
Damages denied for a minor data breach which is remedied quickly

Published on 17 January 2022

The question

Can a minor data breach that is quickly remedied entitle a claimant to damages for misuse of confidential information and breach of data protection rules?

The key takeaway

A claimant will have no cause of action where the harm suffered following an accidental data breach is minimal. Any such claim is likely to be summarily dismissed by the court.

The background

The claimants were parents at a fee-paying school who owed a sum of school fees. The school instructed the defendant, a law firm (Veale Wasbrough Vizards LLP), to write to the claimants with a demand for payment. The defendant did so via email. This email contained the claimants’ names and home address, the invoice for the fees (which were publicly available on the school’s website), a statement of account for the past five years and reference to proposed legal action which would be taken if the debt was not paid. 

Due to a typographical error, the email was sent to the wrong recipient. The recipient replied promptly that the email was not intended for them and the defendant in turn replied promptly requesting deletion of the email. The recipient then confirmed the deletion. 

The claimants then brought a claim against the defendant for misuse of confidential information, breach of confidence, negligence and for damages under Article 82 of the General Data Protection Regulation (GDPR) and Section 169 of the Data Protection Act 2018 (DPA). It was the claimants’ assertion that the data breach had caused them significant distress and worry and had made them feel ill.

The defendant argued that the damage and/or distress caused, if any, was so low that it did not satisfy the de minimis threshold implicit in the case law. They contended that, importantly, the data breach did not contain any information about health, sexual relationships, bank details or details of the state of the claimants’ finances. Further, they had dealt with the breach promptly and requested deletion of the email by the recipient.

The decision

The Court summarily dismissed the claim. It was held that minimal harm had been suffered by the claimants on the basis that the data breach contained minimally significant information, with nothing especially personal such as bank details or medical matters. Further, there had been a very rapid set of steps to ask the recipient to delete the email, which she confirmed, and there was no evidence of further transmission or any consequent misuse. 

The Court held that the claimants’ suggestion that the minimal data breach caused significant distress and worry or made them feel ill was inherently implausible. It was said that no person of ordinary fortitude would reasonably suffer the distress claimed in the circumstances in the 21st century, where the breach had been quickly remedied. Whatever cause of action was relied on, there was no credible case that distress or damage over a de minimis threshold would be proved. It was said that the law would not supply a remedy in a case where effectively no harm had credibly been shown or was likely to be shown. 

The claimants were ordered to pay the defendant’s costs on an indemnity basis due to strong observations of the Court about exaggeration, lack of credible evidence of distress, the speculative nature of the claim and the fact that the defendant had made a Part 36 offer which had been rejected. 

Why is this important?

The case provides authority for the proposition that minor data breaches that are quickly remedied will not entitle a claimant to damages. The decision is likely to act as a deterrent to potential claimants in bringing such claims in the future, especially given the order for costs to be paid on an indemnity basis.

Any practical tips?

Where an accidental data breach does occur, deal with it quickly! If the breach is via email, promptly request that the incorrect recipient deletes the email from both their inbox and deleted items folder. Provided the information disclosed is not of an overly sensitive nature, this should close the door on any potential claim by the data subject.