8 April 2024

Equiniti Group claim: A further turning of the tide against low value data breach claims

Written by Laura Cunningham

The ruling handed down by Nicklin J in the case of Fairly and 473 others v Paymaster (1936) Limited (trading as Equiniti) [2024] EWHC 383 (KB) is an indication of the difficulties in bringing a successful data breach claim where there is little or no evidence that claimants have suffered actual harm.

Background:

Over 450 current and past employees of the Sussex Police Force brought claims against Equiniti, a pension scheme administrator, for a breach of data protection legislation, and misuse of private information after Equiniti sent envelopes containing their annual pension benefit statements to out-of-date addresses. The information included name, date of birth, national insurance number, details of the officer’s salary and pension details.

The claims were advanced in a single claim form for 474 claimants with the proposal that a selection of lead claims would be taken forward, focused on the allegation that the misdirection of personal information to third parties caused varying degrees of distress and anxiety.

Judgment:

Of the 474 claimants, only 14 were able to adduce evidence that the envelope containing their annual pension benefit statement had actually been opened by a third party, with only 2 asserting that there was evidence their statement had been read by a third party who was neither a family member nor a colleague. Whilst Nicklin J was not prepared to strike out these 14 claims; he nevertheless stated that they ‘would appear to be very far from serious cases’.

In respect of the other 460 cases, Nicklin J rejected the claimants’ attempt to rely on the inference that the envelopes had been opened and read by a third party; rather there must be a solid evidential basis to draw such an inference. Nicklin J stated, “to have a viable claim for the misuse of private information and/or data protection, each claimant must be able to show that s/he has a real prospect of demonstrating that there had been a ‘misuse’”. Many of the statements had been returned unopened, yet claims were advanced on the basis that personal information had been ‘put at significant risk of being opened and read by unknown third-party recipients’. Nicklin J rejected this on the grounds that a “near miss” was not sufficient on its own even if it did cause significant distress, ‘the general law of torts does not generally allow recovery for the apprehension that a tort might have been committed’.

Conclusion

This ruling appears to follow the recent trend by courts (see Lloyd v Google; Warren v DSG; Rolfe v Veale Wasbrough Vizard) to limit the types of claims that can be brought arising from a data breach incident. Whilst the direction of travel from the judiciary suggests that data breach litigation is not the “gold rush” that was once anticipated; significant numbers of data breach claims continue to be issued and organisations should remain alert to the risk posed by such claims.

If your organisation has suffered a data breach incident or a cyber-attack or if you would like advice on these issues please contact Laura Cunningham Senior Associate in the Data Law team.

*This information is for guidance purposes only and does not constitute, nor should be regarded, as a substitute for taking legal advice that is tailored to your circumstances.

About the author

Laura Cunningham

Partner

Laura Cunningham is a Partnerin the Commercial team at Carson McDowell. She is qualified to practice in Northern Ireland, Republic of Ireland and England and Wales. Laura specialises in all aspects of information law including: privacy, confidentiality, data protection, General Data Protection Regulation (GDPR), and freedom of information (FOIA).

Related Insights

All Insights