Is ATE Insurance Recoverable in Data Breach Claims?
Since April 2013, when the Legal Aid, Sentencing and Punishment of Offenders Act 2012 (LASPO) came into effect, most after the event insurance (ATE) premiums have no longer been recoverable from the opponent, meaning that the insured must discharge the premiums from their damages.
One exception to the changes was made for “publication and privacy” proceedings, such as claims in defamation, breach of confidence and misuse of private information. ATE premiums in respect of these cases have remained recoverable.
In recent years, there has been an increase in so called “data breach” litigation. Claims for pure breach of data protection legislation do not fall within the “publication and privacy” exemption in LASPO and so it has become common practice for claimants to also plead breach of confidence and misuse of private information in addition to the data breach complaint, the rationale being that the ATE premium for at least the latter causes of action will be recoverable. In practice, few defendants challenged the point and often the full ATE premium was recovered.
It is likely that the recoverability of the premium, enabling claimants to obtain protection for adverse costs for no direct cost to them, has significantly contributed to a rise in data breach claim volumes in recent times.
Darren Lee Warren v DSG Retail Limited
It has long been expected that eventually this practice would be challenged and the recent judgment in Darren Lee Warren v DSG Retail Limited clarifies the position and, whilst perhaps unsurprising, will be a significant obstacle to claimants pursuing certain data breach litigation going forward.
The claim arose out of a serious cyber-attack suffered by DSG (operating the “Currys PC World” and “Dixons Travel” brands) in 2017-2018 and the claimant, an individual customer, sought £5,000 damages for breach of the Data Protection Act 1998 (DPA) (as the incident was prior to the GDPR coming into force), breach of confidence, misuse of private information and common law negligence. The defendant applied for summary judgment and/or an order striking out all causes of action save the claim relating to the DPA, and Saini J ruled in the defendant’s favour.
The court concluded that the defendant company had not “misused” the claimant’s data. The unlawful misuse was by the attacker, not the victim of the attack. The judge ruled that the non-DPA claims required some form of positive conduct by a defendant which was not present where DSG was the passive victim of an attack. Moreover, the negligence pleading was struck out as there is no need to impose a tortious duty of care where a bespoke statutory regime already exists.
In his judgment, Saini J reasoned:
“I accept that a ‘misuse’ may include unintentional use, but it still requires a ‘use’: that is, a positive action. In the language of Article 8 ECHR (the basis for the MPI (misuse of private information) tort), there must be an ‘interference’ by the defendant, which falls to be justified. I have not overlooked the Claimant’s argument that the conduct of DSG was “tantamount to publication”. Although it was attractively presented, I do not find it persuasive. If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a “misuse of private information” by me. Recharacterizing my failure to lock the window as “publication” of the statements is wholly artificial. It is an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI.”
The claim under the DPA was transferred to the County Court for disposal.
The court made it clear that claimants seeking redress following a cyber-attack are limited to doing so through a claim solely for breach of data protection litigation. This will have the effect of simplifying such claims but the key implication for claimant firms is that claimants will no longer be entitled to seek recovery of the ATE premium from the opponent in claims arising from cyber-attacks. As these claims are typically low value, it is unlikely to be economical to pay for an insurance policy on single claimant matters so the claimants will be faced with the decision on whether to proceed uninsured against a potential adverse costs order. Group claims may well still be viable, and are likely to continue to increase, as the cost of an ATE policy can be spread between a large number of claimants.
Most specialist data breach firms will be working on delegated authority schemes which enable them to quickly issue ATE policies on behalf of a specific insurer and no doubt the eligibility criteria for these programs will be quickly adjusted to reflect this judgment.