Laura Cunningham

The ruling handed down by Nicklin J in the case of Fairly and 473 others v Paymaster (1936) Limited (trading as Equiniti) [2024] EWHC 383 (KB) is an indication of the difficulties in bringing a successful data breach claim where there is little or no evidence that claimants have suffered actual harm.

Background

Over 450 current and past employees of the Sussex Police Force brought claims against Equiniti, a pension scheme administrator, for a breach of data protection legislation, and misuse of private information after Equiniti sent envelopes containing their annual pension benefit statements to out-of-date addresses.

The information included name, date of birth, national insurance number, details of the officer’s salary and pension details.

The claims were advanced in a single claim form for 474 claimants with the proposal that a selection of lead claims would be taken forward, focused on the allegation that the misdirection of personal information to third parties caused varying degrees of distress and anxiety.

Judgment

Of the 474 claimants, only 14 were able to adduce evidence that the envelope containing their annual pension benefit statement had actually been opened by a third party, with only two asserting that there was evidence their statement had been read by a third party who was neither a family member nor a colleague. Whilst Nicklin J was not prepared to strike out these 14 claims, he nevertheless stated that they “would appear to be very far from serious cases”.

In respect of the other 460 cases, Nicklin J rejected the claimants’ attempt to rely on the inference that the envelopes had been opened and read by a third party; rather, there must be a solid evidential basis to draw such an inference. Nicklin J stated that “to have a viable claim for the misuse of private information and/or data protection, each claimant must be able to show that s/he has a real prospect of demonstrating that there had been a ‘misuse’”.

Many of the statements had been returned unopened, yet claims were advanced on the basis that personal information had been “put at significant risk of being opened and read by unknown third-party recipients”. Nicklin J rejected this on the grounds that a “near miss” was not sufficient on its own even if it did cause significant distress, as “the general law of torts does not generally allow recovery for the apprehension that a tort might have been committed”.

Conclusion

This ruling appears to follow the recent trend by courts (see Lloyd v Google; Warren v DSG; Rolfe v Veale Wasbrough Vizard) to limit the types of claims that can be brought arising from a data breach incident

Whilst the direction of travel from the judiciary suggests that data breach litigation is not the “gold rush” that was once anticipated, significant numbers of data breach claims continue to be issued and organisations should remain alert to the risk posed by such claims.

• Laura Cunningham is a senior associate in the commercial team at Northern Ireland firm Carson McDowell.