It’s good to TalkTalk – Part 1: misuse of private information claims for data breaches

It's good to TalkTalk

1. Introduction

Two recent cases demonstrate two very different privacy issues arising out data breaches suffered by the telecommunications company TalkTalk in 2014 and 2015. Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) concerned claims for damages for both breaches; whilst Sterritt v Telegraph Media Group Ltd [2022] NIQB 43 (09 June 2022) concerned the privacy of one of the hackers involved in the second breach. In this post, I want to look at the limits of claims for misuse of private information for both breaches in Smith. In the next post, I will look at Smith (again) and at Sterritt, to consider the limits of a claim in negligence in such cases.


2. Smith and the 2014 TalkTalk breach: no misuse of private information

In Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) (noted on Panopticon), in September 2014, TalkTalk customers began to receive scam calls purporting to be from TalkTalk, which were ultimately traced to data obtained by users of Wipro, a third party providing network services to TalkTalk. However, Wipro put no adequate controls in place to prevent unauthorised access by its users to the data supplied by TalkTalk. In August 2017, the Information Commissioner’s Office (ICO) imposed a fine of £100,000 on TalkTalk for their failure to implement appropriate security measures (see “Monetary Penalty Notice” (ICO, 7 August 2017) (pdf)).

In an action for damages for the breach, Saini J held that, for there to be a misuse of private information, there must be a misuse – an action or interference – by the defendant. There is now a long line of authority to the effect that a defendant who did things which enabled access to information by an unauthorised person did not, in any true sense, itself misuse the information for the purposes of the tort of misuse of private information, and Saini J applied that line of authority to dismiss the damages claim.

For example, in WM Morrison Supermarkets plc v Various Claimants ([2018] 3 WLR 691, [2017] EWHC 3113 (QB) (01 December 2017), Skelton, an employee of Morrisons, uploaded to the Internet a file containing personal details of 99,998 fellow employees. At first instance, Langstaff J rejected the argument that this disclosure per se gave rise to a claim against Morrisons for misuse of private information (at [66]):

the assertion that there is direct liability in respect of … misuse of private information … fails: it was not Morrisons that disclosed the information or misused it: it was Skelton, acting without authority and criminally.

This matter was not pursued on appeal to the Court of Appeal for England and Wales ([2019] QB 772, [2018] EWCA Civ 2339 (22 October 2018)), or to the Supreme Court ([2020] AC 989, [2020] UKSC 12 (01 April 2020)) where it was ultimately held that Morrisons were not vicariously liable for Skelton’s actions.

In the leading case of Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) (30 July 2021) (noted on Inforrm’s blog), sophisticated hackers had infiltrated the defendant’s computer systems and installed malware on 5,930 point of sale terminals at the defendant’s the Currys PC World and Dixons Travel retail stores. In January 2020, the ICO imposed a fine of £500,000 on DSG for failing to secure the personal data of at least 14 million customers (see “Monetary Penalty Notice” (ICO, 7 January 2020) (pdf) (an intended appeal against this fine (Warren [2]) does not seem to have come on yet). As a customer who had purchased goods from Currys PC World, the plaintiff sought damages for distress for that breach. Saini J adopted Longstaff J’s reasoning, and held that those who had misused the claimant’s personal data were the criminal third-party hackers, and not the defendant which had been hacked ([2021] EWHC 2168 [31]). This was approved by HHJ Lewis in Stadler v Currys Group Limited [2022] EWHC 160 (QB) (31 January 2022) [47]-[59] (noted on Out-Law) and by Nicklin J in Underwood v Bounty UK Ltd [2022] EWHC 888 (QB) (13 April 2022) [52] (noted on Panopticon).

In Smith, Saini J referred to this line of authority, and reaffirmed his earlier decision in Warren. Effectively, therefore, a failure on the part of the transferor of data, to make appropriate arrangements regarding the security that data in the transferee’s hands, is unlikely to amount to a misuse of private information. However, this seems a rather harsh result, driven by the happenstance of the word “misuse” in the title of the recently-emergent tort. Moreover, why is the transfer of data without adequate security not a misuse? In any event, this is a finding that the transferor is not primarily liable for the transferee’s misuse. But it is an open question whether the transferor might still be secondarily liable (see, eg, Paul S Davies Accessory Liability (Hart Publishing, 2017) chapter 6). Saini J rejected joint-liability or common design (at [52]), but this is still a species of primary liability, and he did not consider any claims of accessory or secondary liability. Given that the door has been squarely closed on primary liability claims, it remains to be seen whether plaintiffs and their lawyers seek to plead secondary liability claims against defendants in these circumstances.

3. Smith and the 2015 TalkTalk breach: still no misuse of private information

In October 2015, a breach saw the personal details of 156,959 TalkTalk customers accessed, including the bank details of 15,656 customers (see “TalkTalk cyber attack – how the ICO’s investigation unfolded” (ICO)). The defendant’s database management software was infected by a bug, for which the software vendor made a fix available in 2012. However, the defendant did not adopt this update, and the hackers exploited it to gain access to customers’ personal data. In September 2016, the ICO imposed a then-record fine of £400,000 on TalkTalk for their failure to implement basic cyber security measures to prevent that breach (see Annual Report and Financial Statements 2017-18 (ICO, 2018) (pdf) p9 and and “Monetary Penalty Notice” (ICO, 30 September 2016) (pdf)). The claim in misuse of private information in respect of this hack failed for the same reasons that the claim in respect of the 2014 breach did: Saini J held there was no misuse of private information by the defendant. The failure to update the software, or otherwise to protect the database, was plainly a Bad Thing; but it did not, in Saini J’s view, amount to a misuse of private information. Again, as with the 2014 breach, this seems a rather harsh result, driven by the happenstance of the word “misuse” in the title of the recently-emergent tort. However, unlike the earlier breach, it is not easy to posit a misuse on the part of the defendant in respect of the 2015 breach. And it is also an open question whether the defendant might still be secondarily liable in these circumstances.

4. Conclusion

In cases like Warren and Smith, where the breach is committed not by data controllers, but by processors (Warren) or by hackers (Smith), data subjects will usually have data protection claims pursuant to sections 168 and 169 of the Data Protection Act 2018 (if the breach or hack is after 25 May 2018; or to section 13 of the Data Protection Act 1998 if the breach or hack is before that date). But damages for such claims are usually modest, and have been constrained by the decision of the UK Supreme Court in Lloyd v Google LLC [2021] 3 WLR 1268, [2021] UKSC 50 (10 November 2021). It is unsurprising, therefore, that plaintiffs are testing the limits of alternative claims. My next post will consider whether claims in negligence will do that job. What is clear from this post is that, at least so far as Saini J is concerned in Warren and Smith, claims in misuse of private information will not fill that gap, no matter how clever the pleadings.