RESPONDING TO DATA BREACH CLAIMS
A COMMON SENSE APPROACH
Walker Morris LLP
Legal News | 21/07/21
In the run-up to GDPR, the focus was on the fines that data protection regulators can impose for infringements. Another issue that has become increasingly significant is that of data breach claims, compensation and costly group litigation.
Under GDPR and the Data Protection Act 2018, individuals can claim through the courts for compensation for “material” (i.e. financial) and/or “non-material” damage, including distress and loss of control over their personal data.
No hard and fast rules have developed regarding the level of compensation. The judge will take into account all the circumstances, including how serious the infringement was and its impact on the claimant. While the amounts to date (under the old Data Protection Act) have tended to be modest, in group litigation with high claimant numbers the total could be considerable. It is also not yet clear whether compensation may be higher now.
The Court of Appeal’s decision in Lloyd v Google, currently subject to a Supreme Court appeal, marked a turning point concerning how group claims are brought. A representative was allowed to claim on behalf of himself and an estimated class of 4.4 million people who do not have to opt in to the litigation. If the Supreme Court agrees, we are likely to see an increase in mass data breach claims.
We are seeing an uptick in the volume of these types of claims, often brought by claims management firms. Often they are spurious and/or not fully documented, but the amount claimed is usually small (up to £2500) and firms may be tempted to make a settlement payment as it is not cost-effective to litigate. However, such strategies can open the floodgates to more claims if you are characterised as a soft target. We had a case recently where an employee was claiming compensation for a data breach because his payslip had been sent in error to a colleague; on investigation, the colleague had returned the slip unopened to the employer – so in fact there had been no data breach at all!
It is therefore important that firms take a common sense approach where each case is investigated and considered on its merits.
In Lloyd v Google, the court referred to a threshold of seriousness which it said would undoubtedly exclude a damages claim for an accidental one-off data breach that was quickly remedied. If the court decided that the infringement was trivial, it would be entitled to refuse to make an award for loss of control damages. Firms should consider these factors carefully in light of the facts of each case, and the sensitivity of the personal data involved, when deciding whether an offer of compensation is justified.
Head of the Regulatory & Compliance
Walker Morris LLP