It’s good to TalkTalk – Part 2: negligence claims for data breaches

1. Introduction

Two recent cases demonstrate two very different privacy issues arising out of data breaches suffered by the telecommunications company TalkTalk in 2014 and 2015. Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) concerned claims for damages for both breaches; whilst Sterritt v Telegraph Media Group Ltd [2022] NIQB 43 (09 June 2022) concerned the privacy of one of the hackers involved in the second breach. In my previous post, I looked at the limits of claims for misuse of private information for both breaches in Smith. In this post, I want to look at Smith (again) and at Sterritt, to consider the limits of a claim in negligence in such cases.

2. Negligence claims in Smith

The main problem in Smith is that TalkTalk did not take steps to secure the data involved in the 2014 breach and the 2015 hack. This sounds like a failure to take reasonable care. But a negligence claim in such circumstances was not pleaded, as it was probably precluded by authority.

In Swinney v Chief Constable of Northumbria Police Force [1997] QB 464, [1996] EWCA Civ 1322 (22 March 1996), the plaintiff saw a car which had hit and killed a police officer, and provided that information to the police. Her personal details were in a file stolen from a police car, and they eventually made their way to the alleged driver. The plaintiff and her husband were subject to threats of violence and arson. The Court of Appeal held that there was an arguable case that there was a special relationship between the parties so as to give rise to a duty of care owed by the police to the plaintiff. However, absent such a special relationship, there would have been no grounds for such a duty of care. This was followed with approval by Saini J in Smith (at [60]).

In Smeaton v Equifax plc [2013] EWCA Civ 108 (20 February 2013), the defendant, Equifax, had registered the plaintiff’s bankruptcy on their credit reference service, but had not registered that it had been discharged. After the discharge, the plaintiff had been denied a bank loan on foot of the defendant’s inaccurate information. The plaintiff’s claim that the defendants were negligent and in breach of a duty of care owed to him failed. Tomlinson LJ held that, although data protection legislation imposed duties upon controllers, that was insufficient of itself to give rise to a statutory duty for the purposes of the tort of breach of statutory duty: “you cannot derive a common law duty of care directly from a statutory duty” ([73] citing Customs and Excise Commissioners v Barclays Bank [2007] 181, 200, [2006] UKHL 28 (21 June 2006) [39] (Lord Hoffmann)). Nor had Equifax voluntarily assumed responsibility towards every member of the public simply by choosing to operate as a credit reference agency: such an approach would “assign to the concept of voluntary assumption of responsibility so wide a meaning as to deprive it of effective utility” ([74] citing Barclays Bank ibid 217, [74] (Lord Mance)). Nor would it be fair, just or reasonable to impose a duty of care, because to impose a duty owed to members of the public generally would potentially give rise to an indeterminate liability to an indeterminate class ([75](2)). For these reasons, in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) (30 July 2021), Saini J rejected a claim that TalkTalk were negligent and had breached a duty of care to the plaintiffs: “there is no room (nor indeed any need identified) to construct a concurrent duty in negligence when there exists a bespoke statutory regime for determining the liability of data controllers” ([35](iii); cp Smeaton [75](3) (Tomlinson LJ), [81] (Davis LJ)).

In Stadler v Currys Group Ltd [2022] EWHC 160 (QB) (31 January 2022) (noted on Out-Law), the plaintiff traded in a smart television to the defendant retailer, Curry’s, which sold it to a third party. Curry’s did not wipe the data from the TV before selling it on, and the third party used the customer’s account on one of the applications on the television to purchase a film, but Curry’s refunded this cost. The plaintiff’s claim in negligence failed. HHJ Lewis held that he had suffered no loss, harm or injury. The cost of the film had been refunded, and he suffered no cognizable distress. As a result, HHJ Lewis held that the plaintiff had not pleaded a complete cause of action in common law negligence (at [63]-[64]). He noted that, in Warren, Saini J had held that there was no room for the court to construct a concurrent duty in negligence where there existed a bespoke statutory regime for determining the liability of data controllers, but since he held that there was no loss on the facts before him, HHJ Lewis did not need to consider the prior question of whether there would have been a duty of care in the first place (at [61]). He need not have been so coy: Warren is clear authority that there would not have been, and this is presumably why the matter was not pressed in Smith.

