Managing Speculative Claims Following a Data Breach
Increased public awareness of data protection regulations has sparked a rise in claims for damages associated with distress caused by data breaches. Many claims are made in response to serious breaches that have caused financial loss or significant distress, however organisations are increasingly receiving significant financial claims for relatively minor breaches. In the recent decision of Rolfe and others v Veale Wasbrough Vizards LLP  EWHC 2809 (QB), the High Court confirmed that awards for trivial claims will not only be refused, but may result in adverse costs orders.
The right to compensation for distress
Article 82 of the GDPR and section 169 of the Data Protection Act 2018 give individuals a right to receive compensation for damage suffered due to a breach of data protection legislation. Previously a right to compensation was only available if an individual could show that they had suffered financial loss. However, the decision in Vidal-Hall v Google Inc  EWCA Civ 311 and section 169(5) of the DPA 2018 extend the right to cover other types of damage such as distress.
Examples of circumstances where individuals have obtained compensation for the significant distress that they have suffered include:
Trivial claims for distress
The Claimants in Rolfe and others v Veale Wasbrough Vizards LLP sought compensation for distress after the Defendant, a firm of solicitors, mistakenly sent an email intended for them to someone else following a typographical error. The email and its attachments demanded payment of school fees by the Claimants to their daughter’s school. However, other than the Claimants’ names and home address, the email did not disclose any personal information. The Defendant was quickly notified of the error, and immediately asked the unintended recipient to delete the email. The unintended recipient complied and confirmed deletion.
The Claimants alleged that they suffered distress following the incident including loss of sleep and worry to the extent that they felt physically ill. However, the judge dismissed these claims stating that they were “plainly exaggerated” and “inherently implausible”. The personal data that the Defendant mistakenly disclosed contained minimally significant information. The law firm also dealt with the mistake promptly, and encrypted the original email meaning that only those with access to the unintended recipient’s email account could see the data.
The judge concluded that the Claimants case did not exceed the de minimis threshold, and in granting summary judgment concluded that it was inappropriate to bring such a trivial claim before the court, especially in the modern world. On account of the de minimis nature of the breach, the judge ordered the Claimant to pay the Defendant’s costs on an indemnity basis, as opposed to the standard basis. The court awards indemnity costs as compensation for wrongful conduct of proceedings as they entitle the Defendant to a higher percentage of their legal costs.
How should organisations respond to trivial claims?
This case is a warning to those contemplating raising a trivial claim for distress under the data protection rules. The courts will not look favourably upon such claims and are likely to reflect this when awarding costs. Organisations often have to decide whether to incur legal costs defending speculative claims, or buy off the risk with a settlement offer in excess of the actual loss or distress suffered.
We regularly work with clients to respond to data breaches, engage with the Information Commissioner’s Office (ICO) and manage any claims that follow. There is limited guidance about what is considered “de minimis” in the context of a data breach, but this is a welcome indication that the courts will take a pragmatic approach.