Data breaches and common trends

We recently discussed some common themes in data breach claims in our CDR in 10 video. Since then, there have been cases involving two of the themes we highlighted. Firstly, there’s a tendency for claims firms to issue claims in the High Court to increase their potential costs recovery. Secondly, parties can face numerous difficulties in assessing what sum, if any, a claimant may recover in a data breach claim.

In this update, we explore the two cases and highlight what they may mean for you in practice.

Joseph Cleary v Marston (Holdings) Limited [2021] EWHC 3809 (QB)

In this case, an employee of the defendant sent a letter intended for the claimant to another employee. All parties admitted this was an error, and a claim firm issued the claim in the High Court.

The Court noted that the costs of the matter had hit £50k for a £3k claim. Unfortunately, this is common in these types of claims when claimant firms focused on data litigation are involved. Our CDR in 10 video explains that these firms often work on a no win no fee basis, with their clients using After the Event (ATE) insurance to cover for the costs of an adverse judgment. Firms then seek to recover their - often disproportionate - costs by issuing a claim in the High Court rather than the County Court and on the multi-track (rather than the small claims track where legal costs are typically unrecoverable).

The Court ordered to transfer the data breach claim to the small claims track in the County Court, which reflects the courts’ growing confidence in taking this approach. While data protection is not the most straightforward area of law, the Court in this case made it very clear that Judges of the County Court are well able to deal with these types of disputes.

Key takeaways from this case

This result is good news for defendants. However, the Judge also recognised that if the court allocates low value data breach claims in this way, claimants may be unable to find lawyers willing to represent them.

It should be noted that the small claims track is meant to allow parties to bring cases themselves without lawyers. Although data protection legislation can be complex, the basic principles are straightforward. As such, there is no reason why a claimant could not bring a claim themselves in this way. Defendants are unlikely to see a significant decrease in these sorts of claims as a consequence.

Claimant firms will also find ways to continue structuring their clients’ claims so they fall within the remit of the High Court. For example, they may include breach of confidence and misuse of private information claims to strengthen their arguments for cases to be heard in the High Court. Not only that, but these types of claims are some of the remaining few for which the ATE premium is recoverable. That said, in the Cleary case, the Court made it clear that it would be prepared to “look behind” these tactics where the breach of confidence claim was in effect a duplicate of the data protection claim.

Driver v Crown Prosecution Service [2022] EWHC 2500 (KB)

In this case, someone from the CPS confirmed to a member of the public that a charging file relating to an investigation had been referred to the CPS. Although not named, the claimant was linked to the investigation already. The member of the public sent the email on, which caused the claimant distress.

It was confirmed that there was a data breach, and the claimant was entitled to compensation. However, the claimant did not have medical evidence and therefore it was not clear whether the stress he felt was the result of the investigation itself or the disclosure. The Court also noted that the email repeated what was in the public domain and the claimant could not have suffered more than “a very modest degree of distress”, and so the Judge valued the damages at £250.

In this case, no confidential and sensitive material was shared, but given that there is not a great deal of reported material on quantum for data protection breaches, it is interesting to have a lower figure confirmed. It will certainly be a useful case in point when negotiating similar cases.

Summary – the outlook for data breach claims

As mentioned in the CDR in 10 video, it can be difficult to know where both parties stand in this fast-moving and developing area, with principles being developed in the courts and vital post-Brexit legislation coming in the new future. We have also seen a pendulum swing of decisions that are more favourable to claimants to perhaps a retrenchment from that. These two recent cases certainly support that view and do provide defendants with clarity and useful authority when seeking to defend data breach claims. However, we are unlikely to see a decrease in data breach claims as a result of these rulings.

Please get in touch if you have any questions relating to data protection disputes.