Until recently, claimant law firms had a near-perfect business model for bringing vexatious claims following data breaches. But a number of recent judgments have put a hole in their business model.

One of the biggest challenges facing cyber insurers recently has been the growth of privacy and data protection related claims. Data breaches now trigger a welter of claims – even in cases in which the Information Commissioner’s Office (ICO) has taken no further regulatory action. Claims management companies and claimant law firms that once pursued payment protection insurance (PPI) claims then moved on to data breach claims. And why not? Until recently, they had a near-perfect business model.

They farmed clients who were promised compensation and immunity from any costs through the use of conditional fee arrangements (CFAs) and after-the-event (ATE) insurance to protect against any adverse costs. Claimants had no skin in the game and litigation was seemingly pursued more in the commercial interests of the law firms concerned. One such firm recently entered into administration with work in progress with a book value of £46m resulting from running 28,000 cases.

2021 was the year that the playing field was levelled by the courts.

The first case to move the dial was Warren v DSG Retail (Dixons). Among others, the High Court dismissed the claims in breach of confidence and misuse of private information on the basis that Dixons itself did not take any positive wrongful action. As well as transferring the claim to the County Court, the consequence of the privacy-based claims being dismissed was that the ATE policy premium would not be recoverable as there were no remaining ‘privacy proceedings’.

Hot on the heels of Dixons came Rolfe v Veale Wasbrough in which the High Court threw out a trivial data breach claim, finding that claims where the alleged distress or damage would not exceed a de minimis threshold should not proceed.

Further good news came a month later in Johnson v Eastlight, in which the High Court struck out the privacy claims à la Dixons (preventing the ATE premium from being recovered), held that there was no basis for the claim to have been issued in the High Court’s Media and Communications List, and promptly transferred it to the Small Claims Track in the County Court (which limited the claimant’s ability to claim and recover costs).

Bringing up the rear was the Supreme Court in Lloyd v Google which decided that a representative action (compared to a US-style opt out class action) and rejected the idea that damages could be claimed for loss of control of personal data without more.

These cases have fundamentally challenged the claimant law firm model on all levels in the short term. However, they are unlikely to sound the death knell for the claimant community in the medium-to-long term. Claimants are already re-framing claims to plead positive acts in a bid to breathe new life into privacy claims, revive the recoverability of ATE premiums and keep claims in the High Court.

So, what will 2022 bring for defendants? As claimants assess which data breaches to invest in, expect claims to remain in the pre-action phase for longer, more pre-action disclosure applications to be issued by claimants and resisted by defendants, and more innovative methods and approaches to be adopted by claimants, in particular in the bigger data breaches. For example, the two-phased approach mooted in Lloyd v Google is likely to be explored by litigation funders looking to use the CPR 19.6 representative action procedure to establish liability on behalf of a class before embarking on phase two, focused on other issues including quantum. There will also be a rise in broader GDPR (non-security breach) claims, including cookie litigation.