Data Breach Decisions: A Turning of The Tide?
Client Alert | 7 min read | 01.26.22
Compensation claims for data breaches have become increasingly common in the UK in recent years. However, 2021 may come to be seen as a turning of the tide, as the English Courts made a number of decisions that will substantially reduce the scope of such claims and/or make them less attractive to funders. This alert looks at a few such decisions and their potential consequences.
Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)
This case concerned a cyber-attack on DSG Retail Ltd (“DSG”). Mr. Warren (whose personal data were allegedly compromised) brought common law claims against DSG including breach of confidence, misuse of private information and negligence, seeking damages of £5,000 to compensate for distress. DSG applied for summary judgment dismissing the common law claims, and succeeded for the following reasons:
- Breach of confidence and misuse of private information both require positive conduct on the part of the data controller (which will be difficult to prove where the defendant is the victim of an attack).
- Given the existence of a bespoke statutory regime for determining the liability of data controllers (now in the form of the UK GDPR), there is no need nor justification for constructing a concurrent duty of care in negligence. In any event, Mr. Warren had no actionable loss for negligence in circumstances where he had suffered neither pecuniary loss nor psychiatric harm amounting to personal injury.
By making it harder to bring the above common law claims, this decision may lead to low-value data breach claims arising out of cyber-attacks becoming uneconomical, because:
- Many such claims will now be limited to breaches of the statutory regime, such that they are more likely to be allocated to the small claims track, where legal costs are not recoverable.
- Breach of confidence and misuse of private information claims are exceptions to the general rule that ATE premiums are not recoverable from defendants. As such, it will be harder for claimants to recover such premiums and the policies themselves may become more expensive and/or difficult to obtain, forcing claimants to weigh up their costs exposure against damages in the usual way.
Lloyd v Google LLC [2021] UKSC 50
The Supreme Court’s judgment in Lloyd v Google LLC [2021] UKSC 50 was an even more significant step. The claim was a representative action (an opt-out form of litigation brought on behalf of everyone falling within a defined class) against Google for alleged breaches of the Data Protection Act 1998 (the “DPA 1998”). Because such actions do not permit individualised assessments of damages, the claim was made only for compensation for “loss of control” of personal data, seeking around £750 per claimant. However, with the class of claimants numbering more than 4 million, that meant a potential liability for Google in the region of £3 billion.
To the relief of data controllers worldwide, the Supreme Court unanimously held that:
- As a matter of statutory interpretation, the DPA 1998 did not give data breach victims a right to compensation without proof of material damage or mental distress. There must be distinct damage caused by the unlawful data processing; the damage cannot be the unlawful processing itself.
- Even if damages were available for the unlawful processing itself, the effect of said processing was not uniform across the class, so that individualised assessment of damages would be required, rendering the claims unsuitable for a representative action.
While the Court declined to address claims under the current UK GDPR regime (which specifically permits compensation for “non-material damages”), it is difficult to see how such claims could overcome the need for individualised assessment in order to be brought as representative actions. The Court suggested a “bifurcated process”, whereby a representative action would determine common issues (such as breach), after which other issues (such as damages quantum) could be addressed by way of individual claims, but such a procedure may not be economically viable, and it would certainly be less attractive to funders.
The decision is therefore very likely to reduce the number of representative actions for data breach claims, and may even sound the death knell for such claims.
Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB)
This case arose out of an email inadvertently sent to the wrong recipient by the defendant law firm. The claimants brought claims for breach of the statutory regime, misuse of private information, breach of confidence and negligence, maintaining that: (i) they had lost sleep worrying about the possible consequences of the breach; (ii) it “had made them feel ill”; (iii) they had spent extensive time dealing with the issue; (iv) they were distressed by “fear of the unknown” as to who the recipient might have been; and (v) they were the subject of phishing phone messages, which (it was inferred) resulted from the breach.
The Court gave summary judgment in favour of the defendants, and awarded them costs on the indemnity basis. The final paragraphs of its judgment are reproduced below, as they are symptomatic of an increasing reluctance to entertain speculative claims arising out of minor breaches, and provide a stark lesson for potential claimants on the consequences of bringing such claims:
12. What harm has been done, arguably? We have here a case of minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it (which she confirmed) and no evidence of further transmission or any consequent misuse (and it would be hard to imagine what significant misuse could result, given the minimally private nature of the data). We have a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them 'feel ill'. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied.
13. There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim (especially in the High Court) for breaches of this sort which are, frankly, trivial. The case law referred to above provides ample authority that whatever cause of action is relied on the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown.
Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB) and Ashley v Amplifon Limited [2021] EWHC 2921 (QB)
Similar to Rolfe discussed above, these cases each involved one-off incidents where the claimant’s personal data were inadvertently emailed to the wrong party, the error quickly identified, and the email deleted. Both claimants brought claims in the High Court for misuse of private information and breach of confidence, as well as for breaches of the statutory regime.
Unlike Rolfe, in neither case did the Court grant the defendant’s application for summary judgment on the entire claim, on the basis that there was a realistic prospect of the claimant proving distress or damage over a de minimis threshold. However, the judgments nevertheless make clear that the Courts are running out of patience with claimants apparently over-complicating their claims in an attempt to bring them in the High Court for costs recovery purposes. In particular:
- In Johnson, the Court held that: (i) the misuse of private information and breach of confidence claims were struck out on the basis that they added nothing to the statutory claim, such that they were likely to “obstruct the just disposal of [the] proceedings and take up disproportionate and unreasonable court time and costs”; (ii) the claim had “all the hallmarks of a Small Claim Track claim”, and there was “no basis” for it having been issued in the High Court, which amounted to “a form of procedural abuse”; and (iii) the statutory claim was accordingly transferred to the Small Claims Track.
- In Ashley, while the Court did not strike out the misuse of private information or breach of confidence claims, it still allocated the case to the Small Claims Track. As such, even if claimants are able to overcome the difficulties with these claims discussed elsewhere in this alert (for example, by framing claims arising out of cyber-attacks in such a way that involves a positive act by the defendant), it is by no means guaranteed that they will be allowed to proceed in the High Court.
These cases appear to highlight an inexorable shift by the Courts to limit the potential exposure of data controllers to mass claims and class actions, and reduce the possibility of frivolous or fanciful claims being brought for data breaches which have caused little or no actionable damage.