Needless to say, group actions for data protection breaches will generally be shaped by financial considerations. Those are partly about compensation, but also about costs. To make it worthwhile, claimants need not only to win and be awarded compensation, but also to get their costs covered, or at least not have their costs eat too far into their compensation. On this issue, today’s costs judgment in the Morrisons litigation is novel, interesting and instructive in practice.
Panopticon’s summary of the liability judgment is here. To recap: following a data breach attributable to the criminal acts of a rogue Morrisons employee, a group claim for compensation was brought. There was a 10-day trial. Langstaff J gave judgment on 1 December 2017. The Claimants lost on direct liability, but won on vicarious liability. Morrisons have permission to appeal on the vicarious liability issue. Questions of compensation will only be tackled if/when the liability issue is ultimately resolved in the claimants’ favour, but in the meantime the important question of costs for the High Court action has been determined.
In a judgment handed down this morning, Langstaff J awarded the successful claimants 40% of their costs. The judgment is here Morrisons Costs final.
Understandably, the claimants sought all their costs, or at least a minimal discount.
Morrisons argued that the Court should exercise its discretion under CPR 44.2(2)(b) to depart from the general rule, i.e. the winner gets his costs. It sought a costs award in its favour, or in the alternative an order that each party bears its own costs. It did not succeed with either of those, but its fallback argument was very successful indeed: the claimants sought their costs in full, but got less than half.
Morrisons argued for a heavy discount because the bulk of the costs related to the issues on which the claimants lost. For example, 13 of the 14 issues at trial were about direct liability. In the Particulars of Claim, more than three pages were devoted to direct liability; only three lines to vicarious liability. Time at trial was likewise skewed towards direct liability, and that issue had also generated a separate disclosure argument by which the claimants had sought (unsuccessfully) to broaden the scope of their pleaded claim on direct liability. Three of Morrisons’ six witness statements went to direct liability (and the bulk of the claimants’ witness statements were irrelevant to the issues at trial).
Morrisons also argued that significant aspects of the claimants’ case was hopeless (such as their argument that the DPA imposes strict liability) or that the claimants should swiftly have realised that numerous issues were not worth pursuing (such as minutiae about memory sticks).
Langstaff J accepted those arguments, though only to some extent. He recognised that sometimes issues only look hopeless in hindsight and that there was a degree of overlap between the work devoted to the direct and vicarious liability issues. He also emphasised the starting point as to the winner getting his costs. But:
“25. The Claimants have had the indulgence of pursuing claims which were tenuous (to which the Defendant early on gave cogent answers), at unnecessary length, pursuing disclosure that was principally related to those claims. The Defendant should not in justice be required to pay for this, but rather be made subject to a costs order which reflects the fact that it succeeded in resisting those claims.”
The upshot was that Morrisons must pay 40% of the claimants’ costs of the High Court action. Morrisons must continue the war – the next stage being the vicarious liability issue in the Court of Appeal – but it will no doubt view this particular costs battle as a big success.
Langstaff J’s judgment is also highly instructive in terms of how to approach, and plead a data breach case and how to ensure that issues of evidence, disclosure and argument are approached in a proportionate and focused way.
Anya Proops QC and Rupert Paines act for Morrisons.
Robin Hopkins @hopkinsrobin