Damages following a data breach – more than minimal harm required
A High Court judgment has affirmed that minor data breaches, handled swiftly, won’t normally justify an award of damages to affected data subjects.
Alongside the ICO’s powers to fine organisations for personal data breaches (namely a security breach that results in the loss, alteration, destruction, unauthorised disclosure of or loss of access to personal data), individuals are able to claim damages through the courts for the same in certain circumstances. Personal data breaches can occur as a result of a third-party actor, but most often occur following internal mistakes and errors.
Quantifying any damage caused and loss suffered by individuals from a data breach can be challenging, but a recent High Court judgment has provided clarity as to the limited availability of damages where only minimal distress is caused to them by such a breach.
Facts of the case
A junior employee at a law firm, acting on behalf of an independent school to pursue parents for unpaid school fees, sent an email addressed to the parents being pursued but, due to a typographical error, sent this to an incorrect email address.
The (incorrect) recipient, who was in no way connected to the parents concerned, informed the law firm that they had received the email in error, and the law firm quickly acted to request that the recipient delete the email.
The parents submitted a claim as their names and addresses were disclosed in the breach, which they alleged caused them to lose sleep with worry. The judgment makes clear that the primary concern of the parents was the “fear of the unknown” as to what might happen following the breach, rather than the realisation of any such fears.
The judge in the case found in favour of the law firm and dismissed all claims for damages, ruling that the parents had not suffered distress above a de minimis level. Further, she ruled that the claim was exaggerated and without credible evidence of distress, and ordered that the parents pay costs on an ‘indemnity’ basis to the law firm given the spurious nature of the claim.
Lessons to be learnt from the case
There are several lessons to be learnt from the case, particularly for those responsible for data protection in their organisations:
- The law firm’s security protocols ensured that the email could only have been read by the (incorrect) recipient, which mitigated the extent of the disclosure of the data subjects’ information. This reinforces the importance of having appropriate encryption on emails to protect data subjects when things go wrong.
- Procedures were in place to swiftly manage and mitigate (the effects of) the breach, which ensured that the potential damage to the relevant data subjects (the parents concerned) was minimised. This shows the advantage of having clear, efficient and effective breach reporting protocols in place.
The case should act as a reassurance to data protection officers and representatives that a data breach does not automatically equate to ‘open season’ for data subjects to submit claims for damages. To quote the judgment, “the law will not supply a remedy [to claimants] in cases where effectively no harm has credibly been shown or be likely to be shown”. In other words, the courts have shown that they understand data breaches will happen and are not inclined to impose liability for trivial or minor data breaches which, in reality, have caused little harm or distress to the data subjects concerned.
Wrigleys can support you with your data protection obligations. If you have any questions or we can assist please contact Nick Dunn or any other member of Wrigleys data protection team on 0113 244 6100.
The information in this article is necessarily of a general nature. The law stated is correct at the date (stated above) this article was first posted to our website. Specific advice should be sought for specific situations. If you have any queries or need any legal advice please feel free to contact Wrigleys Solicitors.