Where is the threshold for compensation in data breach claims
In a recent decision in the High Court by Master McCloud (Rolfe and others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB), the Master struck out a claim against a firm of solicitors and awarded them indemnity costs. The claim related to a single email (with attachments) that was sent by the defendant solicitors in circumstances where the first and second claimants (the third claimant is their child) owed school fees and the defendants had been instructed to seek payment.
The Facts
The information in the email and attachments included the claimants’ names, address, the amount of school fees owed, a statement of account of the school fees for the past 5 years and a reference to proposed legal action which would be taken if the debt was not paid. It did not contain the first or second claimants’ financial information (in terms of bank card details, income or financial position) or any reference to the third claimant’s location (other than the school she attended and her parents’ address). The only other material consisted of standard documents such as the school’s terms and conditions.
The email had been sent to the parents but, due to there being one letter difference in the email address of the mother, it was sent to someone with an identical surname and the same first initial. The recipient responded promptly indicating that they thought that the email was not intended for them. The defendant solicitors replied promptly asking the (incorrect) recipient to delete the message and the recipient confirmed that she had done so. It is not clear whether the claimants were aware of this.
The claimants instructed solicitors who pursued claims for misuse of confidential information, breach of confidence, negligence, breach of the General Data Protection Regulation and Data Protection Act in relation to which they sought a declaration and injunction.
The Decision
The Master acknowledged that she had to refuse summary judgment in the defendant solicitor’s favour if the claim had a “more than fanciful” prospect of success.
That said she concluded that the position was exactly as set out in the defendant’s skeleton argument which said : “On the facts of this case, it is simply not plausible that Cs have suffered distress above a de minimis threshold in relation to the accidental sending of this email to one recipient who quickly deleted it. Whilst unfortunate, the incident is simply not of a sufficiently serious nature to have caused damage over the threshold”.
The Master said that “What harm has been done, arguably? We have here a case of minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it (which she confirmed) and no evidence of further transmission or any consequent misuse (and it would be hard to imagine what significant mis-use could result, given the minimally private nature of the data). We have a plainly exaggerated claim for time spent by the claimants dealing with the case and frankly an inherently implausible suggestion that the minimal breach caused significant distress or worry or even made them “feel ill”. In my judgment, no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st century, in a case where a single breach was quickly remedied.
There is no credible case that distress or damage over a de minimis threshold will be proved. In a modern world, it is not appropriate for a party to claim, (especially in the High Court) for breaches of this sort which are, frankly, trivial. The case law referred to above provides ample authority that whatever cause of action is relied on the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown”.
What this means for you
Whilst this judgment is extremely helpful for those involved in claims arising from a simple one-off misdirection of an email containing no sensitive information, it contrasts with our own recent experience in the High Court where the court refused to strike out a claim and/or enter a summary judgment on very similar facts.
In the circumstances, at present it seems to be something of a lottery as to whether a particular judge on a particular day will take a robust stance and strike out a claim such as this or whether they will not be willing to do so. This level of unpredictability can be frustrating, as can allowing such claims to continue given what may appear to be the inherent implausibility of substantial distress being suffered in such circumstances (for example where a disclosure was extremely limited and was of insignificant information and where the breach, if any, was quickly remedied).
Whilst individual judgments such as those in Rolfe are to be welcomed, it may require more of them (or the intervention of a higher court) before more cautious judges are willing to alter their approach. We are currently some way off being able to say, with any certainty, how likely applications to strike out such claims and/or for summary judgment are to succeed. However, what does seem clear is that more and more defendants are willing to robustly challenge these claims; that they are beginning to succeed when they do so and that this may assist in deterring claimants (and claimant firms) from pursuing them in the first place.
By BLM, 26 October 2021
https://www.blmlaw.com/news/where-is-the-threshold-for-compensation-in-data-breach-claims-