Data breach litigation: Pursuing low value or exaggerated claims = abuse of process

19th November 2021

The threat of a data breach and ensuing litigation is today, unfortunately, ever-present on the corporate risk agenda.  Individuals are more aware of their data rights than ever before and a spate of litigation has been fuelled by claims management companies who have made it their business to encourage individuals affected by a data breach (often only a minor one) to take action.

In this article, Walker Morris’ data breach litigation experts explain why a recent case is the latest to suggest that the tide is turning, and that the courts are likely to give short shrift to low value or exaggerated claims.

Why is Johnson v Eastlight Community Homes of interest to data controllers?

Walker Morris has reported recently [1] on a run of cases which look set to stem the flow of trivial or meritless data breach claims brought by individuals against businesses.  Emma Louise Johnson v Eastlight Community Homes Ltd [2] is the latest decision to continue that trend.  It contains strong guidance from the court that pursuing low value or exaggerated claims constitutes an abuse of process and is “simply unacceptable”.

What practical advice arises?

The following legal and practical points arise:

• • The court will take into account the nature, severity and any continuity of breach.
    • Here, the claimant’s name, address and recent rent payments were accidentally disclosed (albeit they were buried within a document which was almost 7,000 pages long); the breach was remedied in less than three hours; the defendant apologised; the recipient deleted the information (most likely without having read it); the matter was reported to the Information Commissioner’s Office, which took no action; the information was not of an overtly sensitive nature in itself; and the claimant was not ex-directory and she had not taken steps to withhold her details from the claim or publicly available channels.
  • The court will take into account the value of the claim, the likely costs, proportionality and potential detriment to the wider public in terms of court resources. The de minimis principle and Jameel [3] authority therefore apply in respect of General Data Protection Regulation 2016/679 and Data Protection Act 2018 cases.
    • Here, the claim was, at best, worth no more than £3,000. However the claimant had already incurred, by the instant summary judgment hearing, costs of some £15,000, and its estimated overall costs were £50,000.
  • The court will take a dim view of unmeritorious attempts to layer multiple causes of action in an attempt to add credibility to a claim, to convey a greater impression of its importance than is justified, and to present the claim in a forum that is not appropriate.
    • Here, the court was highly critical of the claimant’s and its solicitors’ presentation of this case before the High Court (when it should never have been anything more than a Small Claim) and of their unfounded and misconceived claim for an injunction. The claim for an injunction was entirely inappropriate and without merit where there was absolutely no evidence to suggest any ongoing threat to the claimant’s data.
  • Whilst it is arguable that the claim should have been struck out in its entirety, the judge decided instead to remit the case to the Small Claims Court and to allocate it back to himself. He indicated his hope, in light of the robust criticism of the claimant and its solicitors in this judgment, that the resolution of the claim and the matter of costs might now be agreed between the parties.
  • It is unlikely, in light of the judge’s approach, this litigation will continue. The judgment is therefore likely to stand and to be of comfort and assistance to data controllers facing similar low value, exaggerated claims.  Ideally, the case will also act as a significant deterrent against claimants and claims management firms pursuing any such claims in the first place.

How we can help

Walker Morris’ Commercial Dispute Resolution lawyers are highly experienced in resolving and defending data breach claims. This expertise, when combined with our specialist Regulatory & Compliance team’s comprehensive understanding of the regulatory background, ensures that an informed and robust strategy can be adopted.

As well as helping you to respond quickly and effectively if and when a data breach occurs and any claim is threatened, our specialist solicitors can help you to refine your pre-emptive risk management strategies, whether that be carrying out health checks in respect of policies and procedures with a view to mitigating against claims of this nature, training staff and/or keeping you up to date with the legal and regulatory matrix.

If you would like to discuss any of the issues covered in this or our earlier briefings, please do not hesitate to contact us.

[1] See our recent briefings on Warren v DSG, Rolfe v Veale Wasbrough Vizards, Lloyd v Google and how organisations can protect themselves

[2] [2021] EWHC 3069 (QB)

[3] The de minimis principle provides that while data breach damages can, in principle, be recovered for breaches of data protection law even where only distress is caused, the distress must be more than trivial; Jameel v Down Jones & Co Inc [2005] QB 246 confirmed that pursuing a claim which is disproportionate to the likely costs (i.e. where “the game is not worth the candle”) constitutes an abuse of process and can be struck out