![HT-2020-000448 - [2024] EWHC 1185 (TCC)](https://backend.juristeca.com/files/emisores/logo_yJUntHA.png){kind=logo}
The Security Incidents
The Security Incidents
It is common ground that there were three data breaches:
the “Basics Certificates Data Breach” when on 2 February 2018, more than 1000 Basic Certificates were delivered to an individual’s address, each of which contained sensitive personal information relating to other individuals;
the “Barred List Deletion of Records Incident”, when on 12 April 2018, a member of the public using the Barring Portal inadvertently managed to delete 294 cases and 95 individuals from the Barring List; and
the “Victim Records Breach”, when on 19 June 2018 it was discovered that the records of individual victims were being inadvertently attached to the wrong cases, affecting 114 allocated, 552 unallocated, and 6020 closed cases.
In its Spigelman Schedule, DBS indicated for the first time that it sought ‘nominal damages’. No claim for damages, even nominal, is pleaded in respect of the security incidents. It is not suggested that the incidents caused any financial loss to DBS.
DBS, in its Written Closing Submissions, contended that the significance of the security incidents is that they (1) illustrate the existence of defects in the Solution at the time of Go-Live and the potentially serious consequences of such defects for DBS and its users; (2) demonstrate TCS’s unsatisfactory attitude and actions in relation to remedying defects which existed at Go-Live; and (3) contributed to DBS’ loss of confidence in TCS and its ability to deliver, an important factor relevant to DBS’ decision to partially terminate the Agreement and de-scope R1 Disclosure.
The only pleaded reference is to part of the justification for the validity of the Partial Termination. Whilst the security incidents may have, as a matter of fact, informed part of DBS’s strategy to remove R1-D, I have already found that the security incidents could not have been relevant to the contractual entitlement to remove R1-D by way of Partial Termination in accordance with Clause 55.11.
The security incidents are, as a result, irrelevant to the issues which I have had to decide. Were it relevant to have done so, I would have preferred the evidence of Dr Hunt that each of the incidents arose out of a breach on the part of TCS to have designed and coded the system in accordance with Good Industry Practice. That said, I also conclude that for each of these incidents, the immediate issue was resolved quickly, preventative steps were taken, and there were no other similar incidents. They did not demonstrate systematic problems with the solutions or a generally unsatisfactory attitude, as suggested.
Given that it should have been clear to DBS that these incidents were analytically irrelevant to any remedy sought, and that they were (at most) capable of providing some colour in the context of the overall relationship, it was unnecessary for quite so much time to have been spent in witness evidence (both factual and expert) and at trial on these matters.
- Heading
- CONTENTS
- IntroductiON
- The Factual Witnesses
- Expert Evidence
- Programming Experts
- Forensic Accounts
- The Parties Submissions
- Principles Applicable to Issues of Construction
- The Defendant’s Obligations and Responsibilities
- Clause 15
- Clause 9.5 which states
- Clause 14.5 of Schedule 2-6 which states
- The Delay and Notice Provisions
- Clause 7
- Conditions Precedent: Clauses 5 and 6
- Conditions Precedent: the authorities
- Clause 5.6
- Clause 6
- Clause 8
- Limitations of Liability
- A single or multiple caps?
- The Delay Damages cap under Clause 52.2.5
- Is TCS’s claim for loss of anticipated costs savings excluded by Clause 52?
- Compliance with Clause 5.3, Agreement and Estoppel Introduction
- Express Agreement
- Estoppel
- Introduction
- R1 B&B Delays
- Mr Britton’s First Analysis
- Mr Britton’s Second Analysis
- Conclusion on Mr Britton’s Analyses
- TCS’s submission based upon Mr Jardine’s analysis
- Responsibilities for Delay on the ‘Infrastructure’ Critical Path
- R1-D
- Compliance with Notice Provisions
- Analysis of Delays
- Up to August 2017
- From August 2017 to 19 September 2018
- Analysis
- Failed to confirm its desired functional scope of R1 Disclosure in relation to the Customer-to-Business portal and Accountable Officer’s Update Service functionality. Such confirmation was a prerequis
- Failed to make available an end-to-end test environment for the Interactive Voice Response system
- Failed to agree upon a data migration approach, without which the Claimant could not complete the build of a data migration environment so that anonymised data could be made available for testing
- Failed to ensure that relevant external stakeholders were available to participate in Final Systems Integration Testing
- Partial Termination
- TCS’s Claims
- Non-Manpower Costs
- Anticipated Cost Savings
- Summary of TCS’s Delay Claim Recovery
- DBS’s Claims
- Delay Payments
- R1-B&B Delay
- Disclosure Scotland Extension Costs – Item 1 of the Updated Schedule of Loss
- Loss of Anticipated Savings – Item 3 of the Updated Schedule of Loss
- R1-D Delay
- R0 Licence Costs – Item 4 of the Updated Schedule of Loss
- R0 Hosting and Infrastructure Costs - Item 5 of the Updated Schedule of Loss
- R0 Technology Refresh – Item 6 of the Updated Schedule of Loss
- R0 N-1 Sustainment Costs – Item 7 of the Updated Schedule of Loss
- R0 Maintenance Costs – Item 8 of the Updated Schedule of Loss
- Savings
- Introduction
- Quality-related Obligations
- Good Industry Practice and Defects
- Digital by Default Standards
- Section 71
- The Basics Portal
- Section 73
- The Barring Portal
- Section 75
- Section 76
- Barring Portal: Loss of productivity - Item 11 of the Updated Schedule of Loss
- LPF Portal
- Siebel Useability Issues
- Redaction
- Document naming, bundle creation and performance
- Adobe Licence (Item 20)
- Document Storage (Item 21)
- Other B1 Barring Quality Issues
- Scan on Demand
- Special Characters
- Letters
- Item 24 : Loss of Efficiency Claims arising out of R1 Barring Quality/Useability Issues
- N-1 Sustainment Costs
- Causation and Loss
- Exit/Service Transfer
- Identification of all services (3.2.2)
- Knowledge Transfer (3.2.6 and 3.2.7)
- Section 95
- Providing all documentation to a replacement contractor (3.2.1 and 3.2.10)
- The identification of all leases, maintenance agreement and support agreements in connection with the provision of the services (3.2.3)
- Providing any other information or assistance reasonably required by a replacement contractor (3.2.14)
- Causation and Loss
- The Security Incidents
- The Charges Variation Dispute Introduction
- Issue 1: How the amount of an ‘over-recovery of the Forecast Revenue’ (Clause 2.8.4) or ‘under-recovery of the Forecast Revenue’ (Clause 2.8.5) is to be measured
- Section 104
- Issue 4: How Clause 2.8.5 of Schedule 2-3 applied to Volume Based Service Charges in Service Year 5
- Issue 2: Whether the Predicted Volumes for Basics in Service Year 4 were 1,000,000 (TCS’s case) or 320,374 (DBS’s case)
- Conclusion on Volume Based Service Charge
- Conclusions