Data breach litigation: Common sense decision to curb claims

10th November 2021

The trend

The UK GDPR [1] currently gives individuals a right to claim compensation from an organisation where they have suffered damage as a result of a breach of data protection legislation. This includes both ‘material damage’ (such as monetary loss) and ‘non-material damage’ (such as distress) [2].

Walker Morris recently published practical advice about how organisations can proactively protect themselves against the risk of data breach litigation given the increase in claims in this area. Following on from that, Commercial Dispute Resolution and data breach litigation specialists Gwendoline Davies and Nick McQueen explain why a recent case should stem the flow of trivial or meritless data breach claims brought by individuals against businesses and should enable organisations to be more robust in their defensive strategies.

Why is Rolfe v Veale Wasbrough Vizards of interest?

In Rolfe & others v Veale Wasbrough Vizards LLP [3] a claim for damages for misuse of confidential information, breach of confidence, negligence and damages under Article 82 of the UK GDPR was summarily dismissed and indemnity costs were awarded against the claimants for their “exaggeration and lack of credible evidence of distress”.

The claim related to an email, sent to an incorrect recipient, which attached a letter including the claimants’ names, addresses, the amount of school fees owed, a statement of school fees for the past five years and a reference to proposed legal action which would be taken if the debt was not paid. The error was swiftly rectified by the incorrect recipient deleting the email on the same day that it was sent.

Whilst this case will not put an end to all minor and exaggerated data breach claims, it is a common sense decision that will no doubt be welcomed by organisations for the court’s recognition of the distinction between trivial/exaggerated actions which are being advanced opportunistically and legitimate data breach claims.

The practical implications

The following legal and practical points arise:

• The claim involved “minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it (which she confirmed) and no evidence of further transmission or any consequent misuse (and it would be hard to imagine what significant misuse could result, given the minimally private nature of the data)”.
• The claim was plainly exaggerated and included a “frankly implausible suggestion that the minimal breach caused significant distress and worry or even made them ‘feel ill’.
• The court placed emphasis on the fact that the single breach was quickly remedied, and doubted that distress or damage over a de minimis threshold would be proven. It made clear that it is not appropriate to claim for such trivial breaches.

This case, along with others such as Warren v DSG, indicate a shift within the courts which may lead to claims at the trivial end of the scale increasingly being dismissed, potentially with cost sanctions being imposed.  It may, therefore, act as a deterrent against claims of this nature.

How we can help

Walker Morris’ Commercial Dispute Resolution lawyers are highly experienced in resolving and defending data breach claims. This expertise, when combined with our specialist Regulatory & Compliance team’s comprehensive understanding of the regulatory background, ensures that an informed and robust strategy can be adopted.

As well as helping you to respond quickly and effectively if and when a data breach occurs and any claim is threatened, our specialist solicitors can help you to refine your pre-emptive risk management strategies, whether that be carrying out health checks in respect of policies and procedures with a view to mitigating against claims of this nature, training staff and/or keeping you up to date with the legal and regulatory matrix.

If you would like to discuss any of the issues covered in this or our earlier briefings, please do not hesitate to contact Gwendoline Davies or Nick McQueen who will be very happy to help.

[1] The GDPR provisions retained by the United Kingdom following the end of the transition period amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019

[2] The Supreme Court recently handed down its judgment in Lloyd v Google [2021] UKSC 50 which considered the position in relation to loss of control damages. See our briefing.

[3] [2021] EWHC 2809 (QB)