There was welcome news for data controllers this week, as a High Court judge dismissed a claim for compensation resulting from a data breach on the basis that the breach was trivial.
In granting summary judgment in favour of the defendant in Rolfe & Ors -v- Veale Wasbrough Vizards LLP  EWHC 2809 (QB), Master McCloud confirmed that it is not sufficient for claimants to merely establish that there had been a data breach; claimants must go further and establish that they have suffered a material (i.e. a financial loss) or non-material (such as distress) loss as a result of the data beach which is more than merely trivial.
The claim arose from solicitors sending a letter containing some personal information to the incorrect recipient who immediately notified the solicitors and subsequently deleted the e-mail. Master McCloud dismissed the claim on the basis that:
- there was no credible case that distress or damage over a de minimis threshold could be proved – the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown;
- in the modern world it is not appropriate for a party to claim, especially in the in the High Court, for breaches of this sort which were, frankly, trivial;
- the suggestion by the Claimants that the minimal breach caused significant distress and worry or even made them feel ill was “inherently implausible”; and
- no person of ordinary fortitude would reasonably suffer the distress claimed arising in such circumstances in the 21st century in a case where a single breach was quickly remedied.
Since GDPR came in to effect in May 2018 introducing wider grounds on which data subjects could bring a claim where there has been a data breach, organisations have been subjected to an ever growing number of compensation claims. Whilst there are genuine cases where loss is suffered, in the majority the nature of the breach is often trivial, and a claim for compensation are significantly disproportionate. Such claims are consuming for such organisations in having to incur time and cost in dealing with such claims.
Master McCloud’s pragmatic and real world approach ought to reassure organisations that courts will be slow to entertain trivial or low-level data breach claims, especially where such data breaches are remedied promptly and only relate to anodyne information.
A number of group actions relating to data breaches are currently being pursued, and it will be interesting to see the courts’ approach to damages if they are asked to consider the same.
How Blake Morgan can help
Our data protection experts work with business and organisations to help them navigate these issues. Should your organisation suffer a data breach, then Blake Morgan’s expert data protection lawyers can assist with your response – from determining whether the breach needs to be reported to the ICO or notified to data subjects and practical steps to take in response to the breach to dealing with claims for compensation as a result. Contact us at [email protected] for specific advice and support.
Enjoy That? You Might Like These: