Claim for “trivial” data breach dismissed by High Court
Many businesses will have experienced an email being sent to the wrong person, often due to a simple typo. Since the introduction of the General Data Protection Regulation in May 2018, there has been a wave of opportunistic claimants relying on mishaps such as this to pursue compensation for breach of data protection.
In a decision relevant to all data controllers, the High Court has thrown out a claim for compensation arising from a single, accidental data breach just like this. The judge ruled that the breach was insufficiently serious to amount to a viable claim for damages.
In Rolfe & Ors -v- Veale Wasbrough Vizards LLP  EWHC 2809 (QB), Master McCloud granted summary judgment in favour of the Defendant. This was an expedited decision without a full trial. The judge commented that there was no credible case that the alleged damage or distress caused had reached a de minimis threshold. In other words, the purported harm was minimal and did not give rise to a right to financial compensation.
The claim related to a single email (and attachment) regarding unpaid school fees, sent by the Defendant, a firm of solicitors, and intended for one of the Claimants. As it transpired, the email was mistakenly sent to the wrong email address by a junior member of staff. Upon receipt of the email, the incorrect recipient immediately informed the solicitors of the error and subsequently deleted the email permanently (and confirmed that they had done so).
The information in the email and attachments contained references to the Claimants’ names, address and the sum owed. No other personal or sensitive data (such as health or financial information) was disclosed.
The Claimants sought to recover damages for, amongst other things, misuse of private information, breach of confidence and negligence. As in many of these cases, the Claimants sought an inflated sum for time spent dealing with the matter and the apparent distress caused, whilst not being able to point to any actual financial loss.
The judge dismissed the claim because:
- “No person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st century”;
- It was “frankly, inherently implausible” that such a minimal breach had caused significant distress;
- A claim cannot succeed where any possible loss or distress is “trivial”; and
- As per the decision in Lloyd v Google  QB 747, the required threshold for damages was not reached where there was “an accidental one-off data breach that was quickly remedied”.
What this means for data controllers
The pragmatic judgment should provide organisations with a degree of comfort that the Courts are readily able to identify low-level data breach claims which are (in the eyes of the High Court) not appropriate in the modern world. It is hoped that this decision (and the £11,000 awarded to the defending party in costs!) will deter data subjects who have not suffered actual financial loss from bringing claims, and save businesses the time and cost involved in defending them.
The decision itself highlights the importance of:
- the nature of the breach;
- the nature of the information involved; and
- the steps taken to mitigate the breach.
It is therefore apparent that this decision may only be relevant in circumstances where the data breach itself is a one-off and minor incident which does not involve any significant personal or special category data.
It is expected that further guidance on compensation for wider scale data breaches will be provided by the Courts very soon when the eagerly awaited Supreme Court decision in Lloyd v Google is handed down.
Our data protection team are experienced in helping businesses in the event of a data breach or cyber-attack. We can assist at every stage from the immediate response to dealing with claims from data subjects and liaising with the Information Commissioner’s Office (ICO) (if necessary). Please contact us if you require our support.