In a recent judgment the High Court roundly rejected an attempt by Claimants to claim damages for a 'de minimis' data breach. This will be welcome news to data processors who have been seeing an increasing number of these unjustified claims.
The Defendant law firm was representing a school and was writing to parents of a child at the school in relation to a debt which they owed. The law firm accidentally sent a statement of account and demand letter, intended for those parents, to a third party which had a very similar email address. The third party immediately contacted the law firm and said that it had been sent the email in error. The third party agreed to immediately delete the email and attachments. The law firm - rightly - informed the parents of this data breach.
The parents (Claimants) issued a claim against the law firm claiming damages for misuse of confidential information, breach of confidence, negligence and damages under GDPR/Data Protection Act. The Defendant law firm sought summary judgment from the High Court on the basis that there was no realistic prospect that the claim would be successful. The Court agreed.
The Court highlighted that the data which had been incorrectly shared was "minimally significant" and did not contain anything especially personal such a bank details or medical information. It also noted that "a very rapid set of steps" was taken to ask the incorrect recipient to delete the information and that there was no evidence to suggest that further transmission had occurred or that any subsequent misuse of the data had been made. The Court went on to make some very pointed comments about the evidence of 'damage' and 'distress' the Claimants were seeking to claim for "we have a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them 'feel ill'. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied".
The Judge dismissed the case and, in a further sign of its displeasure, awarded indemnity costs in favour of the Defendant.
A take away for data processors is the exemplary way in which the data processor handled the data breach. It was immediately and swiftly remedied with assurances sought from the third party that the data would be deleted and not passed on. It made the necessary notifications and was open and transparent in its approach.
In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied. There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim, (especially in the in the High Court) for breaches of this sort which are, frankly, trivial.