You are viewing 1 of your 1 free articles
Samantha Grix and Hetal Ruparelia are solicitors at law firm Devonshires
The growing problem of data breach litigation for social landlords
Housing providers are increasingly vulnerable to claims for minor data breaches, which can be difficult to defend and expensive to settle. Each must be assessed on its own merits, write Samantha Grix and Hetal Ruparelia
Housing providers are increasingly vulnerable to claims for minor data breaches, which can be difficult to defend and expensive to settle. Each must be assessed on its own merits, write Samantha Grix and Hetal Ruparelia #UKhousingRegistered providers (RPs) have been facing a growing problem in recent years, with a wave of legal action being brought against them for data breaches, and each case costing them thousands of pounds in compensation and legal fees.
This isn’t because RPs have suddenly become overly lax with individuals’ personal data, but because data breaches are rapidly becoming the new way for claimant law firms to make a quick buck. Effectively, they are the new PPI.
You only need to type the words ‘data breach’ into Google to see that there is no shortage of firms seeking out these kinds of cases.
When you think of a data breach, many think of an organisation being hacked or accidentally revealing thousands of people’s personal details.
While those are the cases that hit the headlines, a data breach can be something as simple as sending an email to the wrong person or accidentally revealing an individual’s name and email address.
It is these minor technical breaches that are now being picked up on by claimant firms, and RPs have no choice but to admit and potentially notify the Information Commissioner’s Office of the breach.
Read more
Unfortunately for RPs, these all too common mistakes can lead to substantial costs even when claims are settled within days or weeks of a letter of claim being served and the damages settled upon are minor.
The main issue for RPs is that the costs incurred and then sought by claimant law firms become very high – and often excessive – very quickly.
We recently represented an RP where the pre-action claim was settled with one letter and a handful of short emails, with damages settled at £1,000 but costs of more than £8,000 were sought.
We challenged the excessive costs to reduce them, but a reduction of 30% is usually the maximum that can be attained.
Given that RPs are paying both parties’ costs, this often puts pressure on organisations to settle as early as possible to limit costs and avoid any negative PR from a claim being issued.
One ray of light for RPs came in the recent judgment of Rolfe and others v Veale Wasbrough Vizards LLP, which addressed trivial one-off data breach claims. In this case, the claimants name and address were revealed in a mistakenly sent email.
“Our advice is that just because you have been hit with a data breach claim, there is no need to hit the panic button and pay up immediately”
The claim was issued in the High Court and sought compensation for the distress caused. The judge held “in the modern world it is not appropriate for a party to claim (especially in the High Court) for breaches of this sort which are, frankly, trivial”.
The claim did not meet the de minimus threshold – the level at which distress is not deemed as negligible – which is a point that will assist RPs going forward.
Another case that has helped RPs is Johnson v Eastlight Community Homes, which saw the RP accidentally send a rent statement to a third party. The case was issued in the High Court, which usually result in higher costs than in the County Court.
The court held that this claim should not have been issued in the High Court, given the minor nature of the data breach, but rather in the County Court to be allocated to small claims track where costs are fixed and substantially less as a result. This is helpful guidance as it narrows the scope for claimant firms to issue in the High Court, which they are technically permitted to do.
The money these cases cost to fight, along with the difficulty in opposing these claims, mean that many organisations don’t have the will to fight them, knowing that the costs could spiral out of control. But our advice is that just because you have been hit with a data breach claim, there is no need to hit the panic button and pay up immediately.
Each claim should be assessed on its own merits to determine what breaches of which legislation/common law has been breached and then value the claim.
If a claim can be deemed trivial, as in the Rolfe judgment, a letter to the claimant law firm may be enough to make this go away. With more complicated matters, such as where it may be necessary to get expert reports on a claimant’s level of mental distress caused by the breach, this comes down to an assessment of the pros and cons of fighting or settling early.
Data breach cases are a growing problem that show no sign of going away anytime soon. If you are unfortunate enough to have a claim made against you, make sure you get some advice on whether it is worth fighting or settling early.
Samantha Grix and Hetal Ruparelia, solicitors, Devonshires
Sign up for our regulation and legal newsletter
Already have an account? Click here to manage your newsletters
Related stories
