Data Breach Claims: The Next Claims Influx?
“Have you been involved in an accident that wasn’t your fault?...”
Most of us have received that call or email at some point. In time, however, it could become a thing of the past as a result of legal reform aimed at reducing costs in the personal injury litigation process. Unfortunately, it may already have been replaced by something very similar.
In recent months there has been targeted marketing on TV, social media, etc. by claims management companies with expertise in data breach claims.
Data breaches are not a new phenomenon, and indeed over the past 10 years there have been numerous high-profile data leaks involving well-known organisations. Why, then, is this only now becoming a target area for the claimant market?
Threshold lowered substantially
The Court of Appeal decision in Vidal-Hall v Google from 2015 went largely unnoticed in the market. It was, however, a pivotal moment in the story.
The case held that the Data Protection Act 1998 (DPA) was incompatible with the overriding EU data protection legislation. Under Section 13 of the DPA, the claimant is required to demonstrate ‘damage’ as a result of the data breach to secure compensation. Damage had largely been accepted to mean bodily injury or financial loss. On a practical level this meant that very few cases met the required threshold, and claim volumes were extremely low as a result.
However, under the EU legislation there is no requirement for the claimant to have suffered damage. To be entitled to damages, a claimant merely needs to demonstrate that they have suffered ‘distress’ as a result of the breach. This is a much lower threshold, and is extremely difficult to refute from a defendant’s perspective.
As a result, it is now substantially easier to recover damages in the case of a data breach.
Legal reform
As our supporting article on Fixed Recoverable Costs (FRC) states, in recent years there have been significant changes in personal injury litigation, which have substantially reduced the income streams for those in the claimant market.
In particular, since 2018, holiday sickness claims have been subject to a strict pre-action protocol and FRC. This had previously become a highly profitable area for some claimant firms, and they have therefore adapted their operating models.
FRC do not currently apply to data breach claims, meaning that they can be very lucrative from a costs perspective. Most data breach claims are of a limited value (£1,000 - £2,500), but in some cases the costs claimed can be upwards of ten times the agreed damages.
Public Awareness
The introduction of the General Data Protection Regulation in 2018 raised the public’s awareness of their rights in this area. This, coupled with an easier route to compensation, has generated more claims.
Zurich Position
During 2020 Zurich saw a substantial increase in data breach claims from its customer base. The numbers remain low in relative terms, but the increase is gathering pace. Fortunately, Zurich’s Specialist Claims Team had expertise in this claim species prior to the Vidal-Hall decision and is therefore very well positioned to respond and support customers where such claims are received.