In this case, a claim was brought in the High Court for damages for misuse of confidential information, breach of confidence, negligence, damages under the General Data Protection Regulation 2016 and the Data Protection Act 2018, plus a declaration and an injunction.
Reading that, one could be forgiven for thinking that this claim was about a decade of celebrity phone hacking or the online publication by the government of thousands of immigration records.
The case however was brought after the Defendant firm of solicitors wrote a letter of claim in relation to unpaid school fees. The letter enclosed a statement of outstanding fees and was incorrectly sent by email to someone whose email address was one letter different to the intended recipient. The person who received the email by accident notified the sender later that same day and agreed to delete the message.
Faced with this claim, the Defendant applied to the Court for summary judgment seeking to have the claim dismissed without a trial on the grounds there was no loss, and Master McCloud, who heard the application, agreed.
The Court was asked to decide whether the Claimants would have a realistic prospect of succeeding if their claim was allowed to continue to trial. In reaching her decision, Master McCloud had to weigh up a number of factors:
(1) What was the nature of the breach?
Information was disclosed to one individual only, accidentally, and as a result of a one-off typographical error. This was not a case, for example, involving repeated disclosures or systemic failings.
(2) What was the nature of the disclosed information?
There had been (what Master McCloud described as) "minimally significant information", i.e. no information that was particularly sensitive, such as bank details or medical records.
(3) What steps had the Defendant taken to mitigate the effect of the breach?
There was a "very rapid" set of steps to ask the incorrect recipient to delete the email (which they confirmed they had) and there was no evidence of further transmission or any consequent misuse.
(4) Was any actual loss or harm likely to have been suffered?
The Court was told that the Claimants had felt ill as a result of the breach and that they had experienced loss of sleep through worry. Master McCloud did not accept that, however, given the lack of credible evidence in support. Going further, Master McCloud said that it was "frankly inherently implausible" given the facts of what had happened that the Claimants would have suffered the distress claimed, adding, "… no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied."
Having taken these points into consideration, Master McCloud decided in favour of the Defendant and dismissed the claim.
The few data breach cases that make it to a reported hearing or trial tend to be high-value, newsworthy cases, in which six-figure damages are awarded. However, as the majority of data breach claims tend to be low-value, very few proceed to court and there is accordingly limited judicial guidance available. What we have in Rolfe is an indication from the High Court as to how "exaggerated" and "speculative" claims might be treated and it is good news for defendants.
Since the Court of Appeal's decision in Lloyd v Google EWCA Civ 1599 ('Lloyd'), we have seen an increase in the number of claims brought against organisations by individuals who have suffered data breaches on a minor scale. In Lloyd, the Court found that if someone loses control of their personal data because of someone else's actions (for example following a data breach), then they have suffered a wrong that can be compensated, seemingly regardless of whether they have suffered any actual distress or damage as a result.
Across the many claims that we are currently seeing, there tend to be three common features:
(1) The claims pay little or no attention to the 'de minimis' threshold for distress.
Whilst the Court of Appeal decision in Lloyd was generally favourable to claimants, the Court did recognise that there was a threshold below which damages would not be recoverable. At paragraph 55 of its judgment, the Court stated: "That threshold would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied." In other words, where no harm is caused (or, at least, no harm that overcomes the 'de minimis' threshold), arguably no cause of action can be made out and a claim for compensation should not succeed.
(2) The claims are issued in the High Court.
Even for claims that are more straightforward or low-value, claimants are issuing proceedings in the High Court and relying on Rule 53.1(3) of the Civil Procedure Rules 1998, which provides as follows:
"A High Court claim must be issued in the Media and Communications List if it is or includes a claim for defamation, or is or includes— (a) a claim for misuse of private information; (b) a claim in data protection law…"
However, as the opening part of that provision stipulates, the claim must still first be a "High Court claim", and a number of published judgments have confirmed that, whilst the High Court would remain the correct forum for the more complex or higher-value cases, the more straightforward data breach claims belong in the County Court.
In Ameyaw v Goldrick and others EWHC 3035 at , Mr Justice Warby said: "I do not, however, consider that the High Court is even arguably the right forum for this claim which can only have the most modest value. The proportionate means of disposing of this claim is to transfer it to the County Court, for resolution (I would think) in the small claims track." Seemingly Master McCloud in Rolfe agreed: "In the modern world it is not appropriate for a party to claim, (especially in the … High Court) for breaches of this sort which are, frankly, trivial."
(3) The claims also allege breach of confidence and misuse of private information.
Following the implementation of the Jackson Reforms to civil litigation costs, claimants have in many cases not been able to recover success fees and premiums for After the Event (ATE) insurance taken out to protect against adverse costs awards. However, since April 2019 there has been an exception to this rule for "publication and privacy proceedings", i.e. claims involving breach of confidence and misuse of private information. Accordingly, we have seen many claimant solicitor firms adding those causes of action to simple data breach cases in order to try to recover additional costs in what would otherwise be Small Claims track cases for which costs would generally not be recoverable.
In the recent case of Warren v DSG Retail Ltd EWHC 2168 (QB), the High Court showed a willingness to strike out such claims in circumstances where the facts simply do not support the allegations. In the case of Rolfe, the High Court went even further and awarded indemnity costs against the Claimants given what the Court described as its "strong observations" as to the exaggerated nature of the claim.
The Supreme Court is expected to hand down its much-anticipated decision in Lloyd imminently, which will determine whether claims for "pure" loss of control of data may proceed on an opt-out basis as a representative action under CPR r19.6 and whether "loss of control of data" is itself a valid basis for a claim. Notwithstanding that the claim was brought under legislation preceding the current Data Protection Act, whichever way the Supreme Court goes, the ramifications of the decision will be significant, particularly in the fast-evolving litigation landscape of data breach claims. Against this backdrop, it is perhaps not surprising that Master McCloud directed that time for appeal in Rolfe should be extended to 21 days after the Supreme Court has handed down its decision in Lloyd.