Email to the wrong person - Court strikes out speculative data breach claim
10/11/2021
It is prevalent for personal data breaches to occur where emails go to the wrong recipient. Sometimes that results in a claim by the affected individuals. In a recent case the High Court struck out just such a claim, emphasising that simply because a breach occurs does not mean that compensation should follow as a matter of course.
This is welcome news for those facing claims of this nature.
Context:
- It is of course important to understand the context, because sometimes misdirected emails can cause real distress and damage to those affected.
- In Rolfe -v- Veale Wasbrough Vizards [2021] EWHC 2809 QB*, the defendant, a firm of solicitors, had wrongly directed an email demanding payment of their client’s school fees to a third party.
- The email had attached a letter of demand and a statement of account identifying the parents and the child.
- The parents and the child all brought proceedings for misuse of confidential information, negligence and breach of data protection laws.
- The defendant was quickly alerted to the error by the third party who deleted the email and its attachments when promptly asked to do so. The third-party did not know the claimants.
Loss of control and distress:
- The courts have previously made clear that not every breach of this nature will give rise to a valid claim.
- In the Court of Appeal decision in Lloyd -v- Google, in the absence of any actual loss, it was accepted that compensation could be sought for loss of control over personal data, but that had to be more than a trivial loss of control.
- In addition, claimants can obtain compensation if they can demonstrate that they have suffered distress as a consequence of the breach.
- In Rolfe the claimants said they had lost sleep over the incident and that it had “made them feel ill”.
Implausible claim
- The court struck out the claim (without a trial), determining that it had no reasonable prospect of success.
- The court decided
- it was inherently implausible that any significant distress had been caused in a case such as this where anodyne personal data had been disclosed (there was no sensitive data involved such as medical details or banking records), and
- the incident had been resolved promptly with no evidence of any further use of the data. The court explained that claimants would be expected to have a reasonable degree of robustness in terms of their reaction to such situations and not bring trivial claims before it.
- The court showed its displeasure by awarding the defendant its costs against the claimants at the higher indemnity level.
Part of a judicial trend:
- This is another case where the courts are demonstrating that they will not hear speculative or misconceived claims in this area and follows the earlier decision in Warren -v- DSG
- Rad here https://www.farrer.co.uk/news-and-insights/court-ruling-undermines-cybersecurity-compensation-claims/
Possible appeal?
- The court was mindful of the outstanding appeal in Lloyd -v- Google to the UK Supreme Court and that this might impact its decision. It therefore granted the claimants an extended time to appeal until 21 days after the Supreme Court’s judgment is given. We have now heard that the Supreme Court’s judgment in Lloyd -v- Google will be handed down on 10 November 2021.
* Rolfe -v- Veale Wasbrough Vizards, view here https://www.bailii.org/ew/cases/EWHC/QB/2021/2809.html
The Team
Meet the team of industry experts behind Comsure
Find out moreLatest News
Keep up to date with the very latest news from Comsure
Find out moreGallery
View our latest imagery from our news and work
Find out moreContact
Think we can help you and your business? Chat to us today
Get In TouchNews Disclaimer
As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[www.gov.UK/government/publications/copyright-acts-and-related-laws]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here www.gov.uk/guidance/exceptions-to-copyright]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email info@comsuregroup.com.