Email to the wrong person - Court strikes out speculative data breach claim

It is prevalent for personal data breaches to occur where emails go to the wrong recipient. Sometimes that results in a claim by the affected individuals. In a recent case the High Court struck out just such a claim, emphasising that simply because a breach occurs does not mean that compensation should follow as a matter of course.

This is welcome news for those facing claims of this nature.

Context:

• It is of course important to understand the context, because sometimes misdirected emails can cause real distress and damage to those affected.
• In Rolfe -v- Veale Wasbrough Vizards [2021] EWHC 2809 QB*, the defendant, a firm of solicitors, had wrongly directed an email demanding payment of their client’s school fees to a third party.
• The email had attached a letter of demand and a statement of account identifying the parents and the child.
• The parents and the child all brought proceedings for misuse of confidential information, negligence and breach of data protection laws.
• The defendant was quickly alerted to the error by the third party who deleted the email and its attachments when promptly asked to do so. The third-party did not know the claimants.

Loss of control and distress:

• The courts have previously made clear that not every breach of this nature will give rise to a valid claim.
• In the Court of Appeal decision in Lloyd -v- Google, in the absence of any actual loss, it was accepted that compensation could be sought for loss of control over personal data, but that had to be more than a trivial loss of control.
• In addition, claimants can obtain compensation if they can demonstrate that they have suffered distress as a consequence of the breach.
• In Rolfe the claimants said they had lost sleep over the incident and that it had “made them feel ill”.

Implausible claim

• The court struck out the claim (without a trial), determining that it had no reasonable prospect of success.
• The court decided
  • it was inherently implausible that any significant distress had been caused in a case such as this where anodyne personal data had been disclosed (there was no sensitive data involved such as medical details or banking records), and
  • the incident had been resolved promptly with no evidence of any further use of the data. The court explained that claimants would be expected to have a reasonable degree of robustness in terms of their reaction to such situations and not bring trivial claims before it.
• The court showed its displeasure by awarding the defendant its costs against the claimants at the higher indemnity level.

Part of a judicial trend:

• This is another case where the courts are demonstrating that they will not hear speculative or misconceived claims in this area and follows the earlier decision in Warren -v- DSG
• Rad here https://www.farrer.co.uk/news-and-insights/court-ruling-undermines-cybersecurity-compensation-claims/

Possible appeal?

• The court was mindful of the outstanding appeal in Lloyd -v- Google to the UK Supreme Court and that this might impact its decision. It therefore granted the claimants an extended time to appeal until 21 days after the Supreme Court’s judgment is given. We have now heard that the Supreme Court’s judgment in Lloyd -v- Google will be handed down on 10 November 2021.

* Rolfe -v- Veale Wasbrough Vizards, view here  https://www.bailii.org/ew/cases/EWHC/QB/2021/2809.html