By: 29 November 2021
DAC Beachcroft’s secures important ruling in low-value data breach claim

The cyber and data risk team at law firm DAC Beachcroft has secured a decision in the High Court that found a low-value data breach claim should be simplified and allocated to the Small Claims Track.

The judgement of Master Thornett is expected to avoid more than £50,000 in claimant legal fees for a claim that the claimant had capped at £3,000.

According to Hans Allnutt, partner and head of cyber and data risk at DAC Beachcroft, who  acted for the defendant, the decision in Johnson v Eastlight Community Homes will have major ramifications for how low-value data breach claims should be brought in the future and significantly clarifies the law for organisations and insurers facing these types of data breach claims.

He said: “This ruling makes it clear that low-value data breach claims should be brought within the cost controlled environment of the Small Claims Track of the County Court, not in the High Court.”

“The decision should also be the final nail in the coffin for the recovery of after-the-event (ATE) insurance premium in low-value data breach claims.”

Eastlight Community Homes, a social housing provider, had accidentally emailed the claimant’s personal details and rent statement to a third party.

The third party, the sole recipient of the email, immediately notified the defendant of the error by telephone and deleted the email within three hours.  The claimant was concerned that her ex-partner might learn of her address but acknowledged that the chances were extremely low. The judge also noted that a simple search of the BT Phone Book would have led to her address.

The claimant claimed £3,000 in damages for distress from the misuse of her private information, breach of confidence, negligence, and breaches of Article 8 of the European Convention on Human Rights and under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

The judge noted that the claim had the impression of sophistication, and the suggestion that the area of law required complex legal argument was unrealistic, if not opportunistic. 

Master Thornett struck out the entirety of the claim, save for the GDPR portion, and confirmed that the case had all the hallmarks of a Small Claims Track claim. 

He was clear that such cases could be found daily in virtually every county court and the “lure of adopting a more elaborate and more expensive approach just because the subject matter can so permit is simply unacceptable”.

Allnutt said: “The implications of the ruling are stark. The High Court has clearly stated that breach of confidence, misuse of private information and other causes of actions that are included in low-value data breach claims are simply collateral to a GDPR claim. As a GDPR claim only, they should be allocated to the Small Claims Track in the County Court, and only very limited fixed costs may be recovered.”

“With the simplification of the claim and the removal of any misuse of private information or breach of confidence claim, the action can no longer be presented as ‘publication and privacy proceedings’ so the claimant cannot recover any ATE premium, which can run into the thousands.”

Allnutt concluded: “The decision in Johnson v Eastlight Community Homes Ltd drastically reduces the cost exposure faced by defendants in low-value data breach claims. It still preserves access to justice and the right for claimants to pursue a remedy from the Court, but the claims ought to be pursued within the confines of the Small Claims Track. Organisations and insurers facing similar low-value claims will welcome the positive outcome in Eastlight.”