The High Court recently ruled that a data breach claim valued at £3,000 should be transferred from the High Court to the County Court, despite costs estimated to exceed £50,000.
This is an important decision as it could have a significant impact moving forward on data breach claims and the recovery of legal costs.
Background
In the case of Johnson v Eastlight Community Homes Ltd, an employee of the Defendant, a provider of low-cost social housing, provided a rent statement to a third party but inadvertently also attached a compilation of rent statements of other customers of the Defendant (including the Claimant).
The information disclosed to the third party included the Claimant’s name, email address, and recent rent payments made to the Defendant. The third party was the sole recipient of the e-mail and immediately notified the Defendant of the error by phone. The Defendant asked the third party to delete the e-mail, which it did shortly after.
Accordingly, as well as informing the Information Commissioner’s Office, the Defendant apologised and informed the Claimant of the error and confirmed that the third party had deleted the information.
As a result of the data breach, the Claimant issued a claim against the Defendant. The Claim Form sought damages for Misuse of Private Information, Breach of Confidence and Negligence, amongst other causes of action.
The damages sought by the Claimant were limited to £3,000. In addition to these damages, the Claimant’s solicitors filed a cost budget confirming that over £15,000 of costs had already been incurred and a total figure for costs just in excess of £50,000 was estimated.
The Defendant subsequently applied to strike out the Claimant’s claims.
High Court Ruling
At the application hearing, the parties made their arguments on whether the claim should be struck out. Master Thornett ruled that the claim should be partly stuck out and allowed for part of the claim to proceed.
The significant part of the judgment though relates to Master Thornett’s decision to require directions for Allocation and transfer of the case from the High Court to the County Court.
In principle, the Civil Procedure Rules permit claims for misuse of private information to be issued in the High Court. However, the rules also state that proceedings (whether for damages or for a specified sum) may not be started in the High Court unless the value of the claim is more than £100,000.
It was on this basis, as well the fact that the subject matter was not so complex that it elevated it to High Court status, that Master Thornett was satisfied that issuing the claim in the High Court constituted a form of procedural abuse and it should have been issued in the County Court and allocated to the Small Claims Track (where the recovery of costs is significantly limited).
Conclusion
From this decision it appears likely that future data breach claims issued in the High Court with a modest value are likely to be transferred to the County Court and allocated to the Small Claims Track, and in the event they are not, they will more than likely be subject to an application by the defendant to transfer the claim.
This decision could be critical for data breach claims, as it could significantly impact a party’s ability to recover costs. Whilst this is not good news for individuals whose information is subject to a data breach, this will be good news for defendants, especially where the data breach affects more than one individual.
If you would like to discuss your company and its options in the event of a data breach, then please contact Mark Culbert at mark.culbert@ilaw.co.uk and George Duncan at george.duncan@ilaw.co.uk.