So, a duty of care can arise in data breach cases, but only if there are factors such as a special relationship (Swinney) or a voluntary assumption of responsibility (Smeaton). If there is no such factor, there is no basis to impose a duty of care owed by a data controller to a data subject. There was no such factor in Warren, so the claim in negligence failed. And there would seem not to have been any such factor in Smith, as a claim in negligence was not pleaded. Even if it had been, Stadler illustrates that it would be difficult to establish an actionable loss. Although negligence claims often fill in gaps elsewhere in the law, there will usually be no such gap to fill in here; and, just as we saw in Part 1 that misuse of private information claims will usually not be available in cases like Warren and Smith, neither will negligence claims be.

3. Negligence claims in Sterritt

A claim in negligence also failed in Sterritt v Telegraph Media Group Ltd [2022] NIQB 43 (09 June 2022). In October 2015, the plaintiff (then aged 15) was arrested in relation to the TalkTalk breaches. Several newspapers, including the defendant, published material which revealed his identity. The plaintiff claimed that the defendant was in breach of a duty of care in negligence in publishing material which led to his identification. Humphreys J struck out that claim. Without reference to Swinney, Smeaton, Warren, Stadler or Smith, he held that a newspaper owes no duty not to carelessly cause harm to anyone about whom it publishes material, and he held that this was particularly so where the material published was true ([2022] NIQB 43 [33]).

Although Humphreys J struck out the claim in negligence, nevertheless, by reference to Bloomberg LP v ZXC [2022] 2 WLR 424, [2022] UKSC 5 (16 February 2022), he permitted a claim in misuse of private information to proceed. A previous claim that the plaintiff’s privacy rights had been infringed by the failure to commence Article 22(1) of the Criminal Justice (Children) (NI) Order 1998 – which would have provided for reporting restrictions before charge – failed (In re Sterritt [2021] NICA 4 (25 January 2021)). Permission to appeal to the Supreme Court of the United Kingdom was refused in March 2022 on the grounds that the application did not raise an arguable point of law.

Of course, the facts of Sterritt are very different from those in, say, Warren, but both cases illustrate the same point: the courts are reluctant to deploy duties of care in negligence where data protection and privacy concerns are more than adequately served by more appropriate remedies, such as those under data protection legislation or pursuant to misuse of private information.

4. Where are the hackers now?

As for Skelton, Morrisons’ disgruntled employee, in July 2015, he was convicted of offences pursuant to the Computer Misuse Act 1990 and the Data Protection Act 1998, and sentenced to 8 years in prison ([2017] EWHC 3113 (QB) [8]; [2020] UKSC 12 [8]; BBC News, 17 July 2015).

As for the TalkTalk hackers, in September 2017, Sterritt pleaded guilty to a charge under section 1 of the Computer Misuse Act 1990 ([2021] NICA 4 [6]); and, in February 2018, the matter was concluded with a Youth Conference Order ([2022] NIQB 43 [12](v)). He is currently facing similar charges in the US (The Times, 5 July 2020). Of the dozen or so others involved, in December 2016, a 17-year-old boy was given a rehabilitation order (BBC News, 13 December 2016); and, in November 2018, two others went to jail (BBC News, 19 November 2018). Finally, in June 2016, a Welsh hacker, Daniel Kelley, pleaded guilty to 11 charges including involvement in that breach, and he subsequently received a four-year sentence (BBC News, 10 June 2019). However, unlike Sterritt, Kelley (@danielmakelley on Twitter) is now apparently a reformed character, seeking to pursue a legitimate cyber security career (Computer Weekly, 18 June 2022).

5. Conclusion

In cases like Warren and Smith, plaintiffs will usually have data protection claims, but they are also testing the limits of alternative claims. In my previous post, I observed that claims in misuse of private information will not fill that gap. The conclusion in this post is that claims in negligence will not do so either.