Introduction

The recent judgment in Farley v Paymaster (trading as Equiniti) [2024] EWHC 383 (KB) confirms the courts' growing impatience with exaggerated data breach claims brought for alleged distress. It also serves as a reminder that cases where there is no evidence of personal data being at risk of misuse should not be pursued.

Background

Equiniti administered the pension scheme for the Sussex Police Force. In August 2019, Equiniti posted the claimants' annual pension statements to their former addresses in error, rather than to their current addresses. The letter broadly contained the individual's name, date of birth, occupation as a current or former police officer, salary, pension details and national insurance number.

In response, Equiniti offered the affected individuals fraud protection through CIFAS, with these fees paid by Equiniti. Only 37 individuals took up the CIFAS protection. In addition, the matter was reported to the Information Commissioner's Office (ICO), but the ICO confirmed to Sussex Police that it was taking no further action.

As a result of this error, 474 Sussex Police Force officers brought a claim against Equiniti. The claims were submitted in a single claim form and the claimants proposed that a selection of lead claims be taken forward. The vast majority of the claimants' cases relied on the Court inferring that their letter had been opened and read by a third party and thus that the claimant's personal data contained in the letter was at risk of misuse. The individual claimants brought claims for 'anxiety, alarm, distress and embarrassment by the fact that the Personal Data has passed and/or may have passed into the hands of unknown third parties'.

Of the 474 claimants, only 14 pleaded that their letters had been opened by a third party (beyond the above inference on which all claimants relied), and only 2 claimants could evidence that their letters had been opened by a third party who was not a family member or colleague. 

Judgment

The Judge struck out 460 of the 474 claims, leaving only the 14 claims which had pleaded that the letter had in fact been opened by a third party. In doing so, the Court confirmed that each claimant 'must demonstrate that his/her [letter] was opened and read by a third party'. Claims where there was no evidence of a letter having been opened, and which relied 'solely upon this inferential case', had 'no real prospect of success' (paragraph 153 of the judgment).

The Judge noted that whilst putting data 'at risk' of misuse could, in principle, amount to a regulatory infringement by the data controller or processor at fault, it did not amount to a misuse of private information, or provide a sufficient basis for a claim to be brought for a breach of data protection legislation. This is because a 'near miss, even if it causes significant distress, is not sufficient' to amount to a claim for compensation.

Regarding the remaining 14 claims, the Judge commented that these cases, where the letters were opened, 'would appear to be very far from being serious cases' and some of the remaining cases 'may ultimately be found to be trivial and fall to be dismissed on the basis that they fail to surmount the threshold of seriousness' (paragraph 155 of the judgment). Further, where the third party that did open a letter was a family member who then returned that letter to the relevant claimant, the Judge noted such claims for loss and damage were 'hopeless' unless evidence could be provided that the family member had copied the letter so as to misuse the data.

Regarding quantum, the Judge confirmed that 'if successful, the claims of the remaining 14 Claimants will only achieve very modest damages'. This reiterates recent cases such as Driver, where damages awarded for minor breaches of data protection obligations are minimal (the claimant in Driver was awarded £250).

The future of minor data breach claims

This judgment draws together and reiterates previous decisions regarding claims brought for breaches of data protection law, namely that:

  • The claimant must show the matter overcomes the 'threshold of seriousness' in order to warrant a claim being pursued at Court
  • The burden of proof is firmly on the Claimant to show that the breach has occurred and caused the loss, damage or distress pleaded, and
  • The breach has, in fact, caused distress that warrants compensation. The Judge made plain that a 'Claimant's prospects of success are not going to be improved by making exaggerated claims as to the impact of the [letter] being opened (and read) by a third party' (paragraph 157 of the judgment). This reinforces the Supreme Court's judgment in Lloyd v Google, where it confirmed that individuals are not given a 'right to compensation without proof of material damage or distress'.

Practical considerations

It is becoming increasingly difficult to succeed on data claims which have caused seemingly minimal distress or loss to the claimant. This should be borne in mind by organisations when a complaint or claim for an alleged or actual breach of data privacy legislation is received, particularly where the matter is seemingly trivial and/or exaggerated in nature.

The hardening stance of the courts in relation to such claims should not, however, be relied on by organisations to avoid carrying out proper practices, including:

  • Maintaining appropriate technical and organisational measures to ensure security of processing. Examples of simple and effective measures may include:
    • Automatic email verification
    • Multi-factor authentication
    • Implementing robust password policies
    • Not storing personal data for longer than necessary
    • Encrypting personal data where necessary
    • Keeping regular secure backups
    • Regular penetration testing, and
    • Effective and frequent cyber-security training for employees.
  • Purchasing cyber insurance for your business, and
  • Ensuring there are appropriate policies and procedures in place covering any processing and sharing of personal data. Robust incident-response policies and guidance should also be in place so your business has a roadmap in the event of a data incident or cyber-attack.

WBD Cipher

In practice, dealing with a low-value data claim can often cost more in legal fees than the value of the claim itself. Due to the nature, volume and pattern of such claims, we have developed a cost-effective solution to help organisations faced with this scenario: WBD Cipher. If you would like more information about WBD Cipher, please do not hesitate to contact us.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.