GLO-ing with Satisfaction? Conducting Data Breach Litigation

Post the little-known judgment in Lloyd v Google LLC, those representing data subjects affected by a data breach (usually, although not always, a data security breach incident) have been considering alternative ways of litigating a large number of small value claims arising from the same factual matrix. The obvious alternative, well-established in various areas of the law, is a group litigation order (“GLO”). (This post does not concern the Netflix series about women’s wrestling. There is more violence, but less lycra. Each to their own.)

But is a GLO actually a cost-effective idea? What about where liability is contested, and the most expensive and difficult common issues will arise at the liability stage, but where it is the defendant’s case that all or most of the claimants will be able to recover no damages, whether because of causation problems, or because the distress claimed is too insignificant to cross a de minimis threshold?

This was the issue which confronted Senior Master Fontaine in Bennett & others v Equifax Ltd [2022] EWHC 1487 (QB) (Bennett and ors v Equifax Ltd 2022 EWHC 1487 (QB) 20.06.22). Equifax was issued a £500,000 MPN by the ICO for a significant data security breach in 2017, the maximum available under the DPA 98. Most of the datasets compromised involved categories of little privacy impact: name, date of birth, telephone number, email addresses. One dataset involved slightly more, including some partial card data and password information. In the region of some 700,000 UK data subjects were thought by the ICO to be affected.

By the time of the hearing before the Senior Master, some 1,000 claimants had issued claims against Equifax, with a considerable number of others being processed. By agreement, there had been filed Generic Particulars, a Generic Defence and a Generic Reply, along with claimant-specific pleadings in nine instances selected by the parties as exemplars of different categories of claimant. How then to manage this? The Claimants sought a GLO. The Defendant opposed a GLO, and argued instead that preliminary issues on causation and loss should be determined, because if the claims (or most of them) were not worth anything, it would be disproportionate to proceed with a GLO and a contested liability hearing.

Slightly unsatisfactorily, the Senior Master fence-sat. Both issues were instead despatched to be considered by a managing judge of the QBD (yet to be appointed) at a CMC. The judgment is accordingly a bit of a curate’s egg.

However, some of the judicial mood music is significant. At [23], the Senior Master held that “I agree with the Defendant that there are real concerns about the entitlement to compensation under the DPA for a significant proportion of these claims and other potential claims. The Claimants accept that the claims are all small value claims and have put an average range of values on the claims of £750 -£3,000”. Similarly, at [28], the Defendant’s suggestion was described as a “constructive proposal” and at [35] the Court commented that “it may be unlikely that the entirety of the Claimant cohort will be able to establish either financial loss or distress to enable compensation to be awarded”.

It was accepted that there could be advantages in the Defendant’s proposal, and a GLO was not the only way to manage a large number of small value claims. However, the Court expressed the view at [26] that the suggestion was not so attractive where liability was left undetermined, and would then need to be addressed. (This is not immediately easy to follow: if most of the claims were struck out on the basis of non-recoverability, liability need not arise. Obviously if that failed, liability would then be in issue, at which point Equifax would doubtless have to consider whether it really wished to fight liability in light of the likely damages awards following from the Court’s approach to compensation.) The Senior Master encouraged the Defendant to consider whether it wanted to pursue its suggestion in relation to causation as well, and, if so, what it could suggest regarding the Claimants’ costs.

In similar vein, the Senior Master also declined to make the GLO requested by the Claimants, punting that off to a CMC before the managing judge too. The Court considered that there was no doubt that some mechanism to manage the claims was needed, but it was hard to take a final view until it had been determined which dataset all claimants were affected by. Advantages of GLOs were noted at [43], but it was also noted that this was not a context in which a readily discernible class of claimant could be identified (at [44]). The Court encouraged, at [47], further consideration of:

“i) the likely costs of obtaining information from all Claimants and potential claimants required to populate a group register, and establishing, populating and maintaining a group register for that number of Claimants;

ii) a way in which sample cases could be determined, either by ADR, or as preliminary issues, in such a way as to overcome the supervening problem of liability not being conceded, referred to above at Paragraph 25, and how the issue of causation could be dealt with”.

Finally, an informal application for specific disclosure was also refused, with the Senior Master commenting that such matters should be explored in correspondence first, and that whether it could be justified, even if made formally, would depend on the case management decisions which were being pushed to the CMC.

An interesting judgment then, even in its disinclination to actually decide the issues too quickly. But there is a clear indication of a judicial openness to exploring more imaginative ways to case manage large numbers of small claims in this context, where there are obvious issues about how much (if anything) the claimant cohort will recover. Watch this space, no doubt.

Marcus Pilgerstorfer QC and Robin Hopkins act for Equifax.

Christopher Knight