Posted by Tom Llewellyn, Partner
Claims management companies and data breach claims: what you need to know
Since the GDPR came into force in 2018 (replaced by the UK GDPR post Brexit) there has been a steady rise in the number of claims for damages brought by claims management companies and no win-no fee law firms.
These often take relatively the same form despite the range of firms involved – one even recently brought a claim against another for breach of copyright in their precedent data breach letter of claim (JMW v Hayes Connor).
The firms involved are largely the same firms that were involved in bringing claims for PPI misselling. Most businesses responsible for PPI misselling were either smaller financial institutions with insurance cover or large financial institutions with deep pockets. GDPR breaches, however, can affect any size or type of businesses, and most don’t have any form of insurance cover for these breaches. All businesses are at risk and whilst class action claims can arise from the large scale data breaches, claims are also regularly brought following one off minor data breaches. This could be something as simple as sending an email containing personal data to the wrong individual.
Even if such a simple breach is rectified immediately, or even where there has been no loss, claims management companies or no win no fee law firms will seek to bring claims on behalf of their clients. Whilst the causes of action are wide, significant reliance is placed on the Court of Appeal’s decision in Lloyd v Google in which the Court held that there was no need to prove actual loss where there had been a loss of control of personal data. However, it was also held that there was a de Minimis threshold below which a claimant still has to prove actual loss – this being “an accidental one-off data breach that was quickly remedied”.
In this regard, Lloyd v Google is concerned with the systematic use of personal data for monetary gain by Google. It is therefore quite a different scenario to small scale one off data breaches which seemingly don’t meet the de Minimis threshold. As such, in the absence of any actual evidence of loss, there is no basis to bring a claim for small one off data breaches. However, that seems to matter not to firms who bring damages for regardless, coupled with wholly disproportionate legal costs. How to respond to such cases needs careful consideration to avoid falling into a trap of settling the claim at low value but then ending up in a further dispute over legal costs.
There will likely be lots of developments in this area in the future, not least with Lloyd v Google due to be heard in the Supreme Court this month (April 2021), but also regarding what type of claims fall within the de Minimis threshold.
We will be providing a detailed discussion on data breaches in the upcoming Grey Matters webinar, and will be keeping you updated about all developments here – including the important Lloyd v Google decision.
Business skills for effective leadership webinar
We are delighted to announce our next In Conversation with… Dr. Catherine McGregor, author of Business Thinking in Practice for In-House Counsel: Taking Your Seat at the Table.
Catherine will explore the grey areas around some of the themes in her book: leadership, purpose, culture and creativity. Using real-life examples to bring these themes to life, Catherine will demonstrate the importance of human centred business skills, how they are becoming central to legal teams and what savvy GCs and in-house lawyers should be thinking about to maximise their team’s success.
When: Thursday 13 May
Timings: 11pm – 12pm
If you have any questions or need advice on GDPR, please get in contact with a member of our Grey Matters team
01865 268 681 Email us
There are many areas of the law that aren’t black or white. Grey Matters is our know-how programme to help you discuss these intricacies.