Taylor Walton Solicitors

Narrowing the scope of cyber attack claims

Given the recent spate of cyber attacks impacting every sector, from education and legal to manufacturing and pharmaceutical, when, typically, data is stolen, deleted or encrypted to extort a ransom, a recent ruling offers some hope for data controllers, worried about the fallout from such an attack.

The High Court recently handed down its ruling in the case of Warren v DSG Retail Limited [2021] EWHC 2168 (QB), one which will undoubtedly have far-reaching implications for data subjects who are considering bringing a claim against a data controller following a third-party cyber attack.

For a period of nine months, starting in July 2017, DSG Retail Ltd (DSG), which operates the Currys PC World and Dixons Travel brands, suffered a sophisticated cyber attack. Criminals were able to infiltrate DSG’s systems and install malware across almost 6,000 in-store point of sale terminals, which gave them access to the personal data of approximately 14 million customers.

The attack made personal data, including customers’ names, addresses, phone numbers, date of birth and email addresses, potentially accessible to the attackers, resulting in the Information Commissioner’s Office (ICO) investigating this serious breach. The ICO decided that DSG had breached the seventh data protection principle (DPP7), which requires ‘appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data’.


Peter Kouwenberg Associate Solicitor Taylor Walton Solicitors

The Commissioner issued a Monetary Penalty Notice (MPN) for £500,000 in January 2020, although at the time of writing, this remains subject to an appeal, which will be heard later in 2021 before the First Tier Tribunal.

The claimant, Darren Lee Warren, had purchased goods from Currys PC World while the point of sale terminals were compromised and claimed that some of his personal data was stolen in the attack, resulting in him bringing a civil claim against DSG for:

- Breach of statutory duty
- Breach of confidence
- Misuse of private information
- Negligence

Mr Warren sought £5,000 in damages for the distress he claimed he had suffered due to his personal data having been compromised in the cyber attack. However, he did not bring any claim for financial loss or personal injury as a result.

The defendant, DSG, applied for summary judgement or an order striking out the claims, with the exception of the claim for breach of statutory duty under the Data Protection Act 1998 (Article 5(1)(f) of the UK GDPR). This requires organisations to have appropriate technical and organisational measures in place to protect the data they hold, from unauthorised or unlawful processing or accidental loss, destruction or damage.
