such a cause of action will fail given similar circumstances.
In addition, the English courts have also highlighted the need for claimants to demonstrate material damage in cyber-security breach claims. In Lloyd v Google LLC  UKSC 50 and Rolfe & Ors v Veale Wasbrough Vizards LLP  EWHC 2809 (QB), the Court ruled that it is possible to recover damages for distress caused by a data breach, but the claimant must show distress or damage over a de minimis threshold.
However, this may be tempered by the Court’s reasoning in Tsang Po Mann v. Tsang Ka Kit  HKDC 208 – finding that the Plaintiff’s “feelings must have been hurt as a result of the misuse of the personal data collected by the Defendants in the CCTV footages despite the fact that the photos per se were not particularly offensive”; and that “the threat that the Defendants would misuse the CCTV footages again to the Plaintiff was not unreal”. This finding suggests that the threshold of “injury to feelings” under the PDPO may be lower than that of “distress or damage” under UK DPA 1998.
The number of potential data breach claims is thus further reduced by excluding the trivial ones, although data users should review their processes for PDPO compliance.
In particular, given that “injury to feelings” under the PDPO appears to be relatively lower threshold, data users should ensure they have taken all practicable measures to safeguard personal data in their possession to avoid being found in contravention of the PDPO in the event of a data breach. Going forward, we can expect continuing discussion on what constitutes a sufficient positive act in data breach claims for the defendant to be held liable